Trend Micro researchers have discovered a critical flaw in the LoRaWAN stack allowing attackers to launch malicious code on a victim’s device. Researchers published a blog post to demonstrate the methodology employed by attackers to spot exploitable vulnerabilities in the LoRaWAN stack. Interestingly, the same technique can be used by stack developers to shield the stack and make LoRaWAN communication resistant to critical bugs.
Detecting bugs through fuzz testing
Researchers created a fuzzy architecture to spot vulnerabilities exploited by threat actors While researching and experimenting with LoRaWAN stack security, they designed a fuzzing architecture to detect interesting bugs that attackers might be able to leverage. It can also be used to create more effective security for the protocol stacks of LoRaWAN and other protocols as well.
Fuzz testing is a novel technique to detect security loopholes in software applications. Unlike traditional software testing techniques – SAST, DAST, or IAST – fuzz testing essentially “pings” code with random (or semi-random) inputs in an effort to crash it and thus identify “faults” that would otherwise not be apparent.
The name “fuzz” is a reference to the random nature of the process. Fuzz testing’s supporters praise it for being fully automated and able to find obscure weaknesses, while its detractors complain it can be difficult to set up and prone to deliver unreliable results.
Trend Micro employed this technique to cover as many code paths as possible with legitimate and dumb fuzzing using the AFL++ framework (evolution of AFL). This supplies some instrumentation for mutating pseudorandom bits, bytes, and words.
Additionally, researchers compiled every type of message that could be interpreted by the parser. To increase the fuzzing process speed from 'by x2' up to 'by x20' persistent mode was used and to handle the amount of "uniq crash files" found in the repositories after fuzzing, researchers designed a classification method that can help users focus on the critical bugs first.
Finally, the code is compiled into a different architecture than x86-64 - with a particular cross compiler with specific options. Hence, if researchers attempt to prove the flaw by exploiting it, additional time will be wasted in adapting the exploit to the right architecture.
