Aperture Podcast: Claroty, JFrog on Fuzzing BusyBox
By Michael Mimoso | Nov. 29, 2021
BusyBox, the popular open-source embedded Linux utility suite, is a mainstay within operational technology networks: many devices, such as programmable logic controllers (PLCs), human-machine interfaces (HMIs), and remote terminal units (RTUs), run BusyBox under the hood as an embedded operating system.
Recently, researchers from Claroty’s Team82 and JFrog collaborated on a research project that examined the security of BusyBox, uncovering 14 vulnerabilities in vendors’ implementations of the utility suite that could expose users to denial of service conditions, and in some cases, information leaks or remote code execution.
In this episode of Claroty’s Aperture podcast, Team82’s Vera Mens and JFrog senior director of security research Shachar Menashe join to discuss the research paper describing this collaboration, as well as the importance of contributing to open-source security. In addition to the paper, one output of this collaboration was the release to open source of the custom AFL fuzzing harnesses developed by Claroty that were used to trigger the vulnerabilities. AFL (American Fuzzy Lop) is a free software fuzzing platform.
“Fuzzing, especially with AFL, proved to be very fruitful in finding vulnerabilities,” Mens said. “Most of the work done was to tailor those fuzzers to the project itself.” The community, Mens said, may now use those fuzzers to look for BusyBox vulnerabilities in their own implementations.
“We have to give back,” Menashe said. “We used this open source project, and we want to give back by open-sourcing whatever we got from it. It just helps the security posture all around because now someone can take our harnesses and run them in some different configurations and find even more bugs in BusyBox. Because BusyBox is in every embedded device around us, this contributes to the security of all of us.”
You'll learn more in this discussion:
- Details on some of the vulnerabilities discovered by Team82 and JFrog
- Strategies for developing and using the custom fuzzing harnesses to test all 200 BusyBox utilities, and not just network utilities
- A compare-and-contrast discussion of disclosing vulnerabilities to open source projects versus commercial software companies
- The responsibilities researchers should assume when working with ubiquitous open source software