DualFuzz: Detecting Vulnerability in Wi-Fi NICs through Dual-Directional Fuzzing
Wi-Fi Network Interface Cards (NICs) are vital for enabling wireless connectivity across a wide range of devices. Ensuring their security is critical, as vulnerabilities can expose entire networks to threats. Fuzzing is a promising technique for detecting such flaws. However, existing Wi-Fi fuzzers typically test transmission and reception separately, overlooking their interactions and resulting in inefficient testing.
In this work, we present DualFuzz, a dual-directional fuzzing framework designed to simultaneously test both transmission and reception processes in Wi-Fi NICs. First, DualFuzz automatically identifies interaction behaviors within Wi-Fi NICs and constructs a Transmission-Reception Model (TRModel) to characterize Wi-Fi frames that influence these interactions. Leveraging this model, DualFuzz utilizes latency guided fuzzing to efficiently coordinate exploring transmission and reception interaction logics. Finally, we propose liveness and equivalence detectors that enable real-time monitoring to identify abnormal states and uncover potential vulnerabilities in Wi-Fi NICs. We implemented and evaluated DualFuzz on eight widely used Wi-Fi NICs, incorporating chipsets from various manufacturers (e.g., Intel and Realtek). Compared to state-of-the-art Wi-Fi fuzzers like OwFuzz, wpaspy, and Greyhound, DualFuzz detects 75%, 163%, and 250% more vulnerabilities, respectively. In total, it uncovered 21 previously unknown vulnerabilities, 7 of which have been assigned CVEs. All have been confirmed and fixed by the corresponding maintainers.
Tue 18 NovDisplayed time zone: Seoul change
14:00 - 15:30 | Fuzzing 1Research Papers / Journal-First at Grand Hall 2 Chair(s): Yanjie Zhao Huazhong University of Science and Technology | ||
14:00 10mTalk | RSFuzz: A Robustness-Guided Swarm Fuzzing Framework Based on Behavioral Constraints Research Papers Ruoyu Zhou School of Computer Science and Technology, Xidian University, Xi'an, China; Shaanxi Key Laboratory of Network and System Security, Xidian University, Xi'an, China, Zhiwei Zhang School of Computer Science and Technology, Xidian University, Xi'an, China; Shaanxi Key Laboratory of Network and System Security, Xidian University, Xi'an, China, Haocheng Han School of Computer Science and Technology, Xidian University, Xi'an, China; Shaanxi Key Laboratory of Network and System Security, Xidian University, Xi'an, China, Xiaodong Zhang University of Chinese Academy of Science, Zehan Chen School of Computer Science and Technology, Xidian University, Xi’an, China; Shaanxi Key Laboratory of Network and System Security , Xidian University, Jun Sun Singapore Management University, Yulong Shen Xidian University, Dehai Xu Yiqiyin (Hangzhou) Technology Co., Ltd. Xi'an Branch, Xi'an, China | ||
14:10 10mTalk | DualFuzz: Detecting Vulnerability in Wi-Fi NICs through Dual-Directional Fuzzing Research Papers Yuanliang Chen Tsinghua University, Fuchen Ma Tsinghua University, Yanyang Zhao Tsinghua University, Yuanyi Li Shuimu Yulin Technology Co., Ltd, Yu Jiang Tsinghua University | ||
14:20 10mTalk | ORFuzz: Fuzzing the "Other Side" of LLM Safety – Testing Over-Refusal Research Papers Haonan Zhang Zhejiang University, Dongxia Wang Zhejiang University, Yi Liu Nanyang Technological University, Kexin Chen Zhejiang University, Jiashui Wang Zhejiang University, Xinlei Ying Ant Group, Long Liu Ant Group, Wenhai Wang Zhejiang University Pre-print | ||
14:30 10mTalk | DNAFuzz: Descriptor-Aware Fuzzing for USB Drivers Research Papers Zhengshu Wang Hubei University, Peng He Hubei University, Fuchen Ma Tsinghua University, Yuanliang Chen Tsinghua University, Shuoshuo Duan Shuimu Yulin Technology Co., Ltd, Yiyuan Bai Shuimu Yulin Technology Co., Ltd, Yu Jiang Tsinghua University | ||
14:40 10mTalk | ARG: Testing Query Rewriters via Abstract Rule Guided Fuzzing Research Papers Dawei Li Beihang University, Yuxiao Guo Beihang University, Qifan Liu Beihang University, Jie Liang Beihang University, Zhiyong Wu Tsinghua University, China, Jingzhou Fu School of Software, Tsinghua University, Chi Zhang Tsinghua University, Yu Jiang Tsinghua University | ||
14:50 10mTalk | Algernon: A Flag-Guided Hybrid Fuzzer for Unlocking Hidden Program Paths Research Papers Peng Deng Fudan University, Lei Zhang Fudan University, Jingqi Long Fudan University, Wenzheng Hong Independent, Zhemin Yang Fudan University, Yuan Zhang Fudan University, Donglai Zhu Fudan University, Min Yang Fudan University | ||
15:00 10mTalk | Interleaved Learning and Exploration: A Self-Adaptive Fuzz Testing Framework for MLIR Research Papers Zeyu Sun Institute of Software, Chinese Academy of Sciences, Jingjing Liang East China Normal University, Weiyi Wang Institute of Software, Chinese Academy of Sciences, Chenyao Suo Tianjin University, Junjie Chen Tianjin University, Fanjiang Xu Institute of Software at Chinese Academy of Sciences | ||
15:10 10mTalk | WingMuzz: Blackbox Testing of IoT Protocols via Two-dimensional Fuzzing Schedule Research Papers Xiaogang Zhu Adelaide University, Enze Dai Swinburne University of Technology, Xiaotao Feng 360 Vulnerability Research Institute, Shaohua Wang Central University of Finance and Economics, Xin Xia Zhejiang University, Sheng Wen Swinburne University of Technology, Kwok-Yan Lam Nanyang Technological University, Singapore, Yang Xiang Digital Research & Innovation Capability Platform, Swinburne University of Technology | ||
15:20 10mTalk | Advanced White-Box Heuristics for Search-Based Fuzzing of REST APIs Journal-First Andrea Arcuri Kristiania University College and Oslo Metropolitan University, Man Zhang Beihang University, China, Juan Pablo Galeotti University of Buenos Aires | ||