ESRFuzzer: an enhanced fuzzing framework for physical SOHO router devices to discover multi-Type vulnerabilities
Cybersecurity Pub Date : 2021-07-19 , DOI: 10.1186/s42400-021-00091-9
Yu Zhang 1, 2, 3, 4 , Wei Huo 1, 2, 3, 4 , Kunpeng Jian 1, 2, 3, 4 , Ji Shi 1, 2, 3, 4 , Longquan Liu 1, 2, 3, 4 , Yanyan Zou 1, 2, 3, 4 , Baoxu Liu 1, 2, 3, 4 , Chao Zhang 5, 6
SOHO (small office/home office) routers provide services for end devices to connect to the Internet, playing an important role in cyberspace. Unfortunately, security vulnerabilities pervasively exist in these routers, especially in the web server modules, greatly endangering end users. To discover these vulnerabilities, fuzzing the web server modules of SOHO routers is the most popular solution. However, its effectiveness is limited by the lack of input specifications, the lack of visibility into routers' internal running states, and the lack of testing environment recovery mechanisms. Moreover, existing works on device fuzzing are more likely to detect memory corruption vulnerabilities. In this paper, we propose a solution, ESRFuzzer, to address these issues. It is a fully automated fuzzing framework for testing physical SOHO devices. It continuously and effectively generates test cases by leveraging two input semantic models, i.e., the KEY-VALUE data model and the CONF-READ communication model, and automatically recovers the testing environment with power management. It also coordinates diversified mutation rules with multiple monitoring mechanisms to trigger multi-type vulnerabilities. With the guidance of the two semantic models, ESRFuzzer can work in two ways: general mode fuzzing and D-CONF mode fuzzing. General mode fuzzing can discover issues which occur in both the CONF and the READ operation, while D-CONF mode fuzzing focuses on the READ-op issues that general mode fuzzing is especially likely to miss. We ran ESRFuzzer on 10 popular routers across five vendors. In total, it discovered 136 unique issues, 120 of which have been confirmed as 0-day vulnerabilities we found. As an improvement of SRFuzzer, ESRFuzzer has discovered 35 previously undiscovered READ-op issues that belong to three vulnerability types, and 23 of them have been confirmed as 0-day vulnerabilities by vendors.
The experimental results show that ESRFuzzer outperforms state-of-the-art solutions in terms of the types and number of vulnerabilities found.




Updated: 2021-07-19