TaPaFuzz: Hardware-accelerated RISC-V bare-metal firmware fuzzing using rapid job launches

Florian Meisel, Christoph Spang, David Volz, Andreas Koch
DOI: https://doi.org/10.1016/j.sysarc.2024.103288
IF: 5.836
2024-10-21
Journal of Systems Architecture
Abstract: Fuzz testing is a key technique in software security for finding unexpected program behavior by repeatedly executing the target with automatically generated random inputs. Such testing is integral to IoT device security but is hampered by the minimal observability features of typical in-market IoT devices. Moreover, software emulation of RISC-V on x86 host CPUs is slow, and recompiling IoT applications for a different ISA so they can run natively on the host introduces inaccuracies. Our software-hardware co-design overcomes these hurdles: fuzzing jobs are prepared and evaluated on a host computer, while the actual execution, with high-throughput tracing, is performed on an FPGA. Advances in the host-to-FPGA interface, together with an accelerated reset procedure between fuzzer jobs, effectively hide the costly host-FPGA communication and increase single-thread fuzzing performance by up to 11.7x over the leading QEMU-based fuzzer AFL++ running on a very fast x86 CPU. We demonstrate practical usability by evaluating our framework on a collection of bare-metal applications.
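The abstract splits the loop into host-side job preparation and evaluation and FPGA-side execution with tracing, which is what lets a bare-metal target be fuzzed without any instrumentation on the device. The Python below is an added illustration of the host-side evaluation half only; it is not code from the TaPaFuzz paper or from AFL++, and the abstract does not describe TaPaFuzz's actual trace format or evaluation. It assumes the device hands back a trace as the sequence of executed basic-block addresses and that the host turns it into AFL-style edge coverage with hit-count buckets, keeping an input only when it reaches a new edge or a new bucket. The map size and bucket boundaries follow AFL's conventions; the block hash, the toy firmware addresses and the traces are constructed for the example.

```python
"""Host-side evaluation of a device-produced execution trace.

Added illustration for this page; it is not code from the TaPaFuzz paper or
from AFL++. Assumptions: the FPGA hands back a trace as the list of executed
basic-block addresses (PCs), and the host converts it into an AFL-style
edge-coverage map with hit-count buckets to decide whether an input earned a
place in the corpus. Map size and bucket boundaries follow AFL's conventions;
the block hash, the toy firmware addresses and the traces are constructed.
"""
from typing import Dict, List, Sequence, Tuple

MAP_SIZE = 1 << 16          # AFL's default edge map: 64 KiB
MASK = MAP_SIZE - 1

# Hit-count buckets as in AFL: 1, 2, 3, 4-7, 8-15, 16-31, 32-127, 128+
_BUCKET_FLOORS = (1, 2, 3, 4, 8, 16, 32, 128)


def block_id(pc: int) -> int:
    """Spread a PC over the map with a 32-bit Fibonacci hash (constructed stand-in
    for the per-block random ids that compiler instrumentation would assign)."""
    return ((pc * 0x9E3779B1) & 0xFFFFFFFF) >> 16


def edge_index(prev_pc: int, cur_pc: int) -> int:
    """AFL-style edge id: cur ^ (prev >> 1), so A->B and B->A map to different slots."""
    return (block_id(cur_pc) ^ (block_id(prev_pc) >> 1)) & MASK


def trace_to_map(trace: Sequence[int]) -> Dict[int, int]:
    """Collapse a PC trace into {edge_id: hit_count}. The entry block's
    predecessor is taken as PC 0, which hashes to block id 0."""
    hits: Dict[int, int] = {}
    prev = 0
    for pc in trace:
        idx = edge_index(prev, pc)
        hits[idx] = hits.get(idx, 0) + 1
        prev = pc
    return hits


def bucket(count: int) -> int:
    """Map a raw hit count to a bucket number 1..8 (0 only for count == 0)."""
    b = 0
    for floor in _BUCKET_FLOORS:
        if count >= floor:
            b += 1
    return b


class CoverageState:
    """Global view of every (edge, bucket) pair seen so far, one byte per edge."""

    def __init__(self) -> None:
        self.seen = bytearray(MAP_SIZE)

    def update(self, hits: Dict[int, int]) -> Tuple[int, int]:
        """Merge one execution's hit map; return (new_edges, new_buckets)."""
        new_edges = new_buckets = 0
        for idx, count in hits.items():
            bit = 1 << (bucket(count) - 1)
            before = self.seen[idx]
            if before == 0:
                new_edges += 1
            elif not before & bit:
                new_buckets += 1
            self.seen[idx] = before | bit
        return new_edges, new_buckets


def host_loop(jobs: Sequence[Tuple[bytes, Sequence[int]]]) -> List[bytes]:
    """The host-side half of the fuzz loop: each job is (input, trace returned by
    the device). Keep an input when it reaches a new edge or a new bucket."""
    state = CoverageState()
    corpus: List[bytes] = []
    for data, trace in jobs:
        new_edges, new_buckets = state.update(trace_to_map(trace))
        if new_edges or new_buckets:
            corpus.append(data)
    return corpus


# Constructed toy firmware: five basic blocks at RISC-V-like addresses.
ENTRY, CHECK, LOOP, EXIT, ERR = (0x80000000 + 0x10 * k for k in range(5))

# Constructed (input, trace) pairs standing in for what the device would return.
SAMPLE_JOBS = [
    (b"seed",      [ENTRY, CHECK, EXIT]),                          # straight through
    (b"same-path", [ENTRY, CHECK, EXIT]),                          # nothing new
    (b"loop-x2",   [ENTRY, CHECK] + [LOOP, CHECK] * 2 + [EXIT]),   # two new edges
    (b"loop-x8",   [ENTRY, CHECK] + [LOOP, CHECK] * 8 + [EXIT]),   # same edges, new bucket
    (b"error",     [ENTRY, CHECK, ERR]),                           # new edge into handler
]

if __name__ == "__main__":
    for kept in host_loop(SAMPLE_JOBS):
        print("kept:", kept.decode())
```

The fourth job is the reason hit-count buckets exist: it executes exactly the same edges as the third, so a plain edge bitmap would discard it, but the loop-body edges move from the "2" bucket to the "8-15" bucket, which is the kind of behavioral change a fuzzer wants to keep exploring. In a real deployment the expensive part is not this evaluation but getting the trace off the device and resetting it for the next job, which is the cost the abstract's pipelined interface and accelerated reset are designed to hide.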
computer science, software engineering, hardware & architecture