Jinyan Xu,Yiyuan Liu,Sirui He,Haoran Lin,Yajin Zhou,Cong Wang

DOI: https://doi.org/10.5281/zenodo.8024468

2023-01-01

Abstract:Modern processors are too complex to be bug free. Recently, a few hardware fuzzing techniques have shown promising results in verifying processor designs. However, due to the complexity of processors, they suffer from complex input grammar, deceptive mutation guidance, and model implementation differences. Therefore, how to effectively and efficiently verify processors is still an open problem. This paper proposes MorFuzz, a novel processor fuzzer that can efficiently discover software triggerable hardware bugs. The core idea behind MorFuzz is to use runtime information to generate instruction streams with valid formats and meaningful semantics. MorFuzz designs a new input structure to provide multi-level runtime mutation primitives and proposes the instruction morphing technique to mutate instruction dynamically. Besides, we also extend the co-simulation framework to various microarchitectures and develop the state synchronization technique to eliminate implementation differences. We evaluate MorFuzz on three popular open-source RISC-V processors: CVA6, Rocket, BOOM, and discover 17 new bugs (with 13 CVEs assigned). Our evaluation shows MorFuzz achieves 4.4x and 1.6x more state coverage than the state-of-the-art fuzzer, DifuzzRTL, and the famous constrained instruction generator, riscv-dv.

Chi Zhang,Yu Wang,Linzhang Wang

DOI: https://doi.org/10.1145/3457913.3457934

2021-01-01

Abstract:Background: Firmware is the enable software of Internet of Things (IoT) devices, and its software vulnerabilities are one of the primary reason of IoT devices being exploited. Due to the limited resources of IoT devices, it is impractical to deploy sophisticated run-time protection techniques. Under an insecure network environment, when a firmware is exploited, it may lead to denial of service, information disclosure, elevation of privilege, or even life-threatening. Therefore, firmware vulnerability detection by fuzzing has become the key to ensure the security of IoT devices, and has also become a hot topic in academic and industrial research. With the rapid growth of the existing IoT devices, the size and complexity of firmware, the variety of firmware types, and the firmware defects, existing IoT firmware fuzzing methods face challenges. Objective: This paper summarizes the typical types of IoT firmware fuzzing methods, analyzes the contribution of these works, and summarizes the shortcomings of existing fuzzing methods. Method: We design several research questions, extract keywords from the research questions, then use the keywords to search for related literature. Result: We divide the existing firmware fuzzing work into real-device-based fuzzing and simulation-based fuzzing according to the firmware execution environment, and simulation-based fuzzing is the mainstream in the future; we found that the main types of vulnerabilities targeted by existing fuzzing methods are memory corruption vulnerabilities; firmware fuzzing faces more difficulties than ordinary software fuzzing. Conclusion: Through the analysis of the advantages and disadvantages of different methods, this review provides guidance for further improving the performance of fuzzing techniques, and proposes several recommendations from the findings of this review.

Hangtian Liu,Shuitao Gan,Chao Zhang,Zicong Gao,Hongqi Zhang,Xiangzhi Wang,Guangming Gao

DOI: https://doi.org/10.1109/sp54263.2024.00127

2024-01-01

Abstract:Fuzzing is a popular solution to finding vulnerabilities in software including IoT firmware. However, due to the challenges of emulating or rehosting firmware, some IoT devices (e.g., enterprise-level devices) can only be fuzzed in a black-box manner, which makes fuzzers blind and inefficient due to missing feedbacks (e.g., code coverage or distance). In this paper, we present a novel response guided directed fuzzing solution Labrador, able to test black-box IoT devices efficiently. Specifically, we leverage the network response to infer the execution trace of firmware and deduce the code coverage of testing. Second, we leverage the test case (i.e., request) and its response to estimate the distance to the target sensitive code (i.e., sink). Lastly, we further leverage the distance to guide test case mutation, which efficiently drives directed fuzzing toward candidate vulnerable code. We have implemented a prototype of Labrador and evaluated it on 14 different enterprise-level IoT devices. Results showed that Labrador significantly outperforms state-of-the-art (SOTA) solutions. It finds 44X more vulnerabilities than SNIPUZZ, BOOFUZZ and FIRM-AFL and 8.57X more vulnerabilities than SaTC. In total, it discovered 79 unknown vulnerabilities, of which 61 were assigned with CVEs.

Deepak Narayan Gadde,Aman Kumar,Djones Lettnin,Sebastian Simon

2024-10-23

Abstract:Ever-increasing design complexity of System-on-Chips (SoCs) led to significant verification challenges. Unlike software, bugs in hardware design are vigorous and eternal i.e., once the hardware is fabricated, it cannot be repaired with any patch. Despite being one of the powerful techniques used in verification, the dynamic random approach cannot give confidence to complex Register Transfer Leve (RTL) designs during the pre-silicon design phase. In particular, achieving coverage targets and exposing bugs is a complicated task with random simulations. In this paper, we leverage an existing testing solution available in the software world known as fuzzing and apply it to hardware verification in order to achieve coverage targets in quick time. We created an automated hardware fuzzing framework FuzzWiz using metamodeling and Python to achieve coverage goals faster. It includes parsing the RTL design module, converting it into C/C++ models, creating generic testbench with assertions, fuzzer-specific compilation, linking, and fuzzing. Furthermore, it is configurable and provides the debug flow if any crash is detected during the fuzzing process. The proposed framework is applied on four IP blocks from Google's OpenTitan chip with various fuzzing engines to show its scalability and compatibility. Our benchmarking results show that we could achieve around 90% of the coverage 10 times faster than traditional simulation regression based approach.

Hardware Architecture,Artificial Intelligence,Software Engineering

Yu Zhang,Nanyu Zhong,Wei You,Yanyan Zou,Kunpeng Jian,Jiahuan Xu,Jian Sun,Baoxu Liu,Wei Huo

DOI: https://doi.org/10.1186/s42400-022-00120-1

2022-11-02

Abstract:Network function virtualization provides programmable in-network middlewares by leveraging virtualization technologies and commodity hardware and has gained popularity among all mainstream network device manufacturers. Yet it is challenging to apply coverage-guided fuzzing, one of the state-of-the-art vulnerability discovery approaches, to those virtualized network devices, due to inevitable integrity protection adopted by those devices. In this paper, we propose a coverage-guided fuzzing framework NDFuzz for virtualized network devices with a novel integrity protection bypassing method, which is able to distinguish processes of virtualized network devices from hypervisors with a carefully designed non-intrusive page global directory inference technique. We implement NDFuzz atop of two black-box fuzzers and evaluate NDFuzz with three representative network protocols, SNMP , DHCP and NTP , on nine popular virtualized network devices. NDFuzz obtains an average 36% coverage improvement in comparison with its black-box counterparts. NDFuzz discovers 2 0-Day vulnerabilities and 1 1-Day vulnerability with coverage guidance while the black-box fuzzer can find only one of them. All discovered vulnerabilities are confirmed by corresponding vendors.

computer science, information systems, interdisciplinary applications, software engineering

Bo Yu,Pengfei Wang,Tai Yue,Yong Tang

DOI: https://doi.org/10.1145/3319535.3363247

2019-01-01

Abstract:In this work, we present IoTHunter, the first grey-box fuzzer for fuzzing stateful protocols in IoT firmware. IoTHunter addresses the state scheduling problem based on a multi-stage message generation mechanism on runtime monitoring of IoT firmware. We evaluate IoTHunter with a set of real-world programs, and the result shows that IoTHunter outperforms black-box fuzzer boofuzz, which has a 2.2x, 2.0x, and 2.5x increase for function coverage, block coverage, and edge coverage, respectively. IoTHunter also found five new vulnerabilities in the firmware of home router Mikrotik, which have been reported to the vendor.

Lingyun Situ,Chi Zhang,Le Guan,Zhiqiang Zuo,Linzhang Wang,Xuandong Li,Peng Liu,Jin Shi

DOI: https://doi.org/10.1109/jiot.2023.3303780

IF: 10.6

2023-01-01

IEEE Internet of Things Journal

Abstract:With the rapid expansion of the Internet of Things, a vast number of microcontroller-based IoT devices are now susceptible to attacks through the Internet. Vulnerabilities within the firmware are one of the most important attack surfaces. Fuzzing has emerged as one of the most effective techniques for identifying such vulnerabilities. However, when applied to IoT firmware, several challenges arise, including: (1) the inability of firmware to execute properly in the absence of peripherals, (2) the lack of support for exploring input spaces of multiple peripherals, (3) difficulties in instrumenting and gathering feedback, and (4) the absence of a fault detection mechanism. To address these challenges, we have developed and implemented an innovative peripheral-independent hybrid fuzzing tool called . This tool enables testing of microcontroller-based firmware without reliance on specific peripheral hardware. First, a unified virtual peripheral was integrated to model the behaviors of various peripherals, thus enabling the physical devices-agnostic firmware execution. Then, a hybrid event generation approach was used to generate inputs for different peripheral accesses. Furthermore, two-level coverage feedback was collected to optimize the testcase generation. Finally, a plugin-based fault detection mechanism was implemented to identify typical memory corruption vulnerabilities. A Large-scale experimental evaluation has been performed to show ’s effectiveness and efficiency.

computer science, information systems,telecommunications,engineering, electrical & electronic

Bodong Zhao,Zheming Li,Shisong Qin,Zheyu Ma,Ming Yuan,Wenyu Zhu,Zhihong Tian,Chao Zhang

2022-01-01

Abstract:Coverage-guided fuzzing has achieved great success in finding software vulnerabilities. Existing coverage-guided fuzzers generally favor test cases that hit new code, and discard ones that exercise the same code. However, such a strategy is not optimum. A new test case exercising the same code could be better than a previous test case, as it may trigger new program states useful for code exploration and bug discovery. In this paper, we assessed the limitation of coverage-guided fuzzing solutions and proposed a state-aware fuzzing solution StateFuzz to address this issue. First, we model program states with values of state-variables and utilize static analysis to recognize such variables. Then, we instrument target programs to track such variables' values and infer program state transition at runtime. Lastly, we utilize state information to prioritize test cases that can trigger new states, and apply a three-dimension feedback mechanism to fine-tune the evolutionary direction of coverage-guided fuzzers. We have implemented a prototype of StateFuzz, and evaluated it on Linux upstream drivers and Android drivers. Evaluation results show that StateFuzz is effective at discovering both new code and vulnerabilities. It finds 18 unknown vulnerabilities and 2 known but unpatched vulnerabilities, and reaches 19% higher code coverage and 32% higher state coverage than the state-of-the-art fuzzer Syzkaller.

Rohan Padhye,Caroline Lemieux,Koushik Sen,Laurent Simon,Hayawardh Vijayakumar

DOI: https://doi.org/10.1145/3360600

2019-10-10

Proceedings of the ACM on Programming Languages

Abstract:Coverage-guided fuzz testing has gained prominence as a highly effective method of finding security vulnerabilities such as buffer overflows in programs that parse binary data. Recently, researchers have introduced various specializations to the coverage-guided fuzzing algorithm for different domain-specific testing goals, such as finding performance bottlenecks, generating valid inputs, handling magic-byte comparisons, etc. Each such solution can require non-trivial implementation effort and produces a distinct variant of a fuzzing tool. We observe that many of these domain-specific solutions follow a common solution pattern. In this paper, we present FuzzFactory, a framework for developing domain-specific fuzzing applications without requiring changes to mutation and search heuristics. FuzzFactory allows users to specify the collection of dynamic domain-specific feedback during test execution, as well as how such feedback should be aggregated. FuzzFactory uses this information to selectively save intermediate inputs, called waypoints, to augment coverage-guided fuzzing. Such waypoints always make progress towards domain-specific multi-dimensional objectives. We instantiate six domain-specific fuzzing applications using FuzzFactory: three re-implementations of prior work and three novel solutions, and evaluate their effectiveness on benchmarks from Google's fuzzer test suite. We also show how multiple domains can be composed to perform better than the sum of their parts. For example, we combine domain-specific feedback about strict equality comparisons and dynamic memory allocations, to enable the automatic generation of LZ4 bombs and PNG bombs.

Bo Yu,Lei Zhou,Chengnuo Cai,Qiang Yang,Yaojia Yang,Runhao Liu,Lei Luo,Wenyu Long,Lianghua Gong

DOI: https://doi.org/10.1109/icws62655.2024.00139

2024-01-01

Abstract:Fuzzing network protocols is challenging due to their various factors including syntax, state transition, and even conformation of its executable software. To achieve better convenience of platform development and effectiveness of individual protocol testing, current grey-box fuzzing approaches generally focus on limited factors. However, it leaves poor performance on real-world services’s protocol evaluation since it requires significant additional adaptation efforts to accommodate the diversity of protocol software. To address this issue, we present FuzzFabric, a scalable grey-box fuzzing framework designed for polymorphic protocol services. FuzzFabric decouples existing fuzzing engines and modular programs the protocol processing adapters, and finally adaptive assembles fuzzing engine to evaluate different network protocol services. We implemented FuzzFabric on top of AFLNet, supporting 3 different protocol types and 4 instrumentation tools, and conducted experiments using 11 real-world protocol applications. The results demonstrate that FuzzFabric can effectively fuzz protocols in different forms with various instrumentation, validating its practical efficacy and scalability.

Yingpei Zeng,Mingmin Lin,Shanqing Guo,Yanzhao Shen,Tingting Cui,Ting Wu,Qiuhua Zheng,Qiuhua Wang

DOI: https://doi.org/10.3390/s20185194

IF: 3.9

2020-09-11

Sensors

Abstract:The publish/subscribe model has gained prominence in the Internet of things (IoT) network, and both Message Queue Telemetry Transport (MQTT) and Constrained Application Protocol (CoAP) support it. However, existing coverage-based fuzzers may miss some paths when fuzzing such publish/subscribe protocols, because they implicitly assume that there are only two parties in a protocol, which is not true now since there are three parties, i.e., the publisher, the subscriber and the broker. In this paper, we propose MultiFuzz, a new coverage-based multiparty-protocol fuzzer. First, it embeds multiple-connection information in a single input. Second, it uses a message mutation algorithm to stimulate protocol state transitions, without the need of protocol specifications. Third, it uses a new desockmulti module to feed the network messages into the program under test. desockmulti is similar to desock (Preeny), a tool widely used by the community, but it is specially designed for fuzzing and is 10x faster. We implement MultiFuzz based on AFL, and use it to fuzz two popular projects Eclipse Mosquitto and libCoAP. We reported discovered problems to the projects. In addition, we compare MultiFuzz with AFL and two state-of-the-art fuzzers, MOPT and AFLNET, and find it discovering more paths and crashes.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Congxi Song,Bo Yu,Xu Zhou,Qiang Yang

DOI: https://doi.org/10.1109/access.2019.2895025

IF: 3.9

2019-01-01

IEEE Access

Abstract:In recent years, the fuzzing technology is widely used to detect the software vulnerabilities owing to the coverage improvement in the target program and the easiness of use. However, it is less efficient to fuzz the stateful protocols due to the difficulties like maintaining states and dependencies of messages. To address these challenges, we present SPFuzz, a framework for building flexible, coverage-guided stateful protocol fuzzing. We define a language in SPFuzz to describe the protocol specifications, protocol states transitions and dependencies for generating valuable test cases, maintaining correct messages in session states and handling protocol dependencies by updating message data in time. The SPFuzz adopts a three-level mutation strategy, namely head, content, and sequence mutation strategy to drive the fuzzing process to cover more paths, in conjunction with the method to randomly assign weights to messages and strategies. We use the following metrics to evaluate the performance of SPFuzz and other frameworks upon three protocol implementations, i.e., Proftpd, Oftpd, and OpenSSL, which are three-granularity coverages specifically function, basic block, and edge. In experiments, the SPFuzz framework outperforms the existing stateful protocol fuzzing tool Boofuzz by an average of 69.12% in three granularities coverage tests. This demonstrates that the SPFuzz has the ability to explore more and deeper paths of the target program. We further triggered CVE-2015-0291 in OpenSSL 1.0.2 with the SPFuzz, which proves the validity and utility of our framework.

Yifei Gao,Xu Zhou,Wei Xie,Baosheng Wang,Enze Wang,Zhenhua Wang

DOI: https://doi.org/10.3390/app12136429

2022-01-01

Applied Sciences

Abstract:IoT web fuzzing is an effective way to detect security flaws in IoT devices. However, without enough information of the tested targets, IoT web fuzzing is often blind and inefficient. In this paper, we propose to use static analysis to assist IoT web fuzzing. Our insight is that plenty of useful information is hidden in firmwares, which can be mined by static analysis and used to guide the subsequent dynamic analysis—fuzzing. Hence, our approach contains two stages: pre-fuzzing stage and fuzzing stage. In the pre-fuzzing stage, we perform static analysis on the IoT firmwares to exploit helpful information, such as web page paths, interfaces, and shared keywords. These kinds of information are used to construct diverse seeds for covering more web paths and interfaces, and are also used to prioritize seeds according to their importance (related to shared keywords) in the fuzzing stage. Based on this approach, we implement a prototype IoT web fuzzing system—IoTParser. Experiments show that IoTParser increased the vulnerability discovery capability by 44% on average, while increasing the vulnerability discovery efficiency by 48.2% on average compared with state-of-the-art IoT web fuzzer. In addition, IoTParser has found 13 vulnerabilities, including 7 0-day.

Hangwei Zhang,Kai Lu,Xu Zhou,Qidi Yin,Pengfei Wang,Tai Yue

DOI: https://doi.org/10.3390/app11073120

2021-01-01

Abstract:Cyber attacks against the web management interface of Internet of Things (IoT) devices often have serious consequences. Current research uses fuzzing technologies to test the web interfaces of IoT devices. These IoT fuzzers generate messages (a test case sent from the client to the server to test its functionality) without considering their dependency, which is unlikely to bypass the early check of the server. These invalid test cases significantly reduce the efficiency of fuzzing. To overcome this problem, we propose a stateful message generation (SMG) mechanism for IoT web fuzzing. SMG addresses two problems in IoT fuzzing. First, we retrieve the message dependency by using web front-end analysis and status analysis. These dependent messages, which can easily bypass the server check, are used as a valid seed. Second, we adopt a multi-message seed format to preserve the dependency of the messages when mutating the seed to get a valid test case, so that the test case can bypass the state check of the server to make a valid test. Message dependency preservation is implemented by our proposed parameter mutation and structural mutation methods. We implement SMG in our IoT fuzzer, SIoTFuzzer, which applies IoT firmware on the latest Linux-based simulation tool, FirmAE. We test nine IoT devices including a router and an IP camera and adopt a vulnerability detection mechanism. Our evaluation results show that (1) SIoTFuzzer is capable of finding real-world vulnerabilities in IoT devices; (2) our SMG is effective as it enables Boofuzz (a popular protocol fuzzer) to find command injection and cross-site scripting (XSS) vulnerabilities; and (3) compared to FirmFuzz, SIoTFuzzer found all the vulnerabilities in our benchmarks, while FirmFuzz found only four-the efficiency of our tool increased by 20.57% on average.

Xuechao Du,Andong Chen,Boyuan He,Hao Chen,Fan Zhang,Yan Chen

DOI: https://doi.org/10.1016/j.cose.2022.102889

2022-11-01

Abstract:In recent years, coverage-guided greybox fuzzing has demonstrated its efficiency in detecting security vulnerabilities on traditional devices. Instrumentation information plays a significant role in sophisticated greybox fuzzer such as American Fuzzing Lop to directionally improve coverage and distill seeds. While open-source programs leverage wrapped assemblers to glean instrumentation information, closed-source programs can utilize the emulation-based instrumentation for coverage-guided fuzzing. The pervasiveness of the closed source puts a strong demand for emulation instrumentation. However, the required access to peripherals brings great difficulty in fuzzing on the emulator, especially for those various IoT devices. This paper presents AflIot, the first generic on-device fuzzing framework for Linux-based IoT binary programs. By leveraging offset-free binary-level instrumentation, binary programs can avoid unnecessarily rewriting, inherit compatibility of peripherals, and be executed directly on IoT devices by AflIot. We evaluate AflIot on multiple benchmarks with real-world IoT programs. AflIot identified 437 unique crashes in 13 binary programs, including 95 newly confirmed unique crashes. Those crashes demonstrate that AflIot is efficient and effective in detecting potential software bugs in binary programs on Linux-based IoT devices.

computer science, information systems

Yurong Chen,Yongsheng Mei,Tian Lan,Guru Venkataramani

DOI: https://doi.org/10.1145/3526088

2024-01-01

Digital Threats Research and Practice

Abstract:In recent years, coverage-based greybox fuzzing has become popular forvulnerability detection due to its simplicity and efficiency. However, it is less powerful when applied directly to protocol fuzzing due to the unique challenges involved in fuzzing communication protocols. In particular, the communication among multiple ends contains more than one packet, which are not necessarily dependent upon each other, i.e., fuzzing single (usually the first) packet can only achieve extremely limited code coverage. In this paper, we study such challenges and demonstrate the limitation of current non-stateful greybox fuzzer. In order to achieve higher code coverage, we design stateful protocol fuzzing strategies for communication protocols to explore the code related to different protocol states. Our approach contains a state switching engine, together with a multi-state forkserver to consistently and flexibly fuzz different states of an compiler-instrumented protocol program. Our experimental results on OpenSSL show that our approach achieves an improvement of 73% more code coverage and 2x unique crashes when comparing against fuzzing the first packet during a protocol handshake.

Fanglei Zhang,Baojiang Cui,Chen Chen,Yiqi Sun,Kairui Gong,Jinxin Ma

DOI: https://doi.org/10.1007/978-3-030-79728-7_30

2021-01-01

Abstract:The early research on IoT (Internet of Things) firmware is mostly based on the hardware environment, the software interfaces and hardware resources are very limited, and the traditional dynamic debugging and fuzzing tools cannot be executed efficiently, which leads to high research costs. In order to solve this problem, a simulation-based fuzzing prototype tool for smart IoT devices (IoTSFT) is proposed in this paper. It builds a pure software virtual environment to make the firmware run out of hardware constraints. In addition, the security analysis of the firmware can be completed by combining the path coverage-based fuzzing technology. It is verified by experiments that IoTSFT can successfully simulate binary, obtain the sample execution path coverage, and fuzz the target binary.

Ke Yan,Bo Yu,Yong Tang,Xiangdong Kong,Chen,Jin Lei

DOI: https://doi.org/10.1109/dsc55868.2022.00060

2022-01-01

Abstract:Fuzzing is one of the most popular software analysis techniques for discovering vulnerabilities. Different from common terminal software, servers should be interacted with well-formed message that conforms to protocol specifications to exercise more functions. However, without protocol specifications, random bit flipping is unlikely to generate valid messages, making fuzzing struggle to traverse the deeper branches of the program. What’s more, manually extracting specifications is typically labor-intensive. In this paper, we present NAFuzzer, a format-aware fuzzing framework for network protocol software. Based on the key insight that similar message fields being parsed at similar locations in the program, NAFuzzer collects constraints of message handling process using replay-based concolic execution, then runs Loop Mapping algorithm to infer the protocol format, and finally uses the format information to generate seeds and perform fuzzing. We implemented and evaluated NAFuzzer on 6 real-world protocol software (LightFTP, Exim, Live555, NetSNMP, Dnsmasq, TinyHTTPd). The results show that NAFuzzer can extract the message formats of six protocol software with a field recognition accuracy of close to 90%. In fuzzing, it achieves higher branch coverage (up to 27.3%) and discovers more paths (up to 38.2%) compared to state-of-the-art fuzzers without any manual involvement.

Zhengxiong Luo,Feilong Zuo,Yuheng Shen,Xun Jiao,Wanli Chang,Yu Jiang

DOI: https://doi.org/10.1109/dac18072.2020.9218603

2020-01-01

Abstract:Industrial Control System (ICS) protocols play an essential role in building communications among system components. Recently, many severe vulnerabilities, such as Stuxnet and DragonFly, exposed in ICS protocols have affected a wide distribution of devices. Therefore, it is of vital importance to ensure their correctness. However, the vulnerability detection efficiency of traditional techniques such as fuzzing is challenged by the complexity and diversity of the protocols.In this paper, we propose to equip the traditional protocol fuzzing with coverage-guided packet crack and generation. We collect the coverage information during the testing procedure, save those valuable packets that trigger new path coverage and crack them into pieces, based on which, we can construct higher-quality new packets for further testing. For evaluation, we build Peach * on top of Peach, which is one of the most widely used protocol fuzzers, and conduct experiments on several ICS protocols such as Modbus and DNP3. Results show that, compared with the original Peach, Peach * achieves the same code coverage and bug detection numbers at the speed of 1.2X-25X. It also gains final increase with 8.35%-36.84% more paths within 24 hours and has exposed 9 previously unknown vulnerabilities.

Florian Hofhammer,Qinying Wang,Atri Bhattacharyya,Majid Salehi,Bruno Crispo,Manuel Egele,Mathias Payer,Marcel Busch

2024-12-17

Abstract:Dynamic analysis and especially fuzzing are challenging tasks for embedded firmware running on modern low-end Microcontroller Units (MCUs) due to performance overheads from instruction emulation, the difficulty of emulating the vast space of available peripherals, and low availability of open-source embedded firmware. Consequently, efficient security testing of MCU firmware has proved to be a resource- and engineering-heavy endeavor. EmbedFuzz introduces an efficient end-to-end fuzzing framework for MCU firmware. Our novel firmware transplantation technique converts binary MCU firmware to a functionally equivalent and fuzzing-enhanced version of the firmware which executes on a compatible high-end device at native performance. Besides the performance gains, our system enables advanced introspection capabilities based on tooling for typical Linux user space processes, thus simplifying analysis of crashes and bug triaging. In our evaluation against state-of-the-art MCU fuzzers, EmbedFuzz exhibits up to eight-fold fuzzing throughput while consuming at most a fourth of the energy thanks to its native execution.

Cryptography and Security