ES-FUZZ: Improving the Coverage of Firmware Fuzzing with Stateful and Adaptable MMIO Models (2403.06281v2)

Published 10 Mar 2024 in cs.CR

Abstract: Grey-box fuzzing is widely used for testing embedded systems (ESes). The fuzzers often test the ES firmware in a fully emulated environment without real peripherals. To achieve decent code coverage, some state-of-the-art (SOTA) fuzzers infer the memory-mapped I/O (MMIO) behavior of peripherals from the firmware binary. We find the thus-generated MMIO models stateless, fixed, and poor at handling ES firmware's MMIO reads for retrieval of a data chunk. This leaves ample room for improving the code coverage. We propose ES-Fuzz to enhance the coverage of firmware fuzz-testing with stateful MMIO models that adapt to the fuzzer's coverage bottleneck. ES-Fuzz runs concurrently with a given fuzzer and starts a new run whenever the fuzzer's coverage stagnates. It exploits the highest-coverage test case in each run and generates new stateful MMIO models that boost the fuzzer's coverage at that time. We have implemented ES-Fuzz upon Fuzzware and evaluated it with 24 popular ES firmware. ES-Fuzz is shown to improve Fuzzware's coverage by up to $47\%$ and find new bugs in these firmware.
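The abstract's core observation, that a stateless, fixed MMIO model cannot satisfy firmware that reads a data chunk byte by byte, can be shown with a small simulation. This is an added illustration written for this page, not code from the paper or from Fuzzware; the register addresses, the `RX_READY` flag and the `firmware_rx_frame` routine are constructed stand-ins for a UART-like peripheral and the firmware logic that polls it.

```python
from typing import Callable

# Constructed, hypothetical peripheral layout (not from the paper).
STATUS_REG = 0x40004400
DATA_REG = 0x40004404
RX_READY = 0x1


class StatelessModel:
    """Fixed model: every read of an address yields the same value."""

    def __init__(self, values: dict):
        self.values = values

    def read(self, addr: int) -> int:
        return self.values.get(addr, 0)


class StatefulModel:
    """Stateful model: data-register reads walk a byte stream, and the
    status register reports RX_READY only while bytes remain."""

    def __init__(self, stream: bytes):
        self.stream = list(stream)
        self.pos = 0

    def read(self, addr: int) -> int:
        if addr == STATUS_REG:
            return RX_READY if self.pos < len(self.stream) else 0
        if addr == DATA_REG and self.pos < len(self.stream):
            byte = self.stream[self.pos]
            self.pos += 1
            return byte
        return 0


def firmware_rx_frame(read: Callable[[int], int], max_len: int = 16) -> str:
    """Constructed firmware logic: poll status, collect bytes until newline
    or max_len, then branch on a header. Returns the label of the basic
    block reached, standing in for a coverage edge."""
    buf = bytearray()
    while len(buf) < max_len:
        if read(STATUS_REG) & RX_READY == 0:
            return "timeout"
        byte = read(DATA_REG) & 0xFF
        if byte == ord("\n"):
            break
        buf.append(byte)
    if buf[:4] == b"CMD:":
        return "handle_command"
    return "bad_header"
```

Because the stateless model returns one constant per address, the buffer can only ever hold repeats of a single byte, so `handle_command` is unreachable no matter which constant the fuzzer supplies; the stateful model reaches it with a single ten-byte stream.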
