ES-FUZZ: Improving the Coverage of Firmware Fuzzing with Stateful and Adaptable MMIO Models

Published 10 Mar 2024 in cs.CR | (2403.06281v3)

Abstract: Gray-box fuzzing is widely used for testing embedded systems (ESes). State-of-the-art (SOTA) gray-box fuzzers test ES firmware in fully emulated environments without real peripherals, emulating the missing peripherals to achieve decent code coverage. Some of these fuzzers infer the memory-mapped I/O (MMIO) behavior of firmware peripherals from the firmware binary. We find that they emulate the inferred MMIO behavior using stateless and non-adaptive MMIO models, which perform poorly when the firmware issues a sequence of MMIO reads to collectively retrieve a data chunk. This leaves ample room for improving the code coverage of these fuzzers. We propose ES-Fuzz to improve the code coverage of each such fuzzer using stateful MMIO models that adapt to overcome the fuzzer's coverage bottlenecks. ES-Fuzz runs concurrently with a given fuzzer and starts a new run whenever the fuzzer's coverage stagnates. In each run, ES-Fuzz leverages a high-coverage test case to generate new stateful MMIO models that boost the coverage further. We have implemented ES-Fuzz on top of Fuzzware and evaluated it with 24 popular ES firmware. ES-Fuzz is shown to enhance Fuzzware's coverage by up to 54% in 11 of them and to trigger additional bugs in 5 of them, without hurting the coverage in the remainder. ES-Fuzz's MMIO models are shown to describe a wide range of MMIO-retrieved data chunks and the firmware's usage of the same data chunk in various contexts.
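The abstract's central observation, that a stateless MMIO model answers each read of a register in isolation and therefore cannot serve a firmware routine that reads the same register repeatedly to assemble one data chunk, can be made concrete with a small simulation. The following is an added example written for this page; it is not code from the paper, from Fuzzware or from ES-Fuzz. The UART register addresses, the status-bit layout, the frame format (magic byte, length, payload, XOR checksum) and the "coverage trace" returned by the mock firmware routine are all assumptions made for the example, and the stateless model is a deliberate caricature of a one-value-per-register model rather than a reproduction of any real fuzzer's models.

```python
# Added example (not code from the paper, Fuzzware or ES-Fuzz): a toy model of
# why a stateless per-register MMIO model cannot satisfy firmware that reads the
# same data register repeatedly to assemble a framed chunk, and how a stateful
# model that walks through the chunk can. Register addresses, bit layout and the
# frame format are assumptions made for this example.

UART_STATUS = 0x40004400   # assumed: bit 0 set when a received byte is available
UART_DATA = 0x40004404     # assumed: returns one received byte per read
RX_AVAIL = 0x01
FRAME_MAGIC = 0xAA         # assumed frame: MAGIC, LEN, LEN payload bytes, XOR checksum
MAX_LEN = 64


class StatelessModel:
    """Caricature of a stateless, non-adaptive model: every register is bound
    to one value derived from the input, so repeated reads return the same
    byte no matter how far the firmware is into a chunk."""

    def __init__(self, fuzz_input: bytes):
        self.values = {
            UART_STATUS: RX_AVAIL,                        # keep the RX loop alive
            UART_DATA: fuzz_input[0] if fuzz_input else 0,
        }

    def read(self, addr: int) -> int:
        return self.values.get(addr, 0)


class StatefulChunkModel:
    """DATA reads advance through a chunk of the input; STATUS reflects whether
    any bytes of the chunk remain."""

    def __init__(self, fuzz_input: bytes):
        self.chunk = bytes(fuzz_input)
        self.pos = 0

    def read(self, addr: int) -> int:
        if addr == UART_STATUS:
            return RX_AVAIL if self.pos < len(self.chunk) else 0
        if addr == UART_DATA and self.pos < len(self.chunk):
            b = self.chunk[self.pos]
            self.pos += 1
            return b
        return 0


def firmware_rx_frame(mmio):
    """Mimics a firmware receive routine. Returns (coverage trace, payload);
    'dispatch' in the trace marks the deep handler a fuzzer wants to reach."""
    cov = ["poll"]

    def next_byte():
        if not (mmio.read(UART_STATUS) & RX_AVAIL):
            return None
        return mmio.read(UART_DATA)

    if next_byte() != FRAME_MAGIC:
        cov.append("bad_magic")
        return cov, None
    length = next_byte()
    if length is None or length == 0 or length > MAX_LEN:
        cov.append("bad_len")
        return cov, None
    payload = bytearray()
    for _ in range(length):
        b = next_byte()
        if b is None:
            cov.append("underrun")
            return cov, None
        payload.append(b)
    csum = 0
    for b in payload:
        csum ^= b
    if next_byte() != csum:
        cov.append("bad_csum")
        return cov, None
    cov.append("dispatch")
    return cov, bytes(payload)


def reaches_dispatch(model_cls, fuzz_input: bytes) -> bool:
    cov, _ = firmware_rx_frame(model_cls(fuzz_input))
    return "dispatch" in cov


def stateless_search() -> int:
    """Exhaustively try every single-byte binding of UART_DATA for the
    stateless model and count how many reach 'dispatch' (none can, because
    the magic byte 0xAA is also read as a length and exceeds MAX_LEN)."""
    return sum(reaches_dispatch(StatelessModel, bytes([v])) for v in range(256))


# Constructed frame: magic 0xAA, length 3, payload 'abc', checksum 0x61^0x62^0x63 = 0x60.
GOOD_FRAME = bytes([FRAME_MAGIC, 3]) + b"abc" + bytes([0x60])

if __name__ == "__main__":
    print("stateless bindings reaching dispatch:", stateless_search())
    print("stateful model on GOOD_FRAME:", firmware_rx_frame(StatefulChunkModel(GOOD_FRAME)))
```

The exhaustive search over the stateless model shows the coverage bottleneck the abstract describes: no single per-register value can be both a valid magic byte and a valid length, so the handler behind the frame check is unreachable no matter how the input is mutated. The stateful model reaches it with one well-formed chunk, and its trace also exposes the underrun and bad-checksum paths that only exist once reads are sequenced.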

References (22)
  1. D. Davidson, B. Moench, T. Ristenpart, and S. Jha, “FIE on firmware: finding vulnerabilities in embedded systems using symbolic execution,” in 22nd USENIX Security Symposium (USENIX Security 13), August 2013, pp. 463–478.
  2. M. Muench, J. Stijohann, F. Kargl, A. Francillon, and D. Balzarotti, “What you corrupt is not what you crash: challenges in fuzzing embedded devices,” in Network and Distributed Systems Security (NDSS) Symposium 2018, February 2018.
  3. N. Corteggiani, G. Camurati, and A. Francillon, “Inception: system-wide security testing of real-world embedded systems software,” in 27th USENIX Security Symposium (USENIX Security 18), August 2018, pp. 309–326.
  4. E. Gustafson, M. Muench, C. Spensky, N. Redini, A. Machiry, Y. Fratantonio, A. Francillon, D. Balzarotti, Y. R. Choe, C. Kruegel, and G. Vigna, “Toward the analysis of embedded firmware through automated re-hosting,” in 22nd International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2019), September 2019, pp. 135–150.
  5. B. Feng, A. Mera, and L. Lu, “P2IM: scalable and hardware-independent firmware testing via automatic peripheral interface modeling,” in 29th USENIX Security Symposium (USENIX Security 20), August 2020, pp. 1237–1254.
  6. C. Cao, L. Guan, J. Ming, and P. Liu, “Device-agnostic firmware execution is possible: a concolic execution approach for peripheral emulation,” in Annual Computer Security Applications Conference (ACSAC ’20), December 2020, pp. 746–759.
  7. W. Zhou, L. Guan, P. Liu, and Y. Zhang, “Automatic firmware emulation through invalidity-guided knowledge inference,” in 30th USENIX Security Symposium (USENIX Security 21), August 2021, pp. 2007–2024.
  8. A. Mera, B. Feng, L. Lu, and E. Kirda, “DICE: automatic emulation of DMA input channels for dynamic firmware analysis,” in 2021 IEEE Symposium on Security and Privacy (SP), May 2021, pp. 1938–1954, doi: 10.1109/SP40001.2021.00018.
  9. T. Scharnowski, N. Bars, M. Schloegel, E. Gustafson, M. Muench, G. Vigna, C. Kruegel, T. Holz, and A. Abbasi, “Fuzzware: using precise MMIO modeling for effective firmware fuzzing,” in 31st USENIX Security Symposium (USENIX Security 22), August 2022, pp. 1239–1256.
  10. W. Zhou, L. Zhang, L. Guan, P. Liu, and Y. Zhang, “What your firmware tells you is not how you should emulate it: a specification-guided approach for firmware emulation,” in 2022 ACM SIGSAC Conference on Computer and Communications Security (CCS ’22), November 2022, pp. 3269–3283, doi: 10.1145/3548606.3559386.
  11. W. Li, J. Shi, F. Li, J. Lin, W. Wang, and L. Guan, “μAFL: non-intrusive feedback-driven fuzzing for microcontroller firmware,” in 44th International Conference on Software Engineering (ICSE ’22), May 2022, pp. 1–12, doi: 10.1145/3510003.3510208.
  12. T. Scharnowski, S. Wörner, F. Buchmann, N. Bars, M. Schloegel, and T. Holz, “Hoedur: embedded firmware fuzzing using multi-stream inputs,” in 32nd USENIX Security Symposium (USENIX Security 23), August 2023, pp. 2885–2902.
  13. G. Farrelly, M. Chesser, and D. C. Ranasinghe, “Ember-IO: effective firmware fuzzing with model-free memory mapped IO,” in 2023 ACM Asia Conference on Computer and Communications Security (ASIA CCS ’23), July 2023, pp. 401–414, doi: 10.1145/3579856.3582840.
  14. M. Chesser, S. Nepal, and D. C. Ranasinghe, “Icicle: a re-designed emulator for grey-box firmware fuzzing,” in 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA 2023), July 2023, pp. 76–88.
  15. G. Farrelly, P. Quirk, S. S. Kanhere, S. Camtepe, and D. C. Ranasinghe, “SplITS: split input-to-state mapping for effective firmware fuzzing,” in 28th European Symposium on Research in Computer Security (ESORICS 2023), September 2023.
  16. A. Fioraldi, D. Maier, H. Eißfeldt, and M. Heuse, “AFL++: combining incremental steps of fuzzing research,” in 14th USENIX Workshop on Offensive Technologies (WOOT 20), August 2020, pp. 10–21.
  17. F. Bellard, “QEMU, a fast and portable dynamic translator,” in USENIX Annual Technical Conference (ATEC ’05), April 2005, pp. 41–46.
  18. L. de Moura and N. Bjørner, “Z3: an efficient SMT solver,” in International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS 2008), March 2008, pp. 337–340.
  19. Y. Shoshitaishvili, R. Wang, C. Salls, N. Stephens, M. Polino, A. Dutcher, J. Grosen, S. Feng, C. Hauser, C. Kruegel, and G. Vigna, “(State of) the art of war: offensive techniques in binary analysis,” in 2016 IEEE Symposium on Security and Privacy (SP), May 2016, pp. 138–157, doi: 10.1109/SP.2016.17.
  20. E. Baccelli, O. Hahm, M. Günes, M. Wählisch, and T. C. Schmidt, “RIOT OS: towards an OS for the Internet of Things,” in 2013 IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS), April 2013, pp. 79–80, doi: 10.1109/INFCOMW.2013.6970748.
  21. L. Seidel, D. Maier, and M. Muench, “Forming faster firmware fuzzers,” in 32nd USENIX Security Symposium (USENIX Security 23), August 2023, pp. 2903–2920.
  22. Y. Wu, T. Zhang, C. Jung, and D. Lee, “DevFuzz: automatic device model-guided device driver fuzzing,” in 2023 IEEE Symposium on Security and Privacy (SP), May 2023, pp. 3246–3261, doi: 10.1109/SP46215.2023.10179293.

Authors (2)