FirmRCA: Towards Post-Fuzzing Analysis on ARM Embedded Firmware with Efficient Event-based Fault Localization

Published 24 Oct 2024 in cs.CR | (2410.18483v1)

Abstract: While fuzzing has demonstrated its effectiveness in exposing vulnerabilities within embedded firmware, the discovery of crashing test cases is only the first step in improving the security of these critical systems. The subsequent fault localization process, which aims to precisely identify the root causes of observed crashes, is a crucial yet time-consuming post-fuzzing task. Unfortunately, automated root cause analysis of embedded firmware crashes remains an underexplored area, which is challenging from several perspectives: (1) fuzzing campaigns against embedded firmware lack adequate debugging mechanisms, making it hard to automatically extract the essential runtime information needed for analysis; (2) the raw binary nature of embedded firmware often leads to over-tainted and noisy sets of suspicious instructions, which provide limited guidance to analysts manually investigating the root cause and remediating the underlying vulnerability. To address these challenges, we design and implement FirmRCA, a practical fault localization framework tailored specifically for embedded firmware. FirmRCA introduces an event-based footprint collection approach to aid and significantly expedite reverse execution. Next, to solve the complicated memory alias problem, FirmRCA proposes a history-driven method that tracks data propagation through the execution trace, enabling precise identification of deep crash origins. Finally, FirmRCA proposes a novel strategy to highlight key instructions related to the root cause, providing practical guidance for the final investigation. We evaluate FirmRCA on both synthetic and real-world targets, including 41 crashing test cases across 17 firmware images. The results show that FirmRCA can effectively (92.7% success rate) identify the root cause of crashing test cases within the top 10 instructions.
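As an added illustration (not code from the paper) of the memory alias problem the abstract describes, the following Python example slices a recorded execution trace backwards from a crashing load, once using the per-event effective addresses the trace recorded and once treating memory as opaque. The ARM-like instruction sequence and addresses are constructed for this example.

```python
"""Backward data-flow slicing over a recorded execution trace.

Constructed illustration of why recorded memory addresses (the trace
"history") are needed to resolve memory aliases during reverse analysis.
Not FirmRCA's code; the trace below is a made-up ARM-like sequence.
"""

# Each event: (index, disassembly, defs, uses). Memory operands carry the
# effective address observed at runtime, e.g. "mem:0x20000004".
TRACE = [
    (0, "mov r1, #0x20000000", {"r1"}, set()),
    (1, "ldr r0, [r5]",        {"r0"}, {"r5", "mem:0x20000100"}),
    (2, "str r0, [r1, #4]",    {"mem:0x20000004"}, {"r0", "r1"}),
    (3, "mov r2, #0",          {"r2"}, set()),                 # unrelated noise
    (4, "ldr r3, [r1, #4]",    {"r3"}, {"r1", "mem:0x20000004"}),
    (5, "add r4, r6, r3",      {"r4"}, {"r6", "r3"}),
    (6, "ldr r7, [r4]",        {"r7"}, {"r4", "mem:0xdeadbee0"}),  # crash here
]


def _strip_memory(locs):
    """Drop memory locations: models an analysis with no address history."""
    return {loc for loc in locs if not loc.startswith("mem:")}


def backward_slice(trace, crash_index, use_history=True):
    """Return trace indices (nearest first) whose results feed the crash.

    With use_history=False memory operands are treated as unknowable, which
    is the alias problem: the load at index 4 cannot be linked to the store
    at index 2 that produced its value, so the chain back to the input
    read at index 1 is lost.
    """
    crash = trace[crash_index]
    live = set(crash[3]) if use_history else _strip_memory(crash[3])
    result = []
    for idx, _asm, defs, uses in reversed(trace[:crash_index]):
        if not use_history:
            defs, uses = _strip_memory(defs), _strip_memory(uses)
        hit = live & defs
        if not hit:
            continue                      # does not define anything we need
        result.append(idx)
        live = (live - hit) | uses        # resolved defs leave, its inputs enter
    return result


if __name__ == "__main__":
    for mode in (True, False):
        print("history" if mode else "no history", backward_slice(TRACE, 6, mode))
```

With the recorded addresses the slice reaches the load from the input buffer at index 1; without them it stops at the register chain and the origin of the bad pointer is never seen.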
