Fuzzware: Using Precise MMIO Modeling for Effective Firmware Fuzzing

As embedded devices are becoming more pervasive in our everyday lives, they turn into an attractive target for adversaries. Despite their high value and large attack surface, applying automated testing techniques such as fuzzing is not straightforward for such devices. As fuzz testing firmware on constrained embedded devices is inefficient, state-of-the-art approaches instead opt to run the firmware in an emulator (through a process called re-hosting). However, existing approaches either use coarse-grained static models of hardware behavior or require manual effort to re-host the firmware. We propose a novel combination of lightweight program analysis, re-hosting, and fuzz testing to tackle these challenges. We present the design and implementation of FUZZWARE, a software-only system to fuzz test unmodified monolithic firmware in a scalable way. By determining how hardware-generated values are actually used by the firmware logic, FUZZWARE can automatically generate models that help focus the fuzzing process on mutating the inputs that matter, which drastically improves its effectiveness. We evaluate our approach on synthetic and real-world targets comprising a total of 19 hardware platforms and 77 firmware images. Compared to state-of-the-art work, FUZZWARE achieves up to 3.25 times the code coverage, and our modeling approach reduces the size of the input space by up to 95.5%. The synthetic samples contain 66 unit tests for various hardware interactions, and we find that our approach is the first generic re-hosting solution to automatically pass all of them. FUZZWARE discovered 15 completely new bugs, including bugs in targets which were previously analyzed by other works; a total of 12 CVEs were assigned.
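The abstract's central idea is that an MMIO read served from fuzzer input need not consume a full register-sized word when the firmware only inspects a few bits of it. The following Python script is an added illustration of that idea, written for this page; it is not Fuzzware's code. The firmware logic, the register addresses (`STATUS_REG`, `DATA_REG`) and the fuzz input are all constructed, and the used-bit inference uses a simple bit-flip probe as a stand-in for the paper's program analysis (an assumption for the sake of a self-contained example). It shows how a used-bit model shrinks the number of fuzz-input bits the firmware consumes for the same observed behaviour.

```python
import random
from typing import Callable, Dict, List, Tuple

# Hypothetical MMIO register addresses (constructed for this example).
STATUS_REG = 0x40001000
DATA_REG = 0x40001004
WORD_BITS = 32


class FuzzInput:
    """Fuzzer-provided byte stream; records how many bits a firmware run consumed."""

    def __init__(self, data: bytes):
        self.bits = int.from_bytes(data, "little")
        self.total_bits = len(data) * 8
        self.pos = 0

    def take_bits(self, n: int) -> int:
        if self.pos + n > self.total_bits:
            raise EOFError("fuzz input exhausted")
        val = (self.bits >> self.pos) & ((1 << n) - 1)
        self.pos += n
        return val


# Constructed firmware logic: bit 0 of STATUS means "data ready"; the low byte
# of DATA is the received character. All other bits are ignored by the firmware.
def status_ready(status: int) -> bool:
    return bool(status & 0x1)


def decode_data(data: int) -> int:
    return data & 0xFF


def infer_used_mask(observe: Callable[[int], object], probes: int = 16, seed: int = 1) -> int:
    """Infer which bits of a 32-bit MMIO value influence the firmware's behaviour.
    Stand-in for the paper's analysis (assumption): flip each bit of a few random
    words and keep the bits whose flip changes the observed outcome."""
    rng = random.Random(seed)
    mask = 0
    for _ in range(probes):
        base = rng.getrandbits(WORD_BITS)
        ref = observe(base)
        for bit in range(WORD_BITS):
            if observe(base ^ (1 << bit)) != ref:
                mask |= 1 << bit
    return mask


def mmio_read(addr: int, models: Dict[int, int], inp: FuzzInput) -> int:
    """Serve an MMIO read from fuzz input. Without a model the full word is
    consumed; with a used-bit mask only that many bits are taken and scattered
    into the masked positions, so mutations only ever touch bits that matter."""
    mask = models.get(addr, (1 << WORD_BITS) - 1)
    raw = inp.take_bits(bin(mask).count("1"))
    value, i = 0, 0
    for bit in range(WORD_BITS):
        if (mask >> bit) & 1:
            value |= ((raw >> i) & 1) << bit
            i += 1
    return value


def run_firmware(inp: FuzzInput, models: Dict[int, int], polls: int = 4) -> Tuple[List[int], int]:
    """Bounded polling loop: read STATUS, and when ready read one DATA byte.
    Returns the received bytes and the number of fuzz-input bits consumed."""
    received = []
    for _ in range(polls):
        status = mmio_read(STATUS_REG, models, inp)
        if status_ready(status):
            received.append(decode_data(mmio_read(DATA_REG, models, inp)))
    return received, inp.pos


def build_models() -> Dict[int, int]:
    return {STATUS_REG: infer_used_mask(status_ready), DATA_REG: infer_used_mask(decode_data)}


def compare(data: bytes, models: Dict[int, int]) -> Tuple[int, int, float]:
    """Bits consumed unmodeled vs. modeled on the same input, and the reduction."""
    _, naive = run_firmware(FuzzInput(data), {})
    _, modeled = run_firmware(FuzzInput(data), models)
    return naive, modeled, 1 - modeled / naive


if __name__ == "__main__":
    sample = b"\xff" * 32  # constructed fuzz input: every register reads as all-ones
    models = build_models()
    print({hex(a): hex(m) for a, m in models.items()})  # {'0x40001000': '0x1', '0x40001004': '0xff'}
    print(compare(sample, models))  # (256, 36, 0.859375)
```

On this constructed target the inferred models are a single status bit and an eight-bit data field, so each poll iteration consumes 9 fuzz bits instead of 64; the firmware observes exactly the same sequence of received bytes in both runs, which is the property that makes the reduced input space safe to fuzz over.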
