Embedded devices are used ubiquitously for managing both personnel belongs and critical infrastructures. Researchers have adopted various fuzzing techniques to test firmware images of embedded devices for detecting security vulnerabilities. However, firmware images are different from traditional desktop applications, especially in the input/output system, which brings unique changes that hinder efficient testing. In this paper, we propose a novel method, input/output reposition (or I/O reposition) to improve the performance of fuzzing firmware images. The core idea is to automatically replace the interrupt-based I/O method with polling to address two issues. First, interrupt introduces a lot of context switches, leading to heavy overhead; Second, interrupt is triggered in a low frequency and the system either starves on input or gets stuck on output. We implement Fire that utilizes probabilistic invocation and interrupt service slicing to achieve practical I/O reposition. We evaluate Fire on 30 popular and widely used firmware images. The results show that Fire brings 95.4% higher throughput and achieves 30.4% more code coverage. Fuzzing Fire-modified images can detect 12 known bugs with 63.6% of the time required by fuzzing the original images. We detect three new vulnerabilities from tested firmware images and have reported to their developers.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Fast Firmware Fuzz with Input/Output Reposition

  • Mingfeng Xin,
  • Liting Deng,
  • Hui Wen,
  • Dongliang Fang,
  • Shichao Lv,
  • Limin Sun

摘要

Embedded devices are used ubiquitously for managing both personnel belongs and critical infrastructures. Researchers have adopted various fuzzing techniques to test firmware images of embedded devices for detecting security vulnerabilities. However, firmware images are different from traditional desktop applications, especially in the input/output system, which brings unique changes that hinder efficient testing. In this paper, we propose a novel method, input/output reposition (or I/O reposition) to improve the performance of fuzzing firmware images. The core idea is to automatically replace the interrupt-based I/O method with polling to address two issues. First, interrupt introduces a lot of context switches, leading to heavy overhead; Second, interrupt is triggered in a low frequency and the system either starves on input or gets stuck on output. We implement Fire that utilizes probabilistic invocation and interrupt service slicing to achieve practical I/O reposition. We evaluate Fire on 30 popular and widely used firmware images. The results show that Fire brings 95.4% higher throughput and achieves 30.4% more code coverage. Fuzzing Fire-modified images can detect 12 known bugs with 63.6% of the time required by fuzzing the original images. We detect three new vulnerabilities from tested firmware images and have reported to their developers.