Fast Firmware Fuzz with Input/Output Reposition
摘要
Embedded devices are used ubiquitously for managing both personnel belongs and critical infrastructures. Researchers have adopted various fuzzing techniques to test firmware images of embedded devices for detecting security vulnerabilities. However, firmware images are different from traditional desktop applications, especially in the input/output system, which brings unique changes that hinder efficient testing. In this paper, we propose a novel method, input/output reposition (or I/O reposition) to improve the performance of fuzzing firmware images. The core idea is to automatically replace the interrupt-based I/O method with polling to address two issues. First, interrupt introduces a lot of context switches, leading to heavy overhead; Second, interrupt is triggered in a low frequency and the system either starves on input or gets stuck on output. We implement Fire that utilizes probabilistic invocation and interrupt service slicing to achieve practical I/O reposition. We evaluate Fire on 30 popular and widely used firmware images. The results show that Fire brings 95.4% higher throughput and achieves 30.4% more code coverage. Fuzzing Fire-modified images can detect 12 known bugs with 63.6% of the time required by fuzzing the original images. We detect three new vulnerabilities from tested firmware images and have reported to their developers.