Edge Coverage Feedback of Embedded Systems Fuzzing Based on Debugging Interfaces
摘要
Fuzzing is one of the most widely used dynamic testing techniques for identifying bugs and vulnerabilities. However, the lack of accurate and generalized hardware-based coverage feedback methods hinders the application of Coverage-based Gray-box Fuzzing (CGF) on embedded systems. To cope with this problem, we propose an edge-coverage feedback method based on debugging interfaces for the first time and implement the prototype tool HIFuzz. HIFuzz first utilizes hardware breakpoints and debug probes to obtain information about a single node on the execution path. Other nodes on the path are then traced based on the dominance relations between nodes in the Control-Flow Graph (CFG). Finally, HIFuzz analyzes the edges contained in the execution path to obtain edge coverage feedback. In addition, we customize the breakpoint setting strategy and seed scheduling strategy for HIFuzz to improve the probability of hitting breakpoints and discovering new paths. Experiments show that HIFuzz can efficiently trace execution paths based on breakpoints and dominance relations. In tests using the MSP430, ESP32, and STM32, an average of 2.3 to 4.1 new edges can be tracked per breakpoint hit, saving 56.5% to 75.6% of the probing task. Compared with the state-of-the-art fuzzer GDBFuzz and black-box fuzzing, HIFuzz achieves the highest coverage in 8 of the 9 scenarios. In addition, our approach achieves high performance without impacting execution efficiency.