
ES-FUZZ: Improving the Coverage of Firmware Fuzzing with Stateful and Adaptable MMIO Models

Wei-Lun Huang, Kang G. Shin

TL;DR

ES-Fuzz tackles the coverage bottleneck in rehosting-based firmware fuzzing by introducing stateful and adaptable MMIO behavior that captures data chunks retrieved via multiple MMIO reads. It runs concurrently with an existing fuzzer, builds models from high-coverage traces through trace-guided dynamic symbolic execution (DSE), and deploys these models to expand exploration of firmware code paths. Evaluated on 24 ES firmware with Fuzzware, ES-Fuzz achieves up to 54% additional coverage in 11 of them and discovers new bugs in 5, while demonstrating the critical role of DSE heuristics in managing path explosion. The work shows that richer, IRQ-aware, data-usage semantics in MMIO modeling substantially improve fuzzing effectiveness for embedded firmware, with practical implications for the security of real-world devices.

Abstract

Gray-box fuzzing is widely used for testing embedded systems (ESes). State-of-the-art (SOTA) gray-box fuzzers test ES firmware in fully emulated environments without real peripherals. They emulate missing peripherals to achieve decent code coverage. Some fuzzers infer the memory-mapped I/O (MMIO) behavior of firmware peripherals from the firmware binary. We find that these fuzzers emulate the inferred MMIO behavior using stateless and non-adaptive MMIO models, which perform poorly in handling ES firmware's MMIO reads to collectively retrieve a data chunk. This leaves ample room for improving the code coverage of these fuzzers. We propose ES-Fuzz to improve the code coverage of each such fuzzer using stateful MMIO models that adapt to overcome the fuzzer's coverage bottlenecks. ES-Fuzz runs concurrently with a given fuzzer and starts a new run whenever the fuzzer's coverage stagnates. In each run, ES-Fuzz leverages a high-coverage test case to generate new stateful MMIO models that boost the coverage further. We have implemented ES-Fuzz upon Fuzzware and evaluated it with 24 popular ES firmware. ES-Fuzz is shown to enhance Fuzzware's coverage by up to 54% in 11 of them and trigger additional bugs in 5 of them without hurting the coverage in the remainder. ES-Fuzz's MMIO models are shown to describe a wide range of MMIO-retrieved data chunks and the firmware's usage of the same data chunk in various contexts.
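As an added illustration of the stateless-versus-stateful distinction the abstract draws (this is not ES-Fuzz's or Fuzzware's code): a toy receive routine retrieves a length byte, a payload and a checksum through repeated reads of a single UART data register, and a stateless per-address model cannot make those reads consistent with each other, while a stateful chunk model replayed from a high-coverage trace can. The register address, the routine and the trace are constructed, and grouping consecutive same-address reads stands in for the paper's trace-guided model construction.

```python
# Added illustration, not ES-Fuzz's or Fuzzware's code. Assumptions: a toy
# UART data register at a constructed address, a toy receive routine, and
# chunk recovery by grouping consecutive reads of one address in a trace.
UART_DR = 0x40004404  # constructed MMIO address for the example

class StatelessModel:
    """Stateless per-address model: every read of an address yields the same value."""
    def __init__(self, values):          # {addr: constant value}
        self.values = values
    def read(self, addr):
        return self.values.get(addr, 0)

class StatefulChunkModel:
    """Stateful model: consecutive reads of one address walk through a data chunk."""
    def __init__(self, addr, chunk):
        self.addr, self.chunk, self.pos = addr, chunk, 0
    def read(self, addr):
        if addr != self.addr or self.pos >= len(self.chunk):
            return 0
        self.pos += 1
        return self.chunk[self.pos - 1]

def firmware_rx_packet(mmio):
    """Toy firmware path: length byte, payload, checksum; returns the path reached."""
    length = mmio.read(UART_DR)
    if length == 0 or length > 8:
        return "reject_len"
    payload = bytes(mmio.read(UART_DR) for _ in range(length))
    if (sum(payload) & 0xFF) != mmio.read(UART_DR):
        return "bad_checksum"
    return "handle_packet"

def chunks_from_trace(trace):
    """Group consecutive reads of the same address in an (addr, value) MMIO trace."""
    groups = []
    for addr, value in trace:
        if groups and groups[-1][0] == addr:
            groups[-1][1].append(value)
        else:
            groups.append((addr, [value]))
    return [(addr, bytes(vals)) for addr, vals in groups]

# Constructed high-coverage trace: a 3-byte packet with a valid checksum.
HIGH_COV_TRACE = [(UART_DR, 3), (UART_DR, 0x10), (UART_DR, 0x20),
                  (UART_DR, 0x30), (UART_DR, 0x60)]

def compare():
    """Path reached under a stateless constant model vs. a stateful chunk model."""
    stateless = firmware_rx_packet(StatelessModel({UART_DR: 3}))
    addr, chunk = chunks_from_trace(HIGH_COV_TRACE)[0]
    stateful = firmware_rx_packet(StatefulChunkModel(addr, chunk))
    return stateless, stateful
```

The stateless model passes the length check but can never satisfy the checksum, because each read returns the same constant; the stateful model reaches the packet handler.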

Paper Structure (32 sections, 3 figures, 4 tables)

Figures (3)

  • Figure 1: ES-Fuzz and the given firmware fuzzer work together to improve fuzz-testing coverage.
  • Figure 2: Clustering of the MMIO reads presumed to have collectively retrieved a complete data chunk.
  • Figure 3: ES-Fuzz's and Fuzzware's coverage in the firmware under test over 24 hours.