FirmRCA: Towards Post-Fuzzing Analysis on ARM Embedded Firmware with Efficient Event-based Fault Localization

TL;DR

FirmRCA is designed and implemented, a practical fault localization framework tailored specifically for embedded firmware that introduces an event-based footprint collection approach that leverages concrete memory accesses in the crash reproducing process to aid and significantly expedite reverse execution, and proposes a novel strategy to highlight key instructions related to the root cause.

Abstract

While fuzzing has demonstrated its effectiveness in exposing vulnerabilities within embedded firmware, the discovery of crashing test cases is only the first step in improving the security of these critical systems. The subsequent fault localization process, which aims to precisely identify the root causes of observed crashes, is a crucial yet time-consuming post-fuzzing work. Unfortunately, the automated root cause analysis on embedded firmware crashes remains an underexplored area, which is challenging from several perspectives: (1) the fuzzing campaign towards the embedded firmware lacks adequate debugging mechanisms, making it hard to automatically extract essential runtime information for analysis; (2) the inherent raw binary nature of embedded firmware often leads to over-tainted and noisy suspicious instructions, which provides limited guidance for analysts in manually investigating the root cause and remediating the underlying vulnerability. To address these challenges, we design and implement FirmRCA, a practical fault localization framework tailored specifically for embedded firmware. FirmRCA introduces an event-based footprint collection approach to aid and significantly expedite reverse execution. Next, to solve the complicated memory alias problem, FirmRCA proposes a history-driven method by tracking data propagation through the execution trace, enabling precise identification of deep crash origins. Finally, FirmRCA proposes a novel strategy to highlight key instructions related to the root cause, providing practical guidance in the final investigation. We evaluate FirmRCA with both synthetic and real-world targets, including 41 crashing test cases across 17 firmware images. The results show that FirmRCA can effectively (92.7% success rate) identify the root cause of crashing test cases within the top 10 instructions.

Figures (10)

• Figure 1: Two instruction snippets of direct reasons to trigger firmware crashes. The relevant register values before the execution of the instruction are shown on the right. The snippet (a) shows an invalid memory write and the snippet (b) shows an invalid instruction execution.
• Figure 2: Overview of FirmRCA. The architecture of FirmRCA consists of three components, including footprint collection, reverse execution, and root cause analysis.
• Figure 3: An instruction snippet of CVE-2021-3322, where a radio frame is inserted and marked for fragmentation. The frame contains the full payload size, leading to an unexpected pointer alias, which finally results in an unexpected NULL pointer dereference in net_6lo_uncompress function.
• Figure 4: An instruction snippet of the firmware for CVE-2021-3322. Inconsecutive instructions for intraprocedural and interprocedural analysis are highlighted in different colors.
• Figure 5: An example of constructing the use-define chain for the instruction LDR R0, [R1, #4]. The source operand [R1, #4] and its base register R1 generate two use nodes. The destination operand R0 generates a define node.