Journal articles
12 articles found
1. ADFEmu: Enhancing Firmware Fuzzing with Direct Memory Access (DMA) Input Emulation Using Concolic Execution and Large Language Models (LLMs)
Authors: Yixin Ding, Xinjian Zhao, Zicheng Wu, Yichen Zhu, Longkun Bai, Hao Han. Computers, Materials & Continua, 2025, No. 9, pp. 5977-5993 (17 pages)
Fuzz testing is a widely adopted technique for uncovering bugs and security vulnerabilities in embedded firmware. However, many embedded systems rely heavily on peripherals, rendering conventional fuzzing techniques ineffective. When peripheral responses are missing or incorrect, fuzzing a firmware may crash or exit prematurely, significantly limiting code coverage. While prior re-hosting approaches have made progress in simulating Memory-Mapped Input/Output (MMIO) and interrupt-based peripherals, they either ignore Direct Memory Access (DMA) or handle it in an oversimplified way. In this work, we present ADFEmu, a novel automated firmware re-hosting framework that enables effective fuzzing of DMA-enabled firmware. ADFEmu integrates concolic execution with large language models (LLMs) to semantically emulate DMA operations and synthesize peripheral input sequences intelligently. Specifically, it learns DMA transfer patterns from the firmware's context and employs guided symbolic execution to explore deeper and more diverse execution paths. This approach allows firmware to operate stably without hardware dependencies while achieving higher fidelity in emulation. Evaluated on real-world embedded firmware samples, ADFEmu achieves a 100% re-hosting success rate, improves total execution path exploration by 5.31%, and triggers more crashes compared to the state of the art. These results highlight ADFEmu's effectiveness in overcoming long-standing limitations of DMA emulation and its potential to advance automated vulnerability discovery in peripheral-rich embedded environments.
Keywords: fuzz testing; firmware rehosting; DMA; concolic execution; LLMs
2. Concolic Testing Based on Dynamic Slicing of Parallel Java Programs (cited by: 3)
Authors: 濮方琍, 卢炎生. 《华中科技大学学报(自然科学版)》 (Journal of Huazhong University of Science and Technology, Natural Science Edition), indexed in EI, CAS, CSCD, PKU Core, 2009, No. 10, pp. 21-24 (4 pages)
To reduce the amount of information that must be analyzed and stored and to improve testing efficiency, and to address the problem in concolic testing that the same synchronization sequence is executed repeatedly and testing efficiency is low, this paper proposes a concolic testing method based on dynamic slicing of parallel Java programs. The method uses dynamic slicing of parallel programs to determine the synchronization sequences to be tested, without analyzing and storing information at every execution point of a synchronization sequence, and guarantees that the same synchronization sequence is never run twice. Experiments show that the concolic testing method based on dynamic slicing of parallel Java programs greatly improves the performance and efficiency of concolic testing and is highly practical.
Keywords: parallel Java programs; dynamic slicing; concolic testing; parallel testing; software testing
3. Research on a Source-Code-Oriented Directed Concolic Testing Method (cited by: 1)
Authors: 常超, 刘克胜, 赵军. 《计算机应用研究》 (Application Research of Computers), indexed in CSCD, PKU Core, 2018, No. 1, pp. 140-144 (5 pages)
When security testing large programs, concolic testing often suffers from path explosion and insufficient constraint-solving capability. To mitigate these problems, this paper proposes a source-code-oriented directed concolic testing method. For dangerous code regions that are prone to defects, it derives statically reachable path information and the necessary symbolic variables by backtracking according to control-flow and data-flow properties, so that coverage testing targets only the dangerous code regions. Empirical results show that by avoiding the analysis of irrelevant paths and symbolic variables, the proposed method significantly improves the efficiency of covering dangerous code regions and the probability of finding defects.
Keywords: concolic testing; defect detection; symbolic execution; code instrumentation; constraint solving
4. Software Backdoor Analysis Based on Sensitive Flow Tracking and Concolic Execution (cited by: 3)
Authors: XU Xin, WANG Jiajie, CHENG Shaoyin, ZHANG Tao, JIANG Fan. Wuhan University Journal of Natural Sciences, indexed in CAS, CSCD, 2016, No. 5, pp. 421-427 (7 pages)
In order to effectively detect and analyze backdoors, this paper introduces a method named Backdoor Analysis based on Sensitive flow tracking and Concolic Execution (BASEC). BASEC uses sensitive flow tracking to effectively discover backdoor behaviors, such as stealing secret information and injecting malicious data into the system, with fewer false negatives. With concolic execution on a predetermined path, the backdoor trigger condition can be extracted and analyzed to achieve high accuracy. BASEC has been implemented and experimented on several software backdoor samples widespread on the Internet, and over 90% of them can be detected. Compared with behavior-based and system-call-based detection methods, BASEC relies less on historical sample collections and is more effective in detecting software backdoors, especially those injected into software by modifying and recompiling source code.
Keywords: software backdoor detection; data flow tracking; concolic execution; malware detection
5. Research on Dynamic Web Page Testing Based on Concolic Testing
Authors: 张蕊, 刘振宇. 《计算机时代》 (Computer Era), 2010, No. 1, pp. 11-13 (3 pages)
Traditional software testing techniques are not fully applicable to dynamic Web programs, so it is necessary to explore testing methods suited to the characteristics of dynamic Web programs. This paper analyzes the characteristics of dynamic Web applications and the current state of their testing, briefly introduces the idea of concolic testing, applies concolic testing to the testing of dynamic content pages in Web applications, gives a concrete and targeted testing algorithm, and verifies it with an example.
Keywords: dynamic Web applications; testing techniques; concolic testing; execution paths
6. A Concolic Testing Method Based on Patch Comparison (cited by: 4)
Authors: 王欣, 郭涛, 董国伟, 邵帅, 辛伟. 《清华大学学报(自然科学版)》 (Journal of Tsinghua University, Science and Technology), indexed in EI, CAS, CSCD, PKU Core, 2013, No. 12, pp. 1737-1742 (6 pages)
This paper proposes a concolic testing method based on binary patch comparison for software vulnerability analysis. The method combines patch comparison with concolic testing: it first uses patch comparison to collect the program paths that contain vulnerability sink points, then uses that result to guide concolic testing, greatly reducing the number of paths to test. The results show that, compared with traditional concolic testing, the method can guide concolic testing fairly effectively, reduce the number of test paths and lower the resource overhead of testing, and is an effective means of vulnerability discovery and verification.
Keywords: concolic testing; patch comparison; vulnerability analysis
7. A Path-Guided Regression Test Suite Augmentation Method (cited by: 2)
Authors: 殷鹏川, 贲可荣. 《计算机工程与科学》 (Computer Engineering & Science), indexed in CSCD, PKU Core, 2014, No. 11, pp. 2159-2163 (5 pages)
To test evolving software thoroughly, regression testing usually needs to generate new test cases. Concolic testing is a software verification technique that performs symbolic execution along concrete execution paths and generates test data to execute all feasible paths of a program. In regression testing, because concolic testing focuses on the program itself and does not exploit existing test cases or software evolution information, it generates a large amount of useless test data, wasting resources and time. To solve this problem, this paper proposes a path-guided regression test suite augmentation method. Using the target path as guidance, the method selects, according to software evolution information, the test cases that help cover the target path, uses existing test cases to skip the overlapping initial sub-path, and performs concolic testing on the remaining target sub-path to generate test data that covers the target path. A case study shows that, compared with traditional concolic testing, the method covers the feasible paths of the program while effectively reducing the number of concolic testing paths and improving the efficiency of test data generation.
Keywords: regression testing; concolic testing; test suite augmentation; test data generation; path coverage
8. SHFuzz: A Hybrid Fuzzing Method Assisted by Static Analysis for Binary Programs (cited by: 1)
Authors: Wenjie Wang, Donghai Tian, Rui Ma, Hang Wei, Qianjin Ying, Xiaoqi Jia, Lei Zuo. China Communications, indexed in SCIE, CSCD, 2021, No. 8, pp. 1-16 (16 pages)
Fuzzing is an effective technique to find security bugs in programs by quickly exploring their input space. To further discover vulnerabilities hidden in deep execution paths, hybrid fuzzing combines fuzzing and concolic execution to get through complex branch conditions. In general, we observe that an execution path that passes through more, and more complex, basic blocks may have a higher chance of containing a security bug. Based on this observation, we propose a hybrid fuzzing method assisted by static analysis for binary programs. The basic idea of our method is to prioritize seed inputs according to the complexity of their associated execution paths. For this purpose, we utilize static analysis to evaluate the complexity of each basic block and employ the hardware trace mechanism to dynamically extract the execution path for calculating the seed inputs' weights. The key advantage of our method is that our system can test binary programs efficiently by using the hardware trace and hybrid fuzzing. To evaluate the effectiveness of our method, we design and implement a prototype system, namely SHFuzz. The evaluation results show that SHFuzz discovers more unique crashes on several real-world applications and the LAVA-M dataset when compared to previous solutions.
Keywords: hybrid fuzzing; static analysis; concolic execution; binary programs
9. Adaptive Emulation Framework for Multi-Architecture IoT Firmware Testing
Authors: Jihyeon Yu, Juhwan Kim, Youngwoo Lee, Fayozbek Rustamov, Joobeom Yun. Computers, Materials & Continua, indexed in SCIE, EI, 2023, No. 5, pp. 3291-3315 (25 pages)
Internet of things (IoT) devices are being used in an increasing number of areas. However, the low priority given to security and the variety of IoT types have made these devices vulnerable to attacks. To prevent this, recent studies have analyzed firmware in an emulation environment that does not require actual devices and is efficient for repeated experiments. However, these studies focused only on major firmware architectures and rarely considered exotic firmware. In addition, because of the diversity of firmware, the emulation success rate is not high in large-scale analyses. In this study, we propose the adaptive emulation framework for multi-architecture (AEMA). In the field of automated emulation frameworks for IoT firmware testing, AEMA addresses the following issues: (1) limited compatibility with exotic firmware architectures, (2) emulation instability when configuring an automated environment, and (3) a shallow testing range resulting from structured inputs. To tackle these problems, AEMA can emulate not only major firmware architectures but also exotic firmware architectures not previously considered, such as Xtensa, ColdFire, and reduced instruction set computer (RISC) version five, by implementing a minority emulator. Moreover, we applied an emulation arbitration technique and an input keyword extraction technique for emulation stability and efficient test case generation. We compared AEMA with other existing frameworks in terms of emulation success rates and fuzz testing. As a result, AEMA succeeded in emulating 864 out of 1,083 experimental firmware images overall and detected vulnerabilities at least twice as fast as the experimental group. Furthermore, AEMA found a 0-day vulnerability in real-world IoT devices within 24 h.
Keywords: Internet of things (IoT); emulation framework; firmware; fuzzing; concolic execution; vulnerability
10. Application of Symbolic Execution Techniques in Test Case Generation
Author: 曾嘉彦. 《现代计算机》 (Modern Computer), 2017, No. 3, pp. 12-16 (5 pages)
Symbolic execution was proposed nearly forty years ago; with the development of computer science and technology it has been widely applied in software engineering and has become a popular automated testing technique. This paper surveys the application of symbolic execution to test case generation, giving a comprehensive account of the basic principles of symbolic execution, the problems and challenges it faces together with the corresponding improvement strategies, and representative cases; it also introduces and compares existing tools, providing a reference for academia and industry.
Keywords: symbolic execution; concolic testing; automated testing; test case generation
11. A New Emulsifier (Surfactant): CONCOL.S
Author: 葛树生. 《石油石化节能》, 1992, No. 5, p. 10 (1 page)
This emulsifier (surfactant) was developed by the Japanese company CONCOL.S after many years of repeated research and experiments. Its composition is completely different from that of previous emulsifiers (surfactants): it consists of ultrafine carbon particles (colloidal particles with a diameter of 0.01 to 0.3 μm) dispersed in water by means of a protective colloid, dispersants and the like. As a result, the ultrafine carbon particles that adsorb the protective colloid form a composite film, and the high-molecular polar asphaltenes and resins in the heavy oil surround the surface of the water particles.
Keywords: emulsifier; CONCOL.S; protective colloid; ultrafine particles; molecular polarity; asphaltenes; composite film; carbon; water-droplet type; 田关
12. Modified Condition Decision Coverage Criteria for Test Suite Prioritization Using Particle Swarm Optimization (cited by: 1)
Authors: Gayatri Nayak, Mitrabinda Ray. International Journal of Intelligent Computing and Cybernetics, indexed in EI, 2019, No. 4, pp. 425-443 (19 pages)
Purpose: Test suite prioritization is the process of modifying the order in which tests run to meet certain objectives. Early fault detection and maximum coverage of source code are the main objectives of testing. Several test suite prioritization approaches have been proposed for the maintenance phase of the software development life cycle. Little work has been done on prioritizing test suites that satisfy the modified condition/decision coverage (MC/DC) criterion, which was derived for safety-critical systems. The authors note that MC/DC testing is mandatory for Level A software according to the RTCA/DO-178C standard. The paper aims to discuss this issue. Design/methodology/approach: This paper provides a novel method to prioritize the test suites for a system that includes the MC/DC criterion along with other important criteria that ensure adequate testing. Findings: In this approach, the authors generate test suites from the input Java program using concolic testing. These test suites are used to measure MC/DC% with a coverage calculator algorithm. The MC/DC% and execution time of these test suites are then fed into the basic particle swarm optimization technique with a modified objective function to prioritize the generated test suites. Originality/value: The proposed approach maximizes MC/DC% and minimizes the execution time of the test suites. The effectiveness of this approach is validated by experiments on 20 moderate-sized Java programs using the average percentage of faults detected metric.
Keywords: particle swarm optimization; concolic testing; MC/DC; test suite prioritization