Embedded Files
Overview
Overview
Symbolic Peripheral based Execution
Symbolic Peripheral based Execution
We propose an unified symbolic peripheral to emulate the behaviors of various unknown peripherals of QEMU, and use it to interact with firmware executed in emulator. All the I/O accesses to unknown peripherals including reading and writing operations are intercepted and forwarded to the unified symbolic peripheral. More specially, the unified symbolic peripheral provides three key behaviors for various unknown peripherals.
Hybrid Event Generation
Hybrid Event Generation
It is the key to generate effective events for various peripheral accesses, therefore exploring the multiple peripheral input spaces. Thus, we leverage the hybrid event generation, which consists ofconstraint-based and mutation-based generation techniques.
Coverage Feedback Guidance
Coverage Feedback Guidance
Due to the underlying translation and execution mechanism of QEMU, various run-time information such as executed basic blocks, instruments, visited peripheral access points and status of registersand memory could be tracked. Inspired by the AFL’s coverage based genetic optimization of fuzzing in QEMU mode, we collect two kinds of coverage feedbacks (i.e., BB2BB and PP2PP) to advance the hybrid firmware fuzzing.
Fault Detection Mechanism
Fault Detection Mechanism
We implemented a fault detection mechanism for microcontroller-based firmware inspired by the heuristics used to detect memory corruption in PANDA. More specifically, three tracking plugins are designed and implemented as QEMU TCG plugins in the fault detection mechanism.
Page updated
Google Sites
Report abuse