With the boom in Internet-of-Things technology, billions of low-cost microcontroller-based IoT devices, which are not properly protected, are exposed to the Internet. One of the most important attack surfaces is the vulnerable firmware of IoT devices. Feedback-based greybox fuzzing, one of the most effective dynamic analysis approaches to detecting bugs, faces new challenges when applied to IoT firmware binaries. More specifically, (1) it lacks support for executing the firmware without real devices; (2) it lacks support for exploring the input space of multiple peripherals; (3) it is difficult to instrument the firmware and collect feedback to guide fuzzing.
To tackle the above challenges, we devised and implemented the first physical-device-agnostic hybrid fuzzing system, which can fuzz microcontroller-based firmware without real devices. First, a unified symbolic peripheral was integrated to emulate the behaviors of unknown peripherals, thus enabling physical-device-agnostic firmware execution. Furthermore, a hybrid approach was used to generate values for different peripheral accesses by combining constraint-based symbolic execution and mutation-based fuzzing. Finally, multiple coverage feedbacks, i.e., unique basic-block-to-basic-block transitions and peripheral-access-point-to-peripheral-access-point transitions, were collected to guide fuzzing with an underlying genetic algorithm.
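To make the two feedback signals concrete, here is an added illustration that is not the paper's code: a constructed toy firmware whose only inputs are the values returned by peripheral reads (standing in for the symbolic peripheral), a tracker that credits an input with the new basic-block (BB) transitions and new peripheral-access-point (PAP) transitions it exercises, and the selection step of a coverage-guided loop that keeps only inputs with positive fitness. The MMIO addresses, program counters and firmware logic are all invented for the example; mutation and crossover of the genetic algorithm are not modelled, only the feedback-driven selection.

```python
"""Transition-based coverage feedback for peripheral-driven firmware fuzzing.

Added example, not the paper's code. The firmware model below is constructed:
two assumed MMIO registers, invented PC values, and a toy control flow whose
branches depend only on what the (fuzzed) peripheral returns.
"""

STATUS = 0x40001000  # assumed MMIO status register (constructed address)
DATA = 0x40001004    # assumed MMIO data register (constructed address)


def run_firmware(periph_reads):
    """Execute the toy firmware against a dict {mmio_addr: [values...]}.

    Each peripheral read pops the next value queued for that address (0 once
    the queue is exhausted), which is how a fuzzed peripheral replaces real
    hardware. Returns the trace as a list of ("bb", addr) / ("pap", pc) events.
    """
    queues = {addr: list(vals) for addr, vals in periph_reads.items()}
    trace = []

    def read(addr, pc):
        trace.append(("pap", pc))          # every MMIO load is an access point
        queue = queues.get(addr, [])
        return queue.pop(0) if queue else 0

    trace.append(("bb", 0x1000))           # main: poll status register
    status = read(STATUS, pc=0x1004)
    if status & 0x1:                       # "data ready" bit set
        trace.append(("bb", 0x1010))
        data = read(DATA, pc=0x1014)
        if data == 0x42:                   # magic command byte
            trace.append(("bb", 0x1020))   # command handler
            read(DATA, pc=0x1024)          # consume one payload byte
        else:
            trace.append(("bb", 0x1030))   # reject unknown command
    else:
        trace.append(("bb", 0x1040))       # idle path
    trace.append(("bb", 0x1050))           # epilogue
    return trace


def transition_edges(trace):
    """Split a trace into (bb_edges, pap_edges): sets of consecutive pairs."""
    bb_prev = pap_prev = None
    bb_edges, pap_edges = set(), set()
    for kind, addr in trace:
        if kind == "bb":
            if bb_prev is not None:
                bb_edges.add((bb_prev, addr))
            bb_prev = addr
        elif kind == "pap":
            if pap_prev is not None:
                pap_edges.add((pap_prev, addr))
            pap_prev = addr
    return bb_edges, pap_edges


class CoverageTracker:
    """Global record of transitions seen so far across the whole campaign."""

    def __init__(self):
        self.bb_edges = set()
        self.pap_edges = set()

    def feedback(self, trace):
        """Record the trace; return counts of (new BB edges, new PAP edges)."""
        bb, pap = transition_edges(trace)
        new_bb, new_pap = bb - self.bb_edges, pap - self.pap_edges
        self.bb_edges |= bb
        self.pap_edges |= pap
        return len(new_bb), len(new_pap)


def fuzz_campaign(candidates):
    """Evaluate candidate peripheral inputs in order; keep those adding coverage.

    Fitness is the number of new BB plus new PAP transitions. A candidate with
    zero fitness is discarded, as in the selection step of a coverage-guided
    genetic loop. Returns (kept_inputs, tracker).
    """
    tracker = CoverageTracker()
    kept = []
    for cand in candidates:
        new_bb, new_pap = tracker.feedback(run_firmware(cand))
        if new_bb + new_pap > 0:
            kept.append(cand)
    return kept, tracker


# Constructed candidate inputs: the last two repeat already-covered paths.
CANDIDATES = [
    {STATUS: [0x0]},                  # idle path
    {STATUS: [0x1], DATA: [0x10]},    # data ready, rejected command
    {STATUS: [0x1], DATA: [0x42, 7]}, # data ready, handler reached
    {STATUS: [0x0]},                  # duplicate of the first
    {STATUS: [0x1], DATA: [0x99]},    # another rejected command, no new edges
]

if __name__ == "__main__":
    kept, tracker = fuzz_campaign(CANDIDATES)
    print(f"kept {len(kept)} of {len(CANDIDATES)} inputs, "
          f"{len(tracker.bb_edges)} BB edges, {len(tracker.pap_edges)} PAP edges")
```

The PAP transition set is what distinguishes this from plain edge coverage: the third candidate reaches the handler block, and the tracker credits it both for the new BB edges and for the new access-point pair (status read followed by the payload read), so inputs that change only which peripheral registers are touched, in which order, still count as progress even when the basic-block edges are familiar.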
We constructed a benchmark consisting of 1,032 firmware images with common C/C++ vulnerabilities. It forms a ground truth for evaluating security analysis techniques for IoT firmware. We performed a large-scale experimental evaluation over this benchmark, and the results showed that our system is able to fuzz IoT firmware effectively and efficiently.