Implementation

The hybrid fuzzing system for IoT firmware was implemented basedon Avatar2, Angr and AFL. We integrated the three tools into our system and add over 4.4K lines C code and 5K linespython code.

Fault Detection

Three tracking plugins are designed and implemented in the fault detection mechanism.

• Stack Tracking: This tracking plugin is designed to identify stack overflow and out-of-bound read and write vulnerability. More specially, we monitor all the direct and indirect function calls as well as the return instructions. We check if their return addresses are overwritten. Furthermore, we track all the stack frames of function calls and check if the contiguous memory accesses cross corresponding stack frames.
• Heap Tracking. This tracking plugin is designed to detect both temporal and spatial heap related bugs such as heap overflow, use after free, double free and so on. It achieves its goal by evaluating the arguments and return values of allocation and deallocation functions and bookkeeping the location and sizes of heap objects. This allows to easily detect out-of-bounds memory accesses or access to a freed object.
• Instruction Tracking. This tracking plugin is designed to detect integer overflow and division by zero vulnerabilities. We track the execution state of each instruction and check if the register value that acts as the operand of division instructions equal zero. Furthermore, We trace instructions for all arithmetic operations (e.g., add) to see if the result is outside the range of different integer types, thus detecting the integer overflow vulnerability.

I/O Interception

The I/O operations performed by firmware accessing unknown peripherals are intercepted and forwarded to aunified symbolic peripheral. We implemented it based on Avatar2,which implements a remote memory mechanism in which accessesto unmapped memory regions in QEMU are forwarded to a pythonscript. We modified the python script as the symbolic peripheralwith ability of the hybrid event generation.

State Transfer

The avatar uses GDB interface to synchronizestate of register and memory, but it must be issued when the target isstopped. In our scenario, we can not predicate the point of firmwareexecution that accesses unknown peripherals and set break points before hand. We overcame this issue by invoking the QEMU internal function to suspend the firmware execution when encountering unknown peripherals on the fly. We implemented the on-the-fly state transfer by exporting all RAM regions through shared memory based inter-process communication. A POSIX shared memory object is created and bound to the RAM region using mmap when a RAM region is created in QEMU. As a result, the symbolic enginecan directly address the firmware RAM by reading the exported shared memory.

Feedback Maintenance

A shared bitmap is created at the first time the IoT firmware image is executed. The bitmap is used to store the information about unique block to block transitions. We implemented it based on AFL's QEMU mode. In addition, a shared list in Python is established at the same time, which is used to store the unique peripheral access to peripheral access transitions. And a Python map between each peripheral access point and its seed queue information is created. These feedback information is shared between QEMU and Python in the shared memory.

Bounded Fuzzing

The avatar uses GDB interface to synchronizestate of register and memory, but it must be issued when the target isstopped. In our scenario, we can not predicate the point of firmwareexecution that accesses unknown peripherals and set break points before hand. We overcame this issue by invoking the QEMU internal function to suspend the firmware execution when encountering unknown peripherals on the fly. We implemented the on-the-fly state transfer by exporting all RAM regions through shared memory based inter-process communication. A POSIX shared memory object is created and bound to the RAM region using mmap when a RAM region is created in QEMU. As a result, the symbolic enginecan directly address the firmware RAM by reading the exported shared memory.