Computer Science (计算机科学), 2025, Vol. 52, Issue 12: 9-17. doi: 10.11896/jsjkx.250400144

• Computer Software & System Architecture •

AFL-VTest: Fuzzing Framework for Aerospace Embedded Software

WANG Shuai1, HUANG Chen2, JIANG Yunsong2, XIAO Xi1, WANG Guanlin1, YU Tingting2, XU Qizhen3

  1 Tsinghua Shenzhen International Graduate School, Shenzhen, Guangdong 518055, China
  2 Beijing Institute of Control Engineering, Beijing 100094, China
  3 Xiamen Software Supply Chain Security Public Technology Service Platform, Xiamen, Fujian 361000, China
  • Received: 2025-04-29 Revised: 2025-09-07 Published: 2025-12-15 Online: 2025-12-09
  • Corresponding author: XIAO Xi (xiaox@sz.tsinghua.edu.cn)
  • About author: (iwangshuai@foxmail.com)
  • Supported by:
    Natural Science Foundation of Guangdong Province (2025A1515011946); Xiamen Software Supply Chain Security Public Technology Service Platform (3502Z20231042)

AFL-VTest: Fuzzing Framework for Aerospace Embedded Software

WANG Shuai1, HUANG Chen2, JIANG Yunsong2, XIAO Xi1, WANG Guanlin1, YU Tingting2, XU Qizhen3

  1 Tsinghua Shenzhen International Graduate School, Shenzhen, Guangdong 518055, China
  2 Beijing Institute of Control Engineering, Beijing 100094, China
  3 Xiamen Software Supply Chain Security Public Technology Service Platform, Xiamen, Fujian 361000, China
  • Received: 2025-04-29 Revised: 2025-09-07 Published: 2025-12-15 Online: 2025-12-09
  • About author: WANG Shuai, born in 1997, postgraduate. His main research interest is fuzz testing.
    XIAO Xi, born in 1979, Ph.D, associate professor. His main research interests include AI security and network security.
  • Supported by:
    This work was supported by the Natural Science Foundation of Guangdong Province (2025A1515011946) and the Xiamen Software Supply Chain Security Public Technology Service Platform (3502Z20231042).

Abstract: The reliability of aerospace embedded software is one of the keys to ensuring that space missions execute successfully. Fuzzing has become a mainstream approach to defect detection and vulnerability discovery and has achieved considerable success in the field of software security. Research on fuzzing methods for aerospace embedded software is therefore of profound significance for strengthening the reliability of such software and advancing aerospace technology. This paper proposes AFL-VTest, a fuzzing framework for aerospace embedded software. Targeting two characteristics of aerospace embedded software, limited memory resources and a large number of checksum checks, AFL-VTest proposes a streamlined source-code instrumentation method and a checksum-fixing algorithm respectively. Evaluation experiments on several sample programs and on real aerospace embedded programs show the effectiveness of the proposed streamlined instrumentation method and checksum-fixing algorithm. Finally, AFL-VTest uncovered three previously undiscovered defects in real projects, demonstrating its effectiveness and practical value in improving the security and reliability of aerospace embedded software.

Key words: Embedded software, Fuzzing, Software testing, Defect detection, Source-code instrumentation

Abstract: The reliability of aerospace embedded software is a critical determinant of space mission success. Fuzzing has become the mainstream method for defect detection and vulnerability discovery today, and has achieved significant success in the field of software security. Research on fuzzing methods for aerospace embedded software has profound significance for enhancing the reliability of such software and promoting the progress of aerospace technology. Therefore, this paper proposes AFL-VTest, a fuzz testing framework specifically designed for aerospace embedded software. It integrates a streamlined source code instrumentation method and a novel checksum-fixing algorithm tailored to address the limited memory resources and the prevalence of checksum verifications in embedded systems. Evaluation experiments conducted on multiple sample programs and practical aerospace embedded software demonstrate the effectiveness of the proposed instrumentation method and checksum-fixing algorithm. Finally, AFL-VTest successfully uncovers three previously undetected defects within actual aerospace embedded software projects, thus verifying the effectiveness and practical value of the proposed method in bolstering the safety and reliability of aerospace systems.

Key words: Embedded software, Fuzz testing, Software testing, Defect detection, Source-level instrumentation

CLC number:

  • TP311
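The checksum-fixing idea the abstract refers to, as an added illustration that is not the paper's or AFL-VTest's own code: a constructed message format with a trailing 16-bit additive checksum, a stand-in for the target's input validation, and a repair step that recomputes the checksum after mutation so that mutated inputs reach the parsing logic instead of being rejected at the check. The message layout, the checksum function and the mutation step are all assumptions; the paper's actual algorithm is not described on this page.

```c
#include <stdint.h>
#include <string.h>

/* Constructed message layout (an assumption, not the paper's format):
 * [0..1] payload length, big-endian | [2..n-3] payload |
 * [n-2..n-1] 16-bit additive checksum over bytes 0..n-3.          */
#define MSG_MAX 64

/* 16-bit additive checksum over buf[0..len) (constructed stand-in). */
uint16_t sum16(const uint8_t *buf, size_t len) {
    uint32_t s = 0;
    for (size_t i = 0; i < len; i++) s += buf[i];
    return (uint16_t)(s & 0xFFFFu);
}

/* Repair step run on every mutated input before it is executed: rewrite
 * the trailing checksum field so it matches the mutated content. */
void fix_checksum(uint8_t *msg, size_t len) {
    if (len < 4) return;
    uint16_t c = sum16(msg, len - 2);
    msg[len - 2] = (uint8_t)(c >> 8);
    msg[len - 1] = (uint8_t)(c & 0xFFu);
}

/* Stand-in for the target's input gate: 1 if the checksum matches, else 0. */
int target_accepts(const uint8_t *msg, size_t len) {
    if (len < 4) return 0;
    uint16_t declared = (uint16_t)((msg[len - 2] << 8) | msg[len - 1]);
    return sum16(msg, len - 2) == declared;
}

/* Build a valid message from a payload; returns the total length. */
size_t build_msg(uint8_t *out, const uint8_t *payload, size_t plen) {
    if (plen + 4 > MSG_MAX) plen = MSG_MAX - 4;
    out[0] = (uint8_t)(plen >> 8);
    out[1] = (uint8_t)(plen & 0xFFu);
    memcpy(out + 2, payload, plen);
    fix_checksum(out, plen + 4);
    return plen + 4;
}

/* Simulated mutation: invert one payload byte, then report what happens.
 * Returns 1 when the mutant is rejected as-is but accepted after repair,
 * which is exactly the effect a checksum-fixing pass is meant to have. */
int mutate_and_repair(uint8_t *msg, size_t len, size_t pos) {
    if (pos < 2 || pos >= len - 2) return 0;
    msg[pos] ^= 0xFFu;                 /* sum shifts by 255 - 2*b, never 0 */
    int rejected = !target_accepts(msg, len);
    fix_checksum(msg, len);
    return rejected && target_accepts(msg, len);
}
```

Without the repair step the mutated message would stop at the checksum gate and the fuzzer would learn nothing about the code behind it; with it, coverage feedback comes from the parser rather than from the check.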