Computer Science (计算机科学) ›› 2025, Vol. 52 ›› Issue (7): 13-25. doi: 10.11896/jsjkx.240800068

• Computer Software •

Survey on Fuzzing of Embedded Software

SUN Qiming1, HOU Gang1, JIN Wenjie1, HUANG Chen2, KONG Weiqiang1

  1 College of Software, Dalian University of Technology, Dalian, Liaoning 116620, China
  2 Beijing Institute of Control Engineering, Beijing 100190, China
  • Received: 2024-08-12  Revised: 2024-11-11  Published: 2025-07-17
  • Corresponding author: HOU Gang (hg.dut@163.com)
  • About author: SUN Qiming, born in 2000, postgraduate (lzdz@mail.dlut.edu.cn). His main research interest is fuzz testing.
    HOU Gang, born in 1982, Ph.D., associate professor, is a member of CCF (No. 33349M). His main research interests include fuzz testing and trusted software.
  • Supported by: Lab of High Confidence Embedded Software Engineering Technology Open Fund Project (LHCESET202306).

Abstract: Embedded software is now deployed throughout safety-critical systems such as defense, aerospace, and IoT communications, and these systems face increasingly severe security threats, so discovering and fixing vulnerabilities in embedded software quickly has become essential. Fuzz testing (fuzzing), an efficient software testing technique, exercises a target with large volumes of automatically generated random or mutated inputs to probe its robustness, and it has gradually been applied to vulnerability discovery in many kinds of embedded software. This paper first introduces fuzz testing, embedded systems, and their firmware and devices. It then outlines the fuzzing workflow for embedded software and analyzes how it differs from fuzzing conventional software and the challenges it faces. Next, it systematically reviews the state of research and the main approaches to embedded-software fuzzing, divided into direct fuzzing (on the device itself) and simulation-based (emulation) fuzzing. Finally, it analyzes optimization methods that can improve the effectiveness of embedded-software fuzzing and looks ahead to possible future technical directions.

Key words: Embedded software, Firmware devices, Security vulnerability, Direct fuzz testing, Simulation-based fuzz testing
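As an added illustration (not code from the paper or from any tool it surveys), the following C program shows the loop that both families of embedded fuzzers in the survey build on: a seed input is mutated repeatedly, fed to the target, and an oracle decides whether the target misbehaved. The target is a constructed firmware-style frame parser; its layout, the `PAYLOAD_CAP` constant and every function name are hypothetical. On a physical device the oracle would be a watchdog reset, a debug-interface halt, or a hardware trace, and inside an emulator it would be a memory checker, so here the checked accessors `rd`/`wr` flag an out-of-bounds access instead of letting the process crash. The vulnerable parser trusts the length byte from the wire; the hardened one validates it against both the wire length and the destination buffer.

```c
/* Added example, not from the paper: minimal mutation-based fuzzer with a
 * software bounds-check oracle, run against a constructed frame parser. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAYLOAD_CAP 16   /* hypothetical fixed payload buffer, as in many MCU drivers */
#define WORK_CAP    64   /* maximum length of a mutated test case */

static int g_fault;      /* oracle: set when the target touches memory out of bounds */

/* Checked accessors stand in for a crash or sanitizer report. */
static uint8_t rd(const uint8_t *p, size_t n, size_t i) {
    if (i >= n) { g_fault = 1; return 0; }
    return p[i];
}
static void wr(uint8_t *p, size_t cap, size_t i, uint8_t v) {
    if (i >= cap) { g_fault = 1; return; }
    p[i] = v;
}

/* Constructed frame layout: [plen][type][payload x plen][xor checksum] */
typedef struct { uint8_t type, plen, payload[PAYLOAD_CAP]; } frame_t;
typedef int (*target_fn)(const uint8_t *, size_t, frame_t *);

static int copy_payload(const uint8_t *buf, size_t n, frame_t *f) {
    uint8_t sum = 0;
    for (size_t i = 0; i < f->plen; i++) {
        uint8_t b = rd(buf, n, 2 + i);
        wr(f->payload, PAYLOAD_CAP, i, b);
        sum ^= b;
    }
    return sum == rd(buf, n, 2 + (size_t)f->plen) ? 0 : -2;
}

/* Vulnerable: plen is taken from the wire and never bounded. */
int parse_frame_vuln(const uint8_t *buf, size_t n, frame_t *f) {
    if (n < 3) return -1;
    f->plen = rd(buf, n, 0);
    f->type = rd(buf, n, 1);
    return copy_payload(buf, n, f);
}

/* Hardened: plen must fit the destination buffer and the received bytes. */
int parse_frame_hard(const uint8_t *buf, size_t n, frame_t *f) {
    if (n < 3) return -1;
    f->plen = rd(buf, n, 0);
    f->type = rd(buf, n, 1);
    if (f->plen > PAYLOAD_CAP || (size_t)f->plen + 3 > n) return -1;
    return copy_payload(buf, n, f);
}

static uint32_t g_rng;
static uint32_t rng(void) {   /* xorshift32: deterministic, so a run is reproducible */
    g_rng ^= g_rng << 13; g_rng ^= g_rng >> 17; g_rng ^= g_rng << 5;
    return g_rng;
}

/* Apply one random mutation; returns the (possibly changed) test-case length. */
static size_t mutate(uint8_t *buf, size_t n) {
    static const uint8_t interesting[] = { 0x00, 0x01, 0x7f, 0x80, 0xff };
    size_t pos = rng() % n;
    switch (rng() % 4) {
    case 0:  buf[pos] ^= (uint8_t)(1u << (rng() % 8)); break;           /* bit flip */
    case 1:  buf[pos] = (uint8_t)rng(); break;                           /* random byte */
    case 2:  buf[pos] = interesting[rng() % sizeof interesting]; break;  /* boundary value */
    default: n = 1 + rng() % WORK_CAP; break;                            /* truncate / extend */
    }
    return n;
}

/* Feed `iters` mutants of `seed` to `target`; return how many tripped the oracle. */
unsigned fuzz_run(target_fn target, const uint8_t *seed, size_t seed_len,
                  unsigned iters, uint32_t rng_seed) {
    uint8_t work[WORK_CAP];
    unsigned faults = 0;
    g_rng = rng_seed ? rng_seed : 1;          /* xorshift must not start at zero */
    for (unsigned it = 0; it < iters; it++) {
        memset(work, 0, sizeof work);
        memcpy(work, seed, seed_len);
        size_t n = seed_len;
        unsigned k = 1 + rng() % 4;           /* stack 1..4 mutations per test case */
        while (k--) n = mutate(work, n);
        frame_t f;
        g_fault = 0;
        (void)target(work, n, &f);
        faults += (unsigned)g_fault;
    }
    return faults;
}

/* Constructed valid seed: plen=4, type=1, payload "abcd", checksum a^b^c^d */
static const uint8_t SEED[] = { 4, 1, 'a', 'b', 'c', 'd', 'a' ^ 'b' ^ 'c' ^ 'd' };

int main(void) {
    printf("vulnerable parser: %u faulting inputs\n",
           fuzz_run(parse_frame_vuln, SEED, sizeof SEED, 2000, 1));
    printf("hardened parser:   %u faulting inputs\n",
           fuzz_run(parse_frame_hard, SEED, sizeof SEED, 2000, 1));
    return 0;
}
```

Build with `cc -O1 fuzz_demo.c` and run: because the PRNG is seeded deterministically, the vulnerable parser trips the oracle on a fixed number of the 2000 mutants (most of them length-byte mutations) while the hardened parser never does. Replacing `rd`/`wr` with a real crash detector is the part that is hard on a physical device, which is one reason many of the surveyed systems move the firmware into an emulator where memory checking is cheap.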

CLC number: TP309