Computer Science, 2025, Vol. 52, Issue (7): 13-25. doi: 10.11896/jsjkx.240800068
Computer Software
SUN Qiming1, HOU Gang1, JIN Wenjie1, HUANG Chen2, KONG Weiqiang1