Cyber on Board 2025

Fuzzware: Automatic Vulnerability Discovery in Embedded Systems via Rehosting-based Fuzzing


Description

Fuzzing is the process of automatically finding security vulnerabilities and stability issues in software by testing millions of inputs. Fuzzing has uncovered thousands of vulnerabilities in widely used and well-tested systems such as Google Chrome and operating systems. For firmware, the software that runs on embedded systems, applying fuzzing is notoriously hard: the traditional approach of on-device testing is ineffective, as constrained devices are too slow to process the required number of test inputs.

This presentation introduces a new technology called firmware rehosting, which changes how firmware security testing can be scaled and automated. Rehosting automatically generates a virtual execution environment for the firmware, so that firmware fuzzing can be scaled out to high-performance clusters and reach billions of test inputs.

Based on six years of academic research [1,2,3], we developed Fuzzware, which automatically rehosts and fuzz tests firmware to find security vulnerabilities. Fuzzware auto-generates hardware models by analyzing which hardware behavior the target firmware expects from its peripherals. It then provides exactly that behavior and fuzz tests the input processing of critical communication interfaces. As the analysis is based purely on the binary firmware code, no access to source code or physical devices is required. We have used Fuzzware to find more than 50 security vulnerabilities in embedded systems such as IoT devices, real-time operating systems (RTOS), and satellites.

Our presentation is split into two parts. First, we provide an introduction to firmware rehosting and detail how Fuzzware works under the hood. Second, we showcase bugs that we found via fuzzing and that could not have been found by other techniques, including manual code audits, static analysis tools, and traditional fuzzing approaches.
We will also show a demo of how we built an end-to-end exploit for an issue that Fuzzware found in the core USB stack of STM32, allowing us to compromise any device that uses the affected STMicroelectronics chips simply by inserting a USB cable.

References

[1] Fuzzware: Using Precise MMIO Modeling for Effective Firmware Fuzzing. USENIX Security 2022. https://www.usenix.org/conference/usenixsecurity22/presentation/scharnowski
[2] Hoedur: Embedded Firmware Fuzzing using Multi-Stream Inputs. USENIX Security 2023. https://www.usenix.org/conference/usenixsecurity23/presentation/scharnowski
[3] A Case Study on Fuzzing Satellite Firmware. NDSS. https://www.ndss-symposium.org/ndss-paper/auto-draft-412/
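To make the "auto-generated hardware models" concrete, here is an added Python sketch of the serving side of such models; it is an illustration written for this page, not Fuzzware's own code and not material from the talk. The model kinds (constant, passthrough, set, bitextract, identity) follow the names used in the Fuzzware paper [1], but the way bits are consumed from the fuzz input is a simplification. The register addresses, program counters, the toy UART receive routine and the input bytes are all constructed for the example. The point it shows is why modeling matters: the same two input bytes drive the toy firmware all the way to its command handler when the inferred models serve only the bits the firmware actually uses, but are exhausted on the very first register read when every MMIO read is treated as a full 32-bit fuzz value.

```python
"""Toy serving side of Fuzzware-style MMIO access models (added example, not Fuzzware code)."""
from dataclasses import dataclass, field


class InputExhausted(Exception):
    """The fuzz input ran out; a rehosting fuzzer ends the run at this point."""


@dataclass
class FuzzInput:
    data: bytes
    bitpos: int = 0  # number of input bits consumed so far

    def take(self, nbits: int) -> int:
        """Consume nbits of fuzz input (LSB-first within each byte) as an integer."""
        if self.bitpos + nbits > 8 * len(self.data):
            raise InputExhausted()
        value = 0
        for _ in range(nbits):
            byte, bit = divmod(self.bitpos, 8)
            value = (value << 1) | ((self.data[byte] >> bit) & 1)
            self.bitpos += 1
        return value


@dataclass
class MMIO:
    """Dispatches each MMIO read to the model inferred for its (address, pc) site."""
    models: dict               # (addr, pc) -> (kind, argument); missing sites fall back to identity
    inp: FuzzInput
    mem: dict = field(default_factory=dict)   # backing store for passthrough (memory-like) registers

    def read(self, addr: int, pc: int, width: int = 32) -> int:
        kind, arg = self.models.get((addr, pc), ("identity", None))
        if kind == "constant":          # value never influences the firmware: serve it, no input used
            return arg
        if kind == "passthrough":       # register behaves like memory: return the last write, no input used
            return self.mem.get(addr, 0)
        if kind == "set":               # firmware only distinguishes a few values: consume an index
            idx = self.inp.take((len(arg) - 1).bit_length())
            return arg[idx % len(arg)]
        if kind == "bitextract":        # only the masked bits matter: consume one input bit per masked bit
            out = 0
            for bit in range(width):
                if arg & (1 << bit):
                    out |= self.inp.take(1) << bit
            return out
        return self.inp.take(width)     # identity: the whole register value comes from the input

    def write(self, addr: int, value: int) -> None:
        self.mem[addr] = value


# Hypothetical UART registers and a toy receive routine standing in for firmware code.
UART_CR = 0x40004408   # control register, written then read back
UART_SR = 0x40004400   # status register, polled for RXNE
UART_DR = 0x40004404   # data register, low byte is the received character
RXNE = 1 << 5


def uart_rx(mmio: MMIO, max_polls: int = 8) -> str:
    mmio.write(UART_CR, 0x1)
    if not mmio.read(UART_CR, pc=0x08000100) & 1:
        return "cfg-error"
    for _ in range(max_polls):
        if mmio.read(UART_SR, pc=0x08000104) & RXNE:
            break
    else:
        return "timeout"
    byte = mmio.read(UART_DR, pc=0x08000108) & 0xFF
    return "cmd" if byte == 0x42 else "other"


# Models a Fuzzware-style analysis would attach to the three read sites above (hand-written here).
MODELS = {
    (UART_CR, 0x08000100): ("passthrough", None),   # read-back of a written value
    (UART_SR, 0x08000104): ("bitextract", RXNE),     # only RXNE reaches a branch
    (UART_DR, 0x08000108): ("bitextract", 0xFF),     # only the low byte is used
}

# Constructed input: RXNE set on the third poll, then 0x42 spelled out bit by bit.
SAMPLE_INPUT = b"\x14\x02"


def run(models: dict, data: bytes) -> tuple:
    """Run the toy firmware against the given models; return (outcome, bits consumed)."""
    inp = FuzzInput(data)
    mmio = MMIO(models, inp)
    try:
        outcome = uart_rx(mmio)
    except InputExhausted:
        outcome = "input-exhausted"
    return outcome, inp.bitpos


if __name__ == "__main__":
    print("with models:   ", run(MODELS, SAMPLE_INPUT))   # ('cmd', 11)
    print("identity only: ", run({}, SAMPLE_INPUT))       # ('input-exhausted', 0)
```

With the models in place, 11 input bits carry the firmware through the poll loop and into the command handler; without them, the first read already demands 32 bits and the run ends before any interesting code is reached. In Fuzzware the per-site models are inferred automatically from the binary, which is what the abstract means by analyzing which hardware behavior the firmware expects.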

Presented by