Abstract
A recent trend for assessing the security of an embedded system’s firmware is rehosting, the art of running the firmware in a virtualized environment, rather than on the original hardware platform. One significant use case for firmware rehosting is fuzzing to dynamically uncover security vulnerabilities.
However, state-of-the-art implementations suffer from high emulator-induced overhead, leading to less-than-optimal execution speeds. Instead of emulation, we propose near-native rehosting: running embedded firmware as a Linux userspace process on a high-performance system that shares the instruction set family with the targeted device. We implement this approach with SAFIREFUZZ, a throughput-optimized rehosting and fuzzing framework for ARM Cortex-M firmware. SAFIREFUZZ takes monolithic binary-only firmware images and uses high-level emulation (HLE) and dynamic binary rewriting to run them on far more powerful hardware with low overhead. By replicating experiments of HALucinator, the state-of-the-art HLE-based rehosting system for binary firmware, we show that SAFIREFUZZ can provide a 690x throughput increase on average during 24-hour fuzzing campaigns while covering up to 30% more basic blocks.
However, state-of-the-art implementations suffer from high emulator-induced overhead, leading to less-than-optimal execution speeds. Instead of emulation, we propose near-native rehosting: running embedded firmware as a Linux userspace process on a high-performance system that shares the instruction set family with the targeted device. We implement this approach with SAFIREFUZZ, a throughput-optimized rehosting and fuzzing framework for ARM Cortex-M firmware. SAFIREFUZZ takes monolithic binary-only firmware images and uses high-level emulation (HLE) and dynamic binary rewriting to run them on far more powerful hardware with low overhead. By replicating experiments of HALucinator, the state-of-the-art HLE-based rehosting system for binary firmware, we show that SAFIREFUZZ can provide a 690x throughput increase on average during 24-hour fuzzing campaigns while covering up to 30% more basic blocks.
| Original language | English |
|---|---|
| Title of host publication | Proceedings of the 32nd USENIX Security Symposium |
| Publisher | USENIX Association |
| Pages | 2903-2920 |
| Number of pages | 18 |
| ISBN (Print) | 9781939133373 |
| Publication status | Published - 9 Aug 2023 |
| Event | 32nd USENIX Security Symposium - Anaheim, United States Duration: 9 Aug 2023 → 11 Aug 2023 |
Conference
| Conference | 32nd USENIX Security Symposium |
|---|---|
| Country/Territory | United States |
| City | Anaheim |
| Period | 9/08/23 → 11/08/23 |
Bibliographical note
Acknowledgments:This work was supported by the European Union’s Horizon 2020 research and innovation programme under project TESTABLE, grant agreement No. 101019206, the Dutch Ministry of Economic Affairs and Climate through the AVR program (Memo project) and the Dutch Science Organization NWO through projects Theseus and NWA ORC Intersect.