Abstract: Analyzing the security of MCU firmware is important. Fuzzing with peripheral model emulation has proven successful because it is independent of hardware and practical. However, prior efforts such as DICE and P²IM expose two issues: insufficient exploration of peripheral states and inadequate handling of abnormal behaviors. Our key insight is that peripheral register values are vital for fuzzing MCU firmware. We present a novel approach called VeRa, which introduces several techniques: peripheral state triage, rollback explorative execution, a low-frequency-first schedule for control-status register values, and random selection for status register values. We integrated VeRa into the state-of-the-art firmware analyzer DICE and evaluated it on 122 firmware covering 11 MCU platforms. Evaluation results show that 1) on modeling peripherals, VeRa passed 45 more out of 99 sample firmware than DICE; 2) VeRa outperforms DICE on fuzzing 23 real-world firmware, with 1.4× basic block coverage and 3.1× path coverage on average (up to 13.2× and 33.7×, respectively); 3) the overhead of VeRa is fairly low, adding 5.6% and 1.2% on average to modeling time and fuzzing time, respectively; 4) VeRa discovered 3 unique new bugs that DICE cannot find.
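The abstract names three mechanics (a low-frequency-first schedule for control-status register values, random selection for status register values, and rollback explorative execution) without showing them. The following is an added toy illustration written for this page, not VeRa's or DICE's code: a peripheral model that answers MMIO reads of a constructed two-register peripheral, a toy firmware loop that polls a status flag and then branches on a control-status value, and an exploration driver that snapshots emulated device state before each run and discards it when the run hangs. The register addresses, candidate-value sets, hang threshold and the exact scheduling rules are assumptions made for the example.

```python
"""Toy peripheral-value scheduler with rollback exploration (constructed illustration)."""
import copy
import random
from collections import defaultdict
from dataclasses import dataclass
from enum import Enum, auto


class RegKind(Enum):
    CONTROL_STATUS = auto()   # configuration/flag register the firmware reads back
    STATUS = auto()           # read-only flags the firmware polls


@dataclass(frozen=True)
class RegisterSpec:
    addr: int
    kind: RegKind
    candidates: tuple         # values the model may feed on a read (assumed set)


# Constructed toy peripheral map; addresses are placeholders, not any real MCU's.
STATUS_ADDR = 0x40000000
CTRL_ADDR = 0x40000004
READY_BIT = 0x1
SPECS = [
    RegisterSpec(STATUS_ADDR, RegKind.STATUS, (0x0, 0x1)),
    RegisterSpec(CTRL_ADDR, RegKind.CONTROL_STATUS, (0x0, 0x1, 0x2, 0x3)),
]


class PeripheralModel:
    """Answers firmware MMIO reads from candidate values.

    Control-status registers: low-frequency-first, i.e. feed the candidate that has
    been fed the fewest times so far (ties broken by the smallest value).
    Status registers: uniform random choice from the candidates.
    """

    def __init__(self, specs, seed=0):
        self.specs = {s.addr: s for s in specs}
        self.counts = defaultdict(int)        # (addr, value) -> times fed so far
        self.rng = random.Random(seed)
        self.device_state = {"ready": False}  # mutable emulated device state

    def read(self, addr):
        spec = self.specs[addr]
        if spec.kind is RegKind.CONTROL_STATUS:
            value = min(spec.candidates, key=lambda v: (self.counts[(addr, v)], v))
            self.counts[(addr, value)] += 1
        else:
            value = self.rng.choice(spec.candidates)
        if addr == STATUS_ADDR and value & READY_BIT:
            self.device_state["ready"] = True
        return value


def run_firmware(model, max_polls=4):
    """Toy firmware: spin on STATUS until READY, then branch on CTRL.

    Returns (basic blocks reached, outcome). Spinning past max_polls is treated as
    the abnormal behaviour (a hang) that exploration must recover from.
    """
    blocks = ["bb_entry"]
    polls = 0
    while not (model.read(STATUS_ADDR) & READY_BIT):
        polls += 1
        if polls >= max_polls:
            return blocks, "HANG"
    blocks.append("bb_ready")
    mode = model.read(CTRL_ADDR) & 0x3
    blocks.append(f"bb_mode_{mode}")
    return blocks, "DONE"


def explore(model, runs):
    """Rollback explorative execution (toy form): snapshot the emulated device state
    before each run; keep it after a normal run, restore it after a hang so the
    abnormal path does not pollute later runs. Scheduler counts are kept across the
    rollback, so the next run is fed a different control-status candidate."""
    covered = set()
    hangs = 0
    for _ in range(runs):
        snapshot = copy.deepcopy(model.device_state)
        blocks, outcome = run_firmware(model)
        covered.update(blocks)
        if outcome == "HANG":
            hangs += 1
            model.device_state = snapshot   # roll back
    return covered, hangs


if __name__ == "__main__":
    m = PeripheralModel(SPECS, seed=1)
    cov, h = explore(m, runs=40)
    print(sorted(cov), "hangs:", h)
```

The low-frequency-first rule is what makes every value of the four-candidate control-status register get tried within four successful runs, whereas a purely random choice would take far longer to cover the rarest branch; the random rule on the status register is what lets the polling loop eventually observe READY. The rollback keeps the hang from leaving the emulated device in a half-initialised state for the next run.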