Ember-IO: Effective Firmware Fuzzing with Model-Free Memory Mapped IO

TL;DR

Ember-IO introduces a novel firmware fuzzing approach that leverages model-free memory-mapped IO to efficiently explore peripheral interactions, significantly improving code coverage and bug detection in embedded firmware testing.

Contribution

The paper presents Ember-IO, a new fuzzing framework that enhances firmware testing by addressing input-space challenges without relying on hardware models, outperforming existing methods.

Findings

Up to 255% increase in code coverage compared to state-of-the-art.

Discovered 6 new bugs in real-world firmware.

Integrated with Fuzzware, maintains or improves coverage and reproduces key bugs.

Abstract

Exponential growth in embedded systems is driving the research imperative to develop fuzzers to automate firmware testing to uncover software bugs and security vulnerabilities. But, employing fuzzing techniques in this context present a uniquely challenging proposition; a key problem is the need to deal with the diverse and large number of peripheral communications in an automated testing framework. Recent fuzzing approaches: i) employ re-hosting methods by executing code in an emulator because fuzzing on resource limited embedded systems is slow and unscalable; and ii) integrate models of hardware behaviour to overcome the challenges faced by the massive input-space to be explored created by peripheral devices and to generate inputs that are effective in aiding a fuzzer to make progress. Our efforts expounds upon program execution behaviours unique to firmware to address the resulting input-space search problem. The techniques we propose improve the fuzzer's ability to generate values likely to progress execution and avoids time consumed on mutating inputs that are functionally equivalent to other test cases. We demonstrate the methods are highly efficient and effective at overcoming the input-space search problem. Our emulation-based implementation, Ember-IO, when compared to the existing state-of-the-art fuzzing framework across 21 firmware binaries, demonstrates up to 255% improvement in blocks covered. Further Ember-IO discovered 6 new bugs in the real-world firmware, previously not identified by state-of-the-art fuzzing frameworks. Importantly, Ember-IO integrated with the state-of-the-art fuzzer, Fuzzware, demonstrates similar or improved coverage across all firmware binaries whilst reproducing 3 of the 6 new bugs discovered by Ember-IO.