EmbedFuzz: High Speed Fuzzing Through Transplantation

TL;DR

EmbedFuzz is a novel framework that significantly improves fuzzing speed and efficiency for embedded MCU firmware by transplanting firmware to high-end devices, enabling native execution and advanced analysis.

Contribution

It introduces a firmware transplantation technique that allows MCU firmware to run on high-end devices, achieving high-speed fuzzing and better crash analysis capabilities.

Findings

Up to eight-fold increase in fuzzing throughput.

Consumes at most a quarter of the energy compared to state-of-the-art methods.

Enables native execution and advanced introspection for embedded firmware.

Abstract

Dynamic analysis and especially fuzzing are challenging tasks for embedded firmware running on modern low-end Microcontroller Units (MCUs) due to performance overheads from instruction emulation, the difficulty of emulating the vast space of available peripherals, and low availability of open-source embedded firmware. Consequently, efficient security testing of MCU firmware has proved to be a resource- and engineering-heavy endeavor. EmbedFuzz introduces an efficient end-to-end fuzzing framework for MCU firmware. Our novel firmware transplantation technique converts binary MCU firmware to a functionally equivalent and fuzzing-enhanced version of the firmware which executes on a compatible high-end device at native performance. Besides the performance gains, our system enables advanced introspection capabilities based on tooling for typical Linux user space processes, thus simplifying analysis of crashes and bug triaging. In our evaluation against state-of-the-art MCU fuzzers, EmbedFuzz exhibits up to eight-fold fuzzing throughput while consuming at most a fourth of the energy thanks to its native execution.