SysFuSS: System-Level Firmware Fuzzing with Selective Symbolic Execution

TL;DR

SysFuSS is a novel system-level firmware fuzzing framework that combines emulation-based fuzzing with selective symbolic execution to improve vulnerability detection and coverage in embedded firmware.

Contribution

It introduces an integrated approach that transitions from fuzzing to symbolic execution upon coverage plateau, enhancing firmware vulnerability detection efficiency.

Findings

Outperforms state-of-the-art fuzzers in coverage and vulnerability detection.

Detects 118 known vulnerabilities, compared to 13 by existing tools.

Reduces testing time by up to 3.3 times.

Abstract

Firmware serves as the critical interface between hardware and software in computing systems, making any bugs or vulnerabilities particularly dangerous as they can cause catastrophic system failures. While fuzzing is a promising approach for identifying design flaws and security vulnerabilities, traditional fuzzers are ineffective at detecting firmware vulnerabilities. For example, existing fuzzers focus on user-level fuzzing, which is not suitable for detecting kernel-level vulnerabilities. Existing fuzzers also face a coverage plateau problem when dealing with complex interactions between firmware and hardware. In this paper, we present an efficient firmware verification framework, SysFuSS, that integrates system-level fuzzing with selective symbolic execution. Our approach leverages system-level emulation for initial fuzzing, and automatically transitions to symbolic execution when coverage reaches a plateau. This strategy enables us to generate targeted test cases that can trigger previously unexplored regions in firmware designs. We have evaluated SysFuSS on real-world embedded firmware, including OpenSSL, WolfBoot, WolfMQTT, HTSlib, MXML, and libIEC. Experimental evaluation demonstrates that SysFuSS significantly outperforms state-of-the-art fuzzers in terms of both branch coverage and detection of firmware vulnerabilities. Specifically, SysFuSS can detect 118 known vulnerabilities while state-of-the-art can cover only 13 of them. Moreover, SysFuSS takes significantly less time (up to 3.3X, 1.7X on average) to activate these vulnerabilities.