Author: 鄭永泰
Yung-Tai Cheng
Thesis title: Firmulti Fuzzer: 透過全系統模擬與虛擬機器自我檢查技術檢測多行程交互的模糊測試
Firmulti Fuzzer: Discovering Multi-process Vulnerabilities in IoT Devices with Full System Emulation and VMI
Advisor: 鄭欣明
Shin-Ming Cheng
Committee members: 黃俊穎
Chun-Ying Huang
蕭旭君
Hsu-Chun Hsiao
黎士瑋
Shih-Wei Li
Degree: Master
Department: College of Electrical Engineering and Computer Science, Department of Computer Science and Information Engineering
Year of publication: 2023
Graduation academic year: 111 (ROC calendar; academic year 2022/23)
Language: English
Pages: 34
Chinese keywords: 物聯網安全 (IoT security), 韌體模擬 (firmware emulation), 模糊測試 (fuzz testing), 多程序漏洞 (multi-process vulnerabilities)
English keywords: IoT Security, Firmware Emulation, Fuzz Testing, Multi-process Vulnerabilities
    Chinese abstract (translated)
    With the proliferation of IoT devices, both their number and their complexity grow by the day. However, many IoT products are built without considering security, which lets malware exploit vulnerabilities in these devices. To patch vulnerabilities before attackers discover them, security researchers use static and dynamic analysis to find them and propose firmware updates.
    However, because IoT firmware targets a wide range of architectures, it cannot be fuzzed directly on an ordinary personal computer. Building a virtual environment with emulation and hunting for vulnerabilities inside it has therefore become common practice. The resulting problem is that existing emulation-based fuzzers avoid full-system emulation in order to raise throughput, so they can only test a single program and cannot reach deeper vulnerabilities that arise from the interaction of several programs.
    To address this, we propose a fuzzing method based on full-system emulation, called Firmulti Fuzzer. It first runs the firmware in an existing emulation system to obtain the configuration needed for full-system emulation. It then runs a second emulation in an emulator equipped with virtual machine introspection, which monitors the whole system environment. During fuzzing, Firmulti Fuzzer observes the execution state of every program in the environment and raises an alert when it detects an exception, which lets it detect multi-process vulnerabilities. Our approach removes the single-program limitation of existing methods and provides an effective way to detect vulnerabilities in IoT devices.
    Experimental results show that Firmulti Fuzzer effectively detects both general vulnerabilities and multi-process vulnerabilities, and that for vulnerabilities arising from communication between several processes its detection capability exceeds that of other fuzzers. Firmulti Fuzzer is a promising tool for improving the security of IoT devices and preventing attackers from exploiting their vulnerabilities.


    With the growth of Internet of Things devices, the number and complexity of these devices are increasing rapidly. Nevertheless, many IoT products are developed without sufficient consideration for security, leaving them vulnerable to exploitation by malware. To proactively address these vulnerabilities before they are discovered by malicious attackers, information security researchers use both static and dynamic analysis techniques to identify vulnerabilities and propose firmware updates.
    Due to the variety of IoT firmware architectures, fuzzing firmware directly on an ordinary personal computer is impractical. Emulation is therefore commonly used to build virtual environments in which vulnerabilities can be hunted. However, existing emulation-based fuzzers prioritize throughput and avoid full-system emulation. They are therefore limited to testing individual programs and cannot find deeper vulnerabilities that arise from interactions across multiple processes.
    To address this, we propose Firmulti Fuzzer, a fuzzing framework that leverages full-system emulation. Our approach emulates the firmware twice. The first emulation uses an existing emulation system to acquire the configuration needed for full-system emulation of the firmware. The second emulation runs in an emulator with virtual machine introspection (VMI) to monitor the entire system environment. With Firmulti Fuzzer, we can track the execution state of every program in the environment and raise an alert when an exception is detected, thereby identifying vulnerabilities that stem from interactions among multiple processes.
    Experiments have shown the effectiveness of Firmulti Fuzzer in detecting both general vulnerabilities and multi-process vulnerabilities. Most importantly, Firmulti Fuzzer outperforms other fuzzers in identifying multi-process vulnerabilities. Firmulti Fuzzer holds promising potential as a tool for enhancing the security of IoT devices and mitigating the exploitation of vulnerabilities by malicious attackers.
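    The monitoring step described above, in which a VMI-equipped emulator reports faults from every guest process while the fuzzer delivers inputs to only one of them, raises a bookkeeping problem that the thesis lists under "Time Delay Causes Report Mismatch": each crash seen by VMI has to be attributed to the input that triggered it, and when the crash surfaces in a process other than the fuzzed target, the delay between input delivery and the fault makes that attribution uncertain. The Python below is an added example, not code from Firmulti Fuzzer or the thesis. It correlates a constructed stream of VMI fault events with a constructed log of delivered inputs, labels each crash as single-process (fault in the fuzzed target) or multi-process (fault in another guest process), and flags attributions where more than one input falls inside the tolerance window. The event fields, the 0.5 s window and the process names are assumptions made for this example.

```python
"""Correlate VMI fault events with delivered fuzz inputs across processes.

Added example; not code from the Firmulti Fuzzer thesis. Field names, the
tolerance window and the sample data below are assumptions.
"""
import bisect
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class FuzzInput:
    seq: int          # monotonically increasing input id assigned by the fuzzer
    sent_at: float    # guest-relative time at which the input was delivered
    target: str       # guest process the input was delivered to (e.g. "httpd")
    data: bytes


@dataclass(frozen=True)
class VmiEvent:
    at: float         # guest-relative time at which VMI observed the fault
    pid: int
    comm: str         # process name as reported by the guest kernel
    signal: str       # e.g. "SIGSEGV"; non-fault signals are ignored


@dataclass(frozen=True)
class CrashReport:
    event: VmiEvent
    cause: Optional[FuzzInput]   # None when no input falls inside the window
    kind: str                    # "single-process", "multi-process", "unattributed"
    ambiguous: bool              # more than one input fits inside the window


# Signals that indicate memory corruption or an abort inside the guest.
FAULT_SIGNALS = {"SIGSEGV", "SIGBUS", "SIGABRT", "SIGILL", "SIGFPE"}


def correlate(inputs: List[FuzzInput], events: List[VmiEvent],
              window: float = 0.5) -> List[CrashReport]:
    """Attribute every fault to the latest input delivered no later than the
    fault and no earlier than `window` seconds before it.

    A fault in a process other than the input's target is a multi-process
    finding: the fuzzed process handed tainted data to another process. When
    several inputs fit inside the window the attribution is marked ambiguous,
    which is exactly the report-mismatch case caused by emulation delay.
    """
    ordered = sorted(inputs, key=lambda i: i.sent_at)
    times = [i.sent_at for i in ordered]
    reports: List[CrashReport] = []
    for ev in sorted(events, key=lambda e: e.at):
        if ev.signal not in FAULT_SIGNALS:
            continue
        hi = bisect.bisect_right(times, ev.at)            # inputs sent <= fault
        lo = bisect.bisect_left(times, ev.at - window)    # ... and inside window
        candidates = ordered[lo:hi]
        if not candidates:
            reports.append(CrashReport(ev, None, "unattributed", False))
            continue
        cause = candidates[-1]
        kind = "single-process" if cause.target == ev.comm else "multi-process"
        reports.append(CrashReport(ev, cause, kind, len(candidates) > 1))
    return reports


def summarize(reports: List[CrashReport]) -> dict:
    """Count reports per kind; useful as a per-campaign summary."""
    counts = {"single-process": 0, "multi-process": 0, "unattributed": 0}
    for r in reports:
        counts[r.kind] += 1
    return counts


def demo() -> List[CrashReport]:
    """Run the correlation over constructed sample data (not real captures)."""
    inputs = [
        FuzzInput(1, 0.0, "httpd", b"GET / HTTP/1.0\r\n\r\n"),
        FuzzInput(2, 1.0, "httpd", b"GET /" + b"A" * 600 + b" HTTP/1.0\r\n\r\n"),
        FuzzInput(3, 2.5, "httpd", b"POST /apply.cgi ... dev_name=%n%n%n"),
        FuzzInput(4, 4.0, "httpd", b"GET /x HTTP/1.0\r\n\r\n"),
        FuzzInput(5, 4.2, "httpd", b"GET /" + b"\xff" * 300 + b" HTTP/1.0\r\n\r\n"),
    ]
    events = [
        VmiEvent(1.1, 811, "httpd", "SIGSEGV"),     # crash in the fuzzed process
        VmiEvent(1.2, 1, "init", "SIGCHLD"),        # not a fault; ignored
        VmiEvent(2.9, 903, "upnpd", "SIGSEGV"),     # crash in a different daemon
        VmiEvent(4.3, 811, "httpd", "SIGSEGV"),     # two inputs inside the window
        VmiEvent(10.0, 77, "watchdog", "SIGABRT"),  # nothing delivered recently
    ]
    return correlate(inputs, events, window=0.5)


if __name__ == "__main__":
    for r in demo():
        cause = r.cause.seq if r.cause else "-"
        print(f"{r.event.at:5.1f}s {r.event.comm:9} {r.event.signal:8} "
              f"input={cause} {r.kind} ambiguous={r.ambiguous}")
    print(summarize(demo()))
```

    Running the block reports the upnpd fault at 2.9 s as a multi-process finding caused by input 3, which a single-process fuzzer attached only to httpd would never see, and marks the httpd fault at 4.3 s as ambiguous because inputs 4 and 5 were both delivered inside the window. In practice the window has to be tuned to the emulator's slowdown, and ambiguous reports are resolved by replaying the candidate inputs one at a time.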

    Table of contents
    Chinese Abstract
    Abstract
    Table of Contents
    List of Tables
    List of Illustrations
    1 Introduction
    2 Background and Related Work
        2.1 Firmware Emulation
        2.2 Fuzzing
        2.3 Emulation-based Fuzzing
        2.4 Other Multi-process Interaction Detection Systems
    3 Methodology
        3.1 First Emulation
        3.2 Second Emulation and Establish Fuzzing
        3.3 Fuzzing and Monitoring
    4 Implementation
        4.1 Overview
        4.2 First Emulation
        4.3 Second Emulation
    5 Evaluation
        5.1 Research Question
        5.2 Efficiency Validation
        5.3 Real-World Firmware Vulnerability Testing
            5.3.1 General Fuzzing Vulnerabilities
            5.3.2 Multi-process Vulnerabilities
    6 Discussion and Future Work
        6.1 Time Delay Causes Report Mismatch
        6.2 Full System Emulation Inefficiency
        6.3 Target Process Selection Trade-offs
    7 Conclusion
    References

    Full text release date: 2026/07/20 (campus network)
    Full text release date: 2026/07/20 (off-campus network)
    Full text release date: 2026/07/20 (National Central Library: Taiwan NDLTD system)