𝜇AFL: Non-intrusive Feedback-driven Fuzzing for Microcontroller Firmware

Wenqiang Li, Jiameng Shi, Fengjun Li, Jingqiang Lin, Wei Wang, Le Guan

ICSE ‘22: Proceedings of the 44th International Conference on Software Engineering, Pages 1 - 12

Q&A (link)

What are the motivations for this work?

See Introduction.
There are limitations in the existing firmware security testing approaches when applied to embedded firmware testing:

What is the proposed solution?

See Introduction, Section 2.
Use ARM ETM (Embedded Trace Macrocell) for non-intrusive feedback collection.
ETM is a hardware instruction trace feature for ARM. The design of ETM is: A dedicated hardware component emits a stream of control flow packets, a decoder reconstructs a unique execution path by matching the control flow data to the disassembled machine code.

What is the work’s evaluation of the proposed solution?

See Section 4.

Implemented a prototype of 𝜇AFL on top of AFL2.56 by adding ∼2,000 lines of C code on the PC side.
Used the SEGGER J-Trace Pro debug dongle to control the communication between the host PC and the target ARM Cortex-M evaluation boards.
Experiments were done to NXP TWR-K64F120M and STM32H7B3I-EVAL. Used the sample code provided in NXP SDK and STM32 SDK.

What is your analysis of the identified problem, idea and evaluation?

NONE

What are the contributions?

See Introduction.
𝜇AFL, the first fuzzing tool that is applicable to the driver code of MCU firmware.
Some bugs detected.

What are future directions for this research?

NONE

What questions are you left with?

NONE

What is your take-away message from this paper?

NONE

Written on