LLM WikiAccess-protected knowledge portal

WIKI

Source Extract — FIRM-COV (IEEE Access 2021)

AI Summary Purpose Structured, faithful extraction of the FIRM COV paper for downstream wiki pages. Key points FIRM COV high coverage greybox fuzzer for Linux based IoT firmware via optimized process emulation. Published IEEE Access, Vol. 9

경로ai/sources/academic/firm-cov-extract.md
카테고리Source
태그#academic #cov #extract #firm #fuzzing #infra #security #source #sources #vulnerability

# Source Extract — FIRM-COV (IEEE Access 2021)

AI Summary

Purpose:

Key points:

Relevant when:

Do not read full document unless:

Linked documents:

Open Questions

Details

Bibliographic

- ¹ Dept. of Computer and Information Security, and Convergence Engineering for Intelligent Drone, Sejong University, Seoul - ² Dept. of Computer and Information Security, Sejong University, Seoul - Corresponding author: Joobeom Yun ([email protected])

Problem / motivation

- C1 Structured input values: network IoT programs (e.g., CGI over HTTP) discard unstructured input; CGI programs read data via getenv() rather than stdin, so malformed method/header values are dropped server-side, blocking deep-path exploration. - C2 Panic state: emulation does not fully implement hardware; reads/writes to peripherals (e.g., NVRAM) can crash the emulator, non-responding inputs get misclassified as crashes, and user→kernel access can force reboot. Paper calls these emulator weaknesses the "panic state." - C3 Code coverage: prior IoT fuzzers do not achieve high coverage; cited result — a 1% increase in code coverage can increase bug discovery by 0.92% (ref [35]).

Background: emulation techniques surveyed (all QEMU-related)

  1. User-mode emulation — fast cross-arch execution from main(); used by AFL-QEMU; does not recreate crashing hardware devices; not a perfect abstraction.
  2. System-mode (full-system) emulation — full VM with peripherals; used by FIRMADYNE, DECAF, PANDA; high compatibility but heavy performance overhead.
  3. Unicorn engine — QEMU-based CPU-only emulator; lighter; used by FIRMCORN; but requires dumping CPU context from real devices, so needs physical devices.
  4. Augmented process emulation — proposed by FIRM-AFL; combines user- and system-mode for efficiency + compatibility; runs target as emulated user, switches to system-mode for unhandled syscalls; but does not recover from infinite loops/reboots → needs stable emulation.

Design goals (four, simultaneous)

Approach — three core techniques

(A) Dictionary generation algorithm (Pre-analysis phase, Layer 1)

1. Reference mining — pick an address; check if any instruction references it (string used as a function argument); use chaining to collect all instructions propagated by that string. 2. Fine-grained instructions — check whether the string is used as a function argument (e.g., MIPS args in registers $a0–$a3). 3. Library function analysis — check whether the string is used as an argument to specific uClibc library APIs (Table 2) that take strings and affect addresses (common sources of buffer overflow / out-of-bounds). If yes, the string becomes a dictionary syntax-token; else discard.

(B) Optimized process emulation (Layer 2a)

1. Generate entry state for IoT program — set the target's network-packet-receiving entry point as the fork point; abstractly store state (memory, registers, open files) = "entry state." Initialized in full-system emulation using state-of-the-art QEMU (DECAF) dynamic introspection: a custom callback captures target state when the client request packet is received, synchronizing it to user-mode emulation. 2. Snapshot for scalability — user-mode uses fork() to copy the target (cheap); full-system VM is expensive to copy/reboot, so it uses a snapshot, loading the entry state via snapshot on each fuzzing input. 3. Eliminate panic state — handle page faults by requesting new memory mapping from full-system emulation; periodic liveness check detects when emulators fall out of sync (panic state); on detection, re-synchronize the two emulators and discard the triggering input. 4. Handle hardware-dependent functions — functions accessing peripherals (e.g., nvram_get() reading NVRAM at boot) would crash the emulator; FIRM-COV implements a library (manually analyzing all evaluated firmware) loaded via LD_PRELOAD to hijack NVRAM-related functions and return fake data, keeping emulation stable.

(C) Coverage-oriented fuzzing (Layer 2b)

- Seed scheduling: low-frequency-based algorithm (inspired by AFLFast [25]); modified power-schedule performance score p(i) = min( (α(i)/β) · (2^{s(i)} / f(i)), M ), where s(i)=times input i selected from queue, f(i)=number of inputs executed on same paths as i. Generates more inputs for low-reachability test cases. - Mutation scheduling: custom particle-swarm-optimization (PSO) algorithm (inspired by MOpt-AFL [28]) to find optimal mutation-operator probability distribution; AFL has 11 mutation operators across deterministic/havoc/splicing stages. FIRM-COV performs sufficient dictionary-based mutation during the deterministic stage but skips it for test cases if no new paths/crashes for 5 minutes, accelerating fuzzing.

Architecture / implementation

Evaluation

- Baseline = FIRM-AFL (AFL + augmented process emulation). - FIRM-AFLFast = baseline with AFL power schedule replaced by AFLFast (low-frequency path guidance). - FIRM-MOptAFL = baseline with mutation scheduling replaced by MOpt-AFL; skips deterministic stage if no paths/crashes for 5 min. - FIRM-COV = optimized process emulation + synergy scheduling on AFL.

Key results (textually stated):

- Buffer overflow in D-Link DIR-825 (firmware 2.02NA to 2.10NA) — crafting the URI in httpd. - Buffer overflow in Trendnet TEW-632BRP (firmware 1.10B32) — crafting the URI in httpd.

Contributions (as stated)

Limitations / future work (as stated)

Related work cited (NOT authored by the wiki owner — background only)

연결 문서