LLM WikiAccess-protected knowledge portal

WIKI

FIRM-COV

AI Summary Purpose Describe the FIRM COV research project a high coverage greybox fuzzer for IoT firmware via optimized process emulation, co authored by the wiki owner Hyunwook Kim . Key points Published in IEEE Access, Vol. 9, 2021 DOI 10

경로ai/wiki/academic/firm-cov.md
카테고리Project
태그#academic #cov #firm #fuzzing #project #security #vulnerability #wiki

# FIRM-COV

AI Summary

Purpose:

Key points:

Relevant when:

Do not read full document unless:

Linked documents:

Open Questions

Details

Bibliographic

Problem

IoT firmware is a high-value, easily reachable remote-attack target, yet hard to fuzz. The paper frames three challenges:

Approach

FIRM-COV pursues four goals at once — availability (no real device), accuracy (few false positives), stability (detect panic state), efficiency (high coverage + throughput) — via three techniques:

  1. Dictionary generation algorithm (static analysis). Extracts all string constants from the target binary, then keeps only "syntax-tokens" via three steps: reference mining (is the string referenced/used as an argument?), fine-grained instruction check (used as a function argument, e.g., MIPS $a0–$a3?), and library-function analysis (passed to specific uClibc string-handling APIs that often source buffer-overflow / out-of-bounds bugs?). Surviving strings form the AFL dictionary for structured-input generation. Low overhead (small fraction of strings tokenized; avg 37.8 s to build a dictionary).
  1. Optimized process emulation (improves FIRM-AFL's augmented process emulation). Runs the target in user-mode for speed, switching to full-system emulation only for exceptions. Features: (a) capture an "entry state" at the network-receive point via state-of-the-art QEMU/DECAF dynamic introspection, synchronized between full-system and user-mode; (b) user-mode forks copies while full-system uses snapshots for scalability; (c) panic-state elimination via page-fault handling + periodic liveness check and re-synchronization, discarding the offending input; (d) hijack hardware-dependent functions (e.g., NVRAM) with an LD_PRELOAD library returning fake data to keep emulation stable.
  1. Coverage-oriented fuzzing with synergy scheduling. Greybox coverage via AFL bitmap; dictionary-based mutation for structured inputs; "synergy scheduling" = improved seed scheduling (low-frequency power schedule inspired by AFLFast) combined with improved mutation scheduling (PSO-based operator selection inspired by MOpt-AFL, skipping deterministic-stage dictionary mutation for a test case after 5 min with no new path/crash).

Architecture

Two layers: (1) Pre-analysis IoT firmware — set up the emulation environment (Binwalk extraction, busybox arch detection, QEMU image, customized MIPSEL/MIPSEB/ARM kernel + virtual NIC; FIRMADYNE base with QEMU replaced by DECAF) and generate the dictionary (IDA Pro + IDAPython). (2) Emulation-based IoT greybox fuzzing — optimized process emulator (integrated user-mode QEMU + full-system DECAF) plus an AFL-based coverage-oriented fuzzer. Implemented in Python and C.

Evaluation

- Overhead: optimized process emulation adds little overhead vs augmented process emulation (nbench). - Stability: across 150 Linux IoT firmware, all booted normally; NVRAM-at-boot (~30 firmware) handled by the preloaded library; no real devices needed. - Throughput: FIRM-COV highest across all models (discards non-responding inputs). - Path coverage: most unique paths in every model (e.g., ~715% over baseline on one model). - Tuple coverage vs baseline: FIRM-AFLFast +18.5% avg, FIRM-MOptAFL +9.4% avg, FIRM-COV +78.8% avg (max +237.7% on DIR-815). - 1-day vulns: FIRM-COV found all identified 1-days, fastest, with near-zero false positives; baselines missed some and produced false positives (e.g., WR940N). - 0-day vulns: two found and reported — buffer overflow in D-Link DIR-825 (fw 2.02NA–2.10NA, crafted URI in httpd) and buffer overflow in Trendnet TEW-632BRP (fw 1.10B32, crafted URI in httpd).

Contributions

Limitations (as stated)

Relationship to the Korean paper (복합 에뮬레이션 …)

Sources

연결 문서