ES-FUZZ: Improving the Coverage of Firmware Fuzzing with Stateful and Adaptable MMIO Models
- URL: http://arxiv.org/abs/2403.06281v2
- Date: Sat, 14 Sep 2024 03:00:20 GMT
- Title: ES-FUZZ: Improving the Coverage of Firmware Fuzzing with Stateful and Adaptable MMIO Models
- Authors: Wei-Lun Huang, Kang G. Shin
- Abstract summary: We propose ES-Fuzz to enhance the coverage of firmware fuzz-testing.
ES-Fuzz runs concurrently with a given fuzzer and starts a new run whenever the fuzzer's coverage stagnates.
It exploits the highest-coverage test case in each run and generates new stateful MMIO models that boost the fuzzer's coverage at that time.
- License: http://creativecommons.org/licenses/by-nc-sa/4.0/
- Abstract: Grey-box fuzzing is widely used for testing embedded systems (ESes). The fuzzers often test the ES firmware in a fully emulated environment without real peripherals. To achieve decent code coverage, some state-of-the-art (SOTA) fuzzers infer the memory-mapped I/O (MMIO) behavior of peripherals from the firmware binary. We find the thus-generated MMIO models stateless, fixed, and poor at handling ES firmware's MMIO reads for retrieval of a data chunk. This leaves ample room for improving the code coverage. We propose ES-Fuzz to enhance the coverage of firmware fuzz-testing with stateful MMIO models that adapt to the fuzzer's coverage bottleneck. ES-Fuzz runs concurrently with a given fuzzer and starts a new run whenever the fuzzer's coverage stagnates. It exploits the highest-coverage test case in each run and generates new stateful MMIO models that boost the fuzzer's coverage at that time. We have implemented ES-Fuzz upon Fuzzware and evaluated it with 24 popular ES firmware. ES-Fuzz is shown to improve Fuzzware's coverage by up to $47\%$ and find new bugs in these firmware.
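The abstract's contrast between stateless and stateful MMIO models can be illustrated with a small sketch. All class names, register addresses, and values below are hypothetical; they are not taken from ES-Fuzz or Fuzzware:

```python
# Hypothetical sketch: stateless vs. stateful MMIO read models.
# A stateless model returns the same value for every read of a register,
# while a stateful model can replay a sequence, e.g. a status flag
# followed by the bytes of a data chunk that the firmware polls for.

class StatelessMMIO:
    def __init__(self, fixed_values):
        self.fixed_values = fixed_values        # addr -> constant value

    def read(self, addr):
        return self.fixed_values.get(addr, 0)

class StatefulMMIO:
    def __init__(self, value_sequences):
        self.sequences = value_sequences        # addr -> list of values to replay
        self.cursor = {}                        # addr -> index of next value

    def read(self, addr):
        seq = self.sequences.get(addr)
        if not seq:
            return 0
        i = self.cursor.get(addr, 0)
        self.cursor[addr] = min(i + 1, len(seq) - 1)  # hold the last value
        return seq[i]

# Example: a device that first reports "not ready", then "ready",
# then serves a multi-byte data chunk from a data register.
STATUS, DATA = 0x4000_0000, 0x4000_0004
model = StatefulMMIO({STATUS: [0x0, 0x1], DATA: [0xDE, 0xAD, 0xBE, 0xEF]})
reads = [model.read(STATUS), model.read(STATUS), model.read(DATA), model.read(DATA)]
```

A stateless model would return the same constant for every read of `STATUS`, so firmware that polls a ready flag before reading a data chunk would either spin forever or skip the chunk; the stateful replay above is the kind of behavior the abstract says the fixed models miss.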
Related papers
- DyMA-Fuzz: Dynamic Direct Memory Access Abstraction for Re-hosted Monolithic Firmware Fuzzing [10.760871707398218]
We introduce DyMA-Fuzz to extend recent advances in stream-based fuzz input injection to DMA-driven interfaces in re-hosted environments.
It tackles key challenges (vendor-specific descriptors, heterogeneous DMA designs, and varying descriptor locations) using runtime analysis techniques.
DyMA-Fuzz reveals vulnerabilities and execution paths missed by state-of-the-art tools and achieves up to 122% higher code coverage.
arXiv Detail & Related papers (2026-02-09T14:52:57Z) - SysFuSS: System-Level Firmware Fuzzing with Selective Symbolic Execution [4.92575823723555]
Existing fuzzers focus on user-level fuzzing, which is not suitable for detecting kernel-level vulnerabilities.
We present an efficient firmware verification framework, SysFuSS, that integrates system-level fuzzing with selective symbolic execution.
SysFuSS significantly outperforms state-of-the-art fuzzers in terms of both branch coverage and detection of firmware vulnerabilities.
arXiv Detail & Related papers (2026-02-02T15:52:20Z) - SonicMoE: Accelerating MoE with IO and Tile-aware Optimizations [54.303301888915406]
Mixture of Experts (MoE) models have emerged as the de facto architecture for scaling up language models without significantly increasing the computational cost.
We propose a memory-efficient algorithm to compute the forward and backward passes of MoEs with minimal activation caching.
We also propose a novel "token rounding" method that minimizes the wasted compute due to padding in Grouped GEMM kernels.
arXiv Detail & Related papers (2025-12-16T04:39:10Z) - From Score Distributions to Balance: Plug-and-Play Mixture-of-Experts Routing [52.01745035243826]
Mixture-of-Experts (MoE) models can scale parameter capacity by routing each token to a subset of experts.
Conditional routing shifts the burden onto inference memory, limiting the number of experts per device.
We present LASER, a plug-and-play, inference-time routing algorithm that balances load while preserving accuracy.
arXiv Detail & Related papers (2025-09-29T16:29:17Z) - FuzzBox: Blending Fuzzing into Emulation for Binary-Only Embedded Targets [2.5193108033256117]
Coverage-guided fuzzing has been widely applied to address zero-day vulnerabilities in general-purpose software and operating systems.
Applying it to industrial systems remains challenging due to proprietary, closed-source compiler toolchains and the lack of access to source code.
FuzzBox addresses these limitations by integrating emulation with fuzzing.
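The coverage-guided loop that FuzzBox blends into emulation can be reduced to a toy sketch: run each input through the emulator, keep any input that reaches coverage not seen before. The `emulate` stub and all names below are hypothetical stand-ins, not FuzzBox code:

```python
# Toy coverage-guided fuzzing loop (illustrative only, not FuzzBox's code).
import random

def emulate(data: bytes) -> set:
    """Stand-in for an emulator run: derive fake 'coverage' from the bytes.
    A real harness would execute the binary under emulation and collect
    the set of basic blocks or edges actually hit."""
    cov = {b % 16 for b in data}
    if data.startswith(b"MZ"):
        cov.add("header_path")
    return cov

def fuzz(seed: bytes, iterations=200, rng=None):
    """Mutate corpus members one byte at a time; keep coverage-increasing inputs."""
    rng = rng or random.Random(42)
    corpus, seen = [seed], emulate(seed)
    for _ in range(iterations):
        parent = rng.choice(corpus)
        child = bytearray(parent)
        child[rng.randrange(len(child))] = rng.randrange(256)
        cov = emulate(bytes(child))
        if not cov <= seen:            # reached something new: keep the input
            seen |= cov
            corpus.append(bytes(child))
    return corpus, seen

corpus, coverage = fuzz(b"AAAA")
```

The point of the sketch is the feedback edge: the only signal driving input selection is whether emulated execution covered new code, which is exactly what makes the approach applicable to closed-source, binary-only targets.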
arXiv Detail & Related papers (2025-09-06T08:31:36Z) - Sparse-dLLM: Accelerating Diffusion LLMs with Dynamic Cache Eviction [72.27673320976933]
Diffusion Large Language Models (dLLMs) enable breakthroughs in reasoning and parallel decoding.
Current caching techniques accelerate decoding by storing full-layer states, yet impose substantial memory usage.
We propose Sparse-dLLM, the first training-free framework integrating dynamic cache eviction with sparse attention.
arXiv Detail & Related papers (2025-08-04T16:14:03Z) - Testing SSD Firmware with State Data-Aware Fuzzing: Accelerating Coverage in Nondeterministic I/O Environments [3.9364231301962684]
Solid-State Drive (SSD) firmware manages complex internal states, including flash memory maintenance.
Traditional testing methods struggle to rapidly achieve coverage of firmware code areas that require extensive I/O accumulation.
We propose a state-data-aware fuzzing approach that leverages the SSD firmware's internal state to guide input generation under nondeterministic I/O conditions.
arXiv Detail & Related papers (2025-05-05T22:52:21Z) - MICE for CATs: Model-Internal Confidence Estimation for Calibrating Agents with Tools [54.63478102768333]
Well-calibrated model confidences can be used to weigh the risk versus reward of potential actions.
We propose a novel class of model-internal confidence estimators (MICE) to better assess confidence when calling tools.
arXiv Detail & Related papers (2025-04-28T18:06:38Z) - FuzzSense: Towards A Modular Fuzzing Framework for Autonomous Driving Software [1.3359321655273804]
This research proposes FuzzSense, a modular, black-box, mutation-based fuzzing framework that is architected to ensemble diverse AD fuzzing tools.
To validate the utility of FuzzSense, a LiDAR sensor fuzzer was developed as a plug-in and deployed on the new AD simulation platform AWSIM and the Autoware.Universe AD software platform.
arXiv Detail & Related papers (2025-04-14T21:17:46Z) - Noisy Test-Time Adaptation in Vision-Language Models [73.14136220844156]
Test-time adaptation (TTA) aims to address distribution shifts between source and target data by relying solely on target data during testing.
This paper introduces Zero-Shot Noisy TTA (ZS-NTTA), focusing on adapting the model to target data with noisy samples during test-time in a zero-shot manner.
We introduce the Adaptive Noise Detector (AdaND), which utilizes the frozen model's outputs as pseudo-labels to train a noise detector.
arXiv Detail & Related papers (2025-02-20T14:37:53Z) - Your Fix Is My Exploit: Enabling Comprehensive DL Library API Fuzzing with Large Language Models [49.214291813478695]
Deep learning (DL) libraries, widely used in AI applications, often contain vulnerabilities like buffer overflows and use-after-free errors.
Traditional fuzzing struggles with the complexity and API diversity of DL libraries.
We propose DFUZZ, an LLM-driven fuzzing approach for DL libraries.
arXiv Detail & Related papers (2025-01-08T07:07:22Z) - EmbedFuzz: High Speed Fuzzing Through Transplantation [21.875588930207943]
This paper introduces EmbedFuzz, an efficient fuzzing framework for embedded firmware on low-end Microcontroller Units (MCUs).
Our novel firmware transplantation technique converts binary MCU firmware to a functionally equivalent and fuzzing-enhanced version of the firmware which executes on a compatible high-end device at native performance.
In our evaluation against state-of-the-art MCU fuzzers, EmbedFuzz exhibits up to eight-fold higher fuzzing throughput while consuming at most a fourth of the energy, thanks to its native execution.
arXiv Detail & Related papers (2024-12-17T10:09:55Z) - FuzzWiz -- Fuzzing Framework for Efficient Hardware Coverage [2.1626093085892144]
We create an automated hardware fuzzing framework called FuzzWiz.
It parses the RTL design module, converts it into C/C++ models, creates a generic testbench with assertions, links, and fuzzes.
Our benchmarking results show that we could achieve around 90% of the coverage 10 times faster than the traditional simulation-regression-based approach.
arXiv Detail & Related papers (2024-10-23T10:06:08Z) - G-Fuzz: A Directed Fuzzing Framework for gVisor [48.85077340822625]
G-Fuzz is a directed fuzzing framework for gVisor.
G-Fuzz has been deployed in industry and has detected multiple serious vulnerabilities.
arXiv Detail & Related papers (2024-09-20T01:00:22Z) - $\mathbb{USCD}$: Improving Code Generation of LLMs by Uncertainty-Aware Selective Contrastive Decoding [64.00025564372095]
Large language models (LLMs) have shown remarkable capabilities in code generation.
The effects of hallucinations (e.g., output noise) make it challenging for LLMs to generate high-quality code in one pass.
We propose a simple and effective uncertainty-aware selective contrastive decoding (USCD) method.
arXiv Detail & Related papers (2024-09-09T02:07:41Z) - Comment on Revisiting Neural Program Smoothing for Fuzzing [34.32355705821806]
MLFuzz, a work accepted at ACM FSE 2023, revisits the performance of a machine learning-based fuzzer, NEUZZ.
We demonstrate that its main conclusion is entirely wrong due to several fatal bugs in the implementation and wrong evaluation setups.
arXiv Detail & Related papers (2024-09-06T16:07:22Z) - FuzzCoder: Byte-level Fuzzing Test via Large Language Model [46.18191648883695]
We propose to adopt fine-tuned large language models (FuzzCoder) to learn patterns in the input files from successful attacks.
FuzzCoder can predict mutation locations and strategies in input files to trigger abnormal behaviors of the program.
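A minimal sketch of byte-level mutation driven by predicted (offset, strategy) pairs, in the spirit of FuzzCoder. The strategy names and mutation operators here are illustrative assumptions, not the paper's actual output format:

```python
# Illustrative byte-level mutation from (offset, strategy) predictions.
# The strategy vocabulary below is hypothetical; a model like FuzzCoder
# would supply the (offset, strategy) plan instead of a human.
import random

def mutate(data: bytes, plan, rng=None) -> bytes:
    """Apply a list of (offset, strategy) mutations to the input bytes."""
    rng = rng or random.Random(0)
    out = bytearray(data)
    for offset, strategy in plan:
        if offset >= len(out):
            continue                     # skip out-of-range predictions
        if strategy == "bitflip":
            out[offset] ^= 1 << rng.randrange(8)
        elif strategy == "arith":
            out[offset] = (out[offset] + rng.randrange(-8, 9)) & 0xFF
        elif strategy == "interesting":
            out[offset] = rng.choice([0x00, 0x7F, 0x80, 0xFF])
    return bytes(out)

seed = b"PNG\x0d\x0a"
mutated = mutate(seed, [(0, "bitflip"), (3, "interesting")])
```

Compared with blind random mutation, restricting changes to model-predicted offsets keeps most of the file's structure intact, which is what lets mutated inputs get past parsers and reach deeper program states.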
arXiv Detail & Related papers (2024-09-03T14:40:31Z) - AIM: Automatic Interrupt Modeling for Dynamic Firmware Analysis [14.623460803437057]
We present AIM, a generic, scalable, and hardware-independent dynamic firmware analysis framework.
AIM covers interrupt-dependent code in firmware by a novel, firmware-guided, Just-in-Time Interrupt Firing technique.
Our framework covered up to 11.2 times more interrupt-dependent code than state-of-the-art approaches.
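The just-in-time interrupt-firing idea can be sketched as firing a pending interrupt right before the firmware's read of a watched register is served, so the read observes the handler's side effects. All class and register names below are hypothetical, not AIM's implementation:

```python
# Illustrative sketch of firmware-guided, just-in-time interrupt firing:
# instead of firing interrupts on a fixed timer, fire the associated
# interrupt handler when the emulated firmware reads a register that
# the handler would update. Names are hypothetical, not AIM's code.

class JITInterruptController:
    def __init__(self):
        self.handlers = {}     # watched addr -> interrupt handler callback
        self.fired = []        # log of addresses that triggered a firing

    def watch(self, addr, handler):
        self.handlers[addr] = handler

    def on_mmio_read(self, addr, memory):
        # Fire the interrupt just before serving the read, so the
        # firmware sees the state the handler produced.
        handler = self.handlers.get(addr)
        if handler:
            handler(memory)
            self.fired.append(addr)
        return memory.get(addr, 0)

# Example: a UART status register whose handler sets an RX-ready flag.
mem = {}
ctrl = JITInterruptController()
UART_RXNE = 0x4001_3800
ctrl.watch(UART_RXNE, lambda m: m.__setitem__(UART_RXNE, 1))
value = ctrl.on_mmio_read(UART_RXNE, mem)
```

With timer-driven firing, the firmware's poll of `UART_RXNE` could race the handler and spin on a zero flag forever; coupling firing to the read guarantees the interrupt-dependent path is reachable, which is the kind of coverage gain the summary describes.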
arXiv Detail & Related papers (2023-12-02T18:06:22Z) - Boot and Switch: Alternating Distillation for Zero-Shot Dense Retrieval [50.47192086219752]
ABEL is a simple but effective unsupervised method to enhance passage retrieval in zero-shot settings.
By either fine-tuning ABEL on labelled data or integrating it with existing supervised dense retrievers, we achieve state-of-the-art results.
arXiv Detail & Related papers (2023-11-27T06:22:57Z) - Revisiting Neural Program Smoothing for Fuzzing [8.861172379630899]
This paper presents the most extensive evaluation of NPS fuzzers against standard gray-box fuzzers.
We implement Neuzz++, which shows that addressing the practical limitations of NPS fuzzers improves performance.
We present MLFuzz, a platform with GPU access for easy and reproducible evaluation of ML-based fuzzers.
arXiv Detail & Related papers (2023-09-28T17:17:11Z) - Fuzzing with Quantitative and Adaptive Hot-Bytes Identification [6.442499249981947]
American fuzzy lop, a leading fuzzing tool, has demonstrated its powerful bug finding ability through a vast number of reported CVEs.
We propose an approach designed based on the following principles.
Our evaluation results on 10 real-world programs and the LAVA-M dataset show that it achieves sustained increases in branch coverage and discovers more bugs than other fuzzers.
arXiv Detail & Related papers (2023-07-05T13:41:35Z) - Recurrent Dynamic Embedding for Video Object Segmentation [54.52527157232795]
We propose a Recurrent Dynamic Embedding (RDE) to build a memory bank of constant size.
We propose an unbiased guidance loss during the training stage, which makes SAM more robust in long videos.
We also design a novel self-correction strategy so that the network can repair the embeddings of masks with different qualities in the memory bank.
arXiv Detail & Related papers (2022-05-08T02:24:43Z) - Virtual Data Augmentation: A Robust and General Framework for Fine-tuning Pre-trained Models [51.46732511844122]
Powerful pre-trained language models (PLM) can be fooled by small perturbations or intentional attacks.
We present Virtual Data Augmentation (VDA), a general framework for robustly fine-tuning PLMs.
Our approach is able to improve the robustness of PLMs and alleviate the performance degradation under adversarial attacks.
arXiv Detail & Related papers (2021-09-13T09:15:28Z) - Gaussian MRF Covariance Modeling for Efficient Black-Box Adversarial Attacks [86.88061841975482]
We study the problem of generating adversarial examples in a black-box setting, where we only have access to a zeroth order oracle.
We use this setting to find fast one-step adversarial attacks, akin to a black-box version of the Fast Gradient Sign Method (FGSM).
We show that the method uses fewer queries and achieves higher attack success rates than the current state of the art.
arXiv Detail & Related papers (2020-10-08T18:36:51Z)
This list is automatically generated from the titles and abstracts of the papers in this site.
This site does not guarantee the quality of its content (including all information) and is not responsible for any consequences.