The ability to test firmware on embedded devices is critical to discovering vulnerabilities before adversaries exploit them. State-of-the-art automated testing methods rehost firmware in emulators and attempt to supply inputs through a diversity of mechanisms (interrupt driven, status polling) and for a plethora of devices (such as modems and GPS units). Despite recent progress on peripheral input generation in rehosting, a firmware's expectation of multi-byte magic values, supplied through peripheral inputs and consumed by string operations, still poses a significant roadblock. We solve the impediment posed by multi-byte magic strings in monolithic firmware. We propose feedback mechanisms for input-to-state mapping and for retaining seeds for targeted replacement mutations, together with an efficient method for solving multi-byte comparisons. The feedback allows an efficient search over a combinatorial solution space. We evaluate our prototype implementation, SplITS, with a diverse set of 21 real-world monolithic firmware binaries used in prior work, and 3 new binaries from popular open source projects. SplITS automatically solves 497% more multi-byte magic strings guarding further execution than the state of the art, uncovering new code and bugs. In 11 of the 12 real-world firmware binaries with string comparisons, including those extensively analyzed by prior work, SplITS outperformed the state of the art with statistical significance. We observed up to a 161% increase in blocks covered and discovered 6 new bugs that remained guarded by string comparisons. Significantly, deep and difficult-to-reproduce bugs guarded by comparisons, identified in prior work, were found consistently. To facilitate future research in the field, we release SplITS, the new firmware data sets, and the bug analysis at https://github.com/SplITS-Fuzzer
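As an added illustration of the replacement-mutation idea described in the abstract (example code written here, not part of the paper or the SplITS implementation): a constructed toy "firmware" consumes a peripheral byte stream and reports both its coverage and the string comparisons it performed, with each compared constant mapped back to the input offset it was read from; a mutator then splices those constants over the seed instead of hoping random byte mutation lands all bytes of the magic string at once. The firmware reporting the offset directly is an assumption standing in for the paper's input-to-state feedback; the header bytes, magic command and "bug" are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class CmpRecord:
    offset: int      # input position the compared bytes were read from
    expected: bytes  # constant operand of the comparison (the magic string)

@dataclass
class Trace:
    blocks: set = field(default_factory=set)   # basic blocks reached
    cmps: list = field(default_factory=list)   # comparisons observed

MAGIC_CMD = b"SET_BAUD"  # constructed 8-byte magic string

def toy_firmware(stream: bytes) -> Trace:
    """Stand-in for a rehosted firmware: consumes peripheral bytes, reports
    coverage plus each string comparison with its input offset (assumed
    input-to-state feedback)."""
    t = Trace()
    t.blocks.add("entry")
    if len(stream) < 2 or stream[:2] != b"\xAA\x55":   # constructed header
        return t
    t.blocks.add("hdr_ok")
    token = stream[2:2 + len(MAGIC_CMD)]
    t.cmps.append(CmpRecord(offset=2, expected=MAGIC_CMD))
    if token != MAGIC_CMD:
        return t                      # random mutation must hit all 8 bytes
    t.blocks.add("cmd_matched")
    if stream[10:11] == b"\x00":      # constructed bug reachable only past the magic
        t.blocks.add("divide_by_zero")
    return t

def replacement_mutations(seed: bytes, trace: Trace):
    """Yield one candidate per observed comparison: the constant operand
    spliced over the input bytes it was derived from."""
    for rec in trace.cmps:
        end = rec.offset + len(rec.expected)
        yield seed[:rec.offset] + rec.expected + seed[end:]

def solve_once(seed: bytes, fw=toy_firmware):
    """Run the seed, try targeted replacements, and retain the first candidate
    that reaches new blocks; otherwise keep the original seed."""
    base = fw(seed)
    for cand in replacement_mutations(seed, base):
        t = fw(cand)
        if t.blocks - base.blocks:    # new coverage: keep this seed
            return cand, t
    return seed, base

if __name__ == "__main__":
    cand, trace = solve_once(b"\xAA\x55" + b"X" * 10)
    print(cand, sorted(trace.blocks))
```

A single targeted replacement reaches `cmd_matched`, which a byte-level random mutator would need to hit across all 8 magic bytes simultaneously (a 256^8 search space).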