The rise of smart devices in critical domains--including automotive, medical, and industrial--demands robust firmware testing. Fuzzing firmware in re-hosted environments is a promising method for automated testing at scale, but remains difficult due to the tight coupling of code with a microcontroller's peripherals. Existing fuzzing frameworks primarily address the challenge of providing inputs for Memory-Mapped I/O or interrupts, but largely overlook Direct Memory Access (DMA), a key high-throughput interface that bypasses the CPU. We introduce DyMA-Fuzz to extend recent advances in stream-based fuzz input injection to DMA-driven interfaces in re-hosted environments. It tackles key challenges--vendor-specific descriptors, heterogeneous DMA designs, and varying descriptor locations--using runtime analysis techniques to infer DMA memory access patterns and automatically inject fuzzing data into target buffers, without manual configuration or datasheets. Evaluated on 94 firmware samples and 8 DMA-guarded CVE benchmarks, DyMA-Fuzz reveals vulnerabilities and execution paths missed by state-of-the-art tools and achieves up to 122% higher code coverage. These results highlight DyMA-Fuzz as a practical and effective advancement in automated firmware testing and a scalable solution for fuzzing complex embedded systems.
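The abstract's central point is that DMA-delivered data never passes through an MMIO read that a fuzzing harness could hook: the peripheral writes straight into a RAM buffer named by a descriptor, and the firmware then parses that buffer. The following is an added toy model, not DyMA-Fuzz's code or any real MCU's DMA engine; the memory map, the two-word descriptor layout, the register addresses and the "[length][payload]" frame format are all constructed assumptions. It shows a re-hosted machine in which the harness follows the descriptor pointer from a DMA register into RAM to locate the target buffer and feeds the fuzz stream there, and a deliberately buggy toy parser whose length check a fuzzer would surface.

```python
import struct
from dataclasses import dataclass, field

# Hypothetical memory map for the toy machine (constructed; not a real MCU).
RAM_BASE, RAM_SIZE = 0x2000_0000, 0x1000
DMA_REG_DESC = 0x4002_0000   # register holding a pointer to a descriptor in RAM
DMA_REG_CTRL = 0x4002_0004   # writing 1 starts the transfer
DESC_FMT = "<II"             # assumed descriptor layout: destination address, byte count


@dataclass
class Machine:
    """Minimal re-hosted machine: RAM, a DMA register block, and a fuzz input stream."""
    ram: bytearray = field(default_factory=lambda: bytearray(RAM_SIZE))
    regs: dict = field(default_factory=dict)
    fuzz_stream: bytes = b""
    injected: list = field(default_factory=list)   # (dst, length) per DMA transfer

    def _off(self, addr, length=4):
        # Map a guest address to a RAM offset, refusing anything outside RAM.
        if not (RAM_BASE <= addr and addr + length <= RAM_BASE + RAM_SIZE):
            raise MemoryError(f"out-of-RAM access at {addr:#x}")
        return addr - RAM_BASE

    def write32(self, addr, value):
        value &= 0xFFFFFFFF
        if addr in (DMA_REG_DESC, DMA_REG_CTRL):
            # Peripheral register write: record it, and start a transfer on CTRL=1.
            self.regs[addr] = value
            if addr == DMA_REG_CTRL and value & 1:
                self._dma_transfer()
        else:
            struct.pack_into("<I", self.ram, self._off(addr), value)

    def read_bytes(self, addr, length):
        off = self._off(addr, length)
        return bytes(self.ram[off:off + length])

    def _dma_transfer(self):
        # Harness side: follow the register -> descriptor -> buffer chain, then
        # consume the next `length` bytes of the fuzz stream into that buffer.
        # No CPU read of a peripheral register is involved, which is why an
        # MMIO-only injection scheme never sees this data.
        desc_ptr = self.regs.get(DMA_REG_DESC, 0)
        dst, length = struct.unpack(DESC_FMT, self.read_bytes(desc_ptr, 8))
        off = self._off(dst, length)
        chunk = self.fuzz_stream[:length].ljust(length, b"\0")  # pad when exhausted
        self.fuzz_stream = self.fuzz_stream[length:]
        self.ram[off:off + length] = chunk
        self.injected.append((dst, length))


# Toy firmware under test (constructed). Addresses and sizes are assumptions.
RX_BUF, RX_LEN = RAM_BASE + 0x100, 64
DESC_ADDR = RAM_BASE + 0x800
LOCAL_BUF = 16   # size of the parser's fixed local buffer


def firmware_receive(m: Machine):
    """Program a DMA receive into RX_BUF, then parse a [len][payload] frame."""
    m.write32(DESC_ADDR, RX_BUF)        # descriptor word 0: destination
    m.write32(DESC_ADDR + 4, RX_LEN)    # descriptor word 1: byte count
    m.write32(DMA_REG_DESC, DESC_ADDR)  # tell the controller where the descriptor is
    m.write32(DMA_REG_CTRL, 1)          # start; data lands in RX_BUF via DMA
    frame = m.read_bytes(RX_BUF, RX_LEN)
    payload_len = frame[0]
    if payload_len > LOCAL_BUF:
        # A real firmware would copy past its local buffer here; the model
        # reports the condition instead of corrupting memory.
        return "overflow"
    return frame[1:1 + payload_len].decode("latin-1")


def fuzz_once(stream: bytes):
    """Run one input through the re-hosted firmware; return (result, DMA log)."""
    m = Machine(fuzz_stream=stream)
    return firmware_receive(m), m.injected


if __name__ == "__main__":
    print(fuzz_once(b"\x05hello"))           # benign frame
    print(fuzz_once(b"\x20" + b"A" * 40))    # length byte exceeds LOCAL_BUF
```

The design choice worth noting is that the harness never consults a datasheet: it treats a register write whose value points into RAM as a candidate descriptor, decodes the buffer address and length from there, and injects at that location. The real tool's descriptor inference is more general than this two-word layout; the toy only makes the data path concrete.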