In recent years, fuzzing has been widely applied not only to application software but also to system software, including the Linux kernel and firmware, and has become a powerful technique for vulnerability discovery. Among these approaches, coverage-based grey-box fuzzing, which uses runtime code coverage information as feedback, has become the dominant methodology. Conventional fuzzing techniques primarily target a single software component and have paid little attention to cooperative execution with other software. However, modern system software architectures commonly consist of firmware and an operating system that operate cooperatively through well-defined interfaces, such as OpenSBI in the RISC-V architecture and OP-TEE in the ARM architecture. In this study, we investigate fuzzing techniques for architectures in which an operating system and firmware operate cooperatively. In particular, we propose a fuzzing method that enables deeper exploration of the system than conventional single-target fuzzing by leveraging the code coverage of each cooperating software component as feedback. To observe the execution of the operating system and firmware in a unified manner, our method adopts QEMU as the virtualization environment and performs fuzzing by booting the system within a virtual machine. This enables the measurement of code coverage across software boundaries. Furthermore, we implemented the proposed method as a Multi-target Coverage-based Greybox Fuzzer called MTCFuzz and evaluated its effectiveness.
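As an added illustration of the feedback rule described above (not MTCFuzz's own code): a toy OS/firmware pair stands in for the QEMU guest, coverage is tracked as one edge map per target, and an input is kept only if it reaches an edge unseen in some observed target. The single-target fuzzer, which observes only the OS map, discards inputs whose only new behaviour is inside firmware, while the multi-target fuzzer keeps them. All edge identifiers and inputs are constructed.

```python
def run_system(data: bytes) -> dict:
    """Toy stand-in for one guest execution (constructed, not the paper's code):
    the OS parses a request and, for one command, calls into firmware (SBI-like)."""
    cov = {"os": {"entry"}, "fw": set()}   # edge ids per target, constructed
    if not data:
        cov["os"].add("empty")
        return cov
    cmd, arg = data[0], data[1:]
    if cmd == 0x01:                  # handled entirely inside the OS
        cov["os"].add("cmd1")
    elif cmd == 0x02:                # crosses the OS/firmware boundary
        cov["os"].add("cmd2")
        cov["fw"].add("sbi_entry")
        if len(arg) >= 4:            # branches only the firmware takes
            cov["fw"].add("sbi_long")
        if arg[:1] == b"\xff":
            cov["fw"].add("sbi_ff")
    else:
        cov["os"].add("unknown")
    return cov


class Fuzzer:
    """Global coverage map per observed target; an input joins the corpus when it
    hits an edge unseen in ANY observed target (single-target observes only 'os')."""
    def __init__(self, targets):
        self.seen = {t: set() for t in targets}
        self.corpus = []

    def is_interesting(self, cov):
        new = False
        for t, seen in self.seen.items():
            fresh = cov.get(t, set()) - seen
            if fresh:
                seen |= fresh        # in-place update of the global map
                new = True
        return new

    def feed(self, data):
        if self.is_interesting(run_system(data)):
            self.corpus.append(data)
            return True
        return False


def compare():
    """Feed the same inputs to both strategies; returns which inputs each kept."""
    single, multi = Fuzzer(["os"]), Fuzzer(["os", "fw"])
    inputs = [b"\x02\x00", b"\x02\x00\x00\x00\x00", b"\x02\xff", b"\x01"]
    return [single.feed(i) for i in inputs], [multi.feed(i) for i in inputs]
```

The second and third inputs exercise new firmware edges only, so the OS-only fuzzer throws them away and never explores deeper into the firmware, which is exactly the gap the multi-target feedback closes.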