Firmware serves as the critical interface between hardware and software in computing systems, making any bugs or vulnerabilities particularly dangerous as they can cause catastrophic system failures. While fuzzing is a promising approach for identifying design flaws and security vulnerabilities, traditional fuzzers are ineffective at detecting firmware vulnerabilities. For example, existing fuzzers focus on user-level fuzzing, which is not suitable for detecting kernel-level vulnerabilities. Existing fuzzers also face a coverage plateau problem when dealing with complex interactions between firmware and hardware. In this paper, we present an efficient firmware verification framework, SysFuSS, that integrates system-level fuzzing with selective symbolic execution. Our approach leverages system-level emulation for initial fuzzing, and automatically transitions to symbolic execution when coverage reaches a plateau. This strategy enables us to generate targeted test cases that can trigger previously unexplored regions in firmware designs. We have evaluated SysFuSS on real-world embedded firmware, including OpenSSL, WolfBoot, WolfMQTT, HTSlib, MXML, and libIEC. Experimental evaluation demonstrates that SysFuSS significantly outperforms state-of-the-art fuzzers in terms of both branch coverage and detection of firmware vulnerabilities. Specifically, SysFuSS can detect 118 known vulnerabilities while state-of-the-art can cover only 13 of them. Moreover, SysFuSS takes significantly less time (up to 3.3X, 1.7X on average) to activate these vulnerabilities.

翻译：固件作为计算系统中硬件与软件之间的关键接口，其存在的任何缺陷或漏洞都尤为危险，可能导致灾难性的系统故障。虽然模糊测试是识别设计缺陷和安全漏洞的一种有效方法，但传统模糊测试工具在检测固件漏洞方面效果不佳。例如，现有模糊测试工具主要关注用户级模糊测试，不适用于检测内核级漏洞。此外，在处理固件与硬件之间复杂交互时，现有模糊测试工具还面临覆盖率停滞问题。本文提出一种高效的固件验证框架SysFuSS，它将系统级模糊测试与选择性符号执行相结合。我们的方法利用系统级仿真进行初始模糊测试，并在覆盖率进入平台期时自动切换至符号执行。这一策略使我们能够生成有针对性的测试用例，从而触发固件设计中先前未被探索的区域。我们在真实嵌入式固件（包括OpenSSL、WolfBoot、WolfMQTT、HTSlib、MXML和libIEC）上对SysFuSS进行了评估。实验结果表明，SysFuSS在分支覆盖率和固件漏洞检测方面均显著优于现有最先进的模糊测试工具。具体而言，SysFuSS能够检测118个已知漏洞，而现有最优工具仅能覆盖其中的13个。此外，SysFuSS激活这些漏洞所需的时间显著更短（最多快3.3倍，平均快1.7倍）。