The security of microcontrollers, which drive modern IoT and embedded devices, continues to raise major concerns. Within a microcontroller (MCU), the firmware is a monolithic piece of software that contains the whole software stack, whereas a variety of peripherals represent the hardware. Because MCU firmware contains vulnerabilities, it is ideal to test firmware with off-the-shelf software testing techniques, such as dynamic symbolic execution and fuzzing. However, no existing emulator can emulate the diverse MCU peripherals or execute/test the firmware. Specifically, the interrupt interface, among all I/O interfaces used by MCU peripherals, is extremely challenging to emulate. In this paper, we present AIM -- a generic, scalable, and hardware-independent dynamic firmware analysis framework that supports unemulated MCU peripherals through a novel interrupt modeling mechanism. AIM effectively and efficiently covers interrupt-dependent code in firmware by a novel, firmware-guided, Just-in-Time Interrupt Firing technique. We implemented our framework in angr and performed dynamic symbolic execution on eight real-world MCU firmware images. According to the testing results, our framework covered up to 11.2 times more interrupt-dependent code than state-of-the-art approaches while accomplishing several challenging goals that were not previously feasible. Finally, a comparison with a state-of-the-art firmware fuzzer demonstrates that dynamic symbolic execution and fuzzing together can achieve better firmware testing coverage.