Emulation-based fuzzers enable testing binaries without source code, and facilitate testing embedded applications where automated execution on the target hardware architecture is difficult and slow. The instrumentation techniques added to extract feedback and guide input mutations towards generating effective test cases are at the core of modern fuzzers. But modern emulation-based fuzzers have evolved by re-purposing general-purpose emulators; consequently, developing and integrating fuzzing techniques, such as instrumentation methods, is difficult and often done in an ad-hoc manner, specific to one instruction set architecture (ISA). This limits state-of-the-art fuzzing techniques to a few ISAs such as x86/x86-64 or ARM/AArch64; a significant problem for firmware fuzzing of diverse ISAs. This study presents our efforts to re-think emulation for fuzzing. We design and implement a fuzzing-specific, multi-architecture emulation framework -- Icicle. We demonstrate the capability to add instrumentation once, in an architecture-agnostic manner, with low execution overhead. We employ Icicle as the emulator for a state-of-the-art ARM firmware fuzzer -- Fuzzware -- and replicate its results. Significantly, we demonstrate that the availability of new instrumentation in Icicle enabled the discovery of new bugs. We demonstrate the fidelity of Icicle and the efficacy of architecture-agnostic instrumentation by discovering LAVA-M benchmark bugs, which require a known and specific operational capability of instrumentation techniques, across a diverse set of instruction set architectures (x86-64, ARM/AArch64, RISC-V, MIPS). Further, to demonstrate the effectiveness of Icicle in discovering bugs in an architecture currently unsupported by emulation-based fuzzers, we perform a fuzzing campaign on real-world MSP430 firmware binaries and discover 7 new bugs.
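The abstract's central design point is that ISA-specific decoding is separated from instrumentation, which is written once against a shared intermediate representation. The following Python block is an added illustration of that split and is not Icicle's code: two constructed toy "ISAs" (`alpha`, little-endian immediates; `beta`, big-endian immediates) lift the same guard, `if (*(uint32_t *)input == MAGIC) bug();`, into one hypothetical IR, and a single compare-splitting pass plus a single edge-coverage hook operate on that IR. The compare-splitting pass stands in for the byte-granular comparison feedback that LAVA-M's magic-value bugs are known to need; the op names, the `MAGIC` constant and the fuzzing loop are all assumptions made for the example, and the fuzzer is a minimal coverage-guided loop, not the paper's harness.

```python
"""Added example (not Icicle's code): instrument once on a shared IR, lift per ISA."""
import random
import struct

MAGIC = 0x4C415641  # constructed 32-bit magic guarding the "bug" path


# ---- ISA-specific front-ends: the only per-architecture code -----------------
def guard_ir(imm: int) -> list:
    """Shared, hypothetical IR for the guard. Ops: load32, eq32, eqb, mov, br, jmp, label, ret."""
    return [("load32", "r0"), ("eq32", "r1", "r0", imm),
            ("br", "r1", "bug", "ok"),
            ("label", "ok"), ("ret", 0),
            ("label", "bug"), ("ret", 1)]


def lift_alpha(code: bytes) -> list:
    """Toy ISA 'alpha' (constructed): opcode 0x01 then a little-endian 32-bit immediate."""
    assert code[0] == 0x01
    return guard_ir(struct.unpack_from("<I", code, 1)[0])


def lift_beta(code: bytes) -> list:
    """Toy ISA 'beta' (constructed): opcode 0xB0 then a big-endian 32-bit immediate."""
    assert code[0] == 0xB0
    return guard_ir(struct.unpack_from(">I", code, 1)[0])


# ---- Architecture-agnostic instrumentation pass, written once on the IR ------
def split_compares(ir: list) -> list:
    """Rewrite each 32-bit equality into four byte compares, each with its own branch,
    so edge coverage rewards matching the magic one byte at a time."""
    out, n = [], 0
    for op in ir:
        if op[0] != "eq32":
            out.append(op)
            continue
        _, dst, src, imm = op
        n += 1
        ok, fail, end = f"cmp{n}_ok", f"cmp{n}_fail", f"cmp{n}_end"
        for i in range(4):
            nxt = f"cmp{n}_b{i + 1}" if i < 3 else ok
            out += [("eqb", "t", src, i, (imm >> (8 * i)) & 0xFF),
                    ("br", "t", nxt, fail), ("label", nxt)]
        out += [("mov", dst, 1), ("jmp", end),
                ("label", fail), ("mov", dst, 0), ("label", end)]
    return out


# ---- IR interpreter with an ISA-agnostic edge-coverage hook -------------------
def run(ir: list, data: bytes, edges: set) -> int:
    labels = {op[1]: i for i, op in enumerate(ir) if op[0] == "label"}
    word = struct.unpack_from("<I", data.ljust(4, b"\0"))[0]  # fuzz input as target memory
    regs, pc, cur = {}, 0, "entry"
    while True:
        op = ir[pc]
        pc += 1
        k = op[0]
        if k == "load32":
            regs[op[1]] = word
        elif k == "eq32":
            regs[op[1]] = int(regs[op[2]] == op[3])
        elif k == "eqb":
            regs[op[1]] = int(((regs[op[2]] >> (8 * op[3])) & 0xFF) == op[4])
        elif k == "mov":
            regs[op[1]] = op[2]
        elif k == "label":
            cur = op[1]
        elif k in ("br", "jmp"):
            target = op[1] if k == "jmp" else (op[2] if regs[op[1]] else op[3])
            edges.add((cur, target))  # coverage hook: one implementation for every ISA
            pc = labels[target]
        elif k == "ret":
            return op[1]


# ---- Minimal coverage-guided loop (constructed for the example) ---------------
def fuzz(ir: list, seed: int = 1, max_iters: int = 100_000):
    """Keep inputs that reach new edges; return the iteration that hits the bug, or None."""
    rng = random.Random(seed)
    corpus, seen = [bytes(4)], set()
    run(ir, corpus[0], seen)
    for it in range(1, max_iters + 1):
        buf = bytearray(rng.choice(corpus))
        buf[rng.randrange(4)] = rng.randrange(256)
        edges = set()
        if run(ir, bytes(buf), edges) == 1:
            return it
        if edges - seen:
            seen |= edges
            corpus.append(bytes(buf))
    return None


def demo() -> dict:
    """Per toy ISA: (iterations without compare splitting, iterations with it)."""
    programs = {"alpha": lift_alpha(b"\x01" + struct.pack("<I", MAGIC)),
                "beta": lift_beta(b"\xb0" + struct.pack(">I", MAGIC))}
    return {name: (fuzz(ir), fuzz(split_compares(ir))) for name, ir in programs.items()}
```

Running `demo()` shows the plain 32-bit compare is never satisfied within the iteration budget on either toy ISA, while the split compare is solved after a few thousand mutations on both; because both front-ends lift to identical IR, the instrumented traces and iteration counts are identical too, which is the property the abstract is describing: the lifters differ, the instrumentation does not.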