Jianqiang Wang, CISPA Helmholtz Center for Information Security; Qinying Wang, Zhejiang University; Tobias Scharnowski, CISPA Helmholtz Center for Information Security; Li Shi, ETH Zurich; Simon Woerner and Thorsten Holz, CISPA Helmholtz Center for Information Security
Fuzzing has proven to be an effective method for discovering vulnerabilities in firmware images. However, several hard-to-bypass obstacles still block the way for fuzzers to achieve higher code coverage in the firmware fuzzing process. One major issue is interrupt handling, which is fundamental to emulate the firmware: If interrupts are triggered incorrectly, the firmware may crash or get stuck, even at an early stage. Thus, a proper mechanism for triggering and handling interrupts is a crucial yet under-researched aspect of firmware fuzzing. In this paper, we present AidFuzzer, an adaptive interrupt-driven firmware fuzzing method, to tackle the interrupt triggering problem. The key observation is that firmware images commonly exhibit a consistent run-time state transition cycle. In each state, the firmware may require specific interrupts to continue running, or it may not need any interrupts to continue processing data. Based on this observation, we model the type and status of the interrupts to verify that they are exactly the interrupts that the firmware needs at a specific point in time. Moreover, we monitor the run-time state of the firmware and trigger certain interrupts when the firmware expects them or let the firmware run when it does not require interrupts. We have implemented a prototype of AidFuzzer and evaluated it on 10 open-source firmware projects, including well-known real-time operating systems such as RT-Thread and Apache Mynewt-OS. The experiment demonstrates that our framework outperforms state-of-the-art works in terms of coverage when dealing with complex interrupt handling. We also discovered eight previously unknown vulnerabilities in the tested firmware images.
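The interrupt-timing problem the abstract describes can be made concrete with a small simulation. The following is an added illustration, not code from AidFuzzer or from the paper's authors: it models a toy firmware main loop whose states either wait for one specific interrupt (UART RX, a timer tick) or need none at all (processing a received buffer), and compares three emulator-side interrupt drivers. The firmware states, the interrupt names, and the rule that an interrupt delivered while the firmware is not waiting for it corrupts shared state are all constructed for the example. A driver that fires nothing leaves the firmware spinning in its first wait state; a driver that fires every enabled interrupt crashes it immediately (the SPI interrupt is enabled but never awaited); a state-aware driver that delivers exactly the interrupt the current state expects, and otherwise lets the firmware run, reaches the end of the loop and covers every state.

```python
# Toy model (added illustration, not AidFuzzer's code) of why interrupt timing matters
# when emulating firmware, and how a state-aware driver avoids crashes and hangs.
from enum import Enum, auto


class State(Enum):
    INIT = auto()
    WAIT_UART_RX = auto()  # blocked until a UART RX interrupt delivers a byte
    PROCESS = auto()       # busy computing on the buffer; needs no interrupt
    WAIT_TIMER = auto()    # blocked until the next timer tick
    DONE = auto()
    CRASH = auto()


class Irq(Enum):
    UART_RX = auto()
    TIMER = auto()
    SPI = auto()  # enabled by the firmware but never awaited (constructed "noise" interrupt)


# Which interrupt, if any, each state is waiting for (constructed toy firmware).
AWAITS = {State.WAIT_UART_RX: Irq.UART_RX, State.WAIT_TIMER: Irq.TIMER}


class ToyFirmware:
    """Minimal firmware loop: receive a payload byte by byte, process it, wait one tick, done."""

    def __init__(self, payload_len=3):
        self.state = State.INIT
        self.enabled = set()      # interrupts the firmware has unmasked
        self.pending = []         # interrupts delivered by the emulator, not yet handled
        self.rx_buf = []
        self.payload_len = payload_len
        self.coverage = set()     # states actually executed (stands in for code coverage)

    def raise_irq(self, irq):
        """Emulator side: deliver an interrupt only if the firmware has enabled it."""
        if irq in self.enabled:
            self.pending.append(irq)

    def step(self):
        """Run one iteration of the firmware main loop."""
        self.coverage.add(self.state)
        if self.state in (State.DONE, State.CRASH):
            return
        # Toy rule: an interrupt delivered while the firmware is not waiting for it
        # preempts the loop at a bad time and corrupts shared state, so the run crashes.
        unexpected = [i for i in self.pending if AWAITS.get(self.state) != i]
        if unexpected:
            self.state = State.CRASH
            return
        if self.state == State.INIT:
            self.enabled = {Irq.UART_RX, Irq.TIMER, Irq.SPI}
            self.state = State.WAIT_UART_RX
        elif self.state == State.WAIT_UART_RX and Irq.UART_RX in self.pending:
            self.pending.remove(Irq.UART_RX)
            self.rx_buf.append(0x41)  # constructed received byte
            if len(self.rx_buf) == self.payload_len:
                self.state = State.PROCESS
        elif self.state == State.PROCESS:
            self.rx_buf = []          # "process" the payload; no interrupt needed here
            self.state = State.WAIT_TIMER
        elif self.state == State.WAIT_TIMER and Irq.TIMER in self.pending:
            self.pending.remove(Irq.TIMER)
            self.state = State.DONE
        # A WAIT_* state with nothing pending simply spins until an interrupt arrives.


def drive_none(fw):
    """Driver that never fires interrupts: the firmware hangs in its first wait state."""


def drive_all_enabled(fw):
    """Naive driver: fire every enabled interrupt on every step."""
    for irq in list(fw.enabled):
        fw.raise_irq(irq)


def drive_adaptive(fw):
    """State-aware driver: fire exactly the interrupt the firmware waits for, else let it run."""
    wanted = AWAITS.get(fw.state)
    if wanted is not None:
        fw.raise_irq(wanted)


def run(driver, max_steps=50, payload_len=3):
    """Emulate the toy firmware under a driver; return (final state, number of states covered)."""
    fw = ToyFirmware(payload_len)
    for _ in range(max_steps):
        driver(fw)
        fw.step()
        if fw.state in (State.DONE, State.CRASH):
            break
    return fw.state, len(fw.coverage)


if __name__ == "__main__":
    for name, driver in [("none", drive_none), ("all-enabled", drive_all_enabled),
                         ("adaptive", drive_adaptive)]:
        final, covered = run(driver)
        print(f"{name:12s} final={final.name:12s} states covered={covered}")
```

The adaptive driver is the only one that both avoids the crash (it never delivers the unawaited SPI interrupt) and avoids the hang (it delivers the UART and timer interrupts when, and only when, the firmware is blocked on them); in a real emulator the "which interrupt is the firmware waiting for" decision has to be recovered from the guest's interrupt configuration and run-time state rather than read from a table, which is the problem the paper addresses.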
Open Access Media
USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.