PHI: Pseudo-HAL Identification for Scalable Firmware Fuzzing

PHI: Pseudo-HAL Identification for Scalable Firmware Fuzzing

연구 분야: Analysis

학회: International Conference on Information Security and Cryptology

Firmware fuzzing aims to detect vulnerabilities in firmware by emulating peripherals at different levels: hardware, register, and function. HAL-FUZZ, which emulates peripherals through HAL function handling, is a remarkable firmware fuzzer. However, its effectiveness is confined to firmware solely relying on HAL functions, and it necessitates intricate firmware information for best outcomes, thereby limiting its target firmware range. Notably, in commercial firmware, both HAL and non-HAL (which we call “pseudo-HAL”) functions are prevalent. Identifying and addressing both is crucial for comprehensive peripheral control in fuzzing. In this paper, we present PHI, a tool designed to identify HAL and pseudo-HAL functions at the register-level. Using PHI, we develop PHI-Fuzz, an enhanced firmware fuzzer operating at the function-level. This fuzzer efficiently manages HAL and pseudo-HAL functions, demanding minimal prior knowledge yet delivering substantial results. Our evaluation demonstrates that PHI identifies HAL functions accessing the MMIO range as effectively as LIBMATCH of HAL-FUZZ, while overcoming its constraints in detecting pseudo-HAL functions. Significantly, when benchmarked against HAL-FUZZ, PHI-Fuzz showcases superior bug-finding capabilities, uncovering crashes that HAL-FUZZ missed.