Mr. Wei Chen Profile

Wei Chen

at North China Electric Power Research Institute Co., Ltd.

SPIE Involvement:

Author

Publications (3)

Proceedings Article | 19 July 2024 Paper

TAIFuzz: taint analysis instrumentation-based firmware fuzzing system

Lin Li, Leran Chen, Cong Hou, Guanlin Si, Wei Chen, Xiaotian Xu

Proceedings Volume 13181, 131814D (2024) https://doi.org/10.1117/12.3031105

KEYWORDS: Binary data, Device simulation, Information security, Internet of things, Mining, Raster graphics, Instrument modeling, Detection and tracking algorithms, Data modeling, Target detection

Read Abstract +

With the development of 5G technology, Internet of thing (IoT) devices are widely used and the exposed number in the network is growing. IoT devices bring many security issues and mature security analysis techniques cannot be applied because of its poor performance and diverse architecture, which makes vulnerability mining less efficient for IoT devices.

This paper proposes a taint analysis instrumentation based firmware fuzzing system (TAIFuzz) to solve vulnerability exploration problem of firmware binary programs for IoT devices. The work mainly includes: 1) proposing a dynamic instrumentation method for firmware binary programs based on remote cross-debugging, running the firmware program through QEMU on an x86 host, making the program independent of real device, and using mature x86 architecture analysis tools to perform binary instrumentation on the emulated firmware through remote cross-debugging technology. 2) proposing a taint analysis method based on dynamic binary instrumentation, which only instruments the simulation execution results through taint analysis-related information, further reducing the impact of instrumentation points on vulnerability exploration efficiency. The feedback information from the instrumentation can be transferred to the test case generation work, making the test set able to reach dangerous paths that can be exposed to external input data. 3) proposing a feedback-based fuzzing case mutation algorithm based on model constraints with the taint information obtained from binary dynamic instrumentation technology and the constraints of model constraint files and selecting an appropriate test case mutation algorithm to process test cases. Guiding the seed mutation process of fuzzing, generated test cases are more effective, thereby improving the coverage of main dangerous paths in fuzzing.

Through experimental comparisons, TAIFuzz proposed can complete vulnerability exploration in a shorter time than the commonly used protocol fuzzing tools Boofuzz and Peach, thereby improving the efficiency of fuzzing for IoT devices.