From: Embedded fuzzing: a review of challenges, tools, and solutions
Environment | Framework | Source Code Agnostic | Available | Key contributions | Limitations | |
---|---|---|---|---|---|---|
Hardware-based | Instrumentation | ARM-AFL (Fan 2020) | ✗ | ✗ | Static instrumentation for ARM code | On-target fuzzing only |
Frida (FRIDA 2020) | ✓ | ✓ | Dynamic instrumentation for various OSes | Application on the target required | ||
Harzer Roller (Bogad and Huber 2019) | ✓ | ✗ | Static instrumentation for object files | Function traces only | ||
Os-less DBI (Oh et al. 2015) | ✗ | ✗ | Dynamic instrumentation with breakpoints | Manual selection of breakpoint locations | ||
ESP32 Fuzzing (Börsig et al. 2020) | ✗ | ✓ | Static instrumentation for ESP32 applications | Slow coverage data transmission | ||
ICSFuzz (Tychalas et al. 2021) | ✓ | ✓ | Static instrumentation for PLC binaries | Dedicated to PLCs | ||
PERIFUZZ (Song et al. 2019) | ✗ | ✓ | Fuzzing at hw-os boundary, driver monitoring | Must be compiled into the kernel | ||
PHMon (Delshadtehrani et al. 2020) | ✓ | ✓ | Hardware module for gathering coverage data | Specific hardware required | ||
Side-Channel | Side-Channel Aware Fuzzing (Sperl and Böttinger 2019) | ✓ | ✗ | Code-coverage derived from power analysis | Calibration needed | |
Certified Side Channels (García et al. 2020) | ✓ | ✗ | EM and timing side-channels | For crypto libraries only | ||
Message Interface Reusing | IoTFuzzer (Chen et al. 2018) | ✓ | ✓ | Reuse of accompanying mobile applications | Not feedback driven, Android only | |
DIANE (Redini et al. 2021) | ✓ | ✓ | Enhanced IoTFuzzer mechanism | Not feedback driven, Android only | ||
Snipuzz (Feng et al. 2021) | ✓ | ✓ | Communication analysis for feedback | For unencrypted channels only | ||
Android TV Fuzzing (Aafer et al. 2021) | ✓ | ✗ | Using log output for feedback | Detailed logs needed, Android only | ||
Emulation-based | User Mode Emulation | Firmadyne (Chen et al. 2016) | ✓ | ✓ | Custom kernel for emulation | Linux-based applications only |
FirmAE (Kim et al. 2020) | ✓ | ✓ | Enhanced Firmadyne mechanism | Linux-based applications only | ||
FirmFuzz (Srivastava et al. 2019) | ✓ | ✓ | Fuzzing of IoT configuration webpages | Linux-based applications only | ||
Firm-AFL (Zheng et al. 2019) | ✓ | ✓ | Speedup by hybrid user and system emulation | Linux-based applications only | ||
Full-System Emulation | TriforceAFL (Hertz and Newsham 2021) | ✓ | ✓ | Coverage-guided fuzzing with QEMU | Target must be emulatable by QEMU | |
SystemC VP Fuzzing (Herdt et al. 2020) | ✓ | ✗ | Coverage-guided fuzzing on VP | Virtual prototype required | ||
HALucinator (Clements et al. 2020) | ✓ | ✓ | Re-hosting at HAL | Stubs for HALs required | ||
RVFuzzer (Kim et al. 2019) | ✓ | ✗ | Fuzzing controller for robotic vehicles | Rich physical simulation required | ||
Peripheral Proxying | PROSPECT (Kammerstetter et al. 2014) | ✓ | ✗ | Peripherals proxying through TCP/IP | Requires pthreads and TCP/IP support on target | |
SURROGATES (Koscher et al. 2015) | ✓ | ✗ | Proxying through a custom FPGA | JTAG connection required | ||
Charm (Talebi et al. 2018) | ✗ | ✓ | Proxying through USB | Recompilation needed | ||
Avatar\(^{2}\) (Muench et al. 2018) | ✓ | ✓ | Flexible, multi-purpose orchestrating framework | Any access to device required | ||
Peripheral Modeling | PRETENDER (Gustafson et al. 2019) | ✓ | ✓ | Peripheral modeling by recording and learning of peripheral behavior | Unseen peripheral behavior is not modeled | |
Conware (Spensky et al. 2021) | ✓ | ✓ | Additional modeling of unseen peripheral behavior | Program for recording must be executed on the target | ||
P\(^{2}\)IM (Feng et al. 2020) | ✓ | ✓ | Peripheral modeling by automated classification of requests | Missing DMA support | ||
DICE (Mera et al. 2020) | ✓ | ✓ | Modeling of DMA-based peripherals | DMA buffer size not identifiable in advance | ||
Jetset (Johnson et al. 2021) | ✓ | ✓ | Peripheral modeling by symbolic execution and manual guidance | Manual guidance required | ||
µEmu (Zhou et al. 2021) | ✓ | ✓ | Peripheral modeling by concolic execution | Caching can cause false hardware modeling | ||
Fuzzware (Scharnowski et al. 2020) | ✓ | ✓ | Peripheral modeling by detailed classification | Not for complex systems | ||
Sandboxing | MIASM (Guedou 2017) | ✓ | ✓ | Multi-purpose reverse engineering tool | Reverse engineering required | |
BaseSAFE (Maier et al. 2020) | ✓ | ✓ | Coverage-guided fuzzing of baseband chips | Manually assembled environment | ||
PartEMU (Harrison et al. 2020) | ✓ | ✗ | Coverage-guided fuzzing of TrustZones | Manually assembled environment | ||
Frankenstein (Ruge et al. 2020) | ✓ | ✓ | Coverage-guided fuzzing of wireless firmwares | Customized for one specific device | ||
FIRMCORN (Gui et al. 2020) | ✓ | ✓ | Automated sandboxing of functions | Linux-based applications only | ||
Abstraction-based | Symbolic Execution | FIE (Davidson et al. 2013) | ✗ | ✓ | Symbolic execution for MSP430 microcontrollers | Complex programs lead to state explosion |
Inception (Corteggiani et al. 2018) | ✗ | ✓ | Symbolic execution, even for handwritten assembly and binary libraries | Complex programs lead to state explosion | ||
Concolic Execution | Concolic Testing on VP (Herdt et al. 2019) | ✓ | ✓ | Concolic testing of RISC-V virtual prototypes | Target must be prototyped | |
Concolic Execution on Proxy (Ai et al. 2020) | ✓ | ✗ | Symbolic execution on host combined with concrete execution on target | For unix-like systems only |