面向云边协同场景中固件的模糊测试方法

doi:10.3969/j.issn.1671-1122.2025.10.005

摘要/Abstract

摘要：

在云边协同场景中，保障海量边缘设备固件安全面临状态感知困难和执行效率低下的双重挑战。由于固件通常以二进制形式发布，依赖源码插桩的状态感知方法不再适用。同时，在x86平台上对ARM等异构架构固件进行高效全系统仿真成为现有技术的瓶颈，严重限制了模糊测试的吞吐量。针对这些问题，文章提出一种面向ARM架构固件的高效模糊测试框架。为突破跨架构仿真的性能瓶颈，文章将fork机制应用于QEMU内部，设计并实现了一种不依赖特定硬件（如Intel VT-x）的轻量级、跨架构全系统虚拟机快照技术。为实现无源码下的状态感知，文章实现了基于网络数据包、内存数据聚类和调用堆栈分析的多种状态识别方法。此外，统一的代理模块还支持对网络服务等复杂目标的透明测试。实验结果表明，该框架在测试效率上取得近19%的提升，成功复现了CVE-2019-15232等已知漏洞，并验证了其在无源码条件下对程序进行状态建模的能力，为云边协同安全测试提供了有效的解决方案。

关键词: 云边协同, 固件模糊测试, RM模拟, 系统级快照, 状态感知

Abstract:

In the context of cloud-edge collaboration, ensuring the security of firmware for massive edge devices faces dual challenges: difficulties in state perception and low execution efficiency. As firmware is typically released in binary form, state perception methods relying on source code instrumentation are no longer applicable. Meanwhile, efficient full-system emulation of heterogeneous architectures such as ARM on x86 platforms represents a bottleneck in existing technologies, significantly limiting the throughput of fuzz testing. To address these issues, this paper proposed an efficient fuzz testing framework tailored for ARM architecture firmware. To overcome the performance bottleneck of cross-architecture emulation, this work the fork mechanism internally within QEMU, designing and implementing a lightweight, cross-architecture full-system virtual machine snapshot technology that did not rely on specific hardware (e.g., Intel VT-x), significantly enhancing testing efficiency. To achieve state perception without source code, this paper implemented multiple state identification methods based on network packet analysis, memory data clustering, and call stack analysis. Additionally, a unified proxy module supported transparent testing of complex targets such as network services. Experimental results demonstrate that the proposed framework achieves approximately a 19% improvement in testing efficiency, successfully reproduces known vulnerabilities such as CVE-2019-15232, and validates its capability to model program states under source-code-absent conditions, providing an effective solution for security testing in cloud-edge collaborative scenarios.

Key words: cloud-edge collaboration, firmware fuzz testing, ARM emulation, system-level snapshot, state awareness

中图分类号:

TP309

陶慈, 王逸, 张蕾, 陈平. 面向云边协同场景中固件的模糊测试方法[J]. 信息网络安全, 2025, 25(10): 1537-1545.

TAO Ci, WANG Yi, ZHANG Lei, CHEN Ping. Fuzz Testing Method for Firmware in Cloud-Edge Collaborative Scenarios[J]. Netinfo Security, 2025, 25(10): 1537-1545.

图/表 7

图1

图2

表1

图3

图4

图5

图6

参考文献 22

[1]	RAHMANOVIĆ A, HAKIĆ E, SARAČEVIĆ M, et al. Application and Development of Embedded Systems with IoT Components: Aspect of Safety and Reliability[EB/OL]. (2023-12-25)[2025-06-10]. https://doi.org/10.18421/SAR64-03.
[2]	Palo Alto Networks. 2020 Unit 42 Iot Threat Report[EB/OL]. (2020-03-10)[2025-06-10]. https://unit42.paloaltonetworks.com/iot-threat-Rep.-2020/.
[3]	NETGEAR Security Team. The 2024 Iot Security Landscape Report[EB/OL]. [2025-06-10]. https://www.netgear.com/hub/network/2024-iot-threat-report/.
[4]	MILLER B P, FREDRIKSEN L, SO B. An Empirical Study of the Reliability of Unix Utilities[J]. Communications of the ACM, 1990, 33(12): 32-44. doi: 10.1145/96267.96279 URL
[5]	PHAM V T, BÖHME M, ROYCHOUDHURY A. AFLNet: A Greybox Fuzzer for Network Protocols[C]// IEEE. 2020 IEEE 13th International Conference on Software Testing, Validation and Verification (ICST). New York: IEEE, 2020: 460-465.
[6]	NATELLA R. StateAFL: Greybox Fuzzing for Stateful Network Servers[EB/OL]. (2022-10-04)[2025-06-10]. https://doi.org/10.1007/s10664-022-10233-3.
[7]	GAO Jian, XU Yiwen, JIANG Yu, et al. EM-Fuzz: Augmented Firmware Fuzzing via Memory Checking[J]. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, 2020, 39(11): 3420-3432. doi: 10.1109/TCAD.43 URL
[8]	ZHANG Chi, WANG Yu, WANG Linzhang, Firmware Fuzzing: The State of the Art[C]// ACM. The 12th Asia-Pacific Symposium on Internetware. New York: ACM, 2020: 110-115.
[9]	ZHENG Yaowen, DAVANIAN A, YIN Heng, et al. FIRM-AFL: High-Throughput Greybox Fuzzing of IoT Firmware via Augmented Process Emulation[C]// USENIX. 28th USENIX Security Symposium (USENIX Security’19). Berkely: USENIX, 2019: 1099-1114.
[10]	SHAN Haoqi, NISSANKARARAO S, LIU Yujia, et al. LightEMU: Hardware Assisted Fuzzing of Trusted Applications[C]// IEEE. 2024 IEEE International Symposium on Hardware Oriented Security and Trust (HOST). New York: IEEE, 2024: 1-11.
[11]	SCHUMILO S, ASCHERMANN C, ABBASI A, et al. Nyx: Greybox Hypervisor Fuzzing Using Fast Snapshots and Affine Types[C]// USENIX. 30th USENIX Security Symposium (USENIX Security’21). Berkely: USENIX, 2021: 2597-2614.
[12]	BASICEVIC I, POPOVIC M, VELIKIC I. Use of Finite State Machine Based Framework in Implementation of Communication Protocols-A Case Study[C]// IEEE. 2010 Sixth Advanced International Conference on Telecommunications. New York: IEEE, 2010: 161-166.
[13]	DRUMEA A, POPESCU C. Finite State Machines and Their Applications in Software for Industrial Control[C]// IEEE. 27th International Spring Seminar on Electronics Technology:Meeting the Challenges of Electronics Technology Progress. New York: IEEE, 2004: 25-29.
[14]	CHEN Yurong, LAN Tian, VENKATARAMANI G. Exploring Effective Fuzzing Strategies to Analyze Communication Protocols[C]// ACM. The 3rd ACM Workshop on Forming an Ecosystem Around Software Transformation. New York: ACM, 2019: 17-23.
[15]	QIN Shisong, HU Fan, MA Zheyu, et al. NSFuzz: Towards Efficient and State-Aware Network Service Fuzzing[J]. ACM Transactions on Software Engineering and Methodology, 2023, 32(6): 1-26.
[16]	BELLARD F. QEMU, A Fast and Portable Dynamic Translator[C]// USENIX. USENIX Annual Technical Conference. Berkely: USENIX, 2005: 41-46.
[17]	LI Wenqiang, SHI Jiameng, LI Fengjun, et al. μAFL: Non-Intrusive Feedback-Driven Fuzzing for Microcontroller Firmware[C]// ACM. The 44th International Conference on Software Engineering. New York: ACM, 2022: 1-12.
[18]	SCHUMILO S, ASCHERMANN C, GAWLIK R, et al. kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels[C]// USENIX. 26th USENIX Security Symposium (USENIX Security’17). Berkely: USENIX, 2017: 167-182.
[19]	SONG D, HETZELT F, KIM J, et al. Agamotto: Accelerating Kernel Driver Fuzzing with Lightweight Virtual Machine Checkpoints[C]// USENIX. 29th USENIX Security Symposium (USENIX Security’20). Berkely: USENIX, 2020: 2541-2557.
[20]	DENNING D E. A Lattice Model of Secure Information Flow[J]. Communications of the ACM, 1976, 19(5): 236-243. doi: 10.1145/360051.360056 URL
[21]	LIANG Jie, WANG Mingzhe, ZHOU Chijin, et al. Pata: Fuzzing with Path Aware Taint Analysis[C]// IEEE. 2022 IEEE Symposium on Security and Privacy (SP). New York: IEEE, 2022: 1-17.
[22]	HOSSAIN M M, DIPU N F, AZAR K Z, et al. TaintFuzzer: SoC Security Verification Using Taint Inference-Enabled Fuzzing[C]// IEEE. 2023 IEEE/ACM International Conference on Computer Aided Design (ICCAD). New York: IEEE, 2023: 1-9.

实验轮次/轮	执行总数（无快照）/（次·h^-1）	执行总数（启用快照）/（次·h^-1）	提升率
1	7732	9291	20.16%
2	8033	8956	11.49%
3	7524	9436	25.41%
4	8112	9673	19.24%
5	7344	8740	18.99%
平均值	7749	9219	18.97%