Fuzz Testing Method for Firmware in Cloud-Edge Collaborative Scenarios

doi:10.3969/j.issn.1671-1122.2025.10.005

Abstract

Abstract:

In the context of cloud-edge collaboration, ensuring the security of firmware for massive edge devices faces dual challenges: difficulties in state perception and low execution efficiency. As firmware is typically released in binary form, state perception methods relying on source code instrumentation are no longer applicable. Meanwhile, efficient full-system emulation of heterogeneous architectures such as ARM on x86 platforms represents a bottleneck in existing technologies, significantly limiting the throughput of fuzz testing. To address these issues, this paper proposed an efficient fuzz testing framework tailored for ARM architecture firmware. To overcome the performance bottleneck of cross-architecture emulation, this work the fork mechanism internally within QEMU, designing and implementing a lightweight, cross-architecture full-system virtual machine snapshot technology that did not rely on specific hardware (e.g., Intel VT-x), significantly enhancing testing efficiency. To achieve state perception without source code, this paper implemented multiple state identification methods based on network packet analysis, memory data clustering, and call stack analysis. Additionally, a unified proxy module supported transparent testing of complex targets such as network services. Experimental results demonstrate that the proposed framework achieves approximately a 19% improvement in testing efficiency, successfully reproduces known vulnerabilities such as CVE-2019-15232, and validates its capability to model program states under source-code-absent conditions, providing an effective solution for security testing in cloud-edge collaborative scenarios.

Key words: cloud-edge collaboration, firmware fuzz testing, ARM emulation, system-level snapshot, state awareness

CLC Number:

TP309

TAO Ci, WANG Yi, ZHANG Lei, CHEN Ping. Fuzz Testing Method for Firmware in Cloud-Edge Collaborative Scenarios[J]. Netinfo Security, 2025, 25(10): 1537-1545.

Figures/Tables 7

References 22

[1]	RAHMANOVIĆ A, HAKIĆ E, SARAČEVIĆ M, et al. Application and Development of Embedded Systems with IoT Components: Aspect of Safety and Reliability[EB/OL]. (2023-12-25)[2025-06-10]. https://doi.org/10.18421/SAR64-03.
[2]	Palo Alto Networks. 2020 Unit 42 Iot Threat Report[EB/OL]. (2020-03-10)[2025-06-10]. https://unit42.paloaltonetworks.com/iot-threat-Rep.-2020/.
[3]	NETGEAR Security Team. The 2024 Iot Security Landscape Report[EB/OL]. [2025-06-10]. https://www.netgear.com/hub/network/2024-iot-threat-report/.
[4]	MILLER B P, FREDRIKSEN L, SO B. An Empirical Study of the Reliability of Unix Utilities[J]. Communications of the ACM, 1990, 33(12): 32-44. doi: 10.1145/96267.96279 URL
[5]	PHAM V T, BÖHME M, ROYCHOUDHURY A. AFLNet: A Greybox Fuzzer for Network Protocols[C]// IEEE. 2020 IEEE 13th International Conference on Software Testing, Validation and Verification (ICST). New York: IEEE, 2020: 460-465.
[6]	NATELLA R. StateAFL: Greybox Fuzzing for Stateful Network Servers[EB/OL]. (2022-10-04)[2025-06-10]. https://doi.org/10.1007/s10664-022-10233-3.
[7]	GAO Jian, XU Yiwen, JIANG Yu, et al. EM-Fuzz: Augmented Firmware Fuzzing via Memory Checking[J]. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, 2020, 39(11): 3420-3432. doi: 10.1109/TCAD.43 URL
[8]	ZHANG Chi, WANG Yu, WANG Linzhang, Firmware Fuzzing: The State of the Art[C]// ACM. The 12th Asia-Pacific Symposium on Internetware. New York: ACM, 2020: 110-115.
[9]	ZHENG Yaowen, DAVANIAN A, YIN Heng, et al. FIRM-AFL: High-Throughput Greybox Fuzzing of IoT Firmware via Augmented Process Emulation[C]// USENIX. 28th USENIX Security Symposium (USENIX Security’19). Berkely: USENIX, 2019: 1099-1114.
[10]	SHAN Haoqi, NISSANKARARAO S, LIU Yujia, et al. LightEMU: Hardware Assisted Fuzzing of Trusted Applications[C]// IEEE. 2024 IEEE International Symposium on Hardware Oriented Security and Trust (HOST). New York: IEEE, 2024: 1-11.
[11]	SCHUMILO S, ASCHERMANN C, ABBASI A, et al. Nyx: Greybox Hypervisor Fuzzing Using Fast Snapshots and Affine Types[C]// USENIX. 30th USENIX Security Symposium (USENIX Security’21). Berkely: USENIX, 2021: 2597-2614.
[12]	BASICEVIC I, POPOVIC M, VELIKIC I. Use of Finite State Machine Based Framework in Implementation of Communication Protocols-A Case Study[C]// IEEE. 2010 Sixth Advanced International Conference on Telecommunications. New York: IEEE, 2010: 161-166.
[13]	DRUMEA A, POPESCU C. Finite State Machines and Their Applications in Software for Industrial Control[C]// IEEE. 27th International Spring Seminar on Electronics Technology:Meeting the Challenges of Electronics Technology Progress. New York: IEEE, 2004: 25-29.
[14]	CHEN Yurong, LAN Tian, VENKATARAMANI G. Exploring Effective Fuzzing Strategies to Analyze Communication Protocols[C]// ACM. The 3rd ACM Workshop on Forming an Ecosystem Around Software Transformation. New York: ACM, 2019: 17-23.
[15]	QIN Shisong, HU Fan, MA Zheyu, et al. NSFuzz: Towards Efficient and State-Aware Network Service Fuzzing[J]. ACM Transactions on Software Engineering and Methodology, 2023, 32(6): 1-26.
[16]	BELLARD F. QEMU, A Fast and Portable Dynamic Translator[C]// USENIX. USENIX Annual Technical Conference. Berkely: USENIX, 2005: 41-46.
[17]	LI Wenqiang, SHI Jiameng, LI Fengjun, et al. μAFL: Non-Intrusive Feedback-Driven Fuzzing for Microcontroller Firmware[C]// ACM. The 44th International Conference on Software Engineering. New York: ACM, 2022: 1-12.
[18]	SCHUMILO S, ASCHERMANN C, GAWLIK R, et al. kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels[C]// USENIX. 26th USENIX Security Symposium (USENIX Security’17). Berkely: USENIX, 2017: 167-182.
[19]	SONG D, HETZELT F, KIM J, et al. Agamotto: Accelerating Kernel Driver Fuzzing with Lightweight Virtual Machine Checkpoints[C]// USENIX. 29th USENIX Security Symposium (USENIX Security’20). Berkely: USENIX, 2020: 2541-2557.
[20]	DENNING D E. A Lattice Model of Secure Information Flow[J]. Communications of the ACM, 1976, 19(5): 236-243. doi: 10.1145/360051.360056 URL
[21]	LIANG Jie, WANG Mingzhe, ZHOU Chijin, et al. Pata: Fuzzing with Path Aware Taint Analysis[C]// IEEE. 2022 IEEE Symposium on Security and Privacy (SP). New York: IEEE, 2022: 1-17.
[22]	HOSSAIN M M, DIPU N F, AZAR K Z, et al. TaintFuzzer: SoC Security Verification Using Taint Inference-Enabled Fuzzing[C]// IEEE. 2023 IEEE/ACM International Conference on Computer Aided Design (ICCAD). New York: IEEE, 2023: 1-9.

实验轮次/轮	执行总数（无快照）/（次·h^-1）	执行总数（启用快照）/（次·h^-1）	提升率
1	7732	9291	20.16%
2	8033	8956	11.49%
3	7524	9436	25.41%
4	8112	9673	19.24%
5	7344	8740	18.99%
平均值	7749	9219	18.97%