Multi-target Coverage-based Greybox Fuzzing
About
In recent years, fuzzing has been widely applied not only to application software but also to system software, including the Linux kernel and firmware, and has become a powerful technique for vulnerability discovery. Among these approaches, coverage-based greybox fuzzing, which uses runtime code coverage as feedback, has become the dominant methodology. Conventional fuzzing techniques primarily target a single software component and have paid little attention to cooperative execution with other software. However, modern system software architectures commonly consist of firmware and an operating system that cooperate through well-defined interfaces, such as OpenSBI in the RISC-V architecture and OP-TEE in the ARM architecture. In this study, we investigate fuzzing techniques for architectures in which an operating system and firmware operate cooperatively. In particular, we propose a fuzzing method that, compared to conventional single-target fuzzing, explores the system more deeply by using the code coverage of each cooperating software component as feedback. To observe the execution of the operating system and firmware in a unified manner, our method adopts QEMU as the virtualization environment and fuzzes the system by booting it inside a virtual machine. This enables code coverage to be measured across software boundaries. Furthermore, we implemented the proposed method as a Multi-target Coverage-based Greybox Fuzzer called MTCFuzz and evaluated its effectiveness.
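As an added illustration (not MTCFuzz's own code), the following Python simulates the feedback rule described above: an input is kept as a seed when it reaches new edges in any cooperating target, rather than only in the operating system. The OS, the firmware, their edge ids, the single-byte mutator and the initial seed are all constructed stand-ins; a real run would trace both targets inside QEMU.

```python
import random
from typing import Dict, List

Coverage = Dict[str, set]  # target name -> set of edge ids reached

# Constructed stand-in for an OS + firmware pair. Byte 0 is the syscall number;
# syscall 0x10 performs an SBI-style ecall into firmware with function id byte 1
# and an argument in byte 2. The OS side of the ecall is a single edge.
def execute(inp: bytes) -> Coverage:
    cov: Coverage = {"os": set(), "fw": set()}
    syscall = inp[0]
    cov["os"].add(syscall % 8)                 # OS syscall dispatch edge
    if syscall == 0x10:
        cov["os"].add(100)                     # OS edge for the ecall itself
        fid = inp[1]
        cov["fw"].add(fid % 16)                # firmware dispatch on function id
        if fid & 0x80:                         # deeper firmware path: needs a seed
            cov["fw"].add(200 + inp[2] % 4)    # with bit 7 set AND a mutated arg
    return cov

def is_interesting(cov: Coverage, seen: Coverage, feedback: List[str]) -> bool:
    """Record reached edges for every target; keep the input only if it found new edges in a feedback target."""
    keep = False
    for target, edges in cov.items():
        fresh = edges - seen.setdefault(target, set())
        seen[target] |= fresh
        if fresh and target in feedback:
            keep = True
    return keep

def mutate(inp: bytes, rng: random.Random) -> bytes:
    out = bytearray(inp)
    out[rng.randrange(len(out))] = rng.randrange(256)   # single-byte overwrite
    return bytes(out)

def fuzz(feedback: List[str], iterations: int = 3000, seed: int = 1) -> Coverage:
    rng = random.Random(seed)
    seen: Coverage = {}
    corpus = [bytes([0x10, 0x00, 0x00])]       # constructed initial seed
    is_interesting(execute(corpus[0]), seen, feedback)
    for _ in range(iterations):
        child = mutate(rng.choice(corpus), rng)
        if is_interesting(execute(child), seen, feedback):
            corpus.append(child)
    return seen

def compare() -> Dict[str, Coverage]:
    # single-target: OS coverage is the only feedback; multi-target: OS and firmware
    return {"single": fuzz(["os"]), "multi": fuzz(["os", "fw"])}
```

Calling `compare()` returns the edges each campaign actually reached per target: the single-target run never stores a seed that only advanced firmware coverage, so it cannot chain the two mutations the deeper firmware path requires, while the multi-target run does.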
Related benchmarks
| Task | Dataset | Metric | Result | Rank |
|---|---|---|---|---|
| Fuzzing | OpenSBI (Set 1) | Average Code Coverage Rate | 6.34 | 2 |
| Fuzzing | OpenSBI (Set 2) | Average Code Coverage Rate | 6.14 | 2 |
| Fuzzing | OpenSBI Overall | Average Code Coverage Rate | 6.24 | 2 |
| Fuzzing | OpenSBI Base Extension (Set 1) | Full Coverage Campaigns Count | 27 | 2 |
| Fuzzing | OpenSBI Base Extension (Set 2) | Full Coverage Campaigns Count | 28 | 2 |
| Fuzzing | OpenSBI Base Extension (Total) | Full Coverage Campaigns Count | 55 | 2 |