Cite this article:
  • 江川, 洪征, 张国敏, 李昱萱, 申晴. Firmgo: A Firmware Directed Fuzzing Method Based on Taint Analysis [J]. Journal of Cyber Security, accepted.
  • JiangChuan, HongZheng, ZhangGuoMin, LiYuXuan, ShenQing. Firmgo: Firmware Directed Fuzzing Method Based on Taint Analysis [J]. Journal of Cyber Security, Accept.

Firmgo: A Firmware Directed Fuzzing Method Based on Taint Analysis
江川, 洪征, 张国敏, 李昱萱, 申晴
(Command and Control Engineering College, Army Engineering University of PLA)
Abstract:
With the widespread deployment of Internet of Things (IoT) devices, firmware is the core software that runs at the lowest layer of an IoT device and is directly responsible for network communication, business logic processing and the implementation of security mechanisms; its security therefore bears directly on the security of the device itself and of the network environment as a whole. Existing fuzzing methods for firmware vulnerability discovery suffer from low input quality and insufficient directing capability, which makes it hard to reach deep sensitive locations in the firmware efficiently. To address these problems, this paper proposes Firmgo, a firmware directed fuzzing method based on taint analysis. Firmgo uses taint analysis to track the propagation paths of external input during program execution and to characterize the data dependencies between input fields and the parameters of sensitive functions; starting from the target sensitive functions, it then performs backward control-dependency analysis to identify the path conditions that must be satisfied to reach them. On this basis, Firmgo maps the firmware's input parsing and validity checks to format and semantic constraints at the input level, and generates high-quality test cases that are structurally valid and semantically able to pass those checks and reach the sensitive functions. At the same time, Firmgo adopts a basic-block-level distance metric and combines the execution-path information obtained from taint analysis with control-flow directed guidance to fuzz sensitive functions efficiently and in a directed manner. Experimental results on the firmware of several mainstream IoT devices show that Firmgo outperforms existing fuzzing tools in the number of vulnerabilities found and in vulnerability reproduction efficiency, and that it successfully discovered 8 zero-day vulnerabilities. Firmgo also effectively improves the efficiency of firmware directed fuzzing, with an average speedup in vulnerability discovery of 2.49 times and 1.51 times over AFL and Snipuzz respectively.
Keywords: Firmware security; Directed fuzzing; Taint analysis; Vulnerability discovery
DOI:
Received: 2026-03-23; Revised: 2026-05-25
Funding: National Natural Science Foundation of China (General Program, Key Program, Major Program)
Firmgo:Firmware Directed Fuzzing Method Based on Taint Analysis
JiangChuan, HongZheng, ZhangGuoMin, LiYuXuan, ShenQing
(Command and Control Engineering College, Army Engineering University of PLA)
Abstract:
With the widespread deployment of Internet of Things devices, firmware serves as the core software that runs at the lowest layer of the devices, directly responsible for network communication, business logic processing, and security mechanism implementation. Its security is therefore critical to both the devices themselves and the overall security of the networks they are connected to. Existing fuzzing techniques for firmware suffer from insufficient targeting capability and low input quality, rendering it difficult to efficiently reach deep and sensitive execution paths. To address these challenges, this paper proposes Firmgo, a taint analysis based directed fuzzing approach for firmware. In the absence of source code, Firmgo performs taint analysis to track the propagation of external inputs during program execution, characterizing the data dependency between input fields and the parameters of sensitive functions. Starting from the target sensitive functions, Firmgo conducts backward dependency analysis to identify the input-related branch conditions that must be satisfied to reach those functions. Based on this analysis, Firmgo maps firmware input parsing and validation logic to input-level format and semantic constraints, thereby generating high-quality test cases that are structurally valid and semantically capable of passing validation and reaching sensitive functions. In addition, Firmgo adopts a basic block level distance metric and leverages the input-related execution path information obtained through taint analysis. By combining this information with directed guidance, Firmgo achieves efficient directed fuzzing toward sensitive functions. Experimental results on mainstream firmware images demonstrate that Firmgo outperforms existing fuzzing tools in terms of the number of vulnerabilities discovered and vulnerability reproduction efficiency, successfully uncovering 8 zero-day vulnerabilities. Furthermore, Firmgo significantly improves the efficiency of directed firmware fuzzing, achieving an average speedup of 2.49 times and 1.51 times in vulnerability reproduction compared with AFL and Snipuzz respectively.
Key words: Firmware security; Directed fuzzing; Taint analysis; Vulnerability discovery
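To make the basic-block-level distance guidance described in the abstract concrete, here is an added illustration (not code from the paper or the Firmgo authors): a reverse BFS from sensitive-sink blocks over a constructed control-flow graph gives each block a distance to the nearest target, and a seed's score is the mean distance of the blocks it executed, optionally restricted to the blocks that a taint analysis marked as input-dependent. The toy CFG, its block names, the `TAINTED` set and the exact scoring rule are assumptions of this example, not the paper's definitions.

```python
from collections import deque
from typing import Dict, List, Optional, Set

# Constructed toy CFG of a firmware request handler (block -> successors);
# block names, edges and the sink are made up for illustration only.
CFG: Dict[str, List[str]] = {
    "entry":       ["parse_hdr"],
    "parse_hdr":   ["check_magic"],
    "check_magic": ["reject", "parse_len"],  # branch on tainted magic field
    "parse_len":   ["check_len"],
    "check_len":   ["reject", "copy_body"],  # branch on tainted length field
    "copy_body":   ["call_strcpy"],
    "call_strcpy": ["exit"],                 # sensitive sink = target block
    "reject":      ["exit"],
    "exit":        [],
}
TARGETS: Set[str] = {"call_strcpy"}
# Blocks an (assumed) taint analysis marked as depending on external input.
TAINTED: Set[str] = {"check_magic", "parse_len", "check_len", "copy_body", "call_strcpy"}

def block_distances(cfg: Dict[str, List[str]], targets: Set[str]) -> Dict[str, int]:
    """Edge count from each block to the nearest target via multi-source reverse BFS."""
    preds: Dict[str, List[str]] = {b: [] for b in cfg}
    for b, succs in cfg.items():
        for s in succs:
            preds[s].append(b)
    dist = {t: 0 for t in targets}
    queue = deque(targets)
    while queue:
        cur = queue.popleft()
        for p in preds[cur]:
            if p not in dist:  # first visit = shortest path; unreachable blocks stay absent
                dist[p] = dist[cur] + 1
                queue.append(p)
    return dist

def seed_distance(trace: List[str], dist: Dict[str, int],
                  tainted: Optional[Set[str]] = None) -> Optional[float]:
    """Mean distance of executed target-reaching blocks; with `tainted`, only
    input-dependent blocks count, so passing a validation check moves the score."""
    blocks = [b for b in trace if b in dist and (tainted is None or b in tainted)]
    if not blocks:
        return None  # trace never touched a block that can still reach a target
    return sum(dist[b] for b in blocks) / len(blocks)

def rank_seeds(traces: Dict[str, List[str]], tainted: Optional[Set[str]] = None) -> List[str]:
    """Seed names by ascending distance (closest to the sink first); unscored last."""
    dist = block_distances(CFG, TARGETS)
    scored = {s: seed_distance(t, dist, tainted) for s, t in traces.items()}
    return sorted(scored, key=lambda s: (scored[s] is None, scored[s] or 0.0))
```

A seed rejected at the magic check scores worse than one that passes it and fails the length check, which in turn scores worse than one that reaches the sink; restricting to tainted blocks keeps the fixed prologue blocks from diluting that signal.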