Real-Time Operating System (RTOS) has become the main category of embedded systems. It is widely used to support tasks requiring real-time response such as printers and switches. The security of RTOS has been long overlooked as it was running in special environments isolated from attackers. However, with the rapid development of IoT devices, tremendous RTOS devices are connected to the public network. Due to the lack of security mechanisms, these devices are extremely vulnerable to a wide spectrum of attacks. Even worse, the monolithic design of RTOS combines various tasks and services into a single binary, which hinders the current program testing and analysis techniques working on RTOS. In this paper, we propose SFuzz, a novel slice-based fuzzer, to detect security vulnerabilities in RTOS. Our insight is that RTOS usually divides a complicated binary into many separated but single-minded tasks. Each task accomplishes a particular event in a deterministic way and its control flow is usually straightforward and independent. Therefore, we identify such code from the monolithic RTOS binary and synthesize a slice for effective testing. Specifically, SFuzz first identifies functions that handle user input, constructs call graphs that start from callers of these functions, and leverages forward slicing to build the execution tree based on the call graphs and pruning the paths independent of external inputs. Then, it detects and handles roadblocks within the coarse-grain scope that hinder effective fuzzing, such as instructions unrelated to the user input. And then, it conducts coverage-guided fuzzing on these code snippets. Finally, SFuzz leverages forward and backward slicing to track and verify each path constraint and determine whether a bug discovered in the fuzzer is a real vulnerability. SFuzz successfully discovered 77 zero-day bugs on 35 RTOS samples, and 67 of them have been assigned CVE or CNVD IDs. Our empirical evaluation shows that SFuzz outperforms the state-of-the-art tools (e.g., UnicornAFL) on testing RTOS.

Supplementary Material

MP4 File (CCS22-fp0236.mp4)

In this talk, we present SFuzz, a novel slice-based fuzzing method, to detect security vulnerabilities in RTOS. Based on the insight that an RTOS monolithic system can be split into meaningful code slices, SFuzz leverages forward slicing to construct a tailored execution tree that is small enough to drive greybox fuzzing on the emulator and utilizes forward and backward slicing to perform concolic testing to verify unique crashes from fuzzing. SFuzz has discovered 77 zero-day software vulnerabilities in 20 RTOS devices, and most have been assigned bug IDs.

Download
40.66 MB

References

[1]

Saswat Anand, Patrice Godefroid, and Nikolai Tillmann. 2008. Demand-Driven Compositional Symbolic Execution. In 2008 14th Tools and Algorithms for the Construction and Analysis of Systems (TACAS). ETAPS, 367--381.

Abstract

Supplementary Material

References

Cited By

Index Terms

Recommendations

A Survey of WCET Analysis of Real-Time Operating Systems

WCET Analysis of the mC/OS-II Real-Time Kernel

Rtkaller: State-aware Task Generation for RTOS Fuzzing

Comments

Information

Published In

Sponsors

Publisher

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Funding Sources

Conference

Acceptance Rates

Upcoming Conference

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

Login options

Full Access

View options

PDF

eReader

Share

Share this Publication link

Share on social media

Affiliations