2023
Conference Paper
Title

Coverage-Guided Fuzzing of Embedded Systems Leveraging Hardware Tracing

Abstract
Fuzz testing (fuzzing) is a well-established method for identifying security weaknesses in applications that process input data. For the analysis of conventional software, coverage-guided greybox fuzzing has proven particularly effective: code coverage obtained through instrumentation or emulation is used to detect fuzz inputs that triggered previously unseen application behavior, and these inputs are then used as seeds for subsequent mutations. However, when testing an embedded system, in particular a smaller device with monolithic firmware, software instrumentation or emulation is in many cases not feasible, either for technical reasons, because the sources and build chain are unavailable, or because the setup effort would be unjustifiably large.
We explore the use of the hardware tracing interfaces integrated into many modern microcontroller units (MCUs) as an alternative feedback channel for coverage-guided fuzzing that requires practically no setup effort or changes to the target system. In contrast to related work, we use the single wire output (SWO) interface, which is frequently available in the widely used ARM Cortex-M product line. However, this tracing mechanism suffers from severe information loss due to its limited bandwidth, which prevents application behaviors from being distinguished directly from the trace. We therefore developed a heuristic seed selection strategy that leverages hardware breakpoints and lightweight static analysis to reliably detect novel application behavior, enabling coverage-guided fuzzing from erratic traces.
Our resulting coverage-guided fuzzing framework consistently outperforms a similar blackbox setup, even under aggravated conditions.
Author(s)
Beckmann, Maximilian  
Fraunhofer-Institut für Sichere Informationstechnologie SIT  
Steffan, Jan  
Fraunhofer-Institut für Sichere Informationstechnologie SIT  
Mainwork
Computer Security. ESORICS 2022 International Workshops  
Conference
European Symposium on Research in Computer Security 2022  
International Workshop on Cyber-Physical Security for Critical Infrastructures Protection 2022  
DOI
10.1007/978-3-031-25460-4_21
Language
English
Fraunhofer-Institut für Sichere Informationstechnologie SIT  