ABSTRACT
Extensive testing of IoT software is essential to prevent functional errors and security vulnerabilities. In the software domain, automated concolic testing has proven very effective.
In this paper we propose an approach for concolic testing of binaries targeting RISC-V systems with peripherals. The approach integrates the Concolic Testing Engine (CTE) with the architecture-specific Instruction Set Simulator (ISS) inside a Virtual Prototype (VP). We provide a designated CTE interface for integrating (SystemC-based) peripherals into the concolic testing by means of software models. This combination enables high simulation performance at the binary level while requiring comparatively little effort to equip peripherals with concolic execution capabilities. Our approach has been effective in finding several buffer-overflow-related security vulnerabilities in the FreeRTOS TCP/IP stack.
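The mechanism the abstract describes, as an added example that is not code from the paper or its RISC-V VP: a toy concolic engine in Python in which a software model of a peripheral RX data register hands the firmware a fresh symbolic byte on every read, the engine executes concretely while recording the path constraints, then flips each recorded branch, solves for a new input and re-runs until a store past the end of the receive buffer is reported. Everything here is constructed for illustration: the frame format (type byte, length byte, payload), the wrong length bound 0x40, the buffer size BUF_LEN, and the names CVal, Ctx, read_rx, branch, store, solve and concolic_test. The handler is not FreeRTOS code, and the brute-force solver stands in for the SMT solver a real CTE would call.

```python
from itertools import product

OPS = {"ne": lambda a, b: int(a != b), "gt": lambda a, b: int(a > b)}  # nodes: ("in", k), ("const", c), ("op", name, a, b)

def sym_eval(node, inp):
    """Evaluate a symbolic node under a concrete input assignment {byte_index: value}."""
    if node[0] == "in": return inp.get(node[1], 0)
    if node[0] == "const": return node[1]
    _, op, a, b = node
    return OPS[op](sym_eval(a, inp), sym_eval(b, inp))

def sym_inputs(node):
    """Input byte indices a node depends on."""
    if node[0] == "in": return {node[1]}
    if node[0] == "const": return set()
    return sym_inputs(node[2]) | sym_inputs(node[3])

class CVal:
    """Concolic value: the concrete result plus the symbolic expression behind it."""
    def __init__(self, val, sym):
        self.val, self.sym = val, sym
    def _bin(self, op, other):
        o = other if isinstance(other, CVal) else CVal(other, ("const", other))
        return CVal(OPS[op](self.val, o.val), ("op", op, self.sym, o.sym))
    def __ne__(self, o): return self._bin("ne", o)
    def __gt__(self, o): return self._bin("gt", o)   # `int < CVal` also lands here via reflection

class BugFound(Exception): pass

class Ctx:
    def __init__(self, inp, buf_len):
        self.inp, self.buf_len, self.n_reads = inp, buf_len, 0
        self.path = []                 # (constraint node, branch taken), in execution order
        self.mem = bytearray(buf_len)  # the receive buffer
    def read_rx(self):                 # software model of the RX data register: fresh symbolic byte per read
        k, self.n_reads = self.n_reads, self.n_reads + 1
        return CVal(self.inp.get(k, 0), ("in", k))
    def branch(self, cond):            # follow the concrete outcome, record the constraint
        taken = bool(cond.val)
        self.path.append((cond.sym, taken))
        return taken
    def store(self, idx, byte):        # bounds-checked write; an out-of-bounds store is the bug we hunt
        if idx >= self.buf_len:
            raise BugFound(f"store at offset {idx} past {self.buf_len}-byte buffer")
        self.mem[idx] = byte.val

BUF_LEN = 8   # constructed buffer size of the toy handler

def firmware_rx_handler(ctx):
    """Constructed toy frame parser (not FreeRTOS code). Bug: the length check uses 0x40, not BUF_LEN."""
    typ = ctx.read_rx()
    if ctx.branch(typ != 0x42):
        return "ignored"
    length = ctx.read_rx()
    if ctx.branch(length > 0x40):
        return "too long"
    i = 0
    while ctx.branch(i < length):      # loop condition depends on the symbolic length byte
        ctx.store(i, ctx.read_rx())
        i += 1
    return "ok"

def solve(constraints, base, limit=1 << 16):
    """Brute-force stand-in for an SMT solver: find bytes making every (node, wanted_truth) pair hold."""
    idxs = sorted(set().union(*(sym_inputs(n) for n, _ in constraints)))
    orders = [[base.get(k, 0)] + [v for v in range(256) if v != base.get(k, 0)] for k in idxs]
    for tried, combo in enumerate(product(*orders)):   # current values first, so small flips resolve fast
        if tried >= limit: return None
        cand = dict(base)
        cand.update(zip(idxs, combo))
        if all(bool(sym_eval(n, cand)) == want for n, want in constraints):
            return cand
    return None

def _norm(inp):   # unread and zero bytes stay implicit so equal inputs compare equal
    return {k: v for k, v in sorted(inp.items()) if v}

def concolic_test(handler, buf_len=BUF_LEN, max_runs=50):
    """Generational search: run, flip each recorded branch in turn, solve, queue the new inputs."""
    worklist, seen_inputs, seen_paths, results = [{}], {()}, set(), []
    while worklist and len(results) < max_runs:
        inp = worklist.pop(0)
        ctx = Ctx(inp, buf_len)
        try:
            outcome = handler(ctx)
        except BugFound as e:
            outcome = f"BUG: {e}"
        results.append((inp, outcome))   # outcome starts with "BUG" when the bounds check fired
        key = tuple(taken for _, taken in ctx.path)
        if key in seen_paths: continue   # this path was already expanded
        seen_paths.add(key)
        for i, (node, taken) in enumerate(ctx.path):
            new = solve(ctx.path[:i] + [(node, not taken)], inp)
            if new is not None and tuple(_norm(new).items()) not in seen_inputs:
                seen_inputs.add(tuple(_norm(new).items()))
                worklist.append(_norm(new))
    return results
```

Calling concolic_test(firmware_rx_handler) returns the run log in execution order. Starting from an all-zero input, the first flip yields the type byte 0x42, the next flips yield the "too long" path and then lengths 1, 2, ... in turn, because each loop test i < length is itself a branch on the symbolic length byte; the first run marked BUG is the input {0: 0x42, 1: 9}, one past the 8-byte buffer. Two points carry over to the approach in the paper: the peripheral enters the analysis through a software model that returns symbolic data (here read_rx, in the paper the CTE interface for SystemC peripherals), and the overflow is found without any knowledge of the handler beyond the branches and stores it executes.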