Eunkyu Lee (KAIST), Junyoung Park (KAIST), Insu Yun (KAIST)

Real-Time Operating Systems (RTOSes) are widely used in embedded systems and ship with various subsystems such as Bluetooth and Wi-Fi. As their functionality grows, their attack surface also expands, exposing them to more security threats. To address this, dynamic testing techniques like fuzzing have been widely applied to embedded systems. However, for RTOSes, these techniques struggle to effectively test functions located deep within the kernel due to their complexity.

In this paper, we present RTCon, a context-adaptive function-level fuzzer for RTOS kernels. RTCon performs function-level fuzzing on any target function within the RTOS kernel by adaptively generating function contexts during fuzzing. Additionally, RTCon employs Multi-layer Classification to classify crashes by confidence level, helping analysts focus on high-confidence crashes. We implemented a prototype of RTCon and evaluated it on four popular RTOS kernels: Zephyr, RIOT, FreeRTOS, and ThreadX. As a result, RTCon discovered 27 bugs, including 25 new bugs. We reported all of them to maintainers and received 14 CVEs. RTCon also demonstrated its effectiveness in crash classification, achieving 92.7% precision for high-confidence crashes, compared to 5.8% precision for low-confidence crashes.
