Abraham Clements, Abel Gomez Rivera (Sandia National Laboratories), Richard Jiayang Liu, Kirill Levchenko (University of Illinois Urbana-Champaign), Rick Kennell (Purdue University), Gabriela Ciocarlie (The Cybersecurity Manufacturing Innovation Institute and Stevens Institute of Technology)
Embedded systems are integral to modern society and are increasingly being attacked, necessitating improved techniques for identifying and mitigating vulnerabilities. Fuzzing has proven to be a useful technique for identifying vulnerabilities. Nevertheless, the complexity of embedded systems using real-time operating systems (RTOSes) has limited the ability to even observe their execution, much less effectively fuzz them. Rehosting these systems' firmware in an emulator has emerged as a technique to solve challenges with inspectability and with parallelizing fuzzing, but challenges remain for complex RTOS-based systems. We present RT-Fuzzer, a technique that leverages the modularization of RTOS-based embedded systems into tasks to simplify rehosting and enable effective feedback-directed fuzzing of complex embedded systems. RT-Fuzzer creates a custom initialization for the RTOS and its core services in the emulator and then starts only the target task(s) for fuzzing. This simplifies rehosting and focuses the fuzzing effort on a selected task. We illustrate this technique on an open source RTOS and a commercial PLC, discovering and reporting vulnerabilities in both.
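The following is an added illustration of the task-focused harness shape the abstract describes; it is not RT-Fuzzer's code and not taken from the paper. The RTOS queue, task table, `protocol_task_step` target task and its TLV frame format are all hypothetical stand-ins: the custom initialization (`rehost_init`) brings up only the queue service the target task depends on and creates only that task, and each fuzz iteration enqueues the input as frames and runs the task once, so the fuzzer's coverage feedback comes from the selected task rather than from the whole firmware boot.

```c
/* Added example, not RT-Fuzzer's code. The "RTOS" below (queue + task table) and the
 * target task are hypothetical stand-ins for a rehosted firmware's real objects. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define QUEUE_DEPTH 8
#define MSG_MAX     260   /* 2 header bytes + up to 255 value bytes */
#define MAX_TASKS   4

typedef struct { uint8_t buf[MSG_MAX]; size_t len; } msg_t;
typedef struct { msg_t items[QUEUE_DEPTH]; size_t head, tail, count; } queue_t;
typedef void (*task_fn)(void *ctx);
typedef struct { const char *name; task_fn fn; void *ctx; } task_t;

/* "Core services": the one message queue the target task consumes. */
static queue_t rx_queue;
static task_t  tasks[MAX_TASKS];
static size_t  ntasks;

static int queue_send(queue_t *q, const uint8_t *p, size_t n) {
    if (q->count == QUEUE_DEPTH || n > MSG_MAX) return -1;
    memcpy(q->items[q->tail].buf, p, n);
    q->items[q->tail].len = n;
    q->tail = (q->tail + 1) % QUEUE_DEPTH;
    q->count++;
    return 0;
}

static int queue_recv(queue_t *q, msg_t *out) {
    if (q->count == 0) return -1;
    *out = q->items[q->head];
    q->head = (q->head + 1) % QUEUE_DEPTH;
    q->count--;
    return 0;
}

/* Scheduler stand-in: only tasks registered here ever run (no firmware main(), no idle task). */
static int task_create(const char *name, task_fn fn, void *ctx) {
    if (ntasks == MAX_TASKS) return -1;
    tasks[ntasks++] = (task_t){ name, fn, ctx };
    return 0;
}

static void run_once(void) {
    for (size_t i = 0; i < ntasks; i++) tasks[i].fn(tasks[i].ctx);
}

/* Hypothetical target task: drains rx_queue, parsing [type][len][value...] frames. */
typedef struct { unsigned frames_ok, frames_bad; uint8_t last_value[16]; } proto_state_t;

static void protocol_task_step(void *ctx) {
    proto_state_t *st = ctx;
    msg_t m;
    while (queue_recv(&rx_queue, &m) == 0) {
        if (m.len < 2) { st->frames_bad++; continue; }
        size_t vlen = m.buf[1];
        /* Both checks matter: declared length vs. bytes received, and vs. destination size. */
        if (vlen > m.len - 2 || vlen > sizeof st->last_value) { st->frames_bad++; continue; }
        memcpy(st->last_value, &m.buf[2], vlen);
        st->frames_ok++;
    }
}

/* Custom initialization: reset only the services the target needs, then create only that task. */
static proto_state_t target_state;

static void rehost_init(void) {
    memset(&rx_queue, 0, sizeof rx_queue);
    memset(&target_state, 0, sizeof target_state);
    ntasks = 0;
    task_create("proto", protocol_task_step, &target_state);
}

/* One fuzz iteration: split input into frames, enqueue them, run the task. Returns frames parsed OK. */
unsigned harness_run(const uint8_t *data, size_t len) {
    rehost_init();
    size_t off = 0;
    while (off + 2 <= len) {
        size_t flen = 2u + data[off + 1];
        if (off + flen > len) flen = len - off;        /* truncated tail: let the task reject it */
        if (queue_send(&rx_queue, data + off, flen) != 0) break;  /* queue full: stop feeding */
        off += flen;
    }
    run_once();
    return target_state.frames_ok;
}

/* libFuzzer entry point; the same harness works with any in-process fuzzer. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    harness_run(data, size);
    return 0;
}

int main(void) {
    /* Constructed sample: two well-formed frames. */
    static const uint8_t sample[] = { 0x01, 0x03, 'a', 'b', 'c', 0x02, 0x01, 'z' };
    printf("frames parsed OK: %u\n", harness_run(sample, sizeof sample));
    return 0;
}
```

Because `rehost_init` rebuilds state from scratch, every iteration starts from the same point regardless of what the previous input did to the queue or task state, which is what makes the per-task harness both deterministic and cheap compared with re-running the firmware's full boot sequence.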