PHI: Pseudo-HAL Identification for Scalable Firmware Fuzzing
- Authors
- Jeong, Seyeon; Hwang, Eunbi; Cho, Yeongpil; Kwon, Taekyoung
- Issue Date
- Mar-2024
- Publisher
- Springer Verlag
- Keywords
- Firmware; Fuzzing; Hardware Abstraction Layer; Security
- Citation
- Lecture Notes in Computer Science, v.14562 LNCS, pp 60 - 80
- Pages
- 21
- Indexed
- SCOPUS
- Journal Title
- Lecture Notes in Computer Science
- Volume
- 14562 LNCS
- Start Page
- 60
- End Page
- 80
- URI
- https://scholarworks.bwise.kr/hanyang/handle/2021.sw.hanyang/194740
- DOI
- 10.1007/978-981-97-1238-0_4
- ISSN
- 0302-9743
1611-3349
- Abstract
- Firmware fuzzing aims to detect vulnerabilities in firmware by emulating peripherals at different levels: hardware, register, and function. HAL-Fuzz, which emulates peripherals through HAL function handling, is a remarkable firmware fuzzer. However, its effectiveness is confined to firmware solely relying on HAL functions, and it necessitates intricate firmware information for best outcomes, thereby limiting its target firmware range. Notably, in commercial firmware, both HAL and non-HAL (which we call “pseudo-HAL”) functions are prevalent. Identifying and addressing both is crucial for comprehensive peripheral control in fuzzing. In this paper, we present PHI, a tool designed to identify HAL and pseudo-HAL functions at the register-level. Using PHI, we develop PHI-Fuzz, an enhanced firmware fuzzer operating at the function-level. This fuzzer efficiently manages HAL and pseudo-HAL functions, demanding minimal prior knowledge yet delivering substantial results. Our evaluation demonstrates that PHI identifies HAL functions accessing the MMIO range as effectively as LibMatch of HAL-Fuzz, while overcoming its constraints in detecting pseudo-HAL functions. Significantly, when benchmarked against HAL-Fuzz, PHI-Fuzz showcases superior bug-finding capabilities, uncovering crashes that HAL-Fuzz missed.
- Files in This Item
-
Go to Link
- Appears in
Collections - 서울 공과대학 > 서울 컴퓨터소프트웨어학부 > 1. Journal Articles

Items in ScholarWorks are protected by copyright, with all rights reserved, unless otherwise indicated.