UEFI firmware is the lowest-level software in a modern computer: it controls the interaction with hardware and performs the boot process before the operating system is entered. In the UEFI environment, UEFI drivers provide the interfaces through which hardware is accessed, and these interfaces can also be used by the operating system. Because a UEFI driver is stored in non-volatile memory, updating it is very difficult; in most cases it is never updated during the lifetime of the device. This places a great requirement on its stability and security. Fuzzing, a common and effective method for testing the stability and security of software, also works effectively in the UEFI field: it tests software by generating random data and running a large number of tests to find potential problems. Fuzzing is often combined with static analysis to generate valid data automatically, which is called automated fuzzing. Today, however, fuzzing in the UEFI environment is still performed manually; there is no automated fuzzing for it, because UEFI drivers contain dynamic data types (void*) and function pointers, which are obstacles to static analysis. In this thesis we present an automated fuzzing method for UEFI drivers that solves the problems caused by dynamic data types and function pointers to some extent. The method is divided into three parts: driver interface extraction, data type extraction, and parameter construction. It performs static analysis on the abstract syntax tree (AST) of the UEFI source code. First, we extract the interfaces of a UEFI driver according to specific AST patterns; these interfaces become the entry points of the test. Then we extract the data types of each interface, and finally those data types are used to construct parameters automatically, which become the inputs of the test. To deal with dynamic types during data type extraction, we trace the function call relationships, that is, we perform control flow analysis, to find the possible concrete data types in the function body. When a function pointer is met during control flow analysis, we handle the most common kind of function pointer in UEFI, namely the interface provided by another UEFI driver. We leverage the features provided by LLVM to implement the method above, and use the fuzzing framework provided by TriforceAFL to fuzz several UEFI drivers. The results show that the method achieves a relatively good effect and can partly replace manual testing.
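The following is an added example, not code from the thesis, illustrating the third part of the method (parameter construction) once interface and data type extraction have produced type descriptors. It models how a harness turns raw fuzzer bytes into a typed argument list, derives size parameters from the buffers it actually builds, and handles a void* parameter by choosing among the concrete types that control flow analysis reported. The descriptor classes, the EXAMPLE_RECORD type, the SetEntry interface and the fuzzer input are all constructed for illustration; only the EFI_GUID field layout is the real UEFI one.

```python
# Added example: the "parameter construction" step of an automated UEFI
# driver fuzzer, driven by type descriptors of the kind the interface and
# data type extraction passes would emit. Not code from the thesis; the
# descriptor classes and the sample SetEntry interface are constructed.
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional, Tuple


@dataclass
class Scalar:
    """Fixed-width integer such as UINT32 (size in bytes)."""
    name: str
    size: int


@dataclass
class Array:
    """Fixed-length inline array, e.g. the UINT8 Data4[8] inside EFI_GUID."""
    elem: Any
    count: int


@dataclass
class Buffer:
    """Pointer to a variable-length byte buffer; the matching size parameter
    is derived from the bytes the harness actually built."""
    max_len: int


@dataclass
class Struct:
    name: str
    fields: List[Tuple[str, Any]]


@dataclass
class Dynamic:
    """A VOID* parameter. `candidates` holds the concrete types that control
    flow analysis of the callee body saw it cast to; empty means none found."""
    candidates: List[Any]


def type_name(ty: Any) -> str:
    return getattr(ty, "name", type(ty).__name__)


def sizeof(ty: Any) -> int:
    """Static byte size of a fixed-size descriptor (not Buffer or Dynamic)."""
    if isinstance(ty, Scalar):
        return ty.size
    if isinstance(ty, Array):
        return ty.count * sizeof(ty.elem)
    if isinstance(ty, Struct):
        return sum(sizeof(fty) for _, fty in ty.fields)
    raise TypeError(f"{type_name(ty)} has no static size")


class FuzzInput:
    """Consumes raw fuzzer bytes in order, zero-padding once exhausted so the
    same input always yields the same, well-formed argument list."""

    def __init__(self, data: bytes) -> None:
        self.data = data
        self.pos = 0

    def take(self, n: int) -> bytes:
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk.ljust(n, b"\0")

    def take_int(self, n: int) -> int:
        return int.from_bytes(self.take(n), "little")


def resolve(ty: Any, inp: FuzzInput) -> Optional[Any]:
    """Pick a concrete type for a VOID* from its candidates; None means NULL."""
    if not isinstance(ty, Dynamic):
        return ty
    if not ty.candidates:
        return None
    return ty.candidates[inp.take_int(1) % len(ty.candidates)]


def construct(ty: Any, inp: FuzzInput) -> Any:
    """Build one argument value of type `ty` from fuzzer bytes."""
    ty = resolve(ty, inp)
    if ty is None:
        return None
    if isinstance(ty, Scalar):
        return inp.take_int(ty.size)
    if isinstance(ty, Array):
        return [construct(ty.elem, inp) for _ in range(ty.count)]
    if isinstance(ty, Buffer):
        length = inp.take_int(2) % (ty.max_len + 1)
        return inp.take(length)
    if isinstance(ty, Struct):
        return {name: construct(fty, inp) for name, fty in ty.fields}
    raise TypeError(f"unknown descriptor {ty!r}")


@dataclass
class Call:
    args: Dict[str, Any] = field(default_factory=dict)
    resolved: Dict[str, str] = field(default_factory=dict)  # VOID* -> chosen type


def construct_call(params, inp: FuzzInput) -> Call:
    """params: (name, type, size_param_or_None). Size parameters are filled
    from the constructed value so the driver never sees a mismatched pair."""
    call = Call()
    for name, ty, size_param in params:
        concrete = resolve(ty, inp)
        if isinstance(ty, Dynamic):
            call.resolved[name] = "NULL" if concrete is None else type_name(concrete)
        value = None if concrete is None else construct(concrete, inp)
        call.args[name] = value
        if size_param is not None:
            if value is None:
                call.args[size_param] = 0
            elif isinstance(concrete, Buffer):
                call.args[size_param] = len(value)
            else:
                call.args[size_param] = sizeof(concrete)
    return call


UINT8, UINT16 = Scalar("UINT8", 1), Scalar("UINT16", 2)
UINT32, UINT64 = Scalar("UINT32", 4), Scalar("UINT64", 8)

# Real UEFI layout of EFI_GUID; the record and interface below are constructed.
EFI_GUID = Struct("EFI_GUID", [("Data1", UINT32), ("Data2", UINT16),
                               ("Data3", UINT16), ("Data4", Array(UINT8, 8))])
EXAMPLE_RECORD = Struct("EXAMPLE_RECORD", [("Flags", UINT32), ("Cookie", UINT64)])

# Hypothetical SetEntry(Attributes, VendorGuid, DataSize, Data) interface as the
# extraction pass might describe it: Data is VOID*, and control flow analysis
# found it cast to a byte buffer on one path and to EXAMPLE_RECORD* on another.
SET_ENTRY_PARAMS = [
    ("Attributes", UINT32, None),
    ("VendorGuid", EFI_GUID, None),
    ("Data", Dynamic([Buffer(max_len=64), EXAMPLE_RECORD]), "DataSize"),
]

# Constructed fuzzer input: Attributes=7, a GUID, then selector 0 (buffer),
# length 3, and three payload bytes.
SAMPLE_INPUT = (b"\x07\x00\x00\x00"
                + b"\x44\x33\x22\x11" + b"\x66\x55" + b"\x88\x77" + bytes(range(1, 9))
                + b"\x00" + b"\x03\x00" + b"\xaa\xbb\xcc")

if __name__ == "__main__":
    print(construct_call(SET_ENTRY_PARAMS, FuzzInput(SAMPLE_INPUT)))
```

Two design points matter for a harness like this: the size parameter is always computed from the buffer that was actually constructed rather than taken independently from the fuzzer, so every test case exercises the driver with a consistent (size, pointer) pair and crashes are attributable to driver logic rather than to harness-induced inconsistency; and a void* for which control flow analysis found no candidate type is passed as NULL with size 0, so an unresolved type never silently becomes a random pointer.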