Research On UEFI Driver Fuzzing Technology Based On Firmware Emulation Environment

Posted on: 2023-01-23
Degree: Master
Type: Thesis
Country: China
Candidate: X Long
GTID: 2568306914479244
Subject: Cyberspace security
Abstract/Summary:
UEFI firmware plays an important role in the transfer of trust during platform boot, firmware update, remote operation and maintenance, and OS loading. Within its execution environment, UEFI firmware exposes its services to other UEFI drivers and applications as Protocol interfaces. A Protocol is typically a structure that combines state fields with function pointers; a caller locates the interface through the boot services and reaches the driver's service through those function pointers. Accessing a service this way therefore depends on timing (a Protocol must have been installed before it can be located) and on the driver's internal state transitions. Existing UEFI firmware analysis methods rely mainly on reverse engineering and testing on real machines, both of which are difficult and time-consuming.

To address these problems, this thesis proposes a test method for UEFI driver modules that targets the Protocol interface. The method has three parts: dependency analysis between the firmware modules in a UEFI firmware image, construction of an emulation environment for the UEFI firmware binaries, and real-time feedback with test-sample generation.

The dependency analysis identifies and recovers the characteristic functions for Protocol registration, use, and cancellation (installing, locating, and uninstalling a Protocol), and from them derives the dependencies between modules. The resolved inter-module dependencies reduce the number of modules that must be executed in a single test by compressing the emulation environment, and cut the time spent manually configuring that environment. Based on the binary dependencies and the characteristics of each binary program, the method determines whether a module resembles functions associated with known historical vulnerabilities, and prioritizes the binary programs that may carry such risks for testing, so that historical vulnerability information is brought into the UEFI firmware fuzzing scenario effectively and improves the efficiency of firmware image fuzzing.

The experimental results show that the various kinds of vulnerabilities in the public evaluation sample set are detected, and that the corresponding vulnerabilities are successfully detected in UEFI firmware with known CVEs. Moreover, our analysis shows that the method achieves better code coverage and requires fewer preconditions than existing methods.
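The dependency-analysis stage described above lends itself to a small worked example. The Python below is an added illustration and not the thesis's own tool: it summarises each firmware module by the protocol GUIDs it installs, consumes and uninstalls (in a real tool these would be recovered from the gBS->InstallProtocolInterface / LocateProtocol / HandleProtocol / OpenProtocol / UninstallProtocolInterface call sites in each PE/COFF module), then computes the minimal module set and install order an emulator needs before one target module can be fuzzed, the GUIDs that must be stubbed because nothing in the image produces them, and producer/consumer pairs that cross an uninstall. The module names and their install/consume sets are constructed for the example; the GUID values are the ones defined in the EDK II MdePkg headers.

```python
import heapq
from dataclasses import dataclass

# Protocol GUIDs as defined in the EDK II MdePkg headers.
EFI_DEVICE_PATH_PROTOCOL_GUID = "09576e91-6d3f-11d2-8e39-00a0c969723b"
EFI_PCI_IO_PROTOCOL_GUID = "4cf5b200-68b8-4ca5-9eec-b23e3f50029a"
EFI_USB2_HC_PROTOCOL_GUID = "3e745226-9818-45b6-a2ac-d7cd0e8ba2bc"
EFI_USB_IO_PROTOCOL_GUID = "2b2f68d6-0cd2-44cf-8e8b-bba20b1b5b75"
EFI_HII_DATABASE_PROTOCOL_GUID = "ef9fc172-a1b2-4693-b327-6d32fc416042"
EFI_SMM_BASE2_PROTOCOL_GUID = "f4ccbfb7-f6e0-47fd-9dd4-10a8f150c191"


@dataclass(frozen=True)
class ModuleSummary:
    """Protocol behaviour of one module: GUIDs it installs (InstallProtocolInterface),
    consumes (LocateProtocol/HandleProtocol/OpenProtocol) and uninstalls."""
    name: str
    installs: frozenset
    consumes: frozenset
    uninstalls: frozenset = frozenset()


def _producers(modules):
    """Map each GUID to the names of the modules that install it."""
    out = {}
    for m in modules:
        for guid in m.installs:
            out.setdefault(guid, set()).add(m.name)
    return out


def resolve_dependencies(modules, target):
    """Return (required, unresolved): modules that must run before `target`
    (transitively, through protocol production) and the GUIDs that no module in
    the image produces, which the emulator has to provide as stubs."""
    by_name = {m.name: m for m in modules}
    producers = _producers(modules)
    required, unresolved = set(), set()
    work, seen = [target], {target}
    while work:
        name = work.pop()
        for guid in by_name[name].consumes:
            if guid not in producers:
                unresolved.add(guid)
                continue
            for producer in producers[guid]:
                if producer not in seen:
                    seen.add(producer)
                    required.add(producer)
                    work.append(producer)
    return required, unresolved


def load_order(modules, target):
    """Kahn's algorithm over producer -> consumer edges, restricted to the modules
    `target` needs. Modules left in a cycle (firmware resolves those at run time
    with protocol-notify events) are appended last so the harness can still try them."""
    by_name = {m.name: m for m in modules}
    producers = _producers(modules)
    names = resolve_dependencies(modules, target)[0] | {target}
    indeg = {n: 0 for n in names}
    succ = {n: set() for n in names}
    for n in names:
        for guid in by_name[n].consumes:
            for p in producers.get(guid, ()):
                if p in names and p != n and n not in succ[p]:
                    succ[p].add(n)
                    indeg[n] += 1
    ready = [n for n in names if indeg[n] == 0]
    heapq.heapify(ready)
    order = []
    while ready:
        n = heapq.heappop(ready)
        order.append(n)
        for s in sorted(succ[n]):
            indeg[s] -= 1
            if indeg[s] == 0:
                heapq.heappush(ready, s)
    return order + sorted(n for n in names if n not in order)


def uninstall_hazards(modules):
    """(guid, uninstaller, consumer) triples: a protocol consumed by one module and
    uninstalled by another. Which runs first is a timing dependency the fuzzer must
    control; a cached interface pointer used after the uninstall is a bug to look for."""
    hazards = set()
    for u in modules:
        for guid in u.uninstalls:
            for c in modules:
                if c.name != u.name and guid in c.consumes:
                    hazards.add((guid, u.name, c.name))
    return hazards


# Constructed sample image (install/consume sets are illustrative, not taken from a
# real firmware). No module installs the HII database, so its GUID becomes a stub.
SAMPLE_IMAGE = [
    ModuleSummary("DevicePathDxe", frozenset({EFI_DEVICE_PATH_PROTOCOL_GUID}), frozenset()),
    ModuleSummary("PciBusDxe", frozenset({EFI_PCI_IO_PROTOCOL_GUID}),
                  frozenset({EFI_DEVICE_PATH_PROTOCOL_GUID})),
    ModuleSummary("XhciDxe", frozenset({EFI_USB2_HC_PROTOCOL_GUID}),
                  frozenset({EFI_PCI_IO_PROTOCOL_GUID})),
    ModuleSummary("UsbBusDxe", frozenset({EFI_USB_IO_PROTOCOL_GUID}),
                  frozenset({EFI_USB2_HC_PROTOCOL_GUID, EFI_DEVICE_PATH_PROTOCOL_GUID})),
    ModuleSummary("UsbKbDxe", frozenset(),
                  frozenset({EFI_USB_IO_PROTOCOL_GUID, EFI_HII_DATABASE_PROTOCOL_GUID})),
    ModuleSummary("SmmBaseDxe", frozenset({EFI_SMM_BASE2_PROTOCOL_GUID}), frozenset()),
    ModuleSummary("VendorSmmDxe", frozenset(), frozenset({EFI_SMM_BASE2_PROTOCOL_GUID})),
    ModuleSummary("LegacySmmShim", frozenset(), frozenset(),
                  uninstalls=frozenset({EFI_SMM_BASE2_PROTOCOL_GUID})),
]

if __name__ == "__main__":
    print("load order     :", load_order(SAMPLE_IMAGE, "UsbKbDxe"))
    print("emulator stubs :", sorted(resolve_dependencies(SAMPLE_IMAGE, "UsbKbDxe")[1]))
    print("hazards        :", sorted(uninstall_hazards(SAMPLE_IMAGE)))
```

For the constructed image, fuzzing UsbKbDxe needs only five of the eight modules, in the order DevicePathDxe, PciBusDxe, XhciDxe, UsbBusDxe, UsbKbDxe, plus one stubbed protocol; that is the "compression" of the emulation environment the abstract refers to. The hazard list is where the timing and state-transition dependencies surface: the fuzzer should schedule LegacySmmShim both before and after VendorSmmDxe rather than leave the order to chance.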
Keywords/Search Tags: Fuzzing, UEFI Firmware, UEFI Firmware Emulation