Anatomist: Enhanced Firmware Vulnerability Discovery Based on Program State Abnormality Determination with Whole-System Replay.

ISC (2022)

Abstract
With the widespread deployment of Internet of Things (IoT) devices, firmware vulnerabilities can result in considerable damage. However, existing firmware fuzzing methods rely on program exception signals and can therefore only find memory corruption vulnerabilities that crash the program. Fuzzing also misses vulnerabilities that lie on the execution path but are not triggered. To solve this problem, we propose Anatomist, the first enhanced firmware vulnerability discovery method based on program state abnormality determination with whole-system replay. Anatomist first identifies dangerous operation candidates during whole-system replay. Using single-path symbolic tracing, it then determines whether the program states at those candidates are abnormal, and identifies vulnerabilities on the execution path based on that determination. We implemented Anatomist and compared its results with those of FirmAFL, the most advanced firmware vulnerability discovery method, on the FirmAFL dataset. The experimental results showed that Anatomist increased the vulnerability discovery speed by 741.64% on average. Additionally, Anatomist found 3 0-day vulnerabilities in 3 firmware images, including 2 memory corruption vulnerabilities and 1 logic vulnerability. The experimental results demonstrate that Anatomist augments firmware vulnerability discovery in two aspects: it can detect untriggered vulnerabilities on the execution path that fuzzing misses, and it can identify logic vulnerabilities that fuzzing cannot detect.
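As an added illustration of the abstract's core idea, and not the paper's implementation (Anatomist uses single-path symbolic tracing; the trace format, interval tracking and operation names below are my own simplification), the following checker walks one replayed path, tracks input-derived values as value ranges, and flags a copy whose length could exceed its destination buffer even though the concrete replay did not crash:

```python
from dataclasses import dataclass

@dataclass
class Interval:
    lo: int
    hi: int

def check_trace(trace):
    """Walk one replayed path; return dangerous ops whose length may overflow."""
    state = {}      # variable name -> Interval of values it can hold on this path
    findings = []
    for op in trace:
        k = op["op"]
        if k == "input_byte":          # untrusted byte from input: any value 0..255
            state[op["dst"]] = Interval(0, 255)
        elif k == "const":
            state[op["dst"]] = Interval(op["value"], op["value"])
        elif k == "add":
            a, b = state[op["a"]], state[op["b"]]
            state[op["dst"]] = Interval(a.lo + b.lo, a.hi + b.hi)
        elif k == "guard_lt":          # replay took the branch where a < b: narrow a
            a, b = state[op["a"]], state[op["b"]]
            state[op["a"]] = Interval(a.lo, min(a.hi, b.hi - 1))
        elif k == "copy":              # dangerous op candidate: copy len bytes into a buffer
            n = state[op["len"]]
            if n.hi > op["dst_size"]:  # abnormal state reachable on this path
                findings.append({"pc": op["pc"], "concrete_len": op["concrete_len"],
                                 "max_len": n.hi, "dst_size": op["dst_size"]})
    return findings

# Constructed trace of one replayed path (toy data, not a real firmware). The
# concrete run copied 20 bytes into a 64-byte buffer and never crashed, but the
# length was derived from an unchecked input byte.
TRACE = [
    {"op": "input_byte", "dst": "len"},                       # concrete value: 16
    {"op": "const", "dst": "hdr", "value": 4},
    {"op": "add", "dst": "total", "a": "len", "b": "hdr"},   # total = len + 4
    {"op": "copy", "pc": 0x1000, "len": "total", "dst_size": 64, "concrete_len": 20},
    {"op": "const", "dst": "limit", "value": 32},
    {"op": "guard_lt", "a": "len", "b": "limit"},             # path took len < 32
    {"op": "copy", "pc": 0x1040, "len": "len", "dst_size": 32, "concrete_len": 16},
]

if __name__ == "__main__":
    for f in check_trace(TRACE):
        print(f"pc={f['pc']:#x}: concrete len {f['concrete_len']} was fine, "
              f"but input could make it {f['max_len']} > buffer of {f['dst_size']}")
```

The first copy is reported because the length range reaches 259, while the second is not because the replayed branch bounds the length below the buffer size; a crash-signal fuzzer would have reported neither on this run.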
Keywords
Firmware vulnerability, Augmented vulnerability discovery, Whole-system