June 1: Wang Jianqiang (王健强)
Posted: 2026-05-28

Title: Deep System Management Mode Fuzz Testing in Fully Featured UEFI Runtime Environment

Time: June 1, 14:00-16:00

Venue: Science Building (理科大楼), Room 217

Abstract:

As part of the UEFI standard, System Management Mode (SMM) was introduced on x86 processors to handle critical hardware events. With strict access control to this operating mode, SMM applications run at a high privilege level (known as Ring -2), in which they have (almost) unlimited access to system resources. However, vendors commonly use memory-unsafe system programming languages to develop SMM applications, which makes them vulnerable to memory corruption and an appealing target for attackers. Fuzzing is an effective method for detecting memory corruption vulnerabilities across a wide range of applications. Unfortunately, existing approaches for testing SMM applications lack a UEFI runtime environment that properly supports SMM application execution. Without this environment, application data is often not correctly initialized. Once such uninitialized data is accessed during fuzzing, it causes premature exits or unintentional crashes. As a result, existing methods can only explore shallow parts of the application and often produce high false-positive rates. In this paper, we propose SmuFuzz, a fuzzing framework designed to detect vulnerabilities in closed-source SMM applications distributed by vendors. SmuFuzz overcomes these limitations by partially rehosting SMM applications within a custom infrastructure that provides a fully featured UEFI runtime environment. This infrastructure provides the necessary dependencies and runtime for SMM application preparation, initialization, and finalization. In addition, SmuFuzz automatically infers the complex input semantics of SMM applications to enable deep exploration. In our experiments, SmuFuzz achieved 4.45x higher unique basic block coverage compared to state-of-the-art fuzzers. It also found more vulnerabilities while significantly reducing false positives. Using SmuFuzz, we identified 38 new vulnerabilities in firmware from major vendors, all of which were disclosed responsibly.


Speaker biography:

Wang Jianqiang (王健强) is a postdoctoral researcher at MPI-SP. Since December 2022, he has been working at CISPA as a PhD student under the supervision of Prof. Thorsten Holz, with a focus on system security. Before joining Holz's group, he was supervised by Prof. Ahmad-Reza Sadeghi at TU Darmstadt during the first year of his PhD and by Prof. Zhang Yuanyuan at Shanghai Jiao Tong University for his master's degree.


Software Engineering Institute, East China Normal University