Directed grey box fuzzy testing for power terminal device firmware with intermediate representation similarity comparison

Abstract

The proliferation of heterogeneous devices in power IoT terminals significantly increases security risks due to firmware vulnerabilities, thereby threatening the stability and reliability of power systems. However, existing Directed Greybox Fuzzing (DGF) methods face challenges, such as the need for manual identification of vulnerable code and limitations to specific architectures. This paper proposes a DGF approach, guided by intermediate representation similarity comparison, comprising two main components: objective function localization and directed greybox fuzzing. In the objective function localization phase, support for multiple architectures is achieved by lifting the binary code to LLVM Intermediate Representation (IR). Given that functions may vary in both structure and semantics, we represent functions using both structural and semantic features. We employ word embedding techniques based on Natural Language Processing (NLP) and graph neural network models to construct feature vectors. By calculating the feature similarity between each function and known vulnerable functions, we automatically identify highly similar functions as targets. In the directed greybox fuzzing phase, to address issues like high false positive rates and unreachable targets, we designed a target scheduling mechanism. This mechanism permanently blocks targets that have been sufficiently covered and periodically blocks those that have not been covered, thereby further improving the efficiency of fuzzing. Experimental results on two datasets demonstrate the effectiveness of this method in identifying vulnerabilities in power terminal equipment.