Abstract

Constrained Internet of Things (IoT) devices with limited computing resources are increasingly employed in security-critical areas. Therefore, it is important for the firmware of these devices to be tested sufficiently. On non-constrained conventional devices, dynamic testing techniques (e.g. fuzzing, symbolic execution, or concolic testing) are successfully utilized to discover critical bugs in tested software. Unfortunately, the diverse ecosystem and the dependence on low-level details of a wide range of peripherals make it difficult to use these techniques in the IoT context. In order to address these challenges, we present SymEx-VP, an open source emulation-based approach for concolic testing of IoT firmware. SymEx-VP is a virtual prototype for RISC-V hardware platforms and allows concolic testing of RISC-V machine code. To support a wide range of different peripherals, SymEx-VP utilizes SystemC, a hardware modeling language for C++. By employing a SystemC extension mechanism, SymEx-VP can inject concolic inputs into the emulated firmware through the memory-mapped I/O peripheral interface of existing SystemC peripheral models. This allows us to support different operating systems and libraries used in the IoT with minimal integration effort. We provide an extensive description of SymEx-VP, illustrate peripheral modeling and firmware testing using it by example, and perform tests with four operating systems to demonstrate the advantages of our OS-agnostic firmware testing method.
