Signal Breaker: Fuzzing Digital Signal Processors

dc.contributor.author: Garcia, Cameron Santiago
dc.contributor.committeechair: Hicks, Matthew
dc.contributor.committeechair: Yao, Danfeng
dc.contributor.committeemember: Hasan, Shaddi Husein
dc.contributor.department: Computer Science and Applications
dc.date.accessioned: 2025-05-31T08:05:46Z
dc.date.available: 2025-05-31T08:05:46Z
dc.date.issued: 2025-05-30
dc.description.abstract: Fuzzing is one of the most popular ways to find vulnerabilities in software. A fuzzer uses feedback from the execution of previous test cases to create new test cases through random mutation, and the software under test executes these generated test cases to find crashes. Applications, operating systems, processors, and network protocols have been subjected to fuzzing to discover security vulnerabilities, making fuzzing one of the most successful software testing methodologies. Despite its vast application, fuzzing has yet to make its way to Digital Signal Processor (DSP) software. DSPs sit at the border between hardware and software systems: they transform analog signals external to a system into digital signals for internal processing. Many important societal applications including telecommunication, transportation, and defense rely on DSPs, making their testing a critical problem. Addressing this need, I introduce a DSP fuzzer, SBFUZZ. Because of the cyber-physical nature of DSPs, SBFUZZ takes a semi-hosted approach to DSP fuzzing: strategically decomposing the traditional coverage-guided fuzzing loop into host-based and DSP-based components. Our driving insight is that the DSP can perform most of fuzzing's duties, but due to its limited resources, it requires periodic assistance from a more powerful host computer. This allows a single host to control the fuzzing of multiple physical DSPs. I implement SBFUZZ using a Texas Instruments TMS320C5515 to find vulnerabilities in nine DSP benchmark programs. My evaluation using nine real-world DSP programs shows that SBFUZZ performs over 2.5x better in throughput and code coverage compared to naively using embedded fuzzers for DSP software, on its way to revealing five bugs.
dc.description.abstractgeneral: Fuzzing is a popular type of software vulnerability testing. Randomly generated inputs are provided to software to see if said inputs cause a crash. Any inputs that cause a crash are later investigated by a tester to fix the vulnerabilities revealed by the fuzzer. Digital Signal Processors (DSPs) are small embedded devices which rapidly handle signals from the outside world. These devices have yet to have a method created for the vulnerability testing of their internal software. In this work, I present a split-system fuzzer, i.e. a desktop computer and a DSP device, to efficiently find vulnerabilities in DSP software.
dc.description.degree: Master of Science
dc.format.medium: ETD
dc.identifier.other: vt_gsexam:43869
dc.identifier.uri: https://hdl.handle.net/10919/134966
dc.language.iso: en
dc.publisher: Virginia Tech
dc.rights: Creative Commons Attribution 4.0 International
dc.rights.uri: http://creativecommons.org/licenses/by/4.0/
dc.subject: Fuzzing
dc.subject: Security
dc.subject: DSP
dc.title: Signal Breaker: Fuzzing Digital Signal Processors
dc.type: Thesis
thesis.degree.discipline: Computer Science & Applications
thesis.degree.grantor: Virginia Polytechnic Institute and State University
thesis.degree.level: masters
thesis.degree.name: Master of Science

Files

Original bundle
Name: Garcia_CS_T_2025.pdf
Size: 416.05 KB
Format: Adobe Portable Document Format
