Cyber Security and Data Governance (网络安全与数据治理) 2025, Vol. 44, Issue 4: 19-23, 51, 6. DOI: 10.19358/j.issn.2097-1788.2025.04.003
Research on fuzzing techniques for UEFI firmware Double-fetch race condition vulnerability
(Original title: UEFI固件Double-fetch条件竞争漏洞模糊测试技术研究)
尹嘉伟 (Yin Jiawei) 1, 史记 (Shi Ji) 2, 张禹 (Zhang Yu) 2, 戴戈 (Dai Ge) 2, 王琛 (Wang Chen) 2, 湛蓝蓝 (Zhan Lanlan) 2
Author information
- 1. 中电网络空间研究院有限公司 (China Electronics Cyberspace Research Institute Co., Ltd.), Beijing 100043; Institute of Information Engineering, Chinese Academy of Sciences (中国科学院信息工程研究所), Beijing 100084
- 2. 中电网络空间研究院有限公司 (China Electronics Cyberspace Research Institute Co., Ltd.), Beijing 100043
Abstract
Firmware implemented according to the Unified Extensible Firmware Interface (UEFI) standard has been widely adopted in personal computers, cloud servers, and network equipment. Vulnerabilities in UEFI firmware services can pose severe security threats, and fuzzing is a primary method for detecting them. However, because they are built around traditional memory-corruption vulnerability mechanisms, current UEFI firmware fuzzing approaches fail to detect special-type vulnerabilities such as Double-fetch race condition vulnerabilities in UEFI firmware. This paper proposes a Double-fetch-aware fuzzing methodology for UEFI firmware services and implements a prototype system named UEFIDFFuzzer. In tests of 114 UEFI firmware service drivers from Intel-based vendors, UEFIDFFuzzer identified two previously unknown UEFI firmware Double-fetch zero-day vulnerabilities that the existing UEFI fuzzing tool (RSFuzzer) and static analysis tool (efiXplorer) had missed.
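The Double-fetch pattern the abstract refers to, as an added illustration that is not code from the paper or from UEFIDFFuzzer: a firmware-style handler reads a caller-controlled shared buffer through an instrumented fetch, the check-then-re-read form sits beside a single-fetch form, and a small detector flags any shared address fetched more than once in one invocation, which is the access pattern a racing writer could exploit between the two reads. The buffer layout, function names and MAX_TRACE are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define MAX_TRACE 64
static uintptr_t trace[MAX_TRACE];   /* addresses read during one handler run */
static size_t trace_len;
static void trace_reset(void) { trace_len = 0; }

/* Instrumented 32-bit read from shared memory: records the address, then reads. */
static uint32_t fetch32(const volatile uint32_t *p) {
    if (trace_len < MAX_TRACE) trace[trace_len++] = (uintptr_t)p;
    return *p;
}

/* Caller-controlled buffer layout assumed for the illustration (hypothetical). */
typedef struct { uint32_t size; uint8_t data[16]; } comm_buf_t;

/* Double-fetch: size is checked on one read and used on a second read, so a value
   changed between the two reads passes the check but drives the memcpy length. */
static int handler_double_fetch(volatile comm_buf_t *buf, uint8_t *out) {
    if (fetch32(&buf->size) > sizeof(buf->data)) return -1;      /* check */
    memcpy(out, (const void *)buf->data, fetch32(&buf->size));   /* use  */
    return 0;
}

/* Hardened: fetch once into a local copy, then check and use that copy. */
static int handler_single_fetch(volatile comm_buf_t *buf, uint8_t *out) {
    uint32_t size = fetch32(&buf->size);
    if (size > sizeof(buf->data)) return -1;
    memcpy(out, (const void *)buf->data, size);
    return 0;
}

/* Detector: number of fetches whose address was already fetched in this run. */
static int count_double_fetches(void) {
    int doubles = 0;
    for (size_t i = 0; i < trace_len; i++)
        for (size_t j = 0; j < i; j++)
            if (trace[j] == trace[i]) { doubles++; break; }
    return doubles;
}

/* Runs a handler on a constructed buffer; returns its double-fetch count. */
static int audit(int (*handler)(volatile comm_buf_t *, uint8_t *)) {
    volatile comm_buf_t buf = { .size = 8 };   /* constructed sample input */
    uint8_t out[16];
    trace_reset();
    handler(&buf, out);
    return count_double_fetches();
}
```

The detector reports 1 for the double-fetch handler and 0 for the single-fetch one; a fuzzer built on the same idea tracks reads of attacker-shared memory at runtime instead of a fixed trace array.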
Key words: UEFI / Double-fetch vulnerability / fuzzing
Classification: Information technology and security science
Citation: 尹嘉伟, 史记, 张禹, 戴戈, 王琛, 湛蓝蓝. Research on fuzzing techniques for UEFI firmware Double-fetch race condition vulnerability (UEFI固件Double-fetch条件竞争漏洞模糊测试技术研究) [J]. 网络安全与数据治理, 2025, 44(4): 19-23, 51, 6.