
Researchers Unveil SMUZZ: A New Fuzzing Framework for Detecting SMM Vulnerabilities
🎬 In this Black Hat Europe presentation, Wen Chang from NPI Security and Privacy in Germany, together with collaborators from Shanghai Jiao Tong University, presents work on finding memory corruption vulnerabilities in System Management Mode (SMM) by fuzzing. SMM is the most privileged execution mode on x86 (commonly called ring -2): its code and data live in SMRAM, which the processor and chipset lock away from every other mode, and it is entered only through a System Management Interrupt (SMI). The only input an SMI handler receives is what ring 0 code placed in shared memory before raising the interrupt, so a memory corruption bug in a handler turns kernel-level code execution into control of SMM, beneath the operating system, the hypervisor and the firmware's own protections. That is what makes SMI handlers a critical target for privilege escalation.

The research introduces SMUZZ, a fuzzing framework that rehosts BIOS firmware modules: vendor-provided SMM code is embedded in a compatible runtime environment so that it can run outside the real platform, which means dealing with proprietary protocol dependencies and with inter-modular semantics (handlers whose behaviour depends on other modules). The tool works in three phases, composing, initialization and fuzzing, to load and exercise SMM handlers. Its key innovations are automated grouping of dependent handlers, so that handlers that rely on one another are rehosted together, and dynamic interception of memory accesses to infer the pointer structures a handler expects in its input, without static analysis.

In the evaluation, SMUZZ achieved four times higher coverage than prior work (e.g., Fuzzware) and detected double fetches, out-of-bounds memory accesses and division-by-zero errors in firmware from vendors including Alienware, ASUS and HP, with fewer false positives than static analysis tools like EFI Explorer. The talk concluded with a demo of a double-fetch vulnerability found in a BIOS firmware handler.
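The double-fetch and out-of-bounds bug classes SMUZZ reports are easiest to see on a concrete handler. The C model below is an added example written for this summary, not code from the talk or from SMUZZ; the SMRAM layout, the request format, the `race_hook_t` callback that stands in for a second core writing to the shared buffer while the handler runs, and all function names are assumptions. It pairs a vulnerable handler that reads the request length from the shared comm buffer twice (once to check it, once inside `memcpy`) with a hardened one that copies the length into SMRAM exactly once and also rejects comm buffers that overlap SMRAM (the check EDK2 performs with `SmmIsBufferOutsideSmmValid`; the reimplementation here is the example's own).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of an SMI handler and the memory it sees (assumed layout).
 * SMRAM is the handler's protected region; the comm buffer is shared memory
 * that ring 0 fills before raising the SMI and can keep writing from another
 * core while the handler executes. */

#define SMRAM_SIZE    1024
#define SCRATCH_OFF   0            /* where a request payload is legitimately copied */
#define SCRATCH_SIZE  64
#define LOCK_OFF      64           /* a value an out-of-bounds write must never touch */
#define LOCK_MAGIC    0xA5A5A5A5u
#define COMM_BUF_SIZE 256

static _Alignas(16) uint8_t g_smram[SMRAM_SIZE];

/* Request as laid out in the shared comm buffer (assumed format). */
typedef struct {
    uint32_t length;                       /* payload bytes that follow */
    uint8_t  payload[COMM_BUF_SIZE - 4];
} comm_req_t;

/* Stands in for a racing core: invoked inside the handler between the
 * check of req->length and its use. */
typedef void (*race_hook_t)(comm_req_t *req);

void reset_smram(void) {
    uint32_t magic = LOCK_MAGIC;
    memset(g_smram, 0, sizeof g_smram);
    memcpy(&g_smram[LOCK_OFF], &magic, sizeof magic);
}

uint32_t smram_lock_value(void) {
    uint32_t v;
    memcpy(&v, &g_smram[LOCK_OFF], sizeof v);
    return v;
}

/* Build a request whose payload is all 0x41 so an overflow is easy to spot. */
void make_request(comm_req_t *req, uint32_t length) {
    memset(req, 0x41, sizeof *req);
    req->length = length;
}

/* Racing core: rewrite the length right after the handler validated it. */
void race_bump_length(comm_req_t *req) {
    req->length = SCRATCH_SIZE + 4;    /* 4 bytes past scratch, onto the lock */
}

/* The comm buffer must lie entirely outside SMRAM, otherwise ring 0 could make
 * the handler read or write SMRAM through it. */
static int buffer_outside_smram(const void *p, size_t n) {
    uintptr_t b = (uintptr_t)p, lo = (uintptr_t)g_smram, hi = lo + SMRAM_SIZE;
    return (b + n <= lo) || (b >= hi);
}

/* VULNERABLE: req->length is fetched from shared memory twice. The first
 * fetch is bounds-checked, the second (the memcpy size) is not, so a racing
 * core that rewrites it in between turns a valid request into an SMRAM
 * overflow. Returns the number of bytes copied, or -1 if rejected. */
int vulnerable_handler(comm_req_t *req, race_hook_t race) {
    if (req->length > SCRATCH_SIZE)                         /* fetch 1: check */
        return -1;
    if (race) race(req);                                    /* the race window */
    memcpy(&g_smram[SCRATCH_OFF], req->payload, req->length); /* fetch 2: use */
    return (int)req->length;
}

/* HARDENED: reject buffers overlapping SMRAM, copy the length into SMRAM
 * (a local on the SMM stack) exactly once, and use only that copy. The racing
 * core can still rewrite the shared buffer, but nothing reads it again.
 * Returns bytes copied, -1 for an oversized request, -2 for a bad buffer. */
int hardened_handler(comm_req_t *req, race_hook_t race) {
    if (!buffer_outside_smram(req, sizeof *req))
        return -2;
    uint32_t length = req->length;                          /* the single fetch */
    if (length > SCRATCH_SIZE)
        return -1;
    if (race) race(req);                                    /* same window, no effect */
    memcpy(&g_smram[SCRATCH_OFF], req->payload, length);
    return (int)length;
}

int main(void) {
    comm_req_t req;
    int n;

    make_request(&req, 16);
    reset_smram();
    n = vulnerable_handler(&req, race_bump_length);
    printf("vulnerable: copied %d bytes, lock now 0x%08x\n", n, smram_lock_value());

    make_request(&req, 16);
    reset_smram();
    n = hardened_handler(&req, race_bump_length);
    printf("hardened:   copied %d bytes, lock still 0x%08x\n", n, smram_lock_value());
    return 0;
}
```

The fix is not the bounds check, which both handlers have, but where the checked value lives: once it has been copied into SMRAM the attacker's later writes to the comm buffer cannot reach it. The same rule applies to every field the handler trusts, including nested pointers, which is why a fuzzer that can infer those pointer structures and vary them between fetches finds this class of bug.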