Fuzzing BusyBox: Leveraging LLM and Crash Reuse for Embedded Bug Unearthing
Asmita, Yaroslav Oliinyk, Michael Scott, Ryan Tsang, Chongzhou Fang, Houman Homayoun
TL;DR
The paper probes the security of BusyBox in embedded Linux by introducing two techniques to strengthen fuzz testing: (i) using Large Language Models to generate target-specific initial seeds, and (ii) reusing crashes from previous fuzzing across different BusyBox variants. Through a proof-of-concept with AFL++ in QEMU mode on real-world BusyBox ELF targets, the authors demonstrate that LLM-derived seeds yield more crashes and broader code coverage, and that crash reuse can reveal vulnerabilities in newer BusyBox versions without exhaustive fuzzing. They also perform manual crash triaging, uncovering DoS-related patterns in GLIBC (linked to known CVEs) and outlining a practical workflow for automated fuzzing, crash collection, triage, and cross-target testing. The findings highlight significant time and resource savings for security testing in embedded firmware and point to broader applicability to other applets and targets. Overall, the work suggests that combining LLM-assisted seed generation with crash reuse can materially enhance vulnerability detection in resource-constrained embedded systems.
Abstract
BusyBox, an open-source software bundling over 300 essential Linux commands into a single executable, is ubiquitous in Linux-based embedded devices. Vulnerabilities in BusyBox can have far-reaching consequences, affecting a wide array of devices. This research, driven by the extensive use of BusyBox, delved into its analysis. The study revealed the prevalence of older BusyBox versions in real-world embedded products, prompting us to conduct fuzz testing on BusyBox. Fuzzing, a pivotal software testing method, aims to induce crashes that are subsequently scrutinized to uncover vulnerabilities. Within this study, we introduce two techniques to fortify software testing. The first technique enhances fuzzing by leveraging Large Language Models (LLM) to generate target-specific initial seeds. Our study showed a substantial increase in crashes when using LLM-generated initial seeds, highlighting the potential of LLM to efficiently tackle the typically labor-intensive task of generating target-specific initial seeds. The second technique involves repurposing previously acquired crash data from similar fuzzed targets before initiating fuzzing on a new target. This approach streamlines the time-consuming fuzz testing process by providing crash data directly to the new target before commencing fuzzing. We successfully identified crashes in the latest BusyBox target without conducting traditional fuzzing, emphasizing the effectiveness of LLM and crash reuse techniques in enhancing software testing and improving vulnerability detection in embedded systems. Additionally, manual triaging was performed to identify the nature of crashes in the latest BusyBox.