
EmbedFuzz: High Speed Fuzzing Through Transplantation

Florian Hofhammer, Qinying Wang, Atri Bhattacharyya, Majid Salehi, Bruno Crispo, Manuel Egele, Mathias Payer, Marcel Busch

TL;DR

EmbedFuzz tackles the core challenge of fuzzing MCU firmware by transplanting Cortex-M binaries to Cortex-A hosts for native-speed execution, preserving address space layout and essential MCU semantics through static binary rewriting and a specialized runtime. Its hybrid design combines transplantation with HAL-based high-level peripheral modeling, enabling scalable fuzzing while maintaining fidelity in instruction execution and interrupt handling. Evaluated against state-of-the-art MCU fuzzers, EmbedFuzz achieves up to 8x throughput and substantial energy savings, while still enabling OS-like introspection and robust crash triage. The approach reduces hardware dependency and engineering effort for test campaigns, offering practical gains for security testing of embedded firmware across many devices and HAL libraries.

Abstract

Dynamic analysis and especially fuzzing are challenging tasks for embedded firmware running on modern low-end Microcontroller Units (MCUs) due to performance overheads from instruction emulation, the difficulty of emulating the vast space of available peripherals, and low availability of open-source embedded firmware. Consequently, efficient security testing of MCU firmware has proved to be a resource- and engineering-heavy endeavor. EmbedFuzz introduces an efficient end-to-end fuzzing framework for MCU firmware. Our novel firmware transplantation technique converts binary MCU firmware to a functionally equivalent and fuzzing-enhanced version of the firmware which executes on a compatible high-end device at native performance. Besides the performance gains, our system enables advanced introspection capabilities based on tooling for typical Linux user space processes, thus simplifying analysis of crashes and bug triaging. In our evaluation against state-of-the-art MCU fuzzers, EmbedFuzz exhibits up to eight-fold fuzzing throughput while consuming at most a fourth of the energy thanks to its native execution.
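To make concrete what the TL;DR calls HAL-based high-level peripheral modeling, the following is an added illustration written for this summary; it is not EmbedFuzz's code, and `hal_uart_receive`, `hal_model_set_input`, `firmware_read_frame` and `harness_run` are hypothetical names. It shows the idea at the source level: the firmware's call into a HAL receive routine is satisfied on the host by a model that hands out bytes from the current fuzz input, so the frame parser runs as an ordinary host process with no hardware and no instruction emulation involved, and an exhausted input is reported as a timeout so the firmware's error paths are exercised too. The binary transplantation step itself (rewriting a Cortex-M image so it runs on a Cortex-A host) is not shown.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Return codes of the hypothetical HAL (assumed; modelled on the common
 * vendor-HAL convention of returning a status code, not EmbedFuzz's or any
 * vendor's API). */
#define HAL_OK      0
#define HAL_TIMEOUT 1

/* ---- Host-side peripheral model at the HAL boundary ----
 * On the MCU, hal_uart_receive() would poll a UART peripheral. In the host
 * harness the same symbol is satisfied by this model, which hands out bytes
 * from the current fuzz input instead of touching any hardware. */
static const uint8_t *g_fuzz_data = NULL;
static size_t g_fuzz_len = 0;
static size_t g_fuzz_pos = 0;

void hal_model_set_input(const uint8_t *data, size_t len)
{
    g_fuzz_data = data;
    g_fuzz_len = len;
    g_fuzz_pos = 0;
}

int hal_uart_receive(uint8_t *buf, size_t len)
{
    /* When the fuzz input is exhausted, behave like a real UART timeout so the
     * firmware's error handling runs rather than reading stale memory. */
    if (len > g_fuzz_len - g_fuzz_pos)
        return HAL_TIMEOUT;
    memcpy(buf, g_fuzz_data + g_fuzz_pos, len);
    g_fuzz_pos += len;
    return HAL_OK;
}

/* ---- Firmware logic under test (constructed for this example) ----
 * Reads a frame of the form [type][len][payload...] from the UART. */
#define FRAME_MAX 64

typedef struct {
    uint8_t type;
    uint8_t len;
    uint8_t payload[FRAME_MAX];
} frame_t;

/* Returns 0 on success, -1 on a HAL error, -2 on a malformed header. */
int firmware_read_frame(frame_t *f)
{
    uint8_t hdr[2];
    if (hal_uart_receive(hdr, sizeof hdr) != HAL_OK)
        return -1;
    f->type = hdr[0];
    f->len = hdr[1];
    /* Bounds check: the input-controlled length must never exceed the payload
     * buffer. Without it, a host-side fuzz run surfaces the overflow as an
     * ordinary process crash that user-space tooling can triage. */
    if (f->len > FRAME_MAX)
        return -2;
    if (hal_uart_receive(f->payload, f->len) != HAL_OK)
        return -1;
    return 0;
}

/* One fuzz iteration: install the input in the HAL model and run the firmware
 * entry point as an ordinary host function. */
int harness_run(const uint8_t *data, size_t len, frame_t *out)
{
    hal_model_set_input(data, len);
    return firmware_read_frame(out);
}

int main(void)
{
    /* Constructed sample inputs: a well-formed frame, a header whose length
     * exceeds the buffer, and a frame truncated mid-payload. */
    static const uint8_t good[] = { 0x01, 0x03, 'a', 'b', 'c' };
    static const uint8_t bad_len[] = { 0x01, 0x80 };
    static const uint8_t truncated[] = { 0x01, 0x05, 'a' };
    frame_t f;

    printf("good      -> %d\n", harness_run(good, sizeof good, &f));
    printf("bad_len   -> %d\n", harness_run(bad_len, sizeof bad_len, &f));
    printf("truncated -> %d\n", harness_run(truncated, sizeof truncated, &f));
    return 0;
}
```

In a real campaign `harness_run` is the function a fuzzer drives with each generated input; because the firmware is an ordinary host process, sanitizers, debuggers and core dumps apply to it directly, which is the introspection benefit the abstract describes.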

Paper Structure

This paper contains 60 sections, 3 figures, and 4 tables.

Figures (3)

  • Figure 1: The overview of EmbedFuzz's approach to MCU firmware fuzzing. Our contributions are shown in gray.
  • Figure 2: Box plot of fuzzing executions per second (i.e., throughput) on real-world firmware binaries across ten 24-hour runs.
  • Figure 3: Code coverage over time for real-world firmware binaries across ten 24-hour trials. The median percentage of uniquely discovered basic blocks, as well as the minima and maxima for each trial, are illustrated.