SysFuSS: System-Level Firmware Fuzzing with Selective Symbolic Execution
Dakshina Tharindu, Aruna Jayasena, Prabhat Mishra
TL;DR
SysFuSS addresses the challenge of deep firmware security validation by integrating system-level emulation with selective symbolic execution to break through coverage plateaus that hinder traditional fuzzers. It leverages a QEMU-based full-system environment, memory-safety shadow memory, and a formal plateau-detection mechanism to trigger targeted constraint solving from frontier regions, enabling directed test generation. Across six real-world firmware benchmarks, SysFuSS delivers significant improvements in branch coverage and vulnerability detection, outperforming AFL, AFLFast, and EM-Fuzz by up to 3.3× in detection time and identifying 118 CVEs (vs 13 by prior state-of-the-art). The approach demonstrates practical impact for embedded devices by enabling deeper, faster security analysis of kernel-level firmware with scalable resource usage.
Abstract
Firmware serves as the critical interface between hardware and software in computing systems, making any bugs or vulnerabilities particularly dangerous as they can cause catastrophic system failures. While fuzzing is a promising approach for identifying design flaws and security vulnerabilities, traditional fuzzers are ineffective at detecting firmware vulnerabilities. For example, existing fuzzers focus on user-level fuzzing, which is not suitable for detecting kernel-level vulnerabilities. Existing fuzzers also face a coverage plateau problem when dealing with complex interactions between firmware and hardware. In this paper, we present an efficient firmware verification framework, SysFuSS, that integrates system-level fuzzing with selective symbolic execution. Our approach leverages system-level emulation for initial fuzzing, and automatically transitions to symbolic execution when coverage reaches a plateau. This strategy enables us to generate targeted test cases that can trigger previously unexplored regions in firmware designs. We have evaluated SysFuSS on real-world embedded firmware, including OpenSSL, WolfBoot, WolfMQTT, HTSlib, MXML, and libIEC. Experimental evaluation demonstrates that SysFuSS significantly outperforms state-of-the-art fuzzers in terms of both branch coverage and detection of firmware vulnerabilities. Specifically, SysFuSS can detect 118 known vulnerabilities while state-of-the-art can cover only 13 of them. Moreover, SysFuSS takes significantly less time (up to 3.3X, 1.7X on average) to activate these vulnerabilities.
