DyMA-Fuzz: Dynamic Direct Memory Access Abstraction for Re-hosted Monolithic Firmware Fuzzing

Guy Farrelly, Michael Chesser, Seyit Camtepe, Damith C. Ranasinghe

TL;DR

DyMA-Fuzz closes a gap in firmware fuzzing by automatically inferring and emulating DMA transfer descriptors in re-hosted environments, so that fuzz input can reach DMA buffers without vendor datasheets or manual configuration. It combines dynamic analysis of RAM and MMIO accesses with static analysis to generate emulated transfer descriptors, and injects data just-in-time into the target DMA buffers, handling descriptors held in MMIO registers as well as descriptor lists kept in RAM. Evaluated on 94 binaries and 8 DMA-guarded CVE benchmarks, it achieves up to 122% higher code coverage and reproduces known bugs more efficiently than prior DMA-aware fuzzers, across diverse MCU families. The result is a practical, scalable approach to fuzzing DMA-driven embedded systems, a long-standing obstacle in automated firmware testing and vulnerability discovery.

Abstract

The rise of smart devices in critical domains, including automotive, medical and industrial systems, demands robust firmware testing. Fuzzing firmware in re-hosted environments is a promising method for automated testing at scale, but remains difficult due to the tight coupling of code with a microcontroller's peripherals. Existing fuzzing frameworks primarily address the challenge of providing inputs through Memory-Mapped I/O or interrupts, but largely overlook Direct Memory Access (DMA), a key high-throughput interface that bypasses the CPU. We introduce DyMA-Fuzz to extend recent advances in stream-based fuzz input injection to DMA-driven interfaces in re-hosted environments. It tackles the key challenges of vendor-specific descriptors, heterogeneous DMA designs, and varying descriptor locations, using runtime analysis techniques to infer DMA memory access patterns and automatically inject fuzzing data into target buffers, without manual configuration or datasheets. Evaluated on 94 firmware samples and 8 DMA-guarded CVE benchmarks, DyMA-Fuzz reveals vulnerabilities and execution paths missed by state-of-the-art tools and achieves up to 122% higher code coverage. These results highlight DyMA-Fuzz as a practical and effective advancement in automated firmware testing and a scalable solution for fuzzing complex embedded systems.
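The abstract describes the core mechanism only at a high level: watch what the firmware writes to MMIO, recognise writes that configure a DMA transfer, and deliver fuzz data into the resulting RAM buffer just-in-time. The following Python model, added here as an illustration and not DyMA-Fuzz's own code, shows one simplified way that inference can work for a register-based controller (the STM32F0-style layout of Figure 2a): an MMIO write whose value falls inside the narrow RAM band of the address space (the observation behind Figure 4) is treated as a candidate buffer pointer, a subsequent small write to the same peripheral block is paired with it as a transfer count, and the inferred buffer is filled from the fuzzer's input stream the first time the firmware reads it. The memory map, register offsets, peripheral-block size and input bytes are all constructed; the pairing heuristic is an assumption for illustration and deliberately ignores the static-analysis side of the real tool.

```python
"""Toy model of DMA-descriptor inference for a re-hosted MCU (added example).

Not DyMA-Fuzz's implementation: a minimal sketch of the idea that RAM
pointers are easy to spot in MMIO writes because RAM occupies a small
slice of the address space, and that fuzz data can be placed into the
inferred buffer lazily, on first access by the firmware.
All addresses, offsets and input bytes below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed Cortex-M style memory map: RAM is a narrow band.
RAM_BASE, RAM_SIZE = 0x2000_0000, 0x4000
MMIO_BASE, MMIO_END = 0x4000_0000, 0x5000_0000
PERIPH_BLOCK = 0x400  # assumption: one peripheral/channel per 1 KiB MMIO block


def is_ram_pointer(value: int) -> bool:
    """A 32-bit value that lands inside RAM is a candidate buffer address."""
    return RAM_BASE <= value < RAM_BASE + RAM_SIZE


def is_plausible_count(value: int, ptr: int) -> bool:
    """A count is plausible if the transfer stays inside RAM and is non-empty.
    Limitation: a control-register write such as ENABLE=1 also passes this
    check, which is one reason the real tool adds static analysis."""
    return 0 < value <= RAM_BASE + RAM_SIZE - ptr


class FuzzStream:
    """Stand-in for the fuzzer's input stream (constructed bytes)."""

    def __init__(self, data: bytes) -> None:
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        chunk = self.data[self.pos:self.pos + n]
        self.pos += len(chunk)
        return chunk.ljust(n, b"\x00")  # an exhausted stream pads with zeros


@dataclass
class Descriptor:
    ptr_reg: int   # MMIO register that received the buffer pointer
    cnt_reg: int   # MMIO register that received the transfer count
    ptr: int
    count: int
    filled: bool = False


@dataclass
class DmaModel:
    ram: bytearray = field(default_factory=lambda: bytearray(RAM_SIZE))
    # per peripheral block: the most recent RAM-looking write (reg, value)
    pending_ptr: Dict[int, Tuple[int, int]] = field(default_factory=dict)
    descriptors: List[Descriptor] = field(default_factory=list)

    def on_mmio_write(self, reg: int, value: int) -> Optional[Descriptor]:
        """Emulator hook for MMIO stores; returns a descriptor once inferred."""
        if not (MMIO_BASE <= reg < MMIO_END):
            raise ValueError("not an MMIO address")
        block = reg // PERIPH_BLOCK
        if is_ram_pointer(value):
            self.pending_ptr[block] = (reg, value)  # peripheral addresses never match
            return None
        ptr_info = self.pending_ptr.get(block)
        if ptr_info and is_plausible_count(value, ptr_info[1]):
            desc = Descriptor(ptr_info[0], reg, ptr_info[1], value)
            # a re-armed transfer on the same register pair replaces the old one
            self.descriptors = [d for d in self.descriptors
                                if (d.ptr_reg, d.cnt_reg) != (desc.ptr_reg, desc.cnt_reg)]
            self.descriptors.append(desc)
            del self.pending_ptr[block]
            return desc
        return None

    def on_ram_read(self, addr: int, size: int, stream: FuzzStream) -> bytes:
        """Emulator hook for RAM loads: fill an inferred buffer just-in-time."""
        for d in self.descriptors:
            if not d.filled and d.ptr <= addr < d.ptr + d.count:
                off = d.ptr - RAM_BASE
                self.ram[off:off + d.count] = stream.take(d.count)
                d.filled = True
        off = addr - RAM_BASE
        return bytes(self.ram[off:off + size])


if __name__ == "__main__":
    m = DmaModel()
    m.on_mmio_write(0x4002_0010, 0x4000_4424)   # peripheral data register: not RAM, ignored
    m.on_mmio_write(0x4002_0014, 0x2000_0100)   # RAM pointer -> pending candidate
    print(m.on_mmio_write(0x4002_000C, 8))      # count -> Descriptor(ptr=0x20000100, count=8)
    print(m.on_ram_read(0x2000_0104, 4, FuzzStream(b"ABCDEFGHIJ")))  # b'EFGH'
```

The firmware's write of the peripheral address (0x40004424 here) is the reason the RAM-range test matters: it is also a 32-bit address written to the same channel, but it lies in MMIO space and so is never mistaken for the buffer. The lazy fill on first read is what "just-in-time" injection buys: the transfer is satisfied with exactly as many stream bytes as the inferred count, and a buffer the firmware never reads consumes no input.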

Paper Structure (27 sections, 7 figures, 4 tables)

Figures (7)

  • Figure 1: Simplified overview of an MCU. Data flow is indicated with solid lines; event triggers such as interrupts are denoted with dashed lines. External inputs are delivered through peripherals. Many existing emulation-based fuzzing frameworks neglect the interactions highlighted in red because of the complexity of emulating DMA interactions.
  • Figure 2: (a) Example MMIO layout of a multi-channel DMA controller (based on the STM32F0). A reserved region of the address space is used to configure DMA transfers for all peripherals; several transfers can be configured within a single controller using separate channels. (b) Example MMIO layout of an integrated DMA interface within an SPI peripheral (based on the nRF51). DMA transfers for each peripheral are configured within the peripheral's own MMIO space. (c) Example MMIO and RAM layout of a list-based DMA interface (based on the SAM L10; the CC2538 uses an array of similar format instead of a linked list).
  • Figure 3: Overview of DyMA-Fuzz. We combine memory analysis techniques with data from static analysis to generate emulated transfer descriptors for fuzzer input streams to inject data into DMA peripherals.
  • Figure 4: An example memory map demonstrating the limited range of RAM values within the address-space.
  • Figure 5: Coverage over time achieved by different approaches. The shaded region indicates the range of coverage results observed across all ten trials. The MIDI Synth and Oscilloscope binaries are omitted for brevity, as more than 99% of the final coverage for each trial was reached within the first 15 minutes.
  • ...and 2 more figures