Protocol-Aware Firmware Rehosting for Effective Fuzzing of Embedded Network Stacks
- URL: http://arxiv.org/abs/2509.13740v1
- Date: Wed, 17 Sep 2025 06:48:19 GMT
- Title: Protocol-Aware Firmware Rehosting for Effective Fuzzing of Embedded Network Stacks
- Authors: Moritz Bley, Tobias Scharnowski, Simon Wörner, Moritz Schloegel, Thorsten Holz,
- Abstract summary: We introduce a novel method to automatically detect and handle the use of network protocols in firmware called Pemu. Our approach enables a deeper, more targeted, and layer-by-layer analysis of firmware components that were previously difficult or impossible to test.
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: One of the biggest attack surfaces of embedded systems is their network interfaces, which enable communication with other devices. Unlike their general-purpose counterparts, embedded systems are designed for specialized use cases, resulting in unique and diverse communication stacks. Unfortunately, current approaches for evaluating the security of these embedded network stacks require manual effort or access to hardware, and they generally focus only on small parts of the embedded system. A promising alternative is firmware rehosting, which enables fuzz testing of the entire firmware by generically emulating the physical hardware. However, existing rehosting methods often struggle to meaningfully explore network stacks due to their complex, multi-layered input formats. This limits their ability to uncover deeply nested software faults. To address this problem, we introduce a novel method to automatically detect and handle the use of network protocols in firmware called Pemu. By automatically deducing the available network protocols, Pemu can transparently generate valid network packets that encapsulate fuzzing data, allowing the fuzzing input to flow directly into deeper layers of the firmware logic. Our approach thus enables a deeper, more targeted, and layer-by-layer analysis of firmware components that were previously difficult or impossible to test. Our evaluation demonstrates that Pemu consistently improves the code coverage of three existing rehosting tools for embedded network stacks. Furthermore, our fuzzer rediscovered several known vulnerabilities and identified five previously unknown software faults, highlighting its effectiveness in uncovering deeply nested bugs in network-exposed code.
Related papers
- DyMA-Fuzz: Dynamic Direct Memory Access Abstraction for Re-hosted Monolithic Firmware Fuzzing (arXiv, 2026-02-09T14:52:57Z)
  We introduce DyMA-Fuzz to extend recent advances in stream-based fuzz input injection to DMA-driven interfaces in re-hosted environments. It tackles key challenges (vendor-specific descriptors, heterogeneous DMA designs, and varying descriptor locations) using runtime analysis techniques. DyMA-Fuzz reveals vulnerabilities and execution paths missed by state-of-the-art tools and achieves up to 122% higher code coverage.
- SysFuSS: System-Level Firmware Fuzzing with Selective Symbolic Execution (arXiv, 2026-02-02T15:52:20Z)
  Existing fuzzers focus on user-level fuzzing, which is not suitable for detecting kernel-level vulnerabilities. We present an efficient firmware verification framework, SysFuSS, that integrates system-level fuzzing with selective symbolic execution. SysFuSS significantly outperforms state-of-the-art fuzzers in terms of both branch coverage and detection of firmware vulnerabilities.
- Automated SBOM-Driven Vulnerability Triage for IoT Firmware: A Lightweight Pipeline for Risk Prioritization (arXiv, 2026-01-04T00:09:01Z)
  This paper presents a lightweight, automated pipeline designed to extract file systems from Linux-based IoT firmware. It generates a comprehensive Software Bill of Materials, maps identified components to known vulnerabilities, and applies a multi-factor triage scoring model. We describe the architecture, the normalization challenges of embedded Linux, and a scoring methodology intended to reduce alert fatigue.
- Beyond Model Jailbreak: Systematic Dissection of the "Ten Deadly Sins" in Embodied Intelligence (arXiv, 2025-12-06T10:38:00Z)
  Embodied AI systems integrate language models with real-world sensing, mobility, and cloud-connected mobile apps. We conduct the first holistic security analysis of the Unitree Go2 platform. We uncover ten cross-layer vulnerabilities, the "Ten Sins of Embodied AI Security".
- STAFF: Stateful Taint-Assisted Full-system Firmware Fuzzing (arXiv, 2025-09-22T17:14:00Z)
  This article presents a firmware fuzzing framework for discovering bugs in Linux-based firmware built around three key ideas. It identifies 42 bugs involving multiple network requests and different firmware daemons, significantly outperforming existing state-of-the-art fuzzing solutions in the number of discovered bugs.
- Certifiably robust malware detectors by design (arXiv, 2025-08-10T09:19:29Z)
  We propose a new model architecture for robust malware detection by design. We show that every robust detector can be decomposed into a specific structure, which can be applied to learn empirically robust malware detectors. Our framework ERDALT is based on this structure.
- CryptoFormalEval: Integrating LLMs and Formal Verification for Automated Cryptographic Protocol Vulnerability Detection (arXiv, 2024-11-20T14:16:55Z)
  We introduce a benchmark to assess the ability of Large Language Models to autonomously identify vulnerabilities in new cryptographic protocols. We created a dataset of novel, flawed communication protocols and designed a method to automatically verify the vulnerabilities found by the AI agents.
- Fixing Security Vulnerabilities with AI in OSS-Fuzz (arXiv, 2024-11-03T16:20:32Z)
  OSS-Fuzz is the most significant and widely used infrastructure for continuous validation of open source systems. We customise the well-known AutoCodeRover agent for fixing security vulnerabilities. Our experience with OSS-Fuzz vulnerability data shows that LLM agent autonomy is useful for successful security patching.
- Swarm-Net: Firmware Attestation in IoT Swarms using Graph Neural Networks and Volatile Memory (arXiv, 2024-08-11T03:19:29Z)
  The Internet of Things (IoT) is a network of billions of interconnected, primarily low-end embedded devices. Despite large-scale deployment, studies have highlighted critical security concerns in IoT networks. Malicious activity on one node in a swarm can propagate to larger network sections. We present Swarm-Net, a novel swarm attestation technique that exploits the inherent, interconnected, graph-like structure of IoT networks.
- JustSTART: How to Find an RSA Authentication Bypass on Xilinx UltraScale(+) with Fuzzing (arXiv, 2024-02-15T10:03:35Z)
  We investigate fuzzing for 7-Series and UltraScale(+) FPGA configuration engines. Our goal is to examine the effectiveness of fuzzing to analyze and document the inner workings of FPGA configuration engines.
- Systematically Detecting Packet Validation Vulnerabilities in Embedded Network Stacks (arXiv, 2023-08-21T18:23:26Z)
  This paper provides the first systematic characterization of cybersecurity vulnerabilities in Embedded Network Stacks (ENS). We propose a novel systematic testing framework that focuses on the transport and network layers. Our results suggest that fuzzing should be deferred until after systematic testing is employed.
- A survey on hardware-based malware detection approaches (arXiv, 2023-03-22T13:00:41Z)
  Hardware-based malware detection approaches leverage hardware performance counters and machine learning prowess. We meticulously analyze the approach, unraveling the most common methods, algorithms, tools, and datasets that shape its contours. The discussion extends to crafting mixed hardware and software approaches for collaborative efficacy, essential enhancements in hardware monitoring units, and a better understanding of the correlation between hardware events and malware applications.
- VELVET: a noVel Ensemble Learning approach to automatically locate VulnErable sTatements (arXiv, 2021-12-20T22:45:27Z)
  This paper presents VELVET, a novel ensemble learning approach to locate vulnerable statements in source code. Our model combines graph-based and sequence-based neural networks to successfully capture the local and global context of a program graph. VELVET achieves 99.6% and 43.6% top-1 accuracy over synthetic data and real-world data, respectively.
- A Survey of Machine Learning Algorithms for Detecting Malware in IoT Firmware (arXiv, 2021-11-03T17:55:51Z)
  This paper employs a number of machine learning algorithms to classify IoT firmware, and the best performing models are reported. Deep learning approaches including Convolutional and Fully Connected Neural Networks are also explored.
- D-Unet: A Dual-encoder U-Net for Image Splicing Forgery Detection and Localization (arXiv, 2020-12-03T10:54:02Z)
  Image splicing forgery detection is a global binary classification task that distinguishes the tampered and non-tampered regions by image fingerprints. We propose a novel network called dual-encoder U-Net (D-Unet) for image splicing forgery detection, which employs an unfixed encoder and a fixed encoder. In an experimental comparison study of D-Unet and state-of-the-art methods, D-Unet outperformed the other methods in image-level and pixel-level detection.
- Adversarial EXEmples: A Survey and Experimental Evaluation of Practical Attacks on Machine Learning for Windows Malware Detection (arXiv, 2020-08-17T07:16:57Z)
  Adversarial EXEmples can bypass machine learning-based detection by perturbing relatively few input bytes. We develop a unifying framework that not only encompasses and generalizes previous attacks against machine-learning models, but also includes three novel attacks. These attacks, named Full DOS, Extend and Shift, inject the adversarial payload by respectively manipulating the DOS header, extending it, and shifting the content of the first section.
This list is automatically generated from the titles and abstracts of the papers in this site.