STAFF: Stateful Taint-Assisted Full-system Firmware Fuzzing
- URL: http://arxiv.org/abs/2509.18039v1
- Date: Mon, 22 Sep 2025 17:14:00 GMT
- Title: STAFF: Stateful Taint-Assisted Full-system Firmware Fuzzing
- Authors: Alessio Izzillo, Riccardo Lazzeretti, Emilio Coppa,
- Abstract summary: This article presents a firmware fuzzing framework for discovering bugs in Linux-based firmware built around three key ideas. It identifies 42 bugs involving multiple network requests and different firmware daemons, significantly outperforming existing state-of-the-art fuzzing solutions in both the number and reproducibility of discovered bugs.
- Score: 2.2780835314511116
- License: http://creativecommons.org/licenses/by-nc-nd/4.0/
- Abstract: Modern embedded Linux devices, such as routers, IP cameras, and IoT gateways, rely on complex software stacks where numerous daemons interact to provide services. Testing these devices is crucial from a security perspective since vendors often use custom closed- or open-source software without documenting releases and patches. Recent coverage-guided fuzzing solutions primarily test individual processes, ignoring deep dependencies between daemons and their persistent internal state. This article presents STAFF, a firmware fuzzing framework for discovering bugs in Linux-based firmware built around three key ideas: (a) user-driven multi-request recording, which monitors user interactions with emulated firmware to capture request sequences involving application-layer protocols (e.g., HTTP); (b) intra- and inter-process dependency detection, which uses whole-system taint analysis to track how input bytes influence user-space states, including files, sockets, and memory areas; (c) protocol-aware taint-guided fuzzing, which applies mutations to request sequences based on identified dependencies, exploiting multi-staged forkservers to efficiently checkpoint protocol states. When evaluating STAFF on 15 Linux-based firmware targets, it identifies 42 bugs involving multiple network requests and different firmware daemons, significantly outperforming existing state-of-the-art fuzzing solutions in both the number and reproducibility of discovered bugs.
Related papers
- Boosting Device Utilization in Control Flow Auditing [47.36491265793223]
Control Flow Auditing (CFAud) is a mechanism wherein a remote verifier (Vrf) is guaranteed to receive evidence about the control flow path taken on a prover (Prv) MCU, even when Prv software is compromised. Current CFAud requires a "busy-wait" phase where a root of trust (RoT) anchored in Prv retains execution to ensure delivery of control flow evidence to Vrf. CARAMEL is a hardware RoT co-design that enables Prv to resume while control flow evidence is transmitted to Vrf.
arXiv Detail & Related papers (2026-03-02T18:26:17Z)
- Outrunning LLM Cutoffs: A Live Kernel Crash Resolution Benchmark for All [57.23434868678603]
Live-kBench is an evaluation framework for self-evolving benchmarks that scrapes and evaluates agents on freshly discovered kernel bugs. kEnv is an agent-agnostic crash-resolution environment for kernel compilation, execution, and feedback. Using kEnv, we benchmark three state-of-the-art agents, showing that they resolve 74% of crashes on the first attempt.
arXiv Detail & Related papers (2026-02-02T19:06:15Z)
- SysFuSS: System-Level Firmware Fuzzing with Selective Symbolic Execution [4.92575823723555]
Existing fuzzers focus on user-level fuzzing, which is not suitable for detecting kernel-level vulnerabilities. We present an efficient firmware verification framework, SysFuSS, that integrates system-level fuzzing with selective symbolic execution. SysFuSS significantly outperforms state-of-the-art fuzzers in terms of both branch coverage and detection of firmware vulnerabilities.
arXiv Detail & Related papers (2026-02-02T15:52:20Z)
- Automated SBOM-Driven Vulnerability Triage for IoT Firmware: A Lightweight Pipeline for Risk Prioritization [0.0]
This paper presents a lightweight, automated pipeline designed to extract file systems from Linux-based IoT firmware. It generates a comprehensive Software Bill of Materials, maps identified components to known vulnerabilities, and applies a multi-factor triage scoring model. We describe the architecture, the normalization challenges of embedded Linux, and a scoring methodology intended to reduce alert fatigue.
arXiv Detail & Related papers (2026-01-04T00:09:01Z)
- What Do They Fix? LLM-Aided Categorization of Security Patches for Critical Memory Bugs [46.325755802511026]
We developLM, a dual-method pipeline that integrates two approaches based on a Large Language Model (LLM) and a fine-tuned small language model. LM successfully identified 111 of 5,140 recent Linux kernel patches addressing OOB or UAF vulnerabilities, with 90 true positives confirmed by manual verification.
arXiv Detail & Related papers (2025-09-26T18:06:36Z)
- Protocol-Aware Firmware Rehosting for Effective Fuzzing of Embedded Network Stacks [17.74065470004981]
We introduce a novel method, called Pemu, to automatically detect and handle the use of network protocols in firmware. Our approach enables a deeper, more targeted, and layer-by-layer analysis of firmware components that were previously difficult or impossible to test.
arXiv Detail & Related papers (2025-09-17T06:48:19Z)
- DRIFT: Dynamic Rule-Based Defense with Injection Isolation for Securing LLM Agents [52.92354372596197]
Large Language Models (LLMs) are increasingly central to agentic systems due to their strong reasoning and planning capabilities. This interaction also introduces the risk of prompt injection attacks, where malicious inputs from external sources can mislead the agent's behavior. We propose a Dynamic Rule-based Isolation Framework for Trustworthy agentic systems, which enforces both control- and data-level constraints.
arXiv Detail & Related papers (2025-06-13T05:01:09Z)
- QUT-DV25: A Dataset for Dynamic Analysis of Next-Gen Software Supply Chain Attacks [4.045165357831481]
Existing datasets, which rely on metadata inspection and static code analysis, are inadequate for detecting such attacks. We present QUT-DV25, a dynamic analysis dataset specifically designed to support and advance research on detecting and mitigating supply chain attacks. This dataset captures install-time and post-install-time traces from 14,271 Python packages, of which 7,127 are malicious.
arXiv Detail & Related papers (2025-05-20T01:34:04Z)
- LEMIX: Enabling Testing of Embedded Applications as Linux Applications (Extended Report) [8.073890244598601]
LEMIX is a framework enabling dynamic analysis of embedded applications by rehosting them as x86 Linux applications decoupled from hardware dependencies. We develop various techniques to address the challenges involved in converting embedded applications to Linux applications.
arXiv Detail & Related papers (2025-03-22T00:14:47Z)
- FirmRCA: Towards Post-Fuzzing Analysis on ARM Embedded Firmware with Efficient Event-based Fault Localization [37.29599884531106]
FirmRCA is a practical fault localization framework tailored specifically for embedded firmware. We show that FirmRCA can effectively identify the root cause of crashing test cases within the top 10 instructions.
arXiv Detail & Related papers (2024-10-24T07:12:08Z)
- BaseMirror: Automatic Reverse Engineering of Baseband Commands from Android's Radio Interface Layer [34.9710368289623]
This paper introduces a novel approach to unveil security issues in basebands from a unique perspective. We have designed and developed BaseMirror, a static binary analysis tool to automatically reverse engineer baseband commands from vendor-specific RIL binaries. Our methodology has been applied to 28 vendor RIL libraries, encompassing a wide range of Samsung Exynos smartphone models on the market.
arXiv Detail & Related papers (2024-08-31T15:14:56Z)
- DeviceRadar: Online IoT Device Fingerprinting in ISPs using Programmable Switches [37.41464693677561]
Device fingerprinting can be used by Internet Service Providers (ISPs) to identify vulnerable IoT devices for early prevention of threats. This paper proposes DeviceRadar, an online IoT device fingerprinting framework that achieves accurate, real-time processing in ISPs using programmable switches.
arXiv Detail & Related papers (2024-04-19T09:31:11Z)
- An Investigation of Patch Porting Practices of the Linux Kernel Ecosystem [39.80455045213432]
We investigate the responsiveness of patch porting in the Linux ecosystem. We find diverse patch porting strategies and competence levels that help explain the phenomenon. We offer recommendations based on our analysis of the general patch flow.
arXiv Detail & Related papers (2024-02-07T19:38:48Z)
- SoK: Where's the "up"?! A Comprehensive (bottom-up) Study on the Security of Arm Cortex-M Systems [36.154629422941774]
Arm Cortex-M processors are the most widely used 32-bit microcontrollers among embedded and Internet-of-Things devices. We analyze the hardware security limitations and issues of Cortex-M systems. We categorize the reported bugs in Cortex-M software systems.
arXiv Detail & Related papers (2024-01-27T04:09:29Z)
- On the Security Blind Spots of Software Composition Analysis [46.1389163921338]
We present a novel approach to detect vulnerable clones in the Maven repository. We retrieve over 53k potentially vulnerable clones from Maven Central. We detect 727 confirmed vulnerable clones and synthesize a testable proof-of-vulnerability project for each of those.
arXiv Detail & Related papers (2023-06-08T20:14:46Z)