DyMA-Fuzz: Dynamic Direct Memory Access Abstraction for Re-hosted Monolithic Firmware Fuzzing
- URL: http://arxiv.org/abs/2602.08750v1
- Date: Mon, 09 Feb 2026 14:52:57 GMT
- Title: DyMA-Fuzz: Dynamic Direct Memory Access Abstraction for Re-hosted Monolithic Firmware Fuzzing
- Authors: Guy Farrelly, Michael Chesser, Seyit Camtepe, Damith C. Ranasinghe
- Abstract summary: We introduce DyMA-Fuzz to extend recent advances in stream-based fuzz input injection to DMA-driven interfaces in re-hosted environments. It tackles key challenges--vendor-specific descriptors, heterogeneous DMA designs, and varying descriptor locations--using runtime analysis techniques. DyMA-Fuzz reveals vulnerabilities and execution paths missed by state-of-the-art tools and achieves up to 122% higher code coverage.
- Score: 10.760871707398218
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: The rise of smart devices in critical domains--including automotive, medical, industrial--demands robust firmware testing. Fuzzing firmware in re-hosted environments is a promising method for automated testing at scale, but remains difficult due to the tight coupling of code with a microcontroller's peripherals. Existing fuzzing frameworks primarily address the challenge of providing inputs for Memory-Mapped I/O or interrupts, but largely overlook Direct Memory Access (DMA), a key high-throughput interface that bypasses the CPU. We introduce DyMA-Fuzz to extend recent advances in stream-based fuzz input injection to DMA-driven interfaces in re-hosted environments. It tackles key challenges--vendor-specific descriptors, heterogeneous DMA designs, and varying descriptor locations--using runtime analysis techniques to infer DMA memory access patterns and automatically inject fuzzing data into target buffers, without manual configuration or datasheets. Evaluated on 94 firmware samples and 8 DMA-guarded CVE benchmarks, DyMA-Fuzz reveals vulnerabilities and execution paths missed by state-of-the-art tools and achieves up to 122% higher code coverage. These results highlight DyMA-Fuzz as a practical and effective advancement in automated firmware testing and a scalable solution for fuzzing complex embedded systems.
Related papers
- SAM-DAQ: Segment Anything Model with Depth-guided Adaptive Queries for RGB-D Video Salient Object Detection [44.480885765890925]
  We propose a novel method, namely Segment Anything Model with Depth-guided Adaptive Queries (SAM-DAQ). SAM-DAQ adapts SAM2 to pop-out salient objects from videos by seamlessly integrating depth and temporal cues within a unified framework. Experiments are conducted on three RGB-D VSOD datasets, and the results show that the proposed SAM-DAQ consistently outperforms state-of-the-art methods in terms of all evaluation metrics.
  arXiv Detail & Related papers (2025-11-13T02:04:03Z)
- STAFF: Stateful Taint-Assisted Full-system Firmware Fuzzing [2.2780835314511116]
  This article presents a firmware fuzzing framework for discovering bugs in Linux-based firmware built around three key ideas. It identifies 42 bugs involving multiple network requests and different firmware daemons, significantly outperforming existing state-of-the-art fuzzing solutions in both the number and number of discovered bugs.
  arXiv Detail & Related papers (2025-09-22T17:14:00Z)
- Protocol-Aware Firmware Rehosting for Effective Fuzzing of Embedded Network Stacks [17.74065470004981]
  We introduce a novel method to automatically detect and handle the use of network protocols in firmware called Pemu. Our approach enables a deeper, more targeted, and layer-by-layer analysis of firmware components that were previously difficult or impossible to test.
  arXiv Detail & Related papers (2025-09-17T06:48:19Z)
- FuzzBox: Blending Fuzzing into Emulation for Binary-Only Embedded Targets [2.5193108033256117]
  Coverage-guided fuzzing has been widely applied to address zero-day vulnerabilities in general-purpose software and operating systems. Applying it to industrial systems remains challenging, due to proprietary and closed-source compiler toolchains and lack of access to source code. FuzzBox addresses these limitations by integrating emulation with fuzzing.
  arXiv Detail & Related papers (2025-09-06T08:31:36Z)
- Sparse-dLLM: Accelerating Diffusion LLMs with Dynamic Cache Eviction [72.27673320976933]
  Diffusion Large Language Models (dLLMs) enable breakthroughs in reasoning and parallel decoding. Current caching techniques accelerate decoding by storing full-layer states, yet impose substantial memory usage. We propose Sparse-dLLM, the first training-free framework integrating dynamic cache eviction with sparse attention.
  arXiv Detail & Related papers (2025-08-04T16:14:03Z)
- Detecting Hardware Trojans in Microprocessors via Hardware Error Correction Code-based Modules [49.1574468325115]
  Hardware Trojans (HTs) enable attackers to execute unauthorized software or gain illicit access to privileged operations. This manuscript introduces a hardware-based methodology for detecting runtime HT activations using Error Correction Codes (ECCs) on a RISC-V microprocessor.
  arXiv Detail & Related papers (2025-06-18T12:37:14Z)
- EmbedFuzz: High Speed Fuzzing Through Transplantation [21.875588930207943]
  This paper introduces EmbedFuzz, an efficient fuzzing framework for embedded firmware on low-end Microcontroller Units (MCUs). Our novel firmware transplantation technique converts binary MCU firmware to a functionally equivalent and fuzzing-enhanced version of the firmware which executes on a compatible high-end device at native performance. In our evaluation against state-of-the-art MCU fuzzers, EmbedFuzz exhibits up to eight-fold fuzzing throughput while consuming at most a fourth of the energy thanks to its native execution.
  arXiv Detail & Related papers (2024-12-17T10:09:55Z)
- FuzzCoder: Byte-level Fuzzing Test via Large Language Model [46.18191648883695]
  We propose to adopt fine-tuned large language models (FuzzCoder) to learn patterns in the input files from successful attacks. FuzzCoder can predict mutation locations and strategies locations in input files to trigger abnormal behaviors of the program.
  arXiv Detail & Related papers (2024-09-03T14:40:31Z)
- Quantum Patch-Based Autoencoder for Anomaly Segmentation [44.99833362998488]
  We introduce a patch-based quantum autoencoder (QPB-AE) for image anomaly segmentation. QPB-AE reconstructs the quantum state of the embedded input patches, computing an anomaly map directly from measurement. We evaluate its performance across multiple datasets and parameter configurations.
  arXiv Detail & Related papers (2024-04-26T08:42:58Z)
- Cross-Domain Few-Shot Object Detection via Enhanced Open-Set Object Detector [72.05791402494727]
  This paper studies the challenging cross-domain few-shot object detection (CD-FSOD). It aims to develop an accurate object detector for novel domains with minimal labeled examples.
  arXiv Detail & Related papers (2024-02-05T15:25:32Z)
- AIM: Automatic Interrupt Modeling for Dynamic Firmware Analysis [14.623460803437057]
  We present AIM, a generic, scalable, and hardware-independent dynamic firmware analysis framework. AIM covers interrupt-dependent code in firmware by a novel, firmware-guided, Just-in-Time Interrupt Firing technique. Our framework covered up to 11.2 times more interrupt-dependent code than state-of-the-art approaches.
  arXiv Detail & Related papers (2023-12-02T18:06:22Z)
- MAPLE-X: Latency Prediction with Explicit Microprocessor Prior Knowledge [87.41163540910854]
  Deep neural network (DNN) latency characterization is a time-consuming process. We propose MAPLE-X which extends MAPLE by incorporating explicit prior knowledge of hardware devices and DNN architecture latency.
  arXiv Detail & Related papers (2022-05-25T11:08:20Z)