Skip to main content

Table 2 Reviewed embedded fuzzing works

From: Embedded fuzzing: a review of challenges, tools, and solutions

Environment

 

Framework

Source Code Agnostic

Available

Key contributions

Limitations

Hardware-based

Instrumentation

ARM-AFL (Fan 2020)

Static instrumentation for ARM code

On-target fuzzing only

Frida (FRIDA 2020)

Dynamic instrumentation for various OSes

Application on the target required

Harzer Roller (Bogad and Huber 2019)

Static instrumentation for object files

Function traces only

Os-less DBI (Oh et al. 2015)

Dynamic instrumentation with breakpoints

Manual selection of breakpoint locations

ESP32 Fuzzing (Börsig et al. 2020)

Static instrumentation for ESP32 applications

Slow coverage data transmission

ICSFuzz (Tychalas et al. 2021)

Static instrumentation for PLC binaries

Dedicated to PLCs

PERIFUZZ (Song et al. 2019)

Fuzzing at hw-os boundary, driver monitoring

Must be compiled into the kernel

PHMon (Delshadtehrani et al. 2020)

Hardware module for gathering coverage data

Specific hardware required

Side-Channel

Side-Channel Aware Fuzzing (Sperl and Böttinger 2019)

Code-coverage derived from power analysis

Calibration needed

Certified Side Channels (García et al. 2020)

EM and timing side-channels

For crypto libraries only

Message Interface Reusing

IoTFuzzer (Chen et al. 2018)

Reuse of accompanying mobile applications

Not feedback driven, Android only

DIANE (Redini et al. 2021)

Enhanced IoTFuzzer mechanism

Not feedback driven, Android only

Snipuzz (Feng et al. 2021)

Communication analysis for feedback

For unencrypted channels only

Android TV Fuzzing (Aafer et al. 2021)

Using log output for feedback

Detailed logs needed, Android only

Emulation-based

User Mode Emulation

Firmadyne (Chen et al. 2016)

Custom kernel for emulation

Linux-based applications only

FirmAE (Kim et al. 2020)

Enhanced Firmadyne mechanism

Linux-based applications only

FirmFuzz (Srivastava et al. 2019)

Fuzzing of IoT configuration webpages

Linux-based applications only

Firm-AFL (Zheng et al. 2019)

Speedup by hybrid user and system emulation

Linux-based applications only

Full-System Emulation

TriforceAFL (Hertz and Newsham 2021)

Coverage-guided fuzzing with QEMU

Target must be emulatable by QEMU

SystemC VP Fuzzing (Herdt et al. 2020)

Coverage-guided fuzzing on VP

Virtual prototype required

HALucinator (Clements et al. 2020)

Re-hosting at HAL

Stubs for HALs required

RVFuzzer (Kim et al. 2019)

Fuzzing controller for robotic vehicles

Rich physical simulation required

Peripheral Proxying

PROSPECT (Kammerstetter et al. 2014)

Peripherals proxying through TCP/IP

Requires pthreads and TCP/IP support on target

SURROGATES (Koscher et al. 2015)

Proxying through a custom FPGA

JTAG connection required

Charm (Talebi et al. 2018)

Proxying through USB

Recompilation needed

Avatar\(^{2}\) (Muench et al. 2018)

Flexible, multi-purpose orchestrating framework

Any access to device required

Peripheral Modeling

PRETENDER (Gustafson et al. 2019)

Peripheral modeling by recording and learning of peripheral behavior

Unseen peripheral behavior is not modeled

Conware (Spensky et al. 2021)

Additional modeling of unseen peripheral behavior

Program for recording must be executed on the target

P\(^{2}\)IM (Feng et al. 2020)

Peripheral modeling by automated classification of requests

Missing DMA support

DICE (Mera et al. 2020)

Modeling of DMA-based peripherals

DMA buffer size not identifiable in advance

Jetset (Johnson et al. 2021)

Peripheral modeling by symbolic execution and manual guidance

Manual guidance required

µEmu (Zhou et al. 2021)

Peripheral modeling by concolic execution

Caching can cause false hardware modeling

Fuzzware (Scharnowski et al. 2020)

Peripheral modeling by detailed classification

Not for complex systems

Sandboxing

MIASM (Guedou 2017)

Multi-purpose reverse engineering tool

Reverse engineering required

BaseSAFE (Maier et al. 2020)

Coverage-guided fuzzing of baseband chips

Manually assembled environment

PartEMU (Harrison et al. 2020)

Coverage-guided fuzzing of TrustZones

Manually assembled environment

Frankenstein (Ruge et al. 2020)

Coverage-guided fuzzing of wireless firmwares

Customized for one specific device

FIRMCORN (Gui et al. 2020)

Automated sandboxing of functions

Linux-based applications only

Abstraction-based

Symbolic Execution

FIE (Davidson et al. 2013)

Symbolic execution for MSP430 microcontrollers

Complex programs lead to state explosion

Inception (Corteggiani et al. 2018)

Symbolic execution, even for handwritten assembly and binary libraries

Complex programs lead to state explosion

Concolic Execution

Concolic Testing on VP (Herdt et al. 2019)

Concolic testing of RISC-V virtual prototypes

Target must be prototyped

Concolic Execution on Proxy (Ai et al. 2020)

Symbolic execution on host combined with concrete execution on target

For unix-like systems only