Skip to main content

Table 2 Reviewed embedded fuzzing works

From: Embedded fuzzing: a review of challenges, tools, and solutions

Environment   Framework Source Code Agnostic Available Key contributions Limitations
Hardware-based Instrumentation ARM-AFL (Fan 2020) Static instrumentation for ARM code On-target fuzzing only
Frida (FRIDA 2020) Dynamic instrumentation for various OSes Application on the target required
Harzer Roller (Bogad and Huber 2019) Static instrumentation for object files Function traces only
Os-less DBI (Oh et al. 2015) Dynamic instrumentation with breakpoints Manual selection of breakpoint locations
ESP32 Fuzzing (Börsig et al. 2020) Static instrumentation for ESP32 applications Slow coverage data transmission
ICSFuzz (Tychalas et al. 2021) Static instrumentation for PLC binaries Dedicated to PLCs
PERIFUZZ (Song et al. 2019) Fuzzing at hw-os boundary, driver monitoring Must be compiled into the kernel
PHMon (Delshadtehrani et al. 2020) Hardware module for gathering coverage data Specific hardware required
Side-Channel Side-Channel Aware Fuzzing (Sperl and Böttinger 2019) Code-coverage derived from power analysis Calibration needed
Certified Side Channels (García et al. 2020) EM and timing side-channels For crypto libraries only
Message Interface Reusing IoTFuzzer (Chen et al. 2018) Reuse of accompanying mobile applications Not feedback driven, Android only
DIANE (Redini et al. 2021) Enhanced IoTFuzzer mechanism Not feedback driven, Android only
Snipuzz (Feng et al. 2021) Communication analysis for feedback For unencrypted channels only
Android TV Fuzzing (Aafer et al. 2021) Using log output for feedback Detailed logs needed, Android only
Emulation-based User Mode Emulation Firmadyne (Chen et al. 2016) Custom kernel for emulation Linux-based applications only
FirmAE (Kim et al. 2020) Enhanced Firmadyne mechanism Linux-based applications only
FirmFuzz (Srivastava et al. 2019) Fuzzing of IoT configuration webpages Linux-based applications only
Firm-AFL (Zheng et al. 2019) Speedup by hybrid user and system emulation Linux-based applications only
Full-System Emulation TriforceAFL (Hertz and Newsham 2021) Coverage-guided fuzzing with QEMU Target must be emulatable by QEMU
SystemC VP Fuzzing (Herdt et al. 2020) Coverage-guided fuzzing on VP Virtual prototype required
HALucinator (Clements et al. 2020) Re-hosting at HAL Stubs for HALs required
RVFuzzer (Kim et al. 2019) Fuzzing controller for robotic vehicles Rich physical simulation required
Peripheral Proxying PROSPECT (Kammerstetter et al. 2014) Peripherals proxying through TCP/IP Requires pthreads and TCP/IP support on target
SURROGATES (Koscher et al. 2015) Proxying through a custom FPGA JTAG connection required
Charm (Talebi et al. 2018) Proxying through USB Recompilation needed
Avatar\(^{2}\) (Muench et al. 2018) Flexible, multi-purpose orchestrating framework Any access to device required
Peripheral Modeling PRETENDER (Gustafson et al. 2019) Peripheral modeling by recording and learning of peripheral behavior Unseen peripheral behavior is not modeled
Conware (Spensky et al. 2021) Additional modeling of unseen peripheral behavior Program for recording must be executed on the target
P\(^{2}\)IM (Feng et al. 2020) Peripheral modeling by automated classification of requests Missing DMA support
DICE (Mera et al. 2020) Modeling of DMA-based peripherals DMA buffer size not identifiable in advance
Jetset (Johnson et al. 2021) Peripheral modeling by symbolic execution and manual guidance Manual guidance required
µEmu (Zhou et al. 2021) Peripheral modeling by concolic execution Caching can cause false hardware modeling
Fuzzware (Scharnowski et al. 2020) Peripheral modeling by detailed classification Not for complex systems
Sandboxing MIASM (Guedou 2017) Multi-purpose reverse engineering tool Reverse engineering required
BaseSAFE (Maier et al. 2020) Coverage-guided fuzzing of baseband chips Manually assembled environment
PartEMU (Harrison et al. 2020) Coverage-guided fuzzing of TrustZones Manually assembled environment
Frankenstein (Ruge et al. 2020) Coverage-guided fuzzing of wireless firmwares Customized for one specific device
FIRMCORN (Gui et al. 2020) Automated sandboxing of functions Linux-based applications only
Abstraction-based Symbolic Execution FIE (Davidson et al. 2013) Symbolic execution for MSP430 microcontrollers Complex programs lead to state explosion
Inception (Corteggiani et al. 2018) Symbolic execution, even for handwritten assembly and binary libraries Complex programs lead to state explosion
Concolic Execution Concolic Testing on VP (Herdt et al. 2019) Concolic testing of RISC-V virtual prototypes Target must be prototyped
Concolic Execution on Proxy (Ai et al. 2020) Symbolic execution on host combined with concrete execution on target For unix-like systems only