{"paper":{"title":"Stop Starving or Stuffing Me: Boosting Firmware Fuzzing Efficiency with On-demand Input Delivery","license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","headline":"Firmware fuzzers gain coverage by delivering inputs precisely at availability check points recovered via static and dynamic analysis.","cross_cats":["cs.SE"],"primary_cat":"cs.CR","authors_text":"Chung Hwan Kim, Keming Zhao, Le Guan, Peng Liu, Shandian Shen, Wei Zhou","submitted_at":"2026-05-16T04:00:17Z","abstract_excerpt":"Firmware fuzzing has gained attention for identifying firmware bugs. However, current approaches often directly integrate fuzzing tools for general software. General software receives input as it encounters I/O functions, but firmware input can be received asynchronously and independently of the firmware's execution, with uncertain timing and quantity. Without full awareness of firmware's exceptions, existing solutions often imprudently deliver fuzzer-generated input to the firmware in an ad-hoc way. This either overwhelms the processing function of the firmware (stuffing) or fails to deliver "},"claims":{"count":4,"items":[{"kind":"strongest_claim","text":"Compared to ad-hoc input delivery methods used in Fuzzware and MULTIFUZZ, FIDO increases their median code coverage by up to 115% and 54%, respectively. 
Compared to SEmu, which requires humans to manually specify input delivery points, FIDO still improves its coverage by up to 19%.","source":"verdict.strongest_claim","status":"machine_extracted","claim_id":"C1","attestation":"unclaimed"},{"kind":"weakest_assumption","text":"The static and dynamic analysis reliably recovers the three-stage input processing routes (retrieval, availability check, processing) across diverse firmware without missing asynchronous behaviors or requiring extensive manual tuning.","source":"verdict.weakest_assumption","status":"machine_extracted","claim_id":"C2","attestation":"unclaimed"},{"kind":"one_line_summary","text":"FIDO maps firmware input processing routes via analysis to deliver fuzzer inputs at availability checks, raising median coverage by up to 115% over ad-hoc methods in Fuzzware and MULTIFUZZ.","source":"verdict.one_line_summary","status":"machine_extracted","claim_id":"C3","attestation":"unclaimed"},{"kind":"headline","text":"Firmware fuzzers gain coverage by delivering inputs precisely at availability check points recovered via static and dynamic analysis.","source":"verdict.pith_extraction.headline","status":"machine_extracted","claim_id":"C4","attestation":"unclaimed"}],"snapshot_sha256":"fb3474cc37bf068861b15fa26f0e022753ecd33c2634b676aef51f396f922d31"},"source":{"id":"2605.16798","kind":"arxiv","version":1},"verdict":{"id":"a34f9a60-efff-4683-a37f-085d2cf3993d","model_set":{"reader":"grok-4.3"},"created_at":"2026-05-19T21:11:49.002470Z","strongest_claim":"Compared to ad-hoc input delivery methods used in Fuzzware and MULTIFUZZ, FIDO increases their median code coverage by up to 115% and 54%, respectively. 
Compared to SEmu, which requires humans to manually specify input delivery points, FIDO still improves its coverage by up to 19%.","one_line_summary":"FIDO maps firmware input processing routes via analysis to deliver fuzzer inputs at availability checks, raising median coverage by up to 115% over ad-hoc methods in Fuzzware and MULTIFUZZ.","pipeline_version":"pith-pipeline@v0.9.0","weakest_assumption":"The static and dynamic analysis reliably recovers the three-stage input processing routes (retrieval, availability check, processing) across diverse firmware without missing asynchronous behaviors or requiring extensive manual tuning.","pith_extraction_headline":"Firmware fuzzers gain coverage by delivering inputs precisely at availability check points recovered via static and dynamic analysis."},"integrity":{"clean":true,"summary":{"advisory":0,"critical":0,"by_detector":{},"informational":0},"endpoint":"/pith/2605.16798/integrity.json","findings":[],"available":true,"detectors_run":[{"name":"doi_title_agreement","ran_at":"2026-05-19T21:31:19.302459Z","status":"completed","version":"1.0.0","findings_count":0},{"name":"doi_compliance","ran_at":"2026-05-19T21:21:18.869356Z","status":"completed","version":"1.0.0","findings_count":0},{"name":"claim_evidence","ran_at":"2026-05-19T19:01:56.289436Z","status":"completed","version":"1.0.0","findings_count":0},{"name":"ai_meta_artifact","ran_at":"2026-05-19T18:33:26.424973Z","status":"skipped","version":"1.0.0","findings_count":0}],"snapshot_sha256":"534000ee0bd92858db0d010eaa8a5107c1f997a3af9b21d4032ad0ca081b2159"},"references":{"count":64,"sample":[{"doi":"","year":2023,"title":"N. S. 
Agency, “Ghidra,” https://ghidra-sre.org/, 2023, last accessed: 2024-11-1","work_id":"0db9ef39-b94c-45e8-9cf4-925362e99fa6","ref_index":1,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":2025,"title":"Ghidra-Server.org provides a collaboration server on the internet for the software reverse engineering,","work_id":"34ff833b-df95-4dd1-bc62-820b5220867e","ref_index":2,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":2022,"title":"Sfuzz: Slice-based fuzzing for real-time operating systems,","work_id":"25f4f995-779e-4741-bff0-55d0e1ff4860","ref_index":3,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":2021,"title":"Sharing more and checking less: Leveraging common input keywords to detect bugs in embedded systems,","work_id":"bfb2d211-a1cb-4a17-8bab-c6c331cd3dc5","ref_index":4,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":2023,"title":"Icicle: A re-designed emulator for grey-box firmware fuzzing,","work_id":"a022ad17-5f8f-4560-81de-61bbe4d80250","ref_index":5,"cited_arxiv_id":"","is_internal_anchor":false}],"resolved_work":64,"snapshot_sha256":"19aed2203a2068af921482b34c8f850025f017055ec69fdc8003613da564974a","internal_anchors":0},"formal_canon":{"evidence_count":2,"snapshot_sha256":"4b3923bdae4eee28773b91f7f6b59a1d74e1bfd0d985d6818c41d7dcc0e7b716"},"author_claims":{"count":0,"strong_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"builder_version":"pith-number-builder-2026-05-17-v1"}