pith. sign in

arxiv: 2509.05643 · v1 · submitted 2025-09-06 · 💻 cs.CR · cs.SE

FuzzBox: Blending Fuzzing into Emulation for Binary-Only Embedded Targets

Carmine Cesarano , Roberto Natella This is my paper

Pith reviewed 2026-05-18 18:12 UTC · model grok-4.3

classification 💻 cs.CR cs.SE
keywords fuzzingemulationembedded systemsbinary analysissecurity testingIoT firmwarehypervisorvulnerability discovery
0
0 comments X

The pith

FuzzBox integrates emulation with fuzzing to enable coverage-guided testing of binary-only embedded systems without source code.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

This paper introduces FuzzBox to apply coverage-guided fuzzing to industrial embedded systems where source code and standard compilers are unavailable. Traditional fuzzing depends on compile-time instrumentation, which cannot be done for proprietary toolchains or closed firmware. FuzzBox performs dynamic instrumentation inside a virtualized emulator to inject fuzz inputs, detect failures, and collect coverage data on the fly. The authors test it on a proprietary MILS hypervisor and multiple commercial IoT firmware images to show it works without hardware-specific setups. If the method holds, it opens fuzz testing to a wide range of real-world embedded devices that were previously out of reach.

Core claim

FuzzBox dynamically instruments code during execution in a virtualized environment for the injection of fuzz inputs, failure detection, and coverage analysis on binary-only embedded targets, without requiring source code recompilation and hardware-specific dependencies. Experiments demonstrate its effectiveness on a proprietary MILS hypervisor for industrial applications and its broad portability across commercial IoT firmware.

What carries the argument

Dynamic instrumentation performed inside a virtualized emulation environment that supplies fuzz input injection, failure detection, and coverage tracking during runtime.

If this is right

  • Fuzz testing becomes possible on proprietary MILS hypervisors used in industrial applications.
  • The same technique applies to a range of commercial IoT firmware with no source access.
  • No recompilation or hardware-specific dependencies are needed for instrumentation.
  • Coverage data and failure signals can be collected directly from the emulated execution.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Similar dynamic instrumentation could be applied to other closed embedded domains such as automotive controllers or medical devices.
  • Improving emulator accuracy for peripherals would directly strengthen the coverage data FuzzBox collects.
  • Combining FuzzBox with static binary analysis might reduce the number of test cases needed to reach high coverage.

Load-bearing premise

The virtualized emulation environment must faithfully reproduce the timing, memory behavior, and peripheral interactions of the target embedded hardware.

What would settle it

Compare the crashes and code coverage reported by FuzzBox against the same inputs executed directly on real target hardware for a known set of test cases.

read the original abstract

Coverage-guided fuzzing has been widely applied to address zero-day vulnerabilities in general-purpose software and operating systems. This approach relies on instrumenting the target code at compile time. However, applying it to industrial systems remains challenging, due to proprietary and closed-source compiler toolchains and lack of access to source code. FuzzBox addresses these limitations by integrating emulation with fuzzing: it dynamically instruments code during execution in a virtualized environment, for the injection of fuzz inputs, failure detection, and coverage analysis, without requiring source code recompilation and hardware-specific dependencies. We show the effectiveness of FuzzBox through experiments in the context of a proprietary MILS (Multiple Independent Levels of Security) hypervisor for industrial applications. Additionally, we analyze the applicability of FuzzBox across commercial IoT firmware, showcasing its broad portability.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper introduces FuzzBox, a system that integrates dynamic instrumentation during execution in a virtualized emulation environment with fuzzing. This enables coverage-guided fuzzing, input injection, failure detection, and coverage analysis for binary-only embedded targets such as a proprietary MILS hypervisor and commercial IoT firmware, without requiring source code recompilation or hardware-specific dependencies. Effectiveness is demonstrated via experiments on the MILS hypervisor and an analysis of portability to IoT firmware.

Significance. If the emulation environment accurately reproduces hardware timing, memory, and peripheral behavior such that dynamic instrumentation produces representative coverage and failure signals, FuzzBox would address a practical gap in applying coverage-guided fuzzing to closed-source industrial embedded systems where compile-time instrumentation is unavailable.

major comments (2)
  1. Experiments section: The abstract and description assert effectiveness through experiments on the MILS hypervisor and IoT firmware but report no quantitative results (e.g., achieved coverage percentages, number of crashes or unique bugs found, runtime statistics, or comparison to baselines such as AFL++ or other QEMU-based fuzzers). This absence prevents evaluation of whether the data support the central claims of broad portability and reliable failure detection.
  2. Design section: The approach depends on the virtualized environment faithfully modeling interrupt timing, memory-mapped peripherals, and hardware-specific behaviors for binary-only targets. No cross-validation against physical hardware, timing measurements, or artifact analysis is described, which is load-bearing for the claim that dynamically injected instrumentation yields representative coverage and failure signals.
minor comments (2)
  1. Abstract: The claim of 'broad portability' to commercial IoT firmware would benefit from a brief preview of the specific firmware families or architectures tested.
  2. Notation: The term 'virtualized environment' is used without an early definition distinguishing it from standard QEMU or other emulators; a short clarification in the introduction would improve readability.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the detailed and constructive review of our paper. We appreciate the identification of areas where the manuscript can be strengthened, particularly regarding quantitative evidence and emulation validation. Below, we provide point-by-point responses to the major comments and indicate the revisions we intend to make.

read point-by-point responses

  1. Referee: Experiments section: The abstract and description assert effectiveness through experiments on the MILS hypervisor and IoT firmware but report no quantitative results (e.g., achieved coverage percentages, number of crashes or unique bugs found, runtime statistics, or comparison to baselines such as AFL++ or other QEMU-based fuzzers). This absence prevents evaluation of whether the data support the central claims of broad portability and reliable failure detection.

    Authors: We agree that the lack of quantitative results in the current draft makes it difficult to fully assess the effectiveness. The experiments section currently describes the application to the MILS hypervisor and the portability analysis for IoT firmware but presents results more descriptively. We will revise to include specific quantitative data on coverage, crashes found, runtimes, and comparisons to tools like AFL++ where feasible. This revision will be made in the next version of the manuscript. revision: yes

  2. Referee: Design section: The approach depends on the virtualized environment faithfully modeling interrupt timing, memory-mapped peripherals, and hardware-specific behaviors for binary-only targets. No cross-validation against physical hardware, timing measurements, or artifact analysis is described, which is load-bearing for the claim that dynamically injected instrumentation yields representative coverage and failure signals.

    Authors: The referee raises a valid point about the need for validation of the emulation fidelity. Our approach uses dynamic instrumentation in a virtualized environment, assuming the emulator accurately models the necessary hardware behaviors. However, we did not provide explicit cross-validation due to the proprietary nature of the systems involved, which limits hardware access. In the revision, we will add a discussion in the Design section addressing emulation assumptions, potential limitations in timing and peripheral modeling, and any available supporting evidence or analyses. We will also note this as a limitation of the current work. revision: partial

Circularity Check

0 steps flagged

No circularity: engineering integration without derivation or fitted predictions

full rationale

The paper presents FuzzBox as a practical integration of existing emulation and fuzzing methods for binary-only embedded systems, validated via experiments on a MILS hypervisor and IoT firmware. No equations, first-principles derivations, parameter fitting, or predictions appear in the provided text. The central description relies on dynamic instrumentation during virtualized execution rather than any self-referential reduction or self-citation chain that would force the result by construction. This is a standard engineering contribution whose claims rest on implementation and empirical testing, not on a mathematical chain equivalent to its inputs.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 1 invented entities

The central claim rests on the assumption that emulation can serve as a faithful proxy for real hardware execution when dynamic instrumentation is added at runtime. No free parameters or new physical entities are introduced; the work is an engineering synthesis rather than a theoretical derivation.

axioms (1)
  • domain assumption Emulation of embedded binaries can provide sufficient fidelity for coverage measurement and failure detection without hardware-specific dependencies.
    Invoked when the paper states that dynamic instrumentation occurs in a virtualized environment without requiring hardware-specific dependencies.
invented entities (1)
  • FuzzBox dynamic instrumentation layer no independent evidence
    purpose: To enable fuzz input injection, failure detection, and coverage analysis inside emulation for binary-only targets.
    The paper introduces this as the core new component that blends fuzzing into emulation.

pith-pipeline@v0.9.0 · 5668 in / 1376 out tokens · 40484 ms · 2026-05-18T18:12:20.192126+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Lean theorems connected to this paper

Citations machine-checked in the Pith Canon. Every link opens the source theorem in the public Lean library.

What do these tags mean?
matches
The paper's claim is directly supported by a theorem in the formal canon.
supports
The theorem supports part of the paper's argument, but the paper may add assumptions or extra steps.
extends
The paper goes beyond the formal theorem; the theorem is a base layer rather than the whole result.
uses
The paper appears to rely on the theorem as machinery.
contradicts
The paper's claim conflicts with a theorem or certificate in the canon.
unclear
Pith found a possible connection, but the passage is too broad, indirect, or ambiguous to say the theorem truly supports the claim.

Reference graph

Works this paper leans on

69 extracted references · 69 canonical work pages

  1. [1]

    CISPA+ Saarland University (2019)

    Zeller, A., Gopinath, R., B¨ ohme, M., Fraser, G., Holler, C.: The fuzzing book. CISPA+ Saarland University (2019)

    work page 2019

  2. [2]

    IEEE Transactions on Software Engineering (2019)

    Man` es, V.J., Han, H., Han, C., Cha, S.K., Egele, M., Schwartz, E.J., Woo, M.: The art, science, and engineering of fuzzing: A survey. IEEE Transactions on Software Engineering (2019)

    work page 2019

  3. [3]

    Cybersecurity5(1), 18 (2022)

    Eisele, M., Maugeri, M., Shriwas, R., Huth, C., Bella, G.: Embedded fuzzing: a review of challenges, tools, and solutions. Cybersecurity5(1), 18 (2022)

    work page 2022

  4. [4]

    ACM Computing Surveys (2022)

    Yun, J., Rustamov, F., Kim, J., Shin, Y.: Fuzzing of Embedded Systems: A Survey. ACM Computing Surveys (2022)

    work page 2022

  5. [5]

    https://llvm.org/ (2023)

    The LLVM Compiler Infrastructure. https://llvm.org/ (2023)

    work page 2023

  6. [6]

    https://gcc.gnu.org/ (2023)

    GNU GCC. https://gcc.gnu.org/ (2023)

    work page 2023

  7. [7]

    https://github.com/talos-vulndev/afl-dyninst (2018)

    talos-vulndev - AFL-DynInst. https://github.com/talos-vulndev/afl-dyninst (2018)

    work page 2018

  8. [8]

    In: 2020 IEEE Symposium on Security and Privacy (SP) (2020)

    Dinesh, S., Burow, N., Xu, D., Payer, M.: Retrowrite: Statically instrumenting cots binaries for fuzzing and sanitization. In: 2020 IEEE Symposium on Security and Privacy (SP) (2020). IEEE

    work page 2020

  9. [9]

    https://github.com/vanhauser-thc/ afl-dynamorio (2018)

    Heuse, Marc - AFL-DynamoRIO. https://github.com/vanhauser-thc/ afl-dynamorio (2018)

    work page 2018

  10. [10]

    https://github.com/vanhauser-thc/afl-pin (2020)

    Heuse, Marc - AFL-PIN. https://github.com/vanhauser-thc/afl-pin (2020)

    work page 2020

  11. [11]

    In: Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security (2019)

    Chen, Y., Mu, D., Xu, J., Sun, Z., Shen, W., Xing, X., Lu, L., Mao, B.: Ptrix: Efficient hardware-assisted fuzzing for cots binary. In: Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security (2019)

    work page 2019

  12. [12]

    In: 26th USENIX Security Symposium (USENIX Security 17) (2017)

    Schumilo, S., Aschermann, C., Gawlik, R., Schinzel, S., Holz, T.: {kAFL}:{Hardware-Assisted}feedback fuzzing for{OS}kernels. In: 26th USENIX Security Symposium (USENIX Security 17) (2017)

    work page 2017

  13. [13]

    http://code.google.com/p/honggfuzz (2016)

    Robert, Swiecki - Honggfuzz. http://code.google.com/p/honggfuzz (2016)

    work page 2016

  14. [14]

    In: Proceedings of ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA 2023)

    Eisele, M., Ebert, D., Huth, C., Zeller, A.: Fuzzing embedded systems using debug interfaces. In: Proceedings of ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA 2023). (2023)

    work page 2023

  15. [15]

    In: Proceedings of the 44th International Conference on Software Engineering (2022) 28

    Li, W., Shi, J., Li, F., Lin, J., Wang, W., Guan, L.:µafl: non-intrusive feedback-driven fuzzing for microcontroller firmware. In: Proceedings of the 44th International Conference on Software Engineering (2022) 28

    work page 2022

  16. [16]

    In: Eighth TRON Project Symposium (1991)

    Neugass, H., Espin, G., Nunoe, H., Thomas, R., Wilner, D.: Vxworks: an interac- tive development environment and real-time kernel for gmicro. In: Eighth TRON Project Symposium (1991). IEEE Computer Society

    work page 1991

  17. [17]

    International journal of embedded systems (2006)

    Alves-Foss, J., Oman, P.W., Taylor, C., Harrison, W.S.: The MILS architecture for high-assurance embedded systems. International journal of embedded systems (2006)

    work page 2006

  18. [18]

    In: International Workshop on MILS: Architecture and Assurance for Secure Systems (2015)

    Netkachova, K., M¨ uller, K., Paulitsch, M., Bloomfield, R.: Security-informed safety case approach to analysing mils systems. In: International Workshop on MILS: Architecture and Assurance for Secure Systems (2015)

    work page 2015

  19. [19]

    Aeronautical Radio, Inc (2005)

    Airlines Electronic Engineering Committee: ARINC 811: Commercial aircraft information security concepts of operation and process framework. Aeronautical Radio, Inc (2005)

    work page 2005

  20. [20]

    In: 2009 WRI World Congress on Computer Science and Information Engineering (2009)

    Yang, X., Lei, J., Xiong, G.-z.: Inter-partition Information Flow Control for High-Assurance Embedded Systems. In: 2009 WRI World Congress on Computer Science and Information Engineering (2009). IEEE

    work page 2009

  21. [21]

    https://docs.windriver.com/bundle/ Workbench 4 Getting Started OpenVersion 23 03/page/elx1502803804955.html (2023)

    Wind River - VxWorks Workbench. https://docs.windriver.com/bundle/ Workbench 4 Getting Started OpenVersion 23 03/page/elx1502803804955.html (2023)

    work page 2023

  22. [22]

    In: 29th USENIX Security Symposium 20 (2020)

    Ispoglou, K., Austin, D., Mohan, V., Payer, M.:{FuzzGen}: Automatic fuzzer generation. In: 29th USENIX Security Symposium 20 (2020)

    work page 2020

  23. [23]

    In: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security (2021)

    Feng, X., Sun, R., Zhu, X., Xue, M., Wen, S., Liu, D., Nepal, S., Xiang, Y.: Snipuzz: Black-box fuzzing of iot firmware via message snippet inference. In: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security (2021)

    work page 2021

  24. [24]

    https://bsp.windriver

    Wind RiverVxWorks MILS 3.0 BSP for WR SBC8548. https://bsp.windriver. com/bsps/1573

    work page

  25. [25]

    Computers & Security 122, 102889 (2022)

    Du, X., Chen, A., He, B., Chen, H., Zhang, F., Chen, Y.: AflIot: Fuzzing on linux-based IoT device with binary-level instrumentation. Computers & Security 122, 102889 (2022)

    work page 2022

  26. [26]

    Zalewski - American fuzzy lop, author =

    M. Zalewski - American fuzzy lop, author = . http://lcamtuf.coredump.cx/afl/ (2017)

    work page 2017

  27. [27]

    In: 14th USENIX Workshop on Offensive Technologies (WOOT 20) (2020)

    Fioraldi, A., Maier, D., Eißfeldt, H., Heuse, M.:{AFL++}: Combining incre- mental steps of fuzzing research. In: 14th USENIX Workshop on Offensive Technologies (WOOT 20) (2020)

    work page 2020

  28. [28]

    In: 13th USENIX Workshop on Offensive Technologies (WOOT 19) (2019)

    Maier, D., Radtke, B., Harren, B.: Unicorefuzz: On the viability of emulation 29 for kernelspace fuzzing. In: 13th USENIX Workshop on Offensive Technologies (WOOT 19) (2019)

    work page 2019

  29. [29]

    https://github.com/google/syzkaller (2015)

    google - Syzkaller. https://github.com/google/syzkaller (2015)

    work page 2015

  30. [30]

    IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems (2022)

    Shen, Y., Xu, Y., Sun, H., Liu, J., Xu, Z., Cui, A., Shi, H., Jiang, Y.: Tardis: Coverage-Guided Embedded Operating System Fuzzing. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems (2022)

    work page 2022

  31. [31]

    In: USENIX Annual Technical Conference, FREENIX Track (2005)

    Bellard, F.: Qemu, a fast and portable dynamic translator. In: USENIX Annual Technical Conference, FREENIX Track (2005). Califor-nia, USA

    work page 2005

  32. [32]

    In: Proceedings 21st IEEE Real-Time Systems Symposium (2000)

    Isovic, D., Fohler, G.: Efficient scheduling of sporadic, aperiodic, and periodic tasks with complex constraints. In: Proceedings 21st IEEE Real-Time Systems Symposium (2000). IEEE

    work page 2000

  33. [33]

    https://github.com/ex0dus-0x/fuzzable

    Fuzzable - Framework for Automating Fuzzable Target Discovery with Static Analysis. https://github.com/ex0dus-0x/fuzzable

    work page

  34. [34]

    https://www.ibm.com/docs/en/aix/ 7.2?topic=overview-register-usage-conventions (2023)

    IBM - PowerPC register usage conventions. https://www.ibm.com/docs/en/aix/ 7.2?topic=overview-register-usage-conventions (2023)

    work page 2023

  35. [35]

    In: Proceed- ings of the 2019 27th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering (2019)

    Babi´ c, D., Bucur, S., Chen, Y., Ivanˇ ci´ c, F., King, T., Kusano, M., Lemieux, C., Szekeres, L., Wang, W.: FUDGE: Fuzz driver generation at scale. In: Proceed- ings of the 2019 27th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering (2019)

    work page 2019

  36. [36]

    In: 2023 IEEE Symposium on Security and Privacy (SP) (2023)

    Jeong, B., Jang, J., Yi, H., Moon, J., Kim, J., Jeon, I., Kim, T., Shim, W., Hwang, Y.H.: UTopia: Automatic generation of fuzz driver using unit tests. In: 2023 IEEE Symposium on Security and Privacy (SP) (2023). IEEE

    work page 2023

  37. [37]

    https://wiki.qemu.org/Documentation/ Platforms (2023)

    QEMU Architectures Support. https://wiki.qemu.org/Documentation/ Platforms (2023)

    work page 2023

  38. [38]

    https://github.com/AdaCore/qemu/blob/qemu-stable-4.0.0/ hw/ppc/p2010rdb.c (2019)

    QEMU AdaCore. https://github.com/AdaCore/qemu/blob/qemu-stable-4.0.0/ hw/ppc/p2010rdb.c (2019)

    work page 2019

  39. [39]

    In: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security (2022)

    Fioraldi, A., Maier, D.C., Zhang, D., Balzarotti, D.: Libafl: A framework to build modular and reusable fuzzers. In: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security (2022)

    work page 2022

  40. [40]

    https://github.com/qemu/qemu/blob/master/docs/ devel/tcg-plugins.rst (2023)

    QEMU TCG Plugins. https://github.com/qemu/qemu/blob/master/docs/ devel/tcg-plugins.rst (2023)

    work page 2023

  41. [41]

    https://github.com/json-parser/json-parser (2022)

    json-parser. https://github.com/json-parser/json-parser (2022)

    work page 2022

  42. [42]

    https://github.com/mykter/afl-training/tree/main/challenges/ sendmail/1305 (2020) 30

    sendmail. https://github.com/mykter/afl-training/tree/main/challenges/ sendmail/1305 (2020) 30

    work page 2020

  43. [43]

    https://github.com/codeplea/tinyexpr (2022)

    TinyExpr. https://github.com/codeplea/tinyexpr (2022)

    work page 2022

  44. [44]

    ACM SIGOPS Operating Systems Review15(5), 12–21 (1981)

    Rushby, J.M.: Design and verification of secure systems. ACM SIGOPS Operating Systems Review15(5), 12–21 (1981)

    work page 1981

  45. [45]

    In: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security (2018)

    Klees, G., Ruef, A., Cooper, B., Wei, S., Hicks, M.: Evaluating fuzz test- ing. In: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security (2018)

    work page 2018

  46. [46]

    In: 2016 IEEE Symposium on Security and Privacy (SP) (2016)

    Dolan-Gavitt, B., Hulin, P., Kirda, E., Leek, T., Mambretti, A., Robertson, W., Ulrich, F., Whelan, R.: Lava: Large-scale automated vulnerability addition. In: 2016 IEEE Symposium on Security and Privacy (SP) (2016). IEEE

    work page 2016

  47. [47]

    IEEE Embedded Systems Letters10(3), 95– 98 (2018)

    Tsoutsos, N.G., Maniatakos, M.: Anatomy of Memory Corruption Attacks and Mitigations in Embedded Systems. IEEE Embedded Systems Letters10(3), 95– 98 (2018)

    work page 2018

  48. [48]

    In: Proceedings of the 5th USENIX Conference on Hot Topics in Parallelism

    Islam, M.M., Muzahid, A.: Characterizing real world bugs causing sequential consistency violations. In: Proceedings of the 5th USENIX Conference on Hot Topics in Parallelism. HotPar’13, p. 8. USENIX Association, USA (2013)

    work page 2013

  49. [49]

    arXiv preprint arXiv:2003.09561 (2020)

    Geng, S., Li, Y., Du, Y., Xu, J., Liu, Y., Mao, B.: An empirical study on benchmarks of artificial software vulnerabilities. arXiv preprint arXiv:2003.09561 (2020)

    work page arXiv 2003

  50. [50]

    In: Proceedings of the 36th Annual Computer Security Applications Conference, pp

    Kim, M., Kim, D., Kim, E., Kim, S., Jang, Y., Kim, Y.: Firmae: Towards large- scale emulation of iot firmware for dynamic analysis. In: Proceedings of the 36th Annual Computer Security Applications Conference, pp. 733–745 (2020)

    work page 2020

  51. [51]

    IEEE Access9, 101627– 101642 (2021)

    Kim, J., Yu, J., Kim, H., Rustamov, F., Yun, J.: Firm-cov: high-coverage greybox fuzzing for iot firmware via optimized process emulation. IEEE Access9, 101627– 101642 (2021)

    work page 2021

  52. [52]

    In: 28th USENIX Security Symposium (USENIX Security 19), pp

    Zheng, Y., Davanian, A., Yin, H., Song, C., Zhu, H., Sun, L.:{FIRM- AFL}:{High-Throughput}greybox fuzzing of{IoT}firmware via augmented process emulation. In: 28th USENIX Security Symposium (USENIX Security 19), pp. 1099–1114 (2019)

    work page 2019

  53. [53]

    https://www.tendacn.com/it/product/download/a15

    Tenda - AC15 Firmware. https://www.tendacn.com/it/product/download/a15. html (2024)

    work page 2024

  54. [54]

    https://www.trendnet.com/support/ support-detail.asp?prod=190 TEW-651BR (2024)

    Trendnet - TEW-651BR Firmware. https://www.trendnet.com/support/ support-detail.asp?prod=190 TEW-651BR (2024)

    work page 2024

  55. [55]

    https://support.dlink.com.au/download/download

    Dlink - DCS-932L Firmware. https://support.dlink.com.au/download/download. aspx?product=DCS-932L (2024)

    work page 2024

  56. [56]

    In: 2020 IEEE 13th International Conference on Software Testing, Validation and Verification (ICST) (2020)

    Pham, V.-T., B¨ ohme, M., Roychoudhury, A.: Aflnet: a greybox fuzzer for network 31 protocols. In: 2020 IEEE 13th International Conference on Software Testing, Validation and Verification (ICST) (2020). IEEE

    work page 2020

  57. [57]

    https://portswigger.net/burp (2024)

    Port Swigger - BurpSuite. https://portswigger.net/burp (2024)

    work page 2024

  58. [58]

    https://www.zaproxy.org/ (2024)

    Owasp: ZAP. https://www.zaproxy.org/ (2024)

    work page 2024

  59. [59]

    In: NDSS (2018)

    Chen, J., Diao, W., Zhao, Q., Zuo, C., Lin, Z., Wang, X., Lau, W.C., Sun, M., Yang, R., Zhang, K.: Iotfuzzer: Discovering memory corruptions in iot through app-based fuzzing. In: NDSS (2018)

    work page 2018

  60. [60]

    In: 2021 36th IEEE/ACM International Conference on Automated Software Engineering (ASE) (2021)

    Liu, Q., Zhang, C., Ma, L., Jiang, M., Zhou, Y., Wu, L., Shen, W., Luo, X., Liu, Y., Ren, K.: Firmguide: Boosting the capability of rehosting embedded linux kernels through model-guided kernel execution. In: 2021 36th IEEE/ACM International Conference on Automated Software Engineering (ASE) (2021). IEEE

    work page 2021

  61. [61]

    In: 30th USENIX Security Symposium 21 (2021)

    Johnson, E., Bland, M., Zhu, Y., Mason, J., Checkoway, S., Savage, S., Levchenko, K.: Jetset: Targeted firmware rehosting for embedded systems. In: 30th USENIX Security Symposium 21 (2021)

    work page 2021

  62. [62]

    In: Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security (2021)

    Fasano, A., Ballo, T., Muench, M., Leek, T., Bulekov, A., Dolan-Gavitt, B., Egele, M., Francillon, A., Lu, L., Gregory, N.,et al.: Sok: Enabling security analyses of embedded systems via rehosting. In: Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security (2021)

    work page 2021

  63. [63]

    Electronics (2021)

    D´ ıaz, E., Mateos, R., Bueno, E.J., Nieto, R.: Enabling parallelized-qemu for hardware/software co-simulation virtual platforms. Electronics (2021)

    work page 2021

  64. [64]

    In: Proceedings of the 2nd International ACM Workshop on Security and Privacy for the Internet-of-Things (2019)

    Srivastava, P., Peng, H., Li, J., Okhravi, H., Shrobe, H., Payer, M.: Firmfuzz: Automated IoT firmware introspection and analysis. In: Proceedings of the 2nd International ACM Workshop on Security and Privacy for the Internet-of-Things (2019)

    work page 2019

  65. [65]

    IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems (2020)

    Gao, J., Xu, Y., Jiang, Y., Liu, Z., Chang, W., Jiao, X., Sun, J.: Em- fuzz: Augmented firmware fuzzing via memory checking. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems (2020)

    work page 2020

  66. [66]

    In: Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis (2022)

    Zheng, Y., Li, Y., Zhang, C., Zhu, H., Liu, Y., Sun, L.: Efficient greybox fuzzing of applications in Linux-based IoT devices via enhanced user-mode emulation. In: Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis (2022)

    work page 2022

  67. [67]

    In: Annual Computer Security Applications Conference (2020)

    Patrick-Evans, J., Cavallaro, L., Kinder, J.: Probabilistic naming of functions in stripped binaries. In: Annual Computer Security Applications Conference (2020)

    work page 2020

  68. [68]

    https://www.volatilityfoundation.org/ 32

    Volatility. https://www.volatilityfoundation.org/ 32

    work page

  69. [69]

    IEEE Transactions on Depend- able and Secure Computing (2024) 33

    Orbinato, V., Feliciano, M.C., Cotroneo, D., Natella, R.: Laccolith: Hypervisor- based adversary emulation with anti-detection. IEEE Transactions on Depend- able and Secure Computing (2024) 33

    work page 2024