FirmCure:Towards Autonomous and Adaptive Rehosting of Linux-Based Firmware
Pith reviewed 2026-06-25 23:13 UTC · model grok-4.3
The pith
FirmCure uses LLMs to autonomously rehost Linux firmware by extracting dependencies, optimizing configs, and fixing runtime errors.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
FirmCure is the first LLM-driven full-system rehosting framework that uses an Adaptive Perception Inference mechanism to extract firmware structural dependencies via static analysis, a Reflective Synthesis module for iterative configuration optimization, and an Autonomous Runtime Intervention module for real-time error remediation through runtime fault diagnosis and monitoring. On 21 IoT firmware images from 10 vendors across 5 architectures it achieved a 100 percent network port opening rate and 90.5 percent service interactivity, substantially outperforming baselines, with intervention strategies that generalize across heterogeneous firmware and that reproduce known vulnerabilities while d
What carries the argument
The Adaptive Perception Inference mechanism for dependency extraction combined with Reflective Synthesis for configuration optimization and Autonomous Runtime Intervention for runtime error remediation.
If this is right
- Security analysis of custom IoT devices becomes possible without manual expert configuration for each device.
- Known vulnerabilities can be reproduced at scale across multiple architectures.
- New security flaws can be discovered in firmware that previously could not be rehosted.
- Intervention strategies learned on one set of devices transfer to other heterogeneous firmware.
- The rehosting process completes with full network access and high service interactivity rates.
Where Pith is reading between the lines
- The same LLM-driven loop might reduce manual work in rehosting non-Linux embedded systems if the static analysis step is extended.
- Combining the runtime intervention module with hardware-in-the-loop testing could catch behaviors the current static extraction misses.
- Patterns found across the 21 tested images could seed a shared library of common hardware dependency fixes for future devices.
- If the approach scales, routine firmware updates could be checked for security issues in an automated pipeline.
Load-bearing premise
The LLM modules can reliably extract accurate firmware structural dependencies via static analysis and perform correct real-time error remediation without missing hardware-specific behaviors or introducing false positives.
What would settle it
A firmware image from a new vendor or architecture where FirmCure produces incorrect dependency graphs or fails to open network ports because of missed hardware behaviors.
Figures
read the original abstract
Full-system rehosting plays a critical role in the security analysis of Linux-based firmware. It matches commonly deployed firmware with sufficient background knowledge. However, for custom devices, existing approaches struggle to handle initialization and runtime obstacles in the rehosting process caused by specialized architectures and hardware-dependent configuration, which heavily rely on expert intervention. This ultimately creates fundamental bottlenecks and results in low rehosting efficiency. To address the above challenges, we propose FirmCure, the first LLM-driven full-system rehosting framework designed for autonomous and adaptive rehosting of Linux-based firmware. FirmCure develops an Adaptive Perception Inference mechanism to extract firmware structural dependencies via static analysis, followed by a Reflective Synthesis module for iterative configuration optimization, and finally an Autonomous Runtime Intervention module for real-time error remediation through runtime fault diagnosis and monitoring. We evaluated 21 IoT firmware images from 10 vendors across 5 architectures, while FirmCure achieved a 100% network port opening rate and 90.5% service interactivity, substantially outperforming state-of-the-art baselines. Our experiments confirm that FirmCure's intervention strategies generalize across heterogeneous firmware. The framework successfully reproduces known vulnerabilities and discovers new security flaws.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper introduces FirmCure, the first LLM-driven full-system rehosting framework for Linux-based IoT firmware. It comprises three modules: Adaptive Perception Inference to extract structural dependencies via static analysis, Reflective Synthesis for iterative configuration optimization, and Autonomous Runtime Intervention for real-time fault diagnosis and error remediation. On 21 firmware images from 10 vendors across 5 architectures, it reports 100% network port opening and 90.5% service interactivity, outperforming baselines, with intervention strategies that generalize and enable reproduction of known vulnerabilities plus discovery of new flaws.
Significance. If the empirical results and LLM-module reliability hold under scrutiny, FirmCure could meaningfully advance scalable firmware security analysis by reducing expert intervention in rehosting heterogeneous devices, enabling broader vulnerability research on custom IoT hardware.
major comments (3)
- [Evaluation] Evaluation section: aggregate success rates (100% port opening, 90.5% interactivity) are reported without firmware selection criteria, baseline implementation details, error bars, or confirmation that post-hoc adjustments were avoided, rendering the central performance claims unverifiable from the provided text.
- [§3] Adaptive Perception Inference and Autonomous Runtime Intervention modules: the load-bearing assumption that the LLM components reliably extract dependencies and perform remediation without missing hardware-specific behaviors (e.g., peripheral initialization, memory-mapped I/O, vendor boot sequences) across 5 architectures lacks supporting ablations on prompt sensitivity, per-module error rates, or false-positive rates in vulnerability reproduction.
- [Experiments] Generalization claim: the assertion that intervention strategies generalize across heterogeneous firmware is not accompanied by case studies or metrics showing instances where static analysis failed or hardware emulation remained necessary despite the autonomy claim.
minor comments (3)
- [§3] Clarify the specific LLMs, versions, and prompt templates used in each module to aid reproducibility.
- [Evaluation] Add a table comparing per-firmware results against each baseline rather than aggregate figures only.
- Ensure all architecture-specific handling details are explicitly described rather than summarized.
Simulated Author's Rebuttal
We thank the referee for the constructive and detailed feedback. We address each major comment point by point below, indicating where revisions will be made to strengthen the manuscript.
read point-by-point responses
-
Referee: [Evaluation] Evaluation section: aggregate success rates (100% port opening, 90.5% interactivity) are reported without firmware selection criteria, baseline implementation details, error bars, or confirmation that post-hoc adjustments were avoided, rendering the central performance claims unverifiable from the provided text.
Authors: We acknowledge that the current manuscript reports aggregate success rates without providing firmware selection criteria, detailed baseline implementation steps, error bars, or explicit confirmation that post-hoc adjustments were avoided. This limits verifiability of the central claims. In the revised manuscript, we will expand the Evaluation section to include these elements: explicit selection criteria for the 21 firmware images, implementation details for all baselines, statistical error bars on the reported rates, and a statement confirming no post-hoc adjustments were performed. revision: yes
-
Referee: [§3] Adaptive Perception Inference and Autonomous Runtime Intervention modules: the load-bearing assumption that the LLM components reliably extract dependencies and perform remediation without missing hardware-specific behaviors (e.g., peripheral initialization, memory-mapped I/O, vendor boot sequences) across 5 architectures lacks supporting ablations on prompt sensitivity, per-module error rates, or false-positive rates in vulnerability reproduction.
Authors: The referee correctly notes the absence of ablations on prompt sensitivity, per-module error rates, and false-positive rates for vulnerability reproduction. The manuscript relies on overall success metrics to support LLM reliability but does not provide these supporting analyses. We will add a dedicated subsection (or expand §3 and the evaluation) with prompt sensitivity experiments, per-module breakdown of success/error rates, and analysis of false positives in vulnerability reproduction to address this gap. revision: yes
-
Referee: [Experiments] Generalization claim: the assertion that intervention strategies generalize across heterogeneous firmware is not accompanied by case studies or metrics showing instances where static analysis failed or hardware emulation remained necessary despite the autonomy claim.
Authors: We agree that the generalization claim requires more concrete supporting evidence. The manuscript asserts that intervention strategies generalize but does not include case studies or quantitative metrics on cases where static analysis failed or where hardware emulation steps remained necessary. In the revision, we will add case studies and associated metrics illustrating such instances to substantiate the autonomy and generalization claims. revision: yes
Circularity Check
No circularity: empirical evaluation only, no derivations or self-referential reductions
full rationale
The paper describes an LLM-based rehosting framework evaluated empirically on 21 firmware samples across architectures, reporting success rates without any equations, fitted parameters, uniqueness theorems, or self-citations that bear the central claims. The three modules (Adaptive Perception Inference, Reflective Synthesis, Autonomous Runtime Intervention) are presented as engineering components whose performance is measured directly in experiments; no step reduces a prediction or result to its own inputs by construction. This is the standard case of a self-contained empirical systems paper.
Axiom & Free-Parameter Ledger
Reference graph
Works this paper leans on
-
[1]
Connected iot device market update – fall 2025 and 2026 – 2035,
IoT Analytics, “Connected iot device market update – fall 2025 and 2026 – 2035,” https://iot-analytics.com/number-connected-iot-devices/, 2025
2025
-
[2]
Linux in iot devices statistics,
CommandLinux, “Linux in iot devices statistics,” https://commandlinux. com/statistics/linux-in-iot-devices-statistics/, 2024
2024
-
[3]
A survey of the security analysis of embedded devices,
X. Zhou, P. Wang, L. Zhou, P. Xun, and K. Lu, “A survey of the security analysis of embedded devices,”Sensors, vol. 23, no. 22, p. 9221, 2023
2023
-
[4]
Firmhunter: State-aware and introspection-driven grey-box fuzzing towards iot firmware,
Q. Yin, X. Zhou, and H. Zhang, “Firmhunter: State-aware and introspection-driven grey-box fuzzing towards iot firmware,”Applied Sciences, vol. 11, no. 19, p. 9094, 2021
2021
-
[5]
{FIRM-AFL}:{High-Throughput}greybox fuzzing of{IoT}firmware via augmented process emulation,
Y . Zheng, A. Davanian, H. Yin, C. Song, H. Zhu, and L. Sun, “{FIRM-AFL}:{High-Throughput}greybox fuzzing of{IoT}firmware via augmented process emulation,” in28th USENIX Security Symposium (USENIX Security 19), 2019, pp. 1099–1114
2019
-
[6]
Firmfuzz: Automated iot firmware introspection and analysis,
P. Srivastava, H. Peng, J. Li, H. Okhravi, H. Shrobe, and M. Payer, “Firmfuzz: Automated iot firmware introspection and analysis,” in Proceedings of the 2nd International ACM Workshop on Security and Privacy for the Internet-of-Things, 2019, pp. 15–21
2019
-
[7]
Pandawan: quantifying progress in linux-based firmware rehosting,
I. Angelakopoulos, G. Stringhini, and M. Egele, “Pandawan: quantifying progress in linux-based firmware rehosting,” in33rd USENIX Security Symposium (USENIX Security 24), 2024, pp. 5859–5876
2024
-
[8]
{FirmSolo}: Enabling dynamic analysis of binary linux-based {IoT}kernel modules,
——, “{FirmSolo}: Enabling dynamic analysis of binary linux-based {IoT}kernel modules,” in32nd USENIX Security Symposium (USENIX Security 23), 2023, pp. 5021–5038
2023
-
[9]
Firmdiff: Improving the configuration of linux kernels geared towards firmware re-hosting
——, “Firmdiff: Improving the configuration of linux kernels geared towards firmware re-hosting.” Workshop on Binary Analysis Research (BAR’24), 2024
2024
-
[10]
Towards automated dynamic analysis for linux-based embedded firmware
D. D. Chen, M. Woo, D. Brumley, and M. Egele, “Towards automated dynamic analysis for linux-based embedded firmware.” inNDSS, vol. 1, 2016, pp. 1–1
2016
-
[11]
Firmae: Towards large-scale emulation of iot firmware for dynamic analysis,
M. Kim, D. Kim, E. Kim, S. Kim, Y . Jang, and Y . Kim, “Firmae: Towards large-scale emulation of iot firmware for dynamic analysis,” inProceedings of the 36th Annual Computer Security Applications Conference, 2020, pp. 733–745
2020
-
[12]
User-space dependency-aware rehosting for linux-based firmware binaries,
C. Qin, C. Zhang, Y . Zheng, P. Liu, J. Zhang, Y . Li, W. Zhang, Y . Liu, and L. Sun, “User-space dependency-aware rehosting for linux-based firmware binaries,” inNetwork and Distributed System Security (NDSS) Symposium 2026, 2026, pp. 23–27 February 2026, San Diego, CA, USA. [Online]. Available: www.ndss-symposium.org
2026
-
[13]
Qemu, a fast and portable dynamic translator
F. Bellard, “Qemu, a fast and portable dynamic translator.” inUSENIX annual technical conference, FREENIX Track, vol. 41, no. 46. Cali- fornia, USA, 2005, pp. 10–55
2005
-
[14]
Greenhouse: Single-service rehosting of linux- based firmware binaries in user-space emulation,
H. J. Tay, K. Zeng, J. M. Vadayath, A. S. Raj, A. Dutcher, T. Reddy, W. Gibbs, Z. L. Basque, F. Dong, Z. Smith, A. Doup’e, Y . Shoshi- taishvili, and R. Wang, “Greenhouse: Single-service rehosting of linux- based firmware binaries in user-space emulation,” in32nd USENIX Security Symposium (USENIX Security 23), 2023, pp. 5791–5808
2023
-
[15]
Improving language understanding by generative pre-training,
A. Radford, K. Narasimhan, T. Salimans, I. Sutskeveret al., “Improving language understanding by generative pre-training,” 2018
2018
-
[16]
Language models are unsupervised multitask learners,
A. Radford, J. Wu, R. Child, D. Luan, D. Amodei, I. Sutskeveret al., “Language models are unsupervised multitask learners,”OpenAI blog, vol. 1, no. 8, p. 9, 2019
2019
-
[17]
Language mod- els are few-shot learners,
T. Brown, B. Mann, N. Ryder, M. Subbiah, J. D. Kaplan, P. Dhariwal, A. Neelakantan, P. Shyam, G. Sastry, A. Askellet al., “Language mod- els are few-shot learners,”Advances in neural information processing systems, vol. 33, pp. 1877–1901, 2020
1901
-
[18]
An empirical study on the effectiveness of large language models for binary code understanding,
X. Shang, Z. Fu, S. Cheng, G. Chen, G. Li, L. Hu, W. Zhang, and N. Yu, “An empirical study on the effectiveness of large language models for binary code understanding,”Empirical Software Engineering, vol. 31, no. 1, pp. 1–38, 2026
2026
-
[19]
Detecting command injection vulnerabilities in linux-based embedded firmware with llm-based taint analysis of library functions,
J. Ye, X. Fei, X. d. C. de Carnavalet, L. Zhao, L. Wu, and M. Zhang, “Detecting command injection vulnerabilities in linux-based embedded firmware with llm-based taint analysis of library functions,”Computers & Security, vol. 144, p. 103971, 2024
2024
-
[20]
Exploring the efficacy of large lan- guage models (gpt-4) in binary reverse engineering,
S. Pordanesh and B. Tan, “Exploring the efficacy of large lan- guage models (gpt-4) in binary reverse engineering,”arXiv preprint arXiv:2406.06637, 2024
-
[21]
Flexemu: Towards flexible mcu peripheral emulation,
C. Lei, Z. Ling, X. Xu, S. Li, G. Liu, K. Dong, and J. Luo, “Flexemu: Towards flexible mcu peripheral emulation,” inProceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security, 2025, pp. 2609–2623
2025
-
[22]
ReAct: Synergizing Reasoning and Acting in Language Models
S. Yao, J. Zhao, D. Yu, N. Du, I. Shafran, K. Narasimhan, and Y . Cao, “React: Synergizing reasoning and acting in language models,”arXiv preprint arXiv:2210.03629, 2022
work page internal anchor Pith review Pith/arXiv arXiv 2022
-
[23]
Re- flexion: Language agents with verbal reinforcement learning,
N. Shinn, F. Cassano, A. Gopinath, K. Narasimhan, and S. Yao, “Re- flexion: Language agents with verbal reinforcement learning,”Advances in neural information processing systems, vol. 36, pp. 8634–8652, 2023
2023
-
[24]
Chain-of-thought prompting elicits reasoning in large language models,
J. Wei, X. Wang, D. Schuurmans, M. Bosma, F. Xia, E. Chi, Q. V . Le, D. Zhouet al., “Chain-of-thought prompting elicits reasoning in large language models,”Advances in neural information processing systems, vol. 35, pp. 24 824–24 837, 2022
2022
-
[25]
Large language models for software engi- neering: A systematic literature review,
X. Hou, Y . Zhao, Y . Liu, Z. Yang, K. Wang, L. Li, X. Luo, D. Lo, J. Grundy, and H. Wang, “Large language models for software engi- neering: A systematic literature review,”ACM Transactions on Software Engineering and Methodology, vol. 33, no. 8, pp. 1–79, 2024
2024
-
[26]
Wizardcoder: Empowering code large language models with evol-instruct,
Z. Luo, C. Xu, P. Zhao, Q. Sun, X. Geng, W. Hu, C. Tao, J. Ma, Q. Lin, and D. Jiang, “Wizardcoder: Empowering code large language models with evol-instruct,”arXiv preprint arXiv:2306.08568, 2023
-
[27]
Code Llama: Open Foundation Models for Code
B. Roziere, J. Gehring, F. Gloeckle, S. Sootla, I. Gat, X. E. Tan, Y . Adi, J. Liu, R. Sauvestre, T. Remezet al., “Code llama: Open foundation models for code,”arXiv preprint arXiv:2308.12950, 2023
work page internal anchor Pith review Pith/arXiv arXiv 2023
-
[28]
Z. Shen, “Llm with tools: A survey,”arXiv preprint arXiv:2409.18807, 2024
-
[29]
Tool learning with foundation models,
Y . Qin, S. Hu, Y . Lin, W. Chen, N. Ding, G. Cui, Z. Zeng, X. Zhou, Y . Huang, C. Xiaoet al., “Tool learning with foundation models,”ACM Computing Surveys, vol. 57, no. 4, pp. 1–40, 2024
2024
-
[30]
Model context protocol (mcp): Landscape, security threats, and future research directions,
X. Hou, Y . Zhao, S. Wang, and H. Wang, “Model context protocol (mcp): Landscape, security threats, and future research directions,”ACM Transactions on Software Engineering and Methodology, 2025
2025
-
[31]
Retrieval- augmented generation for knowledge-intensive nlp tasks,
P. Lewis, E. Perez, A. Piktus, F. Petroni, V . Karpukhin, N. Goyal, H. K ¨uttler, M. Lewis, W.-t. Yih, T. Rockt ¨aschelet al., “Retrieval- augmented generation for knowledge-intensive nlp tasks,”Advances in neural information processing systems, vol. 33, pp. 9459–9474, 2020
2020
-
[32]
From llms to llm- based agents for software engineering: A survey of current, challenges and future,
H. Jin, L. Huang, H. Cai, J. Yan, B. Li, and H. Chen, “From llms to llm- based agents for software engineering: A survey of current, challenges and future,”arXiv preprint arXiv:2408.02479, 2024
-
[33]
A survey on large language model based autonomous agents,
L. Wang, C. Ma, X. Feng, Z. Zhang, H. Yang, J. Zhang, Z. Chen, J. Tang, X. Chen, Y . Linet al., “A survey on large language model based autonomous agents,”Frontiers of Computer Science, vol. 18, no. 6, p. 186345, 2024
2024
-
[34]
Housefuzz: Service-aware grey-box fuzzing for vulnerability detection in linux- based firmware,
H. Xiao, Z. Wei, J. Dai, B. Li, Y . Zhang, and M. Yang, “Housefuzz: Service-aware grey-box fuzzing for vulnerability detection in linux- based firmware,” in2025 IEEE Symposium on Security and Privacy (SP). IEEE, 2025, pp. 3801–3819
2025
-
[35]
Crewai: The leading multi-agent platform,
CrewAI Team, “Crewai: The leading multi-agent platform,” https:// crewai.com/, 2025
2025
-
[36]
Radare2: Unix-like reverse engineering framework and commandline toolset,
Radare Project, “Radare2: Unix-like reverse engineering framework and commandline toolset,” https://www.radare.org/, 2026
2026
-
[37]
Litellm documentation,
BerriAI, “Litellm documentation,” https://docs.litellm.ai/, 2024
2024
-
[38]
VxWorks,
Wind River, “VxWorks,” https://www.windriver.com/products/vxworks, commercial real-time operating system developed by Wind River
-
[39]
About the Zephyr Project,
Zephyr Project, “About the Zephyr Project,” https://www.zephyrproject. org/, open-source real-time operating system hosted by the Linux Foundation
-
[40]
What you corrupt is not what you crash: Challenges in fuzzing embedded devices
M. Muench, J. Stijohann, F. Kargl, A. Francillon, and D. Balzarotti, “What you corrupt is not what you crash: Challenges in fuzzing embedded devices.” inNDSS, 2018
2018
-
[41]
Unicorn: Next generation cpu emulator framework,
N. A. Quynh and D. H. Vu, “Unicorn: Next generation cpu emulator framework,”BlackHat USA, vol. 476, 2015
2015
-
[42]
Ghidra: Software reverse engineering frame- work,
National Security Agency, “Ghidra: Software reverse engineering frame- work,” https://github.com/NationalSecurityAgency/ghidra, 2019
2019
-
[43]
{HALucinator}: Firmware re-hosting through abstraction layer emulation,
A. A. Clements, E. Gustafson, T. Scharnowski, P. Grosen, D. Fritz, C. Kruegel, G. Vigna, S. Bagchi, and M. Payer, “{HALucinator}: Firmware re-hosting through abstraction layer emulation,” in29th USENIX Security Symposium (USENIX Security 20), 2020, pp. 1201– 1218
2020
-
[44]
Avatar: A framework to support dynamic security analysis of embedded systems’ firmwares
J. Zaddach, L. Bruno, A. Francillon, D. Balzarottiet al., “Avatar: A framework to support dynamic security analysis of embedded systems’ firmwares.” inNDSS, vol. 14, no. 2014, 2014, pp. 1–16
2014
-
[45]
Avatar 2: A multi-target orchestration platform,
M. Muench, D. Nisi, A. Francillon, and D. Balzarotti, “Avatar 2: A multi-target orchestration platform,” inProc. Workshop Binary Anal. Res.(Colocated NDSS Symp.), vol. 18, 2018, pp. 1–11
2018
-
[46]
Prospect: peripheral proxying supported embedded code testing,
M. Kammerstetter, C. Platzer, and W. Kastner, “Prospect: peripheral proxying supported embedded code testing,” inProceedings of the 14 9th ACM symposium on Information, computer and communications security, 2014, pp. 329–340
2014
-
[47]
Toward the analysis of embedded firmware through automated re- hosting,
E. Gustafson, M. Muench, C. Spensky, N. Redini, A. Machiry, Y . Fratan- tonio, D. Balzarotti, A. Francillon, Y . R. Choe, C. Kruegelet al., “Toward the analysis of embedded firmware through automated re- hosting,” in22nd International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2019), 2019, pp. 135–150
2019
-
[48]
Device-agnostic firmware execution is possible: A concolic execution approach for peripheral emulation,
C. Cao, L. Guan, J. Ming, and P. Liu, “Device-agnostic firmware execution is possible: A concolic execution approach for peripheral emulation,” inProceedings of the 36th Annual Computer Security Applications Conference, 2020, pp. 746–759
2020
-
[49]
Automatic firmware emula- tion through invalidity-guided knowledge inference,
W. Zhou, L. Guan, P. Liu, and Y . Zhang, “Automatic firmware emula- tion through invalidity-guided knowledge inference,” in30th USENIX Security Symposium (USENIX Security 21), 2021, pp. 2007–2024
2021
-
[50]
Jetset: Targeted firmware rehosting for embedded systems,
E. Johnson, M. Bland, Y . Zhu, J. Mason, S. Checkoway, S. Savage, and K. Levchenko, “Jetset: Targeted firmware rehosting for embedded systems,” in30th USENIX Security Symposium (USENIX Security 21), 2021, pp. 321–338
2021
-
[51]
A friend’s eye is a good mirror: Synthesizing{MCU}peripheral models from peripheral drivers,
C. Lei, Z. Ling, Y . Zhang, Y . Yang, J. Luo, and X. Fu, “A friend’s eye is a good mirror: Synthesizing{MCU}peripheral models from peripheral drivers,” in33rd USENIX Security Symposium (USENIX Security 24), 2024, pp. 7085–7102
2024
-
[52]
Iemu: Interrupt modeling from the logic hidden in the firmware,
Y . Wei, Y . Wang, L. Zhou, X. Zhou, and Z. Jiang, “Iemu: Interrupt modeling from the logic hidden in the firmware,”Journal of Systems Architecture, vol. 154, p. 103237, 2024
2024
-
[53]
What your firmware tells you is not how you should emulate it: A specification-guided approach for firmware emulation,
W. Zhou, L. Zhang, L. Guan, P. Liu, and Y . Zhang, “What your firmware tells you is not how you should emulate it: A specification-guided approach for firmware emulation,” inProceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, 2022, pp. 3269–3283
2022
-
[54]
Fuzzware: Using precise {MMIO}modeling for effective firmware fuzzing,
T. Scharnowski, N. Bars, M. Schloegel, E. Gustafson, M. Muench, G. Vigna, C. Kruegel, T. Holz, and A. Abbasi, “Fuzzware: Using precise {MMIO}modeling for effective firmware fuzzing,” in31st USENIX Security Symposium (USENIX Security 22), 2022, pp. 1239–1256
2022
-
[55]
Ember-io: Effective firmware fuzzing with model-free memory mapped io,
G. Farrelly, M. Chesser, and D. C. Ranasinghe, “Ember-io: Effective firmware fuzzing with model-free memory mapped io,” inProceedings of the 2023 ACM Asia Conference on Computer and Communications Security, 2023, pp. 401–414
2023
-
[56]
{P2IM}: Scalable and hardware- independent firmware testing via automatic peripheral interface model- ing,
B. Feng, A. Mera, and L. Lu, “{P2IM}: Scalable and hardware- independent firmware testing via automatic peripheral interface model- ing,” in29th USENIX Security Symposium (USENIX Security 20), 2020, pp. 1237–1254
2020
-
[57]
Dice: Automatic emulation of dma input channels for dynamic firmware analysis,
A. Mera, B. Feng, L. Lu, and E. Kirda, “Dice: Automatic emulation of dma input channels for dynamic firmware analysis,” in2021 IEEE Symposium on Security and Privacy (SP). IEEE, 2021, pp. 1938–1954. APPENDIX A. Open Science To support reproducibility, we make the following artifacts publicly available in our anonymous repository: •Source Code.The complete...
2021
-
[58]
Adaptive Perception — Firmware Analyst: Prompt Template Role:Embedded Firmware Reverse Engineering Ana- lyst. Goal:Perform deep analysis of firmware rootfs to accurately identify CPU architecture, httpd web server type and configuration, startup script sequences, shared library dependencies, and NVRAM dependencies, pro- ducing a structured JSON analysis r...
-
[59]
Reflective Synthesis — Boot Repair Engineer: Prompt Template Role:QEMU Emulation Environment Diagnostic and Repair Engineer. Goal:Analyze QEMU boot failure logs, check rootfs filesystem integrity, identify root cause of boot failure, and immediately execute repairs (supplement missing libraries, fix symbolic links, adjust QEMU parameters) to enable the fi...
-
[60]
Goal:Analyze httpd service fault symptoms, accu- rately diagnose fault type, delegate repair tasks to the most appropriate specialist agent, and review repair results
Autonomous Runtime Intervention — Manager: Prompt Template Role:Firmware Runtime Intervention Commander. Goal:Analyze httpd service fault symptoms, accu- rately diagnose fault type, delegate repair tasks to the most appropriate specialist agent, and review repair results. If repair is incomplete or new issues are discovered, re-delegate to other specialis...
-
[61]
Goal:Analyze httpd program crash causes through GDB remote debugging and radare2 reverse engi- neering, and apply fixes using the breakpoint chain accumulation strategy
Autonomous Runtime Intervention — Crash Expert: Prompt Template Role:Binary Crash Analysis and Repair Expert. Goal:Analyze httpd program crash causes through GDB remote debugging and radare2 reverse engi- neering, and apply fixes using the breakpoint chain accumulation strategy. Backstory:You are an embedded binary reverse en- gineering and debugging expe...
-
[62]
Goal:Repair filesystem issues in the QEMU virtual machine: missing files, permission errors, symbolic link corruption, and device node absence
Autonomous Runtime Intervention — File Expert: Prompt Template Role:Firmware Filesystem Repair Expert. Goal:Repair filesystem issues in the QEMU virtual machine: missing files, permission errors, symbolic link corruption, and device node absence. Backstory:You are an embedded Linux filesystem expert. You are familiar with the filesystem structure of embed...
-
[63]
Goal:Repair web-layer issues of the httpd service: HTTP 500/404 errors, CGI script failures, configura- tion file problems, and web content mapping errors
Autonomous Runtime Intervention — Web Expert: Prompt Template Role:httpd Web Service Content Repair Expert. Goal:Repair web-layer issues of the httpd service: HTTP 500/404 errors, CGI script failures, configura- tion file problems, and web content mapping errors. The httpd process is already running; focus on the web content layer, not binary crashes or n...
-
[64]
Goal:Handle failures that cannot be classified into a specific category, comprehensively applying all avail- able tools and expert knowledge bases to diagnose and repair
Autonomous Runtime Intervention — Generic Expert: Prompt Template Role:Firmware Runtime General-Purpose Repair Ex- pert. Goal:Handle failures that cannot be classified into a specific category, comprehensively applying all avail- able tools and expert knowledge bases to diagnose and repair. Backstory:You are a versatile firmware debugging expert. When oth...
-
[65]
Objective:Extract emulation primitives and classify hardware dependencies for QEMU execution
Adaptive Perception — Firmware Analyst: Prompt Template Input:Extracted firmware root filesystem directory. Objective:Extract emulation primitives and classify hardware dependencies for QEMU execution. Analysis Steps: 1)Architecture & Service Profiling:Parse ELF headers (elf_info) to identify CPU architec- ture, endianness, and libc type. Locate the httpd...
-
[66]
Objective:Diagnose QEMU boot failure, apply mini- mal repair, and produce corrected QEMU parameters
Reflective Synthesis — Boot Repair Engineer: Prompt Template Input:QEMU boot log, rootfs directory path, current QEMU command, architecture. Objective:Diagnose QEMU boot failure, apply mini- mal repair, and produce corrected QEMU parameters. Analysis Steps: 1)Priority Diagnosis:Scan boot log for kernel panic, VFS mount failure, CPU ISA mismatch, or missin...
-
[67]
Objective:Diagnose runtime failure type and delegate to the optimal specialist agent
Autonomous Runtime Intervention — Manager: Prompt Template Input:Service status JSON, httpd startup logs, break- point chain history, Adaptive Perception analysis con- text. Objective:Diagnose runtime failure type and delegate to the optimal specialist agent. Analysis Steps: 1)Log-Tail Priority Analysis:Prioritize errors in thelast linesof the log, as the...
-
[68]
Objective:Identify crash root cause via static reverse engineering and bypass failure checks via GDB break- point chain
Autonomous Runtime Intervention — Crash Expert: Prompt Template Input:Fault info (crash signal or hang detection), httpd binary path, architecture, breakpoint chain his- tory. Objective:Identify crash root cause via static reverse engineering and bypass failure checks via GDB break- point chain. Analysis Steps: 1)Error String Extraction:Extract the last m...
-
[69]
Objective:Restore missing or corrupted filesystem resources required by the httpd service
Autonomous Runtime Intervention — File Expert: Prompt Template Input:Fault info (file missing / permission denied / symlink corruption), rootfs path. Objective:Restore missing or corrupted filesystem resources required by the httpd service. Analysis Steps: 1)Resource Localization:Usefind_filesand read_fileto locate missing files, broken symlinks, or incor...
-
[70]
Objective:Diagnose and fix httpd web-layer issues while the binary process is already running
Autonomous Runtime Intervention — Web Expert: Prompt Template Input:Fault info (HTTP 500/404/empty response), HTTP status code, rootfs path. Objective:Diagnose and fix httpd web-layer issues while the binary process is already running. Analysis Steps: 1)Web Directory Inspection (priority):Verify web root content exists, is non-empty, and con- tains index ...
-
[71]
Objective:Handle multi-factor or ambiguous failures that cannot be routed to a single specialist
Autonomous Runtime Intervention — Generic Expert: Prompt Template Input:Unclassified fault info, full tool access, all expert knowledge bases injected. Objective:Handle multi-factor or ambiguous failures that cannot be routed to a single specialist. Analysis Steps: 1)Cross-Domain Diagnosis:Apply the fault rout- ing knowledge base to classify the problem. ...
2015
discussion (0)
Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.