# Source Extract — FIRM-COV (IEEE Access 2021)
AI Summary
Purpose:
- Structured, faithful extraction of the FIRM-COV paper for downstream wiki pages.
Key points:
- FIRM-COV: high-coverage greybox fuzzer for Linux-based IoT firmware via optimized process emulation.
- Published IEEE Access, Vol. 9, 2021. DOI 10.1109/ACCESS.2021.3097807.
- Authors: Juhwan Kim, Jihyeon Yu, Hyunwook Kim, Fayozbek Rustamov, Joobeom Yun (Sejong University). Hyunwook Kim (the wiki owner) is the third author.
- Core techniques: dictionary generation algorithm, optimized process emulation, synergy scheduling.
- Evaluated on 8 real-world IoT devices vs FIRM-AFL-based baselines; found 2 0-day vulnerabilities.
Relevant when:
- Building or verifying the [[firm-cov]] project page or any IoT-fuzzing concept page.
Do not read full document unless:
- You need exact quotes, metric values, or table-level details not captured here.
Linked documents:
- ../../wiki/academic/firm-cov.md
- ../../wiki/academic/iot-firmware-fuzzing.md
Open Questions
- Exact per-device coverage/throughput numbers live in figures/tables (Fig. 9–12, Tables 4–7); only the textually stated aggregate numbers are extracted below. Per-cell figure values are Needs confirmation (read figures from PDF if required).
- CVE identifiers for the two 0-day vulnerabilities are not stated in the paper. Needs confirmation.
Details
Bibliographic
- Title: "FIRM-COV: High-Coverage Greybox Fuzzing for IoT Firmware via Optimized Process Emulation"
- Authors (as printed): Juhwan Kim¹, Jihyeon Yu¹, Hyunwook Kim², Fayozbek Rustamov², Joobeom Yun¹
- ¹ Dept. of Computer and Information Security, and Convergence Engineering for Intelligent Drone, Sejong University, Seoul - ² Dept. of Computer and Information Security, Sejong University, Seoul - Corresponding author: Joobeom Yun ([email protected])
- Venue: IEEE Access, Vol. 9, 2021. DOI 10.1109/ACCESS.2021.3097807.
- Dates: received May 12, 2021; accepted July 7, 2021; published July 16, 2021; current version July 26, 2021.
- License: Creative Commons Attribution 4.0.
- Funding: MSIT South Korea via ITRC support program (IITP), Grant IITP-2021-2018-0-01423 and Grant IITP-2021-2020-0-01602.
- Index terms: Dictionary, emulation, firmware, fuzzing, IoT, vulnerability.
Problem / motivation
- IoT devices proliferate (Cisco: ~28.5B connected devices by 2022) and are easy remote-attack targets; firmware controls hardware and is prone to vulnerabilities.
- Need dynamic, automated vulnerability detection without requiring physical devices.
- Three challenges of IoT fuzzing (paper's framing):
- C1 Structured input values: network IoT programs (e.g., CGI over HTTP) discard unstructured input; CGI programs read data via getenv() rather than stdin, so malformed method/header values are dropped server-side, blocking deep-path exploration. - C2 Panic state: emulation does not fully implement hardware; reads/writes to peripherals (e.g., NVRAM) can crash the emulator, non-responding inputs get misclassified as crashes, and user→kernel access can force reboot. Paper calls these emulator weaknesses the "panic state." - C3 Code coverage: prior IoT fuzzers do not achieve high coverage; cited result — a 1% increase in code coverage can increase bug discovery by 0.92% (ref [35]).
Background: emulation techniques surveyed (all QEMU-related)
- User-mode emulation — fast cross-arch execution from main(); used by AFL-QEMU; does not recreate crashing hardware devices; not a perfect abstraction.
- System-mode (full-system) emulation — full VM with peripherals; used by FIRMADYNE, DECAF, PANDA; high compatibility but heavy performance overhead.
- Unicorn engine — QEMU-based CPU-only emulator; lighter; used by FIRMCORN; but requires dumping CPU context from real devices, so needs physical devices.
- Augmented process emulation — proposed by FIRM-AFL; combines user- and system-mode for efficiency + compatibility; runs target as emulated user, switches to system-mode for unhandled syscalls; but does not recover from infinite loops/reboots → needs stable emulation.
- FIRM-COV adopts and improves augmented process emulation → "optimized process emulation."
Design goals (four, simultaneous)
- Availability: operate without real-world IoT devices.
- Accuracy: find vulnerabilities with almost no false positives.
- Stability: detect the system's panic state.
- Efficiency: high coverage and throughput.
Approach — three core techniques
(A) Dictionary generation algorithm (Pre-analysis phase, Layer 1)
- Motivation: AFL dictionary-based mutation needs a good dictionary; extracting all binary strings is inefficient (overhead). So mine only syntax-tokens likely to trigger vulnerabilities.
- Steps after extracting all readable string constants from the data section and listing their addresses:
1. Reference mining — pick an address; check if any instruction references it (string used as a function argument); use chaining to collect all instructions propagated by that string. 2. Fine-grained instructions — check whether the string is used as a function argument (e.g., MIPS args in registers $a0–$a3). 3. Library function analysis — check whether the string is used as an argument to specific uClibc library APIs (Table 2) that take strings and affect addresses (common sources of buffer overflow / out-of-bounds). If yes, the string becomes a dictionary syntax-token; else discard.
- Table 1 (motivation): FIRM-AFL with vs without dictionary-based mutation, 30-min fuzz, meaningless seed ("fuzz"), dictionary file from FIRM-AFL author. Without dictionary, DIR-815 found only one discarded path; with dictionary many more. DIR-825 found more unstructured paths without dictionary but missed hidden headers.
(B) Optimized process emulation (Layer 2a)
- Generally runs target in user-mode for efficiency; switches to full-system emulation only to handle exceptions. Four features:
1. Generate entry state for IoT program — set the target's network-packet-receiving entry point as the fork point; abstractly store state (memory, registers, open files) = "entry state." Initialized in full-system emulation using state-of-the-art QEMU (DECAF) dynamic introspection: a custom callback captures target state when the client request packet is received, synchronizing it to user-mode emulation. 2. Snapshot for scalability — user-mode uses fork() to copy the target (cheap); full-system VM is expensive to copy/reboot, so it uses a snapshot, loading the entry state via snapshot on each fuzzing input. 3. Eliminate panic state — handle page faults by requesting new memory mapping from full-system emulation; periodic liveness check detects when emulators fall out of sync (panic state); on detection, re-synchronize the two emulators and discard the triggering input. 4. Handle hardware-dependent functions — functions accessing peripherals (e.g., nvram_get() reading NVRAM at boot) would crash the emulator; FIRM-COV implements a library (manually analyzing all evaluated firmware) loaded via LD_PRELOAD to hijack NVRAM-related functions and return fake data, keeping emulation stable.
(C) Coverage-oriented fuzzing (Layer 2b)
- Code coverage collection — greybox; store coverage in AFL bitmap; only inputs reaching new paths added to queue.
- Dictionary-based mutation — AFL dictionary mutation reads the generated dictionary to produce structured inputs (e.g., to reach "GET / HTTP 1.1"-style inputs unreachable by blind mutation).
- Synergy scheduling — combines improved seed scheduling and mutation scheduling:
- Seed scheduling: low-frequency-based algorithm (inspired by AFLFast [25]); modified power-schedule performance score p(i) = min( (α(i)/β) · (2^{s(i)} / f(i)), M ), where s(i)=times input i selected from queue, f(i)=number of inputs executed on same paths as i. Generates more inputs for low-reachability test cases. - Mutation scheduling: custom particle-swarm-optimization (PSO) algorithm (inspired by MOpt-AFL [28]) to find optimal mutation-operator probability distribution; AFL has 11 mutation operators across deterministic/havoc/splicing stages. FIRM-COV performs sufficient dictionary-based mutation during the deterministic stage but skips it for test cases if no new paths/crashes for 5 minutes, accelerating fuzzing.
Architecture / implementation
- Two layers: (1) Pre-analysis IoT firmware (environment setup + dictionary generation), (2) Emulation-based IoT greybox fuzzing (optimized process emulation + coverage-oriented fuzzing).
- Built in Python and C, integrating open-source projects.
- Environment setup: extract filesystem from Linux firmware image with Binwalk; collect arch info via busybox; build QEMU image; emulate customized kernel (MIPSEL / MIPSEB / ARM) + virtual network interface. Based on FIRMADYNE, with QEMU replaced by state-of-the-art DECAF for dynamic introspection.
- Dictionary generation automation: load target into IDA Pro, extract tokens via IDAPython, generate dictionary file.
- Fuzzer: AFL-based, with instrumentation-based coverage and exception-handling functions.
Evaluation
- Dataset: 8 real-world IoT devices (routers / IP cameras, 3 vendors), selected from FIRMADYNE dataset; firmware acquired from official websites (Table 3). Device families named in text/figures include DIR-815, DIR-825, TEW-632BRP, TV-IP110WN, WR940N (per-row table details: Needs confirmation for full list of 8).
- Baselines / configurations (all built on open-source FIRM-AFL):
- Baseline = FIRM-AFL (AFL + augmented process emulation). - FIRM-AFLFast = baseline with AFL power schedule replaced by AFLFast (low-frequency path guidance). - FIRM-MOptAFL = baseline with mutation scheduling replaced by MOpt-AFL; skips deterministic stage if no paths/crashes for 5 min. - FIRM-COV = optimized process emulation + synergy scheduling on AFL.
- Setup: same dictionary + same initial seed given to all frameworks; 24-h fuzzing per target; results averaged over 3 runs. Host: Intel i5, 32 GB RAM, Ubuntu 16.04 LTS; state-of-the-art QEMU and user-mode QEMU v2.1.0; AFL v2.52b.
- Evaluation questions: EQ1 performance overhead, EQ2 effectiveness, EQ3 code coverage, EQ4 vulnerability detection.
Key results (textually stated):
- EQ1 overhead: nbench (Table 4) shows optimized process emulation has little overhead vs existing augmented process emulation. Dictionary generation (Table 5): only a small fraction of strings tokenized (e.g., WR940N 4.75%); time proportional to total extracted strings — TV-IP110WN 1.53 s (fewest), WR940N 192.59 s (most), average 37.8 s across models.
- EQ2 availability/stability: across 150 Linux-based network IoT firmware (FIRMADYNE dataset), all emulated firmware booted normally; ~30 accessed NVRAM at boot but handled via the preloaded NVRAM library; stable emulation without crashing, no real devices needed.
- EQ2 throughput (Fig. 9): FIRM-COV had the highest fuzzing throughput across all models; it discarded non-responding inputs, unlike baselines whose throughput stalled on slow-HTTP-response inputs (DIR-825, TEW-632BRP, TV-IP110WN, WR940N).
- EQ3 path coverage (Fig. 10): FIRM-COV found the most unique paths in all models; e.g., in Fig. 10(c) ~715% more unique paths than baseline. Improving both seed and mutation scheduling beats improving either alone.
- EQ3 tuple coverage (Table 6, vs baseline): FIRM-AFLFast avg +18.5%; FIRM-MOptAFL avg +9.4% (had fewer tuples on some models due to insufficient first-stage mutation; WR940N +31.6% tuples despite lower path coverage); FIRM-COV avg +78.8%, max +237.7% on DIR-815.
- EQ4 1-day vulns (Table 7, Fig. 11): FIRM-COV found crashes for all identified 1-day vulns and fastest. Baselines/FIRM-AFLFast/FIRM-MOptAFL missed some 1-days (e.g., none on WR940N); their WR940N "crashes" were all false positives (non-responding inputs misclassified). FIRM-COV discarded non-responding inputs → no false positives; found the most crashes after 24 h across all programs.
- EQ4 0-day vulns: two 0-days found by FIRM-COV (not found by other frameworks in same environment), reported to manufacturers:
- Buffer overflow in D-Link DIR-825 (firmware 2.02NA to 2.10NA) — crafting the URI in httpd. - Buffer overflow in Trendnet TEW-632BRP (firmware 1.10B32) — crafting the URI in httpd.
- EQ4 accuracy (Fig. 12): generally high accuracy; many false positives on TV-IP110WN because firmware reads/writes config files in the filesystem; prior inputs corrupted config-file grammar and later inputs were treated as crashes. FIRM-COV restores emulator to entry state but not the firmware filesystem — noted as future work.
Contributions (as stated)
- Show that some IoT programs only accept structured input; investigate the root cause.
- New dictionary generation algorithm using static analysis for efficient input generation.
- New synergy scheduling technique for high coverage and throughput.
- Design and implement FIRM-COV; first application of high-coverage-oriented fuzzing to IoT firmware.
Limitations / future work (as stated)
- Dictionary generation only catches strings used as library-API arguments; misses string-manipulation done without library APIs.
- Crash verification: detects crashes but cannot auto-verify root cause; manual verification required.
- Scalability: supports MIPSEL/MIPSEB/ARM; FIRMADYNE-based so Linux-only; only Type-1 devices (per Muench et al. classification). Plan to extend to non-Linux IoT.
Related work cited (NOT authored by the wiki owner — background only)
- Avatar [2], Firmalice [3], FIRMADYNE [4], Muench et al. "What you corrupt is not what you crash" [5], Avatar2 [6], IOTFUZZER [7], FirmFuzz [8], FIRM-AFL [9], FIRMCORN [10], AFL [20], AFLFast/Böhme et al. [25], MOpt-AFL [28], QSYM [27], Driller [23], VUzzer [24], plus QEMU/DECAF/PANDA/Unicorn/Binwalk/IDA toolchain.