# FIRM-COV
AI Summary
Purpose:
- Describe the FIRM-COV research project: a high-coverage greybox fuzzer for IoT firmware via optimized process emulation, co-authored by the wiki owner (Hyunwook Kim).
Key points:
- Published in IEEE Access, Vol. 9, 2021 (DOI 10.1109/ACCESS.2021.3097807). Authors: Juhwan Kim, Jihyeon Yu, Hyunwook Kim, Fayozbek Rustamov, Joobeom Yun (Sejong University).
- First high-coverage-oriented greybox fuzzer for IoT firmware; runs without real devices via emulation.
- Three core techniques: dictionary generation algorithm (structured input), optimized process emulation (stability + accuracy), synergy scheduling (coverage + throughput).
- Evaluated on 8 real-world IoT devices against FIRM-AFL-based baselines; highest coverage/throughput, fastest 1-day discovery with near-zero false positives, and 2 0-day vulnerabilities found in 24 h.
- Builds on FIRM-AFL's augmented process emulation and improves it.
Relevant when:
- Summarizing the owner's academic work, IoT firmware fuzzing research, or relating it to [[iot-firmware-fuzzing]] and sibling tools.
Do not read full document unless:
- You need exact metrics, algorithm formulas, or table values — see the source extract instead.
Linked documents:
- [[iot-firmware-fuzzing]]
- ../../sources/academic/firm-cov-extract.md
Open Questions
- CVE identifiers for the two 0-day vulnerabilities are not stated in the paper. Needs confirmation.
- Full per-device table of the 8 evaluation targets (beyond DIR-815, DIR-825, TEW-632BRP, TV-IP110WN, WR940N named in text) is in Table 3 figures. Needs confirmation.
- Relationship to the Korean paper "복합 에뮬레이션을 이용한 효율적인 커버리지 가이드 IoT 펌웨어 퍼징기법" — see Details; the two share an author (Joobeom Yun's group) and lineage but propose distinctly named systems (FIRM-COV vs IoTFirmFuzz). Direct authorship overlap of the Korean paper is Needs confirmation.
Details
Bibliographic
- Title: "FIRM-COV: High-Coverage Greybox Fuzzing for IoT Firmware via Optimized Process Emulation"
- Authors (as printed): Juhwan Kim, Jihyeon Yu, Hyunwook Kim, Fayozbek Rustamov, Joobeom Yun. Hyunwook Kim — the wiki owner — is the third author. Corresponding author: Joobeom Yun.
- Affiliation: Sejong University, Dept. of Computer and Information Security (and Convergence Engineering for Intelligent Drone), Seoul, South Korea.
- Venue & year: IEEE Access, Vol. 9, 2021. DOI 10.1109/ACCESS.2021.3097807. Received 2021-05-12, published 2021-07-16. Open access (CC BY 4.0).
- Funding: MSIT (South Korea) ITRC/IITP support; Grants IITP-2021-2018-0-01423 and IITP-2021-2020-0-01602.
Problem
IoT firmware is a high-value, easily reachable remote-attack target, yet hard to fuzz. The paper frames three challenges:
- C1 Structured input: network IoT programs (e.g., CGI over HTTP) silently discard unstructured input, so blind mutation cannot reach deep paths.
- C2 Panic state: emulation imperfectly models hardware (e.g., NVRAM), so peripheral access can crash/reboot the emulator and cause non-responding inputs to be misclassified as crashes (false positives).
- C3 Code coverage: prior IoT fuzzers focus on throughput, not coverage, so they re-explore the same paths and use inefficient mutation operators.
Approach
FIRM-COV pursues four goals at once — availability (no real device), accuracy (few false positives), stability (detect panic state), efficiency (high coverage + throughput) — via three techniques:
- Dictionary generation algorithm (static analysis). Extracts all string constants from the target binary, then keeps only "syntax-tokens" via three steps: reference mining (is the string referenced/used as an argument?), fine-grained instruction check (used as a function argument, e.g., MIPS $a0–$a3?), and library-function analysis (passed to specific uClibc string-handling APIs that often source buffer-overflow / out-of-bounds bugs?). Surviving strings form the AFL dictionary for structured-input generation. Low overhead (small fraction of strings tokenized; avg 37.8 s to build a dictionary).
- Optimized process emulation (improves FIRM-AFL's augmented process emulation). Runs the target in user-mode for speed, switching to full-system emulation only for exceptions. Features: (a) capture an "entry state" at the network-receive point via state-of-the-art QEMU/DECAF dynamic introspection, synchronized between full-system and user-mode; (b) user-mode forks copies while full-system uses snapshots for scalability; (c) panic-state elimination via page-fault handling + periodic liveness check and re-synchronization, discarding the offending input; (d) hijack hardware-dependent functions (e.g., NVRAM) with an LD_PRELOAD library returning fake data to keep emulation stable.
- Coverage-oriented fuzzing with synergy scheduling. Greybox coverage via AFL bitmap; dictionary-based mutation for structured inputs; "synergy scheduling" = improved seed scheduling (low-frequency power schedule inspired by AFLFast) combined with improved mutation scheduling (PSO-based operator selection inspired by MOpt-AFL, skipping deterministic-stage dictionary mutation for a test case after 5 min with no new path/crash).
Architecture
Two layers: (1) Pre-analysis IoT firmware — set up the emulation environment (Binwalk extraction, busybox arch detection, QEMU image, customized MIPSEL/MIPSEB/ARM kernel + virtual NIC; FIRMADYNE base with QEMU replaced by DECAF) and generate the dictionary (IDA Pro + IDAPython). (2) Emulation-based IoT greybox fuzzing — optimized process emulator (integrated user-mode QEMU + full-system DECAF) plus an AFL-based coverage-oriented fuzzer. Implemented in Python and C.
Evaluation
- Targets: 8 real-world IoT devices (routers / IP cameras, 3 vendors) from the FIRMADYNE dataset; firmware from official sites. Named models include DIR-815, DIR-825, TEW-632BRP, TV-IP110WN, WR940N.
- Baselines (all built on open-source FIRM-AFL): Baseline (FIRM-AFL = AFL + augmented process emulation), FIRM-AFLFast (AFLFast seed scheduling), FIRM-MOptAFL (MOpt-AFL mutation scheduling), and FIRM-COV.
- Protocol: identical dictionary and seed for all; 24-h fuzzing per target; 3-run averages. Host: Intel i5, 32 GB RAM, Ubuntu 16.04 LTS; QEMU v2.1.0; AFL v2.52b.
- Results (textually stated):
- Overhead: optimized process emulation adds little overhead vs augmented process emulation (nbench). - Stability: across 150 Linux IoT firmware, all booted normally; NVRAM-at-boot (~30 firmware) handled by the preloaded library; no real devices needed. - Throughput: FIRM-COV highest across all models (discards non-responding inputs). - Path coverage: most unique paths in every model (e.g., ~715% over baseline on one model). - Tuple coverage vs baseline: FIRM-AFLFast +18.5% avg, FIRM-MOptAFL +9.4% avg, FIRM-COV +78.8% avg (max +237.7% on DIR-815). - 1-day vulns: FIRM-COV found all identified 1-days, fastest, with near-zero false positives; baselines missed some and produced false positives (e.g., WR940N). - 0-day vulns: two found and reported — buffer overflow in D-Link DIR-825 (fw 2.02NA–2.10NA, crafted URI in httpd) and buffer overflow in Trendnet TEW-632BRP (fw 1.10B32, crafted URI in httpd).
Contributions
- Demonstrates and root-causes the structured-input requirement of IoT programs.
- New static-analysis dictionary generation algorithm.
- New synergy scheduling technique.
- First high-coverage-oriented IoT firmware fuzzer (FIRM-COV).
Limitations (as stated)
- Dictionary misses string handling done without library APIs; no automatic crash root-cause verification; Linux-only (FIRMADYNE-based), Type-1 devices only, three architectures (MIPSEL/MIPSEB/ARM).
Relationship to the Korean paper (복합 에뮬레이션 …)
- The Korean paper "복합 에뮬레이션을 이용한 효율적인 커버리지 가이드 IoT 펌웨어 퍼징기법 / Efficient Coverage Guided IoT Firmware Fuzzing Technique Using Combined Emulation" (정보보호학회지 JKIISC, 2020.8) proposes a system named IoTFirmFuzz, not FIRM-COV.
- It is an earlier, smaller-scope work from the same research lineage (Joobeom Yun's Sejong group; same FIRM-AFL / combined-emulation foundation). IoTFirmFuzz focuses on strengthening AFL's mutation process: a PSO-based mutation-operator scheduler and a power scheduler for energy assignment, on top of FIRM-AFL's combined (augmented process) emulation. Baselines compared were AFL, AFLFast, AFLgo; evaluation used 4 firmware (DAP-2695, DIR-817LW, DIR-850L, TV-IP110WN) and reported more paths/crashes than FIRM-AFL (e.g., ~2.2× crashes on DAP-2695, ~4.3× paths on TV-IP110WN).
- Conceptual continuity: combined/augmented process emulation + AFL scheduling improvements appear in both. FIRM-COV (2021, IEEE Access) is the more complete, English, peer-reviewed evolution adding the dictionary generation algorithm, optimized process emulation (panic-state handling, NVRAM hijacking), and the unified "synergy scheduling," with a larger 8-device evaluation and 0-day findings.
- Whether the wiki owner co-authored the Korean IoTFirmFuzz paper specifically is Needs confirmation (author list of the Korean PDF not captured in the extracted text).
Sources
- ../../sources/academic/firm-cov-extract.md (structured extract)
- Primary PDFs (local): "세종대학원/성과/FIRM-COV_…Optimized_Process_Emulation.pdf"; "세종대학원/성과/복합 에뮬레이션을 이용한 효율적인 커버리지 가이드 IoT 펌웨어 퍼징기법.pdf"