# IoTFirmFuzz
AI Summary
Purpose:
- Explain the IoTFirmFuzz invention: efficient coverage-guided IoT firmware fuzzing via combined emulation + PSO mutation optimization. Basis of granted Patent 1 (10-2020-0089416).
Key points:
- Core technique = Combined Emulation (full-system-mode emulation captures process state to a RAM File; user-mode emulation replays it for fast fuzzing; syscalls bounce back to system mode).
- Mutation efficiency improved by cutting stage-1 mutation count and applying PSO (Particle Swarm Optimization) to pick effective mutation operators in stage 2.
- Granted patent: see [[patents]]. Internal name in spec is "IoTFirmFuzz".
Relevant when:
- Describing the owner's M.S. firmware-fuzzing research; portfolio academic section.
Do not read full document unless:
- You need the patent metadata (use [[patents]]) or verbatim extraction (use source).
Linked documents:
- [[patents]]
- [[iothybridfuzzer]]
- [[../../sources/academic/patents-uart-extract]]
Open Questions
- "Backward Climbing" method name: the task brief calls IoTFirmFuzz's method "Backward Climbing", but this term does NOT appear in any supplied patent PDF (출원서, 명세서, 결정서, 발명설명서). The documented techniques are Combined Emulation + PSO mutation optimization. "Backward Climbing" — Needs confirmation (possibly an external/thesis name or a different feature).
- "FIRM-COV" relationship: term does NOT appear in supplied sources. Whether IoTFirmFuzz relates to / extends FIRM-COV — Needs confirmation.
- Relationship to the owner's M.S. thesis: plausible the thesis is built on IoTFirmFuzz, but the thesis was not in this source set — Needs confirmation.
Details
Problem addressed:
- Manual analysis of per-vendor IoT firmware is infeasible. Existing approaches emulate firmware and combine fuzzers, but mutation-based fuzzers (1) linger too long in mutation stage 1 (only advancing to stage 2 when no new path/crash is found) and (2) in stage 2 pick among 8 mutation operators randomly rather than by effectiveness. Result: exponential mutation counts without meaningful code-coverage gains; firmware emulation fuzzing also suffers poor speed/compatibility.
Method (as claimed):
- Select target firmware and run it under Full System Mode Emulation.
- Run the firmware's network program; save the process's allocated memory addresses to a RAM File.
- Start the mutation-based fuzzer; its embedded User Mode Emulator references the RAM File to emulate the target process.
- Seed the fuzzer and test the process.
- Pick a seed from the seed queue and allocate a mutation count.
- Mutate through the staged mutation process, selecting mutation operators to generate test cases.
- Feed generated test cases to the target process and test.
- (loop / monitor) — detect syscalls the user-mode process cannot handle; save current memory state; hand off to system-mode emulation to service the syscall; migrate the process back to user mode.
Key improvements over prior mutation fuzzers:
- Reduce time spent in mutation stage 1 by lowering mutation count.
- Apply PSO (Particle Swarm Optimization) in stage 2 to find and favor efficient mutation operators, widening code coverage and reaching deep code-region vulnerabilities faster.
Patent linkage:
- This invention is the granted Patent 1, official title "펌웨어 퍼징 장치 및 방법" / "APPARATUS AND METHOD FOR FUZZING FIRMWARE", app no. 10-2020-0089416, 10 claims. Inventors: 윤주범, 김현욱, 김주환. See [[patents]].
Relation to IoTHybridFuzzer:
- IoTFirmFuzz is the earlier (2020) coverage-guided emulation+mutation work; [[iothybridfuzzer]] (2021) extends the direction by adding symbolic/concolic execution (hybrid fuzzing) to solve hard path constraints.