# Master's Thesis — EF-Fuzz (Efficient Coverage-Guided Fuzzing for Embedded Systems)
AI Summary
Purpose:
- Capture the durable facts of Hyunwook Kim's M.S. thesis: the proposed system (EF-Fuzz), the problem it solves, its design, evaluation, and how it relates to the broader IoT firmware fuzzing work (Firm-AFL, FIRM-COV, IoTFirmFuzz).
Key points:
- Thesis title (KR): "결합된 에뮬레이션을 이용한 임베디드 시스템의 효율적인 커버리지 가이드 퍼징 연구".
- Thesis title (EN): "Research on Efficient Coverage-Guided Fuzzing for Embedded System Using Combined Emulation".
- Degree: M.S. in Information Security (정보보호학과), Sejong University Graduate School (세종대학교대학원). Submitted December 2020.
- Advisor: 윤주범 (Joobeom Yun). Committee chair: 박기웅; committee member: 김영갑. (Names verbatim from the approval page.)
- Proposed system: EF-Fuzz — a mutation-based greybox fuzzer for emulated IoT firmware that improves the AFL seed-generation pipeline with two scheduler enhancements: (1) an Efficient Energy Allocation Scheduler and (2) an Optimized Mutator Scheduler driven by a customized PSO (Particle Swarm Optimization) algorithm, plus a stage-2 entry timer ('L' option).
- EF-Fuzz reuses Firm-AFL's "combined emulation" (full-system + user-mode QEMU) for compatibility/throughput, and adds the two schedulers on top of the fuzzer to raise code coverage and crash discovery.
- Evaluated against Firm-AFL, AFLfast, and AFLgo on 7 real router/camera firmware images; EF-Fuzz won on coverage and crashes across all targets. It discovered a 0-day in DIR-825 Rev.B 2.10B02 (the thesis says "unknown vulnerability"; CVE assignment Needs confirmation).
Relevant when:
- Summarizing the author's academic background, IoT firmware fuzzing expertise, or the lineage that leads to FIRM-COV / IoTFirmFuzz / the patents.
- Producing portfolio or report content about graduate research.
Do not read full document unless:
- You need exact evaluation numbers, the PSO probability formulas, or per-firmware figures — use the source extract instead: [[../../sources/academic/thesis-extract.md]].
Linked documents:
- [[../concepts/iot-firmware-fuzzing.md]] (iot-firmware-fuzzing) — Open question: file may not exist yet.
- [[../concepts/firm-cov.md]] (firm-cov) — Open question: file may not exist yet.
- [[../concepts/iotfirmfuzz.md]] (iotfirmfuzz) — Open question: file may not exist yet.
- [[../../sources/academic/thesis-extract.md]] — faithful section-by-section extraction of the thesis.
- Primary source PDF:
/Users/khw/Google Drive/내 드라이브/세종대학원/성과/석사학위논문_김현욱_최종본.pdf
Open Questions
- Publication / defense venue beyond the degree submission date — Needs confirmation (thesis itself only states December 2020 submission).
- Whether the DIR-825 Rev.B 2.10B02 0-day received a CVE / EDB-ID — Needs confirmation (thesis only says "unknown vulnerability" was found).
- Romanization of advisor name 윤주범 as "Joobeom Yun" is an Assumption based on common publication spelling; the thesis prints only the Korean name.
- The exact identifiers of the 7 evaluation firmware images carry CVE/EDB IDs in Table 3 but the OCR-style extraction split some digits; see thesis-extract for the as-printed values and treat fine-grained IDs as Needs confirmation.
Details
Bibliographic facts (verified from the PDF)
- KR title: 결합된 에뮬레이션을 이용한 임베디드 시스템의 효율적인 커버리지 가이드 퍼징 연구
- EN title: Research on Efficient Coverage-Guided Fuzzing for Embedded System Using Combined Emulation
- Author: 김현욱 (Kim Hyun-wook)
- Institution: 세종대학교대학원 정보보호학과 (Sejong University Graduate School, Department of Computer and Information Security)
- Degree: Master of Information Security
- Date: 2020년 12월 (December 2020)
- Advisor (지도교수): 윤주범
- Examination committee: 심사위원장 박기웅, 심사위원 김영갑, 심사위원 윤주범
Problem
- IoT / embedded devices proliferate and hold personal data; manual vulnerability analysis across heterogeneous devices is infeasible, so automated fuzzing is needed.
- Prior emulation-focused embedded fuzzing (notably Firm-AFL, USENIX ATC 2019) optimized emulation compatibility, throughput, and speed — but did NOT improve the fuzzing logic itself. As a result:
- The fuzzer explores only a narrow set of paths (low code coverage), missing deep bugs. - The mutation-operator selection scheduler tends to pick only a few operators. - Because effective operators differ per program/seed but selection is random, results vary widely run-to-run and crash discovery is lower than with well-chosen operators.
Proposed approach — EF-Fuzz
EF-Fuzz keeps Firm-AFL's combined emulation and strengthens the AFL mutation-based seed-generation scheduler with two mechanisms:
- Efficient Energy Allocation Scheduler
- Standard greybox energy allocation grew exponentially (Cut-off Exponential, CoE [ref 31]), so a selected seed spends most time in mutation Stage 1 (6 operators), rarely reaching Stage 2. - EF-Fuzz proposes an extended CoE that allocates LESS energy, inversely proportional to the number of newly generated seeds, so the fuzzer spends little time in Stage 1, quickly enters Stage 2, picks more diverse operators, and explores more queued seeds/paths.
- Optimized Mutator Scheduler (customized PSO)
- Goal: pick the best mutation operator per program/seed at runtime instead of random Stage-2 selection. - Based on the PSO (Particle Swarm Optimization) algorithm of James Kennedy & Russell C. Eberhart, adapted to fuzzing. - Each Stage-2 operator is a particle; the set is a Local Swarm (LS); the best particle is the Local Best Particle (LBP); per-seed bests aggregate into a Global Swarm (GS) whose best is the Global Best Particle (GBP). - Operators are scored by how many new blocks/crashes their generated seeds produced for a fixed energy E; probabilities are normalized and updated in real time, raising the priority of effective operators.
- Optimized Mutator Scheduler Timer ('L' option)
- At long runtimes even the extended CoE energy grows large, so a selected seed gets stuck cycling Stage 1's 6 operators and rarely meets the optimal operator. - A timer parameter L <minutes> (e.g. L 10) forces a jump to Stage 2 if no new path is found within the time budget in Stage 1.
System architecture
- Built on Firm-AFL's combined emulation:
- Full-system mode QEMU virtualizes the whole firmware environment (compatibility: handles device-specific system calls). - User-mode QEMU runs only the target process (speed/throughput). - The two modes exchange memory snapshots: full-system handles the unusual system calls, user-mode runs fast; the 6-step combine-emulation loop (steps 3–6 repeat) gives both high throughput and high compatibility.
- On top of the fuzzer, EF-Fuzz inserts the Efficient Energy Allocation Scheduler and the PSO-based Optimized Mutator Scheduler (with the Stage-2 timer). Figure 8 in the thesis is the overall EF-Fuzz structure.
Key contributions (as claimed by the thesis)
- First (per the thesis's framing) to bring high code coverage into embedded firmware fuzzing by reforming the mutation process, rather than only optimizing emulation.
- Two reusable scheduler techniques: efficient energy allocation (extended CoE) and PSO-based optimal mutation-operator selection, plus a Stage-2 entry timer.
- Empirical demonstration that these raise both coverage and crash counts over Firm-AFL/AFLfast/AFLgo, and discovery of a real 0-day.
Evaluation setup
- Host: CPU Intel i5-6400 @ 2.7 GHz, 8.0 GB RAM, Ubuntu 16.04.
- Compared fuzzers: EF-Fuzz vs Firm-AFL vs AFLfast vs AFLgo.
- Feature matrix (Table 2): all are mutation-based; AFLfast and EF-Fuzz have the Efficient Energy Allocation Scheduler; only EF-Fuzz has the Optimized Mutator Scheduler; only AFLgo does specific-path-concentration fuzzing.
- Targets: 7 real firmware images (Table 3), e.g. DAP-2695 (httpd), DIR-817LW (hnap), DIR-850L (hnap), TV-IP110WN camera (network.cgi), DIR-815 (hedwig.cgi), TEW-632BRP (miniupnpd), WR940N (httpd). Exact CVE/EDB IDs: see source extract; treat as Needs confirmation due to extraction noise.
- Protocol: each firmware process measured every 4 hours; each firmware run for 24 hours, 10 repetitions, results averaged. Metrics: Total Paths (paths found) and "new edges on" (constraints solved to enter blocks) for coverage; crash counts for crash evaluation.
Results (real numbers from the thesis)
- Coverage: the two top fuzzers were AFLfast and EF-Fuzz (both use Efficient Energy Allocation), ~2–3x ahead of the bottom two; among the top two, EF-Fuzz beat AFLfast because of the Optimized Mutator Scheduler.
- Largest coverage gap: on TV-IP110WN, EF-Fuzz explored ~6.4x more paths than the worst fuzzer (AFLgo), and ~4.1x more than Firm-AFL.
- Smallest coverage gap: on DIR-815, EF-Fuzz explored ~2.5x more paths than the comparison.
- Crashes: EF-Fuzz was top on every firmware; the bottom fuzzer varied per target. Largest crash gap: DIR-817 (LW), ~2.2x more than Firm-AFL. Smallest crash gap: DIR-815, ~0.8x vs AFLfast. (The 0.8x value is as printed in the thesis.)
- Per Table 3, EF-Fuzz reached "on (%)" coverage figures in the mid/high-90s (e.g. ~94–98%) vs Firm-AFL's ~12–24% on the same targets — see thesis-extract for the full table.
- 0-day: continued experiments beyond the 7 targets found an unknown (0-day) vulnerability in DIR-825 Rev.B 2.10B02.
Relation to FIRM-COV / IoTFirmFuzz / Firm-AFL
- Firm-AFL (Zheng et al., USENIX ATC 2019) is the direct base: EF-Fuzz reuses its combined / augmented process emulation and inherits its throughput and speed, adding coverage-oriented scheduler logic.
- This thesis (2020) sits in the same line of IoT firmware greybox fuzzing as FIRM-COV ("High-Coverage Greybox Fuzzing for IoT Firmware via Optimized Process Emulation") — both target high coverage on emulated firmware; the precise authorship/overlap between this thesis and the FIRM-COV paper is an Open question (see [[../concepts/firm-cov.md]]).
- The thesis's stated future work (combining symbolic execution with the fuzzer) matches the 2020–2021 research-note direction toward hybrid fuzzing (P2IM) recorded in the graduate research summaries. See [[../concepts/iot-firmware-fuzzing.md]] and [[../concepts/iotfirmfuzz.md]] for how IoTFirmFuzz fits.