Stop Starving or Stuffing Me: Boosting Firmware Fuzzing Efficiency with On-demand Input Delivery
Proceedings of the 47th IEEE Symposium on Security and Privacy (S&P) 2026.
DOI: 10.1109/SP63933.2026.00155
Areas: Security, Cyber-Physical Systems, Software Testing

Abstract
Firmware fuzzing has gained attention for its ability to identify firmware bugs. While progress has been made in firmware emulation to support fuzzing, current approaches often directly integrate fuzzing tools built for general software. However, unlike general software, which receives input when it encounters I/O functions, firmware can receive input asynchronously and independently of its execution, with uncertain timing and quantity. Without full awareness of the firmware's expectations, existing solutions often imprudently deliver fuzzer-generated input to the firmware in an ad-hoc way. This either overwhelms the firmware's processing function (i.e., the stuffing problem) or fails to deliver enough input data to trigger the input processing functions (i.e., the starving problem). In both cases, fuzzing capability is weakened.
In this paper, we comprehensively investigate the input delivery issue, a unique and less studied aspect of firmware fuzzing. To accurately determine the optimal timing and quantity for delivering test cases, we leverage the fact that firmware has to check input availability before using any data. We therefore employ static and dynamic analysis to map each input processing route into three stages: input retrieval, availability check, and processing. This recovered semantic information allows the fuzzer to deliver input precisely at the availability check points and within the expected length range. Since firmware may have multiple input routes, we also optimize the scheduling algorithm to reach more diverse routes. Our prototype, named FIDO, can serve as an add-on to existing firmware fuzzers to improve their test-case delivery. Compared to the ad-hoc input delivery methods used in Fuzzware and MULTIFUZZ, FIDO increases their median code coverage by up to 115% and 54%, respectively. Compared to SEmu, which requires a human to manually specify input delivery points, FIDO still improves coverage by up to 19%. As a result of the improved input delivery strategy, FIDO discovers known bugs significantly faster and also identifies five previously unknown bugs.
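The starving/stuffing/on-demand contrast from the abstract, as an added C model that is not FIDO's code: an emulated firmware loop whose input route has the three stages (retrieval, availability check, processing) is driven by three delivery policies over one constructed 32-byte test case. The FIFO depth, frame length, tick budget and all function names are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RX_CAP    8   /* emulated peripheral FIFO depth (constructed value) */
#define FRAME_LEN 4   /* frame length the firmware's availability check waits for */
#define TC_LEN    32  /* length of the constructed fuzzer test case */

typedef struct { uint8_t fifo[RX_CAP]; size_t count, dropped, processed; } rx_dev_t;
/* Stage 1: input retrieval (models an MMIO read of the FIFO level register). */
static size_t rx_available(const rx_dev_t *d) { return d->count; }
/* Stage 3: input processing; consumes one complete frame from the FIFO. */
static void process_frame(rx_dev_t *d) {
    d->count -= FRAME_LEN;
    memmove(d->fifo, d->fifo + FRAME_LEN, d->count);
    d->processed++;
}
/* One firmware main-loop iteration: retrieval -> availability check -> processing. */
static void firmware_tick(rx_dev_t *d) {
    if (rx_available(d) >= FRAME_LEN)   /* Stage 2: availability check */
        process_frame(d);
}
/* Fuzzer-side delivery into the FIFO; bytes beyond its capacity are lost. */
static void deliver(rx_dev_t *d, const uint8_t *src, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (d->count < RX_CAP) d->fifo[d->count++] = src[i]; else d->dropped++;
}
typedef enum { STARVE, STUFF, ON_DEMAND } policy_t;
/* Runs `ticks` firmware iterations under one delivery policy over the same
 * test case; returns frames processed and reports bytes dropped via *dropped. */
size_t run_policy(policy_t p, size_t ticks, size_t *dropped) {
    uint8_t tc[TC_LEN];
    for (size_t i = 0; i < TC_LEN; i++) tc[i] = (uint8_t)i;   /* constructed test case */
    rx_dev_t d = {0}; size_t pos = 0;
    for (size_t t = 0; t < ticks; t++) {
        size_t n, avail = rx_available(&d);
        if (p == STARVE)     n = 1;                              /* one byte per iteration */
        else if (p == STUFF) n = (t == 0) ? TC_LEN : 0;          /* whole test case at once */
        else n = (avail < FRAME_LEN) ? FRAME_LEN - avail : 0;    /* top up to the expected length */
        if (n > TC_LEN - pos) n = TC_LEN - pos;
        deliver(&d, tc + pos, n);
        pos += n;
        firmware_tick(&d);
    }
    if (dropped) *dropped = d.dropped;
    return d.processed;
}
/* Convenience wrapper: bytes the FIFO lost under a policy within `ticks` iterations. */
size_t dropped_bytes(policy_t p, size_t ticks) { size_t d; run_policy(p, ticks, &d); return d; }
```

Within an eight-iteration budget, STARVE reaches the processing function twice, STUFF also reaches it only twice while losing 24 of the 32 bytes, and ON_DEMAND reaches it eight times with nothing lost.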