Microcontroller Unit (MCU)-based devices constitute a critical layer of the Internet of Things (IoT) infrastructure, so ensuring their security is of paramount importance. Rehosting-based dynamic MCU firmware analysis is an effective approach to securing these devices. However, existing rehosting frameworks commonly suffer from substantial performance overhead due to emulation or diminished execution scope.

To address these limitations, we propose Khost, a near-native, scope-preserving rehosting framework. It extends the KVM by introducing a lightweight extended CPU, an auxiliary page table, and a software-based interrupt controller, enabling MCU firmware to be rehosted on high-performance platforms with minimum overhead. It also provides a memory-mapped I/O (MMIO) monitor for quick peripheral interactions and a wrapper for firmware to enable coverage collection and configure the existing fuzzing engines flexibly. Evaluations on two standard benchmarks show that Khost reduces overhead by 90.0% to 95.5% for complex computational tasks and by up to 98.5% for MCU system-level operations, compared to QEMU. Furthermore, fuzzing on 12 real-world firmware with Khost achieves up to 197.5× higher throughput and improves basic block coverage by 6x compared to existing fuzzing tools. Additionally, Khost successfully uncovers 5 previously unknown bugs.

Static taint analysis has become a fundamental technique to detect vulnerabilities implied in web services of Linux-based firmware. However, existing works commonly oversimplify the composition of firmware web services. Specifically, only C binaries (i.e., those extracted from the target firmware) are considered within the scope of vulnerability detection. In this work, we observe that modern firmware extensively combines Lua scripts/bytecode and C binaries to implement hybrid web services, and obviously, those C-binary-oriented vulnerability detection techniques can hardly achieve satisfactory performance. In light of this, we propose FirmCross, an automated taint-style vulnerability detector dedicated for C-Lua hybrid web services. Compared to existing detectors, FirmCross can automatically de-obfuscate the Lua bytecode in target firmware, additionally identify distinctive taint sources in Lua codespace, and systematically capture the C-Lua cross-language taint flow. In the evaluation, FirmCross detects 6.82X ~ 14.5X more vulnerabilities than SoTA approaches (i.e., MangoDFA and LuaTaint) in a dataset containing 73 firmware images from 11 vendors. Notably, FirmCross helps identify 610 0-day vulnerabilities among target firmware images. After reporting these vulnerabilities to vendors, till now, 31 vulnerability IDs have been assigned.

To date, grey-box fuzzing has become an essential technique to detect vulnerabilities implied in Linux-based firmware. However, existing fuzzing approaches commonly encounter three overlooked obstacles stemming from firmware service characteristics, which largely hinder the effectiveness and efficiency of vulnerability identification. Firstly, the multi-process nature of firmware services is oversimplified during both the emulation and the fuzzing procedures, limiting the scope of firmware testing. Furthermore, firmware services usually incorporate customized service protocols, which feature rich and stringent semantic constraints, causing unique challenges for input generation. To address these obstacles, this paper proposes a service-aware grey-box fuzzing tool HouseFuzz. During the firmware emulation, HouseFuzz carefully traverses the system initialization procedure for identifying those network-facing and daemon processes overlooked by existing approaches. After that, during the fuzzing procedure, HouseFuzz features a multi-process fuzzing framework, enabling the comprehensive inspection of firmware services activated via multiple processes. Furthermore, HouseFuzz leverages both offline and online firmware service analysis to capture the token-level semantic constraints of customized service protocols, based on which HouseFuzz can effectively generate high-quality test cases. In evaluation, compared to SoTA grey-box firmware fuzzing approaches, HouseFuzz identified 76% more network services, achieved 33.4% more code coverage, and detected 175% more 0-day vulnerabilities on the same firmware dataset.

IoT firmware faces severe threats to security vulnerabilities. As an important method to detect vulnerabilities, recurring vulnerability detection has not been systematically studied in IoT firmware. In fact, existing methods would meet significant challenges from two aspects. First, firmware vulnerabilities are usually reported in texts without too much code-level information, e.g., security patches. Second, firmware images are released as binaries, making the analysis of known vulnerabilities and the detection of unknown vulnerabilities quite difficult.

This paper presents FirmRec, the first recurring vulnerability detection approach for IoT firmware. FirmRec features several new techniques to enable accurate and efficient vulnerability detection. First, it proposes a new exploitation-based vulnerability signature representation for firmware, which does not use syntactic code features but the semantic features along the dynamic vulnerability exploitation procedure (thus is more resilient to binary code changes and fits the context of binary-only firmware). Second, given a vulnerability report, it designs concolic execution-based vulnerability signature extraction to understand the vulnerability exploitation procedure and generate an exploitation-based vulnerability signature. Third, based on known vulnerability signatures, it employs a two-stage pipeline to accurately and efficiently detect recurring vulnerabilities.