𝜇AFL: Non-intrusive Feedback-driven Fuzzing for Microcontroller Firmware

Wenqiang Li, Jiameng Shi, Fengjun Li, Jingqiang Lin, Wei Wang, Le Guan

  • Read: 13 Jun 2025
  • Published: 05 July 2022

ICSE ‘22: Proceedings of the 44th International Conference on Software Engineering, Pages 1 - 12

https://doi.org/10.1145/3510003.3510208


Q&A

What are the motivations for this work?

  • See Introduction.
  • Existing firmware security testing approaches have limitations when applied to embedded (MCU) firmware; see Table 1.

What is the proposed solution?

  • See Introduction, Section 2.
  • Use ARM ETM (Embedded Trace Macrocell) to collect coverage feedback non-intrusively, i.e. without instrumenting the firmware.
  • ETM is a hardware instruction-trace feature of ARM cores. A dedicated on-chip component emits a stream of control-flow packets; a decoder on the host reconstructs the unique execution path by matching that control-flow data against the disassembled machine code.
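The following is an added example (not code from the paper or from 𝜇AFL) that models the host-side half of that design: a decoder replays constructed branch-outcome packets against a constructed "disassembly" to recover the path, then hashes consecutive block addresses into an AFL-style edge map. The packet shapes ("E"/"N" atoms, address packets for indirect branches) are a simplification of ETM's real encoding, and the program, addresses and trace are all made up for illustration.

```python
# Constructed "disassembled" firmware: address -> (kind, operand).
# 'op' straight-line, 'b' unconditional, 'bc' conditional, 'bx' indirect, 'ret' end.
PROGRAM = {
    0x1000: ("op", None),
    0x1002: ("bc", 0x1010),   # taken -> 0x1010, not taken -> 0x1004
    0x1004: ("op", None),
    0x1006: ("b", 0x1020),
    0x1010: ("op", None),
    0x1012: ("bx", None),     # target only known from the trace (address packet)
    0x1020: ("ret", None),
}

def next_addr(addr):
    return addr + 2  # assume 16-bit Thumb encodings for simplicity (constructed)

def reconstruct_path(entry, packets):
    """Walk PROGRAM from entry, consuming one trace packet per branch decision.
    Returns the list of basic-block entry addresses that were executed."""
    path, pc, it = [entry], entry, iter(packets)
    while True:
        kind, target = PROGRAM[pc]
        if kind == "ret":
            return path
        if kind == "op":
            pc = next_addr(pc)
            continue
        try:
            if kind == "b":
                pc = target                      # direct: no packet needed
            elif kind == "bc":
                pc = target if next(it) == "E" else next_addr(pc)  # atom E/N
            else:                                # 'bx': explicit address packet
                pkt = next(it)
                if pkt[0] != "A":
                    raise ValueError("expected address packet, got %r" % (pkt,))
                pc = pkt[1]
        except StopIteration:
            raise ValueError("trace ended before branch at 0x%x was resolved" % pc)
        path.append(pc)

def edge_coverage(path, map_size=65536):
    """AFL-style edge counting: index = cur_loc ^ (prev_loc >> 1)."""
    cov, prev = {}, 0
    for pc in path:
        cur = pc & (map_size - 1)
        cov[cur ^ prev] = cov.get(cur ^ prev, 0) + 1
        prev = cur >> 1
    return cov

def new_edges(seen, cov):
    """Edges in cov that the fuzzer has not observed before (the 'interesting' signal)."""
    return set(cov) - set(seen)
```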

What is the work’s evaluation of the proposed solution?

See Section 4.

  • Implemented a prototype of 𝜇AFL on top of AFL 2.56 by adding ~2,000 lines of C code on the PC side.
  • Used the SEGGER J-Trace Pro debug dongle to handle the communication between the host PC and the target ARM Cortex-M evaluation boards.
  • Experiments were run on the NXP TWR-K64F120M and STM32H7B3I-EVAL boards, using the sample code provided in the NXP SDK and the STM32 SDK.

What is your analysis of the identified problem, idea and evaluation?

NONE

What are the contributions?

  • See Introduction.
  • 𝜇AFL, the first fuzzing tool that is applicable to the driver code of MCU firmware.
  • Some bugs were detected.

What are future directions for this research?

NONE

What questions are you left with?

NONE

What is your take-away message from this paper?

NONE
