STAFF: Stateful Taint-Assisted Full-system Firmware Fuzzing / Izzillo, A., Lazzeretti, R., Coppa, E. - In: COMPUTERS & SECURITY. - ISSN 0167-4048. - 170 (2026). [DOI: 10.1016/j.cose.2026.105003]
STAFF: Stateful Taint-Assisted Full-system Firmware Fuzzing
Izzillo, Alessio; Lazzeretti, Riccardo; Coppa, Emilio
2026
Abstract
Modern embedded Linux devices, such as routers, IP cameras, and IoT gateways, rely on complex software stacks where numerous daemons interact to provide services. Testing these devices is crucial from a security perspective since vendors often use custom closed- or open-source software without documenting releases and patches. Recent coverage-guided fuzzing solutions primarily test individual processes, ignoring deep dependencies between daemons and their persistent internal state. This article presents STAFF, a firmware fuzzing framework for discovering bugs in Linux-based MIPS firmware with HTTP-managed workflows, built around three key ideas: (a) user-driven multi-request recording, which monitors HTTP user interactions with emulated firmware to capture request sequences; (b) intra- and inter-process dependency detection, which uses whole-system taint analysis to track how input bytes influence user-space states, including CPU registers, memory accesses, IPC channels, and filesystem operations; (c) protocol-aware taint-guided fuzzing, which applies mutations to request sequences based on identified dependencies, exploiting multi-staged forkservers to efficiently checkpoint protocol states. When evaluating STAFF on 15 Linux-based MIPS firmware targets, it identifies 42 crashes in 9 firmware images, involving multiple network requests and different firmware daemons. Through systematic crash triage, these crashes consolidate into 20 previously unknown bugs submitted for disclosure (9 discovered exclusively by STAFF) and 4 previously disclosed CVEs (2 found only by STAFF), significantly outperforming the considered full-system multi-process baseline firmware fuzzing solutions in both the number and reproducibility of discovered crashes.

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.