Bare-Metal Firmware Fuzzing: A Survey of Techniques and Approaches

  • Asmita Asmita
  • Ryan Tsang
  • Sujan Ghimire
  • Soheil Salehi
  • Houman Homayoun
  • University of California at Davis
  • University of Arizona

Research output: Contribution to journal › Article › peer-review

4 Scopus citations

Abstract

Firmware attacks are increasingly prevalent, often serving as low-hanging fruit for attackers due to the challenges of firmware security analysis. The complexity of hardware systems, platform diversity, peripheral interactions, and asynchronous events make thorough security analysis of embedded firmware particularly difficult. Despite these challenges, significant research has been dedicated to advancing dynamic analysis techniques, such as fuzzing, to improve firmware security. Existing research approaches these issues with varying methods and emphases. This survey paper examines the implementation of existing firmware fuzzing techniques, providing an overview of their emulation strategies and fuzzing methodologies. It also reviews several existing fuzzers and the application of large language models (LLMs) in fuzzing generic software. Our survey focuses specifically on frameworks for fuzzing embedded bare-metal/monolithic firmware. Our analysis highlights that most existing research has focused primarily on firmware emulation, rehosting, and back-end instrumentation to facilitate fuzzing, often relying on direct integration with existing fuzzers. However, the broader exploration of various fuzzing techniques, such as input generation, mutation, feedback, and scheduling strategies, widely used in generic software remains limited for embedded firmware. Recent efforts have started to address these aspects, with emerging work exploring fuzzing techniques beyond simple fuzzer integration. Furthermore, the application of LLMs presents a promising direction for further investigation. This survey provides a comprehensive overview of the past, present, and future landscape of bare-metal firmware fuzzing.

Original language: English
Pages (from-to): 98253-98277
Number of pages: 25
Journal: IEEE Access
Volume: 13
DOIs
State: Published - 2025

Keywords

  • Bare-metal firmware
  • embedded firmware security
  • emulator
  • fuzzing
  • large language models (LLMs)
  • rehosting
  • software security
