Binary firmware fuzzing has garnered attention in recent years. Compared to source-code-based approaches, binary approaches require less semantic information and are therefore more applicable. This is particularly relevant in firmware analysis, as most firmware vendors distribute only binaries, withholding source code due to proprietary concerns.
Pivoting away from the traditional hardware-in-the-loop (HiL) methodology, researchers are exploring more efficient ways to engage real hardware for fuzzing. However, existing approaches have inherent drawbacks, such as reliance on high-end hardware features, inability to recover complete coverage, and slow execution speeds. We propose DRIFT, a novel approach for on-device binary firmware testing that follows the semihosting methodology. DRIFT addresses all the aforementioned drawbacks. Instead of relying on high-end hardware tracing units or debug probes, DRIFT leverages the Debug Monitor—a CPU feature widely available in nearly all ARM Cortex-M chips. Additionally, DRIFT delivers compact and complete coverage feedback for fuzzing. DRIFT achieves this by employing lightweight static analysis of the firmware. The pre-knowledge gained from this analysis is directly embedded into the binary, enabling the firmware to trace itself. This self-tracing approach minimizes interference from the workstation, significantly boosting fuzzing performance.
We designed DRIFT to be highly flexible, accommodating a number of hardware resource limitations. When applied to new firmware, DRIFT discovered three previously unknown bugs that were not identified by existing binary fuzzing techniques. Furthermore, DRIFT outperforms all state-of-the-art binary firmware fuzzers in terms of speed and fidelity, trailing only SHiFT, an approach that requires source code.