{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,2]],"date-time":"2026-03-02T12:50:28Z","timestamp":1772455828531,"version":"3.50.1"},"reference-count":143,"publisher":"Institute of Electrical and Electronics Engineers (IEEE)","license":[{"start":{"date-parts":[[2025,1,1]],"date-time":"2025-01-01T00:00:00Z","timestamp":1735689600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/legalcode"},{"start":{"date-parts":[[2025,1,1]],"date-time":"2025-01-01T00:00:00Z","timestamp":1735689600000},"content-version":"am","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/legalcode"}],"funder":[{"DOI":"10.13039\/100001273","name":"Noyce Foundation and NSF","doi-asserted-by":"publisher","award":["1916741"],"award-info":[{"award-number":["1916741"]}],"id":[{"id":"10.13039\/100001273","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IEEE Access"],"published-print":{"date-parts":[[2025]]},"DOI":"10.1109\/access.2025.3575691","type":"journal-article","created":{"date-parts":[[2025,6,2]],"date-time":"2025-06-02T18:02:32Z","timestamp":1748887352000},"page":"98253-98277","source":"Crossref","is-referenced-by-count":2,"title":["Bare-Metal Firmware Fuzzing: A Survey of Techniques and Approaches"],"prefix":"10.1109","volume":"13","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-5626-1985","authenticated-orcid":false,"given":"Asmita","family":"Asmita","sequence":"first","affiliation":[{"name":"Electrical and Computer Engineering Department, University of California at Davis, Davis, CA, USA"}]},{"ORCID":"https:\/\/orcid.org\/0009-0006-8382-0099","authenticated-orcid":false,"given":"Ryan","family":"Tsang","sequence":"additional","affiliation":[{"name":"Electrical and Computer Engineering Department, University of California at Davis, Davis, CA, USA"}]},{"ORCID":"https:\/\/orcid.org\/0009-0009-1331-0706","authenticated-orcid":false,"given":"Sujan","family":"Ghimire","sequence":"additional","affiliation":[{"name":"Electrical and Computer Engineering Department, The University of Arizona, Tucson, AZ, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-5998-8795","authenticated-orcid":false,"given":"Soheil","family":"Salehi","sequence":"additional","affiliation":[{"name":"Electrical and Computer Engineering Department, The University of Arizona, Tucson, AZ, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-8904-4699","authenticated-orcid":false,"given":"Houman","family":"Homayoun","sequence":"additional","affiliation":[{"name":"Electrical and Computer Engineering Department, University of California at Davis, Davis, CA, USA"}]}],"member":"263","reference":[{"key":"ref1","volume-title":"5 CVEs Found With Feedback-Based Fuzzing","author":"Reimer","year":"2025"},{"key":"ref2","volume-title":"OSS Fuzz","year":"2025"},{"key":"ref3","doi-asserted-by":"crossref","DOI":"10.14722\/ndss.2018.23166","article-title":"What you corrupt is not what you crash: Challenges in fuzzing embedded devices","volume-title":"Proc. Netw. Distrib. Syst. Secur. Symp.","author":"Muench"},{"key":"ref4","article-title":"Forming faster firmware fuzzers","volume-title":"Proc. USENIX","author":"Seidel"},{"key":"ref5","first-page":"1237","article-title":"P2IM: Scalable and hardware-independent firmware testing via automatic peripheral interface modeling","volume-title":"Proc. 29th USENIX Secur. Symp.","author":"Feng"},{"key":"ref6","first-page":"1201","article-title":"HALucinator: Firmware re-hosting through abstraction layer emulation","volume-title":"Proc. 29th USENIX Conf. Secur. Symp.","author":"Clements"},{"key":"ref7","first-page":"2007","article-title":"Automatic firmware emulation through invalidity-guided knowledge inference","volume-title":"Proc. 30th USENIX Secur. Symp.","author":"Zhou"},{"key":"ref8","first-page":"321","article-title":"Jetset: Targeted firmware rehosting for embedded systems","volume-title":"Proc. 30th USENIX Secur. Symp.","author":"Johnson"},{"key":"ref9","first-page":"5359","article-title":"MultiFuzz: A multi-stream fuzzer for testing monolithic firmware","volume-title":"Proc. 33rd USENIX Secur. Symp.","author":"Chesser"},{"key":"ref10","article-title":"Hoedur: Embedded firmware fuzzing using multi-stream inputs","volume-title":"Proc. 32nd USENIX Conf. Secur. Symp.","author":"Scharnowski"},{"key":"ref11","volume-title":"Amnesia:33","author":"dos Santos","year":"2025"},{"key":"ref12","volume-title":"Ripple 20:19 Zero-Day Vulnerabilities Amplified by the Supply Chain","year":"2020"},{"key":"ref13","first-page":"911","article-title":"SweynTooth: Unleashing mayhem over Bluetooth low energy","volume-title":"Proc. USENIX Annu. Tech. Conf.","author":"Garbelini"},{"key":"ref14","doi-asserted-by":"publisher","DOI":"10.5555\/3241189.3241275"},{"key":"ref15","volume-title":"Ghidra Github Repository","year":"2023"},{"key":"ref16","volume-title":"A Powerful Disassembler and a Versatile Debugger","year":"2025"},{"key":"ref17","volume-title":"A Free\/Libre Toolchain for Easing Several Low Level Tasks","year":"2025"},{"key":"ref18","volume-title":"Binary Ninja","author":"Bednarz","year":"2025"},{"key":"ref19","first-page":"1239","article-title":"Fuzzware: Using precise MMIO modeling for effective firmware fuzzing","volume-title":"Proc. 31st USENIX Secur. Symp.","author":"Scharnowski"},{"key":"ref20","doi-asserted-by":"crossref","DOI":"10.14722\/bar.2018.23017","article-title":"avatar2: A multi-target orchestration platform","volume-title":"Proc. Workshop Binary Anal. Res.","author":"Muench"},{"key":"ref21","doi-asserted-by":"publisher","DOI":"10.1145\/3427228.3427280"},{"key":"ref22","doi-asserted-by":"publisher","DOI":"10.1145\/2843859.2843867"},{"key":"ref23","doi-asserted-by":"crossref","DOI":"10.14722\/ndss.2022.23136","article-title":"FirmWire: Transparent dynamic analysis for cellular baseband firmware","volume-title":"Proc. Netw. Distrib. Syst. Secur. Symp.","author":"Hernandez"},{"key":"ref24","doi-asserted-by":"crossref","DOI":"10.14722\/ndss.2016.23415","article-title":"Towards automated dynamic analysis for linux-based embedded firmware","volume-title":"Proc. Netw. Distrib. Syst. Secur. Symp.","author":"Chen"},{"key":"ref25","doi-asserted-by":"publisher","DOI":"10.1186\/s42400-018-0002-y"},{"key":"ref26","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2019.2946563"},{"key":"ref27","doi-asserted-by":"publisher","DOI":"10.1145\/3457913.3457934"},{"key":"ref28","volume-title":"Embedded Software Fuzzing: A Survey","author":"Yu","year":"2025"},{"key":"ref29","doi-asserted-by":"publisher","DOI":"10.1145\/3512345"},{"key":"ref30","doi-asserted-by":"publisher","DOI":"10.1186\/s42400-022-00123-y"},{"key":"ref31","doi-asserted-by":"publisher","DOI":"10.1145\/3538644"},{"key":"ref32","doi-asserted-by":"publisher","DOI":"10.1007\/978-981-96-0401-2_18"},{"key":"ref33","doi-asserted-by":"publisher","DOI":"10.1145\/3623375"},{"key":"ref34","doi-asserted-by":"crossref","DOI":"10.14722\/ndss.2017.23404","article-title":"VUzzer: Application-aware evolutionary fuzzing","volume-title":"Proc. Netw. Distrib. Syst. Secur. Symp.","author":"Rawat"},{"key":"ref35","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.23"},{"key":"ref36","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978428"},{"key":"ref37","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134020"},{"key":"ref38","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2016.23368"},{"key":"ref39","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2010.37"},{"key":"ref40","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2019.2941681"},{"key":"ref41","doi-asserted-by":"publisher","DOI":"10.1145\/2090147.2094081"},{"key":"ref42","volume-title":"Syzkaller","year":"2025"},{"key":"ref43","volume-title":"TriforceAFL","author":"Hertz","year":"2025"},{"key":"ref44","first-page":"167","article-title":"KAFL: Hardware-assisted feedback fuzzing for OS kernels","volume-title":"Proc. 26th USENIX Conf. Secur. Symp.","author":"Schumilo"},{"issue":"8","key":"ref45","first-page":"239","article-title":"AutoFuzz: Automated network protocol fuzzing framework","volume":"10","author":"Gorbunov","year":"2010","journal-title":"Int. J. Comput. Sci. Netw. Secur."},{"key":"ref46","doi-asserted-by":"publisher","DOI":"10.1007\/11836810_25"},{"key":"ref47","volume-title":"Radamsa","author":"Helin","year":"2025"},{"key":"ref48","volume-title":"Peach Fuzzer","author":"Eddington","year":"2025"},{"key":"ref49","volume-title":"American Fuzzy Lop\u2014A Security-oriented Fuzzer","author":"Zalewski","year":"2025"},{"key":"ref50","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2009.5070546"},{"key":"ref51","volume-title":"Sulley: Fuzzing Framework","author":"Amini","year":"2024"},{"key":"ref52","article-title":"An introduction to spike, the fuzzer creation kit","author":"Aitel","year":"2001"},{"key":"ref53","first-page":"543","article-title":"Model-based whitebox fuzzing for program binaries","volume-title":"Proc. 31st IEEE\/ACM Int. Conf. Automated Softw. Eng. (ASE)","author":"Pham"},{"key":"ref54","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23159"},{"key":"ref55","doi-asserted-by":"publisher","DOI":"10.1145\/3106237.3106295"},{"key":"ref56","doi-asserted-by":"publisher","DOI":"10.1145\/2110356.2110358"},{"key":"ref57","doi-asserted-by":"publisher","DOI":"10.1145\/2699026.2699098"},{"key":"ref58","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2019.00080"},{"key":"ref59","first-page":"463","article-title":"FIE on firmware: Finding vulnerabilities in embedded systems using symbolic execution","volume-title":"Proc. 22nd USENIX Secur. Symp.","author":"Davidson"},{"key":"ref60","first-page":"19","article-title":"Frankenstein: Advanced wireless fuzzing to exploit new Bluetooth escalation targets","volume-title":"Proc. 29th USENIX Secur. Symp.","author":"Ruge"},{"key":"ref61","article-title":"Learn&fuzz: Machine learning for input fuzzing","author":"Godefroid","year":"2017","journal-title":"arXiv:1701.07232"},{"key":"ref62","first-page":"1949","article-title":"MOPT: Optimized mutation scheduling for fuzzers","volume-title":"Proc. 28th USENIX Secur. Symp.","author":"Lyu"},{"key":"ref63","first-page":"1967","article-title":"EnFuzz: Ensemble fuzzing with seed synchronization among diverse fuzzers","volume-title":"Proc. 28th USENIX Secur. Symp.","author":"Chen"},{"key":"ref64","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2018.00046"},{"key":"ref65","first-page":"745","article-title":"QSYM: A practical concolic execution engine tailored for hybrid fuzzing","volume-title":"Proc. 27th USENIX Secur. Symp.","author":"Yun"},{"key":"ref66","doi-asserted-by":"publisher","DOI":"10.1145\/3238147.3238176"},{"key":"ref67","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243849"},{"key":"ref68","first-page":"2271","article-title":"FuzzGen: Automatic fuzzer generation","volume-title":"Proc. 29th USENIX Secur. Symp.","author":"Ispoglou"},{"key":"ref69","doi-asserted-by":"publisher","DOI":"10.1109\/ICST46399.2020.00062"},{"key":"ref70","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-61638-0_14"},{"key":"ref71","volume-title":"Dynamic Instrumentation Toolkit for Developers, Reverse-Engineers, and Security Researchers","author":"Ravn\u00e5s","year":"2025"},{"key":"ref72","doi-asserted-by":"publisher","DOI":"10.1145\/3375894.3375897"},{"key":"ref73","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2019.23176"},{"key":"ref74","doi-asserted-by":"publisher","DOI":"10.1145\/3460120.3484543"},{"key":"ref75","doi-asserted-by":"publisher","DOI":"10.1145\/3338507.3358616"},{"key":"ref76","first-page":"1099","article-title":"FIRM-AFL: High-throughput greybox fuzzing of IoT firmware via augmented process emulation","volume-title":"Proc. 28th USENIX Secur. Symp.","author":"Zheng"},{"key":"ref77","first-page":"425","article-title":"RVFuzzer: Finding input validation bugs in robotic vehicles through control-guided testing","volume-title":"Proc. 28th USENIX Secur. Symp.","author":"Kim"},{"key":"ref78","first-page":"291","article-title":"Charm: Facilitating dynamic analysis of device drivers of mobile systems","volume-title":"Proc. 27th USENIX Secur. Symp.","author":"Talebi"},{"key":"ref79","article-title":"NEMESYS: Network message syntax reverse engineering by analysis of the intrinsic structure of individual messages","volume-title":"Proc. 12th USENIX Workshop Offensive Technol. (WOOT)","author":"Kleber"},{"key":"ref80","first-page":"135","article-title":"Toward the analysis of embedded firmware through automated re-hosting","volume-title":"Proc. 22nd Int. Symp. Res. Attacks, Intrusions Defenses","author":"Gustafson"},{"key":"ref81","doi-asserted-by":"publisher","DOI":"10.1145\/3433210.3437532"},{"key":"ref82","first-page":"309","article-title":"Inception: System-wide security testing of real-world embedded systems software","volume-title":"Proc. 27th USENIX Secur. Symp.","author":"Corteggiani"},{"key":"ref83","first-page":"181","article-title":"Symbolic execution with SymCC: Don\u2019t interpret, compile!","volume-title":"Proc. 29th USENIX Conf. Secur. Symp.","author":"Poeplau"},{"key":"ref84","doi-asserted-by":"publisher","DOI":"10.1145\/3510003.3510208"},{"key":"ref85","first-page":"12","article-title":"AFL++: Combining incremental steps of fuzzing research","volume-title":"Proc. 14th USENIX Workshop Offensive Technol.","author":"Fioraldi"},{"key":"ref86","doi-asserted-by":"publisher","DOI":"10.1145\/3579856.3582840"},{"key":"ref87","doi-asserted-by":"publisher","DOI":"10.1145\/3548606.3560602"},{"key":"ref88","volume-title":"LLVM\u2014LibFuzzer","year":"2025"},{"key":"ref89","doi-asserted-by":"publisher","DOI":"10.1145\/3433210.3453093"},{"key":"ref90","first-page":"41","article-title":"QEMU, a fast and portable dynamic translator","volume-title":"Proc. Annu. Conf. USENIX Annu. Tech. Conf.","author":"Bellard"},{"key":"ref91","volume-title":"Unicorn: Next Generation CPU Emulator Framework","author":"Quynh"},{"key":"ref92","volume-title":"Renode","year":"2025"},{"key":"ref93","volume-title":"TLib","year":"2025"},{"key":"ref94","doi-asserted-by":"publisher","DOI":"10.1145\/800027.808444"},{"key":"ref95","doi-asserted-by":"publisher","DOI":"10.1145\/800027.808445"},{"key":"ref96","first-page":"209","article-title":"KLEE: Unassisted and automatic generation of high-coverage tests for complex systems programs","volume-title":"Proc. 8th USENIX Symp. Operating Syst. Design Implement. (OSDI)","author":"Cadar"},{"key":"ref97","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2015.50"},{"key":"ref98","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2012.31"},{"key":"ref99","first-page":"31","article-title":"Triton: A dynamic symbolic execution framework","volume-title":"Proc. Symp. sur la S\u00e9curit\u00e9 des Technologies de l\u2019Information et des Communications","author":"Saudel"},{"key":"ref100","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2016.17"},{"key":"ref101","first-page":"5573","article-title":"FFXE: Dynamic control flow graph recovery for embedded firmware binaries","volume-title":"Proc. 33rd USENIX Secur. Symp.","author":"Tsang"},{"key":"ref102","doi-asserted-by":"publisher","DOI":"10.1145\/3623278.3624759"},{"key":"ref103","doi-asserted-by":"publisher","DOI":"10.1109\/JIOT.2021.3056179"},{"key":"ref104","doi-asserted-by":"crossref","DOI":"10.21236\/ADA610472","article-title":"Probability-based parameter selection for black-box fuzz testing","author":"Householder","year":"2012"},{"key":"ref105","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243804"},{"key":"ref106","doi-asserted-by":"crossref","first-page":"118","DOI":"10.1016\/j.cose.2018.02.002","article-title":"A systematic review of fuzzing techniques","volume":"75","author":"Chen","year":"2018","journal-title":"Comput. Secur."},{"key":"ref107","first-page":"49","article-title":"Dowsing for overflows: A guided fuzzer to find buffer boundary violations","volume-title":"Proc. 22nd USENIX Secur. Symp.","author":"Haller"},{"key":"ref108","volume-title":"Honggfuzz","year":"2025"},{"key":"ref109","volume-title":"Clusterfuzz","year":"2025"},{"key":"ref110","doi-asserted-by":"publisher","DOI":"10.1145\/3395351.3399360"},{"key":"ref111","first-page":"24","article-title":"SMS of death: From analyzing to attacking mobile phones on a large scale","volume-title":"Proc. 20th USENIX Conf. Secur.","author":"Mulliner"},{"key":"ref112","doi-asserted-by":"publisher","DOI":"10.1109\/TCAD.2020.3013046"},{"key":"ref113","doi-asserted-by":"publisher","DOI":"10.1002\/cpe.5756"},{"key":"ref114","doi-asserted-by":"crossref","first-page":"101627","DOI":"10.1109\/ACCESS.2021.3097807","article-title":"FIRM-COV: High-coverage greybox fuzzing for IoT firmware via optimized process emulation","volume":"9","author":"Kim","year":"2021","journal-title":"IEEE Access"},{"key":"ref115","doi-asserted-by":"publisher","DOI":"10.1109\/HOST55342.2024.10545377"},{"key":"ref116","doi-asserted-by":"publisher","DOI":"10.1145\/3652032.3657568"},{"key":"ref117","first-page":"5323","article-title":"SHiFT: Semi-hosted fuzz testing for embedded applications","volume-title":"Proc. 33rd USENIX Secur. Symp.","author":"Mera"},{"key":"ref118","doi-asserted-by":"publisher","DOI":"10.1145\/3597926.3598115"},{"key":"ref119","doi-asserted-by":"publisher","DOI":"10.1109\/JIOT.2023.3303780"},{"key":"ref120","doi-asserted-by":"publisher","DOI":"10.1145\/3597926.3598039"},{"key":"ref121","volume-title":"Zeromq","year":"2025"},{"key":"ref122","volume-title":"AFL-Unicorn","year":"2023"},{"key":"ref123","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-78800-3_24"},{"key":"ref124","doi-asserted-by":"publisher","DOI":"10.1007\/978-1-4613-0303-9_33"},{"key":"ref125","volume-title":"Capstone\u2014The Ultimate Disassembler","year":"2025"},{"key":"ref126","volume-title":"Keystone\u2014The Ultimate Assembler","year":"2025"},{"key":"ref127","doi-asserted-by":"crossref","DOI":"10.14722\/ndss.2019.23371","article-title":"REDQUEEN: Fuzzing with input-to-state correspondence","volume-title":"Proc. Netw. Distrib. Syst. Secur. Symp.","author":"Aschermann"},{"key":"ref128","doi-asserted-by":"publisher","DOI":"10.1145\/3597926.3598067"},{"key":"ref129","article-title":"Large language models are edge-case fuzzers: Testing deep learning libraries via FuzzGPT","author":"Deng","year":"2023","journal-title":"arXiv:2304.02014"},{"key":"ref130","doi-asserted-by":"publisher","DOI":"10.1109\/APR59189.2023.00012"},{"key":"ref131","article-title":"Augmenting greybox fuzzing with generative AI","author":"Hu","year":"2023","journal-title":"arXiv:2306.06782"},{"key":"ref132","article-title":"Fuzz4All: Universal fuzzing with large language models","author":"Steven Xia","year":"2023","journal-title":"arXiv:2308.04748"},{"key":"ref133","first-page":"883","article-title":"Fuzzing BusyBox: Leveraging LLM and crash reuse for embedded bug unearthing","volume-title":"Proc. 33rd USENIX Secur. Symp.","author":"Oliinyk"},{"key":"ref134","doi-asserted-by":"publisher","DOI":"10.1109\/sp54263.2024.00211"},{"key":"ref135","doi-asserted-by":"publisher","DOI":"10.1109\/IOTSMS62296.2024.10710191"},{"key":"ref136","doi-asserted-by":"publisher","DOI":"10.1109\/JSEN.2023.3301517"},{"key":"ref137","doi-asserted-by":"publisher","DOI":"10.48550\/ARXIV.1706.03762"},{"key":"ref138","volume-title":"OpenAI,  API","year":"2024"},{"key":"ref139","doi-asserted-by":"publisher","DOI":"10.1145\/3448300.3468296"},{"key":"ref140","volume-title":"Quickstart Boofuzz 0.4.2 Documentation","year":"2025"},{"key":"ref141","doi-asserted-by":"publisher","DOI":"10.1145\/3548606.3560703"},{"key":"ref142","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2024.24556"},{"key":"ref143","volume-title":"AI-Powered Fuzzing: Breaking the Bug Hunting Barrier","author":"Liu","year":"2024"}],"container-title":["IEEE Access"],"original-title":[],"link":[{"URL":"https:\/\/ieeexplore.ieee.org\/ielam\/6287639\/10820123\/11020638-aam.pdf","content-type":"application\/pdf","content-version":"am","intended-application":"syndication"},{"URL":"http:\/\/xplorestaging.ieee.org\/ielx8\/6287639\/10820123\/11020638.pdf?arnumber=11020638","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,11]],"date-time":"2025-06-11T05:10:30Z","timestamp":1749618630000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/11020638\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025]]},"references-count":143,"URL":"https:\/\/doi.org\/10.1109\/access.2025.3575691","relation":{},"ISSN":["2169-3536"],"issn-type":[{"value":"2169-3536","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025]]}}}