🤖 AI Summary
Existing embedded software retargeting techniques rely heavily on high-fidelity hardware emulation, which limits scalability and dynamic analysis efficiency; empirical evidence further indicates that such fidelity is often unnecessary for exposing most vulnerabilities. This paper proposes a semantics-preserving cross-platform retargeting framework that decouples embedded applications (spanning four distinct RTOSes) from hardware dependencies and transforms them into native x86 Linux binaries. The transformation leverages system-call abstraction, RTOS API mapping, memory model adaptation, and lightweight interrupt simulation to enable seamless dynamic analysis migration. Crucially, the approach eliminates the need for custom emulators. Evaluated on 18 real-world embedded applications, it achieves approximately 2× higher testing efficiency and coverage, discovers 21 previously unknown vulnerabilities, and detects 18 more bugs than existing state-of-the-art techniques. To our knowledge, this is the first work to enable efficient, scalable security analysis of embedded software on general-purpose Linux platforms.
📝 Abstract
Dynamic analysis, through rehosting, is an important capability for security assessment in embedded systems software. Existing rehosting techniques aim to provide high-fidelity execution by accurately emulating hardware and peripheral interactions. However, these techniques face challenges in adoption due to the increasing number of available peripherals and the complexities involved in designing emulation models for diverse hardware. Additionally, contrary to the prevailing belief that guides existing works, our analysis of reported bugs shows that high-fidelity execution is not required to expose most bugs in embedded software. Our key hypothesis is that security vulnerabilities are more likely to arise at higher abstraction levels. To substantiate our hypothesis, we introduce LEMIX, a framework enabling dynamic analysis of embedded applications by rehosting them as x86 Linux applications decoupled from hardware dependencies. Enabling embedded applications to run natively on Linux facilitates security analysis using available techniques and takes advantage of the powerful hardware available on the Linux platform for higher testing throughput. We develop various techniques to address the challenges involved in converting embedded applications to Linux applications. We evaluated LEMIX on 18 real-world embedded applications across four RTOSes and found 21 new bugs in 12 of the applications and all 4 of the RTOS kernels. We report that LEMIX is superior to existing state-of-the-art techniques both in terms of code coverage (~2x more coverage) and bug detection (18 more bugs).
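As an added illustration of the rehosting idea the abstract describes (example code, not LEMIX's own or its authors'): the RX interrupt handler and the frame parser are the firmware's own logic and stay unchanged, while the UART register reads, the RTOS queue and the interrupt delivery are replaced by host-side stand-ins so the higher-level parsing code runs natively on Linux against any input buffer. The `LEMIX_HOST` flag, the register addresses, the queue helpers and the `[len][payload][xor checksum]` frame format are all assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#define LEMIX_HOST 1  /* hypothetical build flag; a target (on-device) build would leave it undefined */

#ifdef LEMIX_HOST
/* Host stand-in for the UART peripheral: bytes come from a caller-supplied buffer. */
static const uint8_t *rx_src; static size_t rx_len, rx_pos;
static int     uart_rx_ready(void) { return rx_pos < rx_len; }
static uint8_t uart_rx_byte(void)  { return rx_src[rx_pos++]; }
#else
/* Target build: volatile MMIO reads (register addresses are placeholders, not a real SoC). */
#define UART_FR (*(volatile uint32_t *)0x40004018u)
#define UART_DR (*(volatile uint32_t *)0x40004000u)
static int     uart_rx_ready(void) { return !(UART_FR & (1u << 4)); }
static uint8_t uart_rx_byte(void)  { return (uint8_t)UART_DR; }
#endif

/* Stand-in for the RTOS byte queue shared between ISR and task (maps a queue API to plain C). */
#define Q_SIZE 64
static uint8_t q_buf[Q_SIZE]; static unsigned q_head, q_tail;
static int q_push(uint8_t b) { if ((q_head + 1) % Q_SIZE == q_tail) return 0;
                               q_buf[q_head] = b; q_head = (q_head + 1) % Q_SIZE; return 1; }
static int q_pop(uint8_t *b)  { if (q_head == q_tail) return 0;
                               *b = q_buf[q_tail]; q_tail = (q_tail + 1) % Q_SIZE; return 1; }

/* Firmware ISR, identical on target and host: drain the UART into the queue.
 * Bytes arriving while the queue is full are dropped, as a simple ISR would do. */
static void uart_rx_isr(void) { while (uart_rx_ready() && q_push(uart_rx_byte())) ; }

/* Firmware task (the higher-level logic the paper's hypothesis targets): decode frames of
 * the form [len][len payload bytes][xor checksum]. Returns the count of frames whose
 * checksum verified; stops at an oversized length or a truncated frame. */
#define MAX_PAYLOAD 16
static int frame_task(void) {
    uint8_t b, payload[MAX_PAYLOAD]; int good = 0;
    while (q_pop(&b)) {
        uint8_t len = b, x = 0; unsigned i;
        if (len > MAX_PAYLOAD) break;                 /* bounds check guarding the stack buffer */
        for (i = 0; i < len && q_pop(&payload[i]); i++) x ^= payload[i];
        if (i < len || !q_pop(&b)) break;             /* truncated frame */
        if (b == x) good++;
    }
    return good;
}

/* Host harness: "raise" the RX interrupt by a direct call, then run the task to completion. */
int rehost_feed(const uint8_t *in, size_t n) {
    rx_src = in; rx_len = n; rx_pos = 0; q_head = q_tail = 0;
    uart_rx_isr();   /* lightweight interrupt simulation: no NVIC, no emulated UART timing */
    return frame_task();
}
```

Because `rehost_feed` takes an arbitrary byte buffer, the same parser can be driven directly by a host fuzzer or unit test without any peripheral model.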