🤖 AI Summary
This study addresses the inefficiency in existing firmware fuzzing caused by delivering input at the wrong time and in the wrong quantity, which often leads to input starvation or overload. The authors present the first systematic model of asynchronous input handling in firmware, identifying three distinct stages (input retrieval, availability check, and processing) through combined static and dynamic analysis. Building on this model, they introduce FIDO, an enhancement module that delivers test cases of appropriate length precisely when the firmware checks for input and optimizes scheduling across multiple input routes. FIDO integrates into existing fuzzers without requiring manual intervention. Experimental results show that FIDO improves median code coverage by up to 115% and 54% over Fuzzware and MULTIFUZZ, respectively, outperforms the manually guided SEmu by up to 19%, and uncovers five previously unknown vulnerabilities.
📝 Abstract
Firmware fuzzing has gained attention for identifying firmware bugs. However, current approaches often directly integrate fuzzing tools built for general software. General software receives input when it calls I/O functions, but firmware input can arrive asynchronously and independently of the firmware's execution, with uncertain timing and quantity. Without fully accounting for this firmware-specific behaviour, existing solutions often deliver fuzzer-generated input to the firmware in an ad-hoc way. This either overwhelms the firmware's processing function (stuffing) or fails to deliver enough input data to trigger the input processing functions (starving). In both cases, fuzzing capability is weakened.
In this paper, we comprehensively investigate the input delivery issue. To determine the optimal timing and quantity for delivering test cases, we leverage the fact that firmware has to check input availability before using data. We therefore employ static and dynamic analysis to map each input processing route into three stages: input retrieval, availability check, and processing. This recovered semantic information allows the fuzzer to deliver input precisely at the availability check points, within the expected length range. For the problem of multiple input routes, we also optimize the scheduling algorithm to reach more diverse routes. Our prototype, named FIDO, can serve as an add-on to existing firmware fuzzers to enhance their test-case delivery effectiveness. Compared to the ad-hoc input delivery methods used in Fuzzware and MULTIFUZZ, FIDO increases their median code coverage by up to 115% and 54%, respectively. Compared to SEmu, which requires humans to manually specify input delivery points, FIDO still improves its coverage by up to 19%. As a result, FIDO discovers known bugs significantly faster and also identifies five previously unknown bugs.
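To make the stuffing/starving trade-off concrete, the following is an added example (not code from the paper or from FIDO) that simulates one input route in the three stages above and compares an ad-hoc delivery policy with one that injects a frame-sized test case just before the availability check. The ring-buffer size, frame length and both policies are constructed assumptions.

```c
#include <stdint.h>

/* Constructed model of one firmware input route in the paper's three stages:
 * retrieval (an RX interrupt fills a ring buffer), availability check (the main
 * loop tests for a whole frame) and processing. Not FIDO's own code. */
#define RING_SIZE 16
#define FRAME_LEN 8

typedef struct {
    uint8_t ring[RING_SIZE];
    unsigned head, tail;        /* bytes consumed / bytes retrieved */
    unsigned frames_processed;  /* times the processing stage was reached */
    unsigned bytes_dropped;     /* stuffing: input arrived with no room left */
    unsigned starved_checks;    /* starving: check ran but no frame was there */
} firmware_t;

static void rx_isr(firmware_t *fw, uint8_t b) {         /* stage 1: retrieval */
    if (fw->tail - fw->head == RING_SIZE) { fw->bytes_dropped++; return; }
    fw->ring[fw->tail++ % RING_SIZE] = b;
}
static int frame_available(const firmware_t *fw) {      /* stage 2: check */
    return fw->tail - fw->head >= FRAME_LEN;
}
static void process_frame(firmware_t *fw) {             /* stage 3: processing */
    fw->head += FRAME_LEN;
    fw->frames_processed++;
}

/* The fuzzer's delivery policy: given the free space in the ring buffer and the
 * loop iteration, decide how many test-case bytes to inject before the check. */
typedef unsigned (*delivery_fn)(unsigned room, unsigned step);

static firmware_t run(delivery_fn deliver, unsigned steps) {
    firmware_t fw = {0};
    for (unsigned s = 0; s < steps; s++) {
        unsigned n = deliver(RING_SIZE - (fw.tail - fw.head), s);
        for (unsigned i = 0; i < n; i++) rx_isr(&fw, (uint8_t)(s + i));
        if (frame_available(&fw)) process_frame(&fw);
        else fw.starved_checks++;
    }
    return fw;
}

/* Ad-hoc delivery: a 20-byte burst every third iteration, blind to firmware state. */
static unsigned adhoc(unsigned room, unsigned step) { (void)room; return step % 3 ? 0 : 20; }

/* Semantics-aware delivery: exactly one frame, right before the availability
 * check, and only when the buffer can hold it. */
static unsigned aware(unsigned room, unsigned step) { (void)step; return room >= FRAME_LEN ? FRAME_LEN : 0; }
```

Over 30 loop iterations the ad-hoc policy drops bytes on every burst and leaves every third check starved, while the check-aligned policy reaches the processing stage on every iteration with nothing dropped.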