SysFuSS: System-Level Firmware Fuzzing with Selective Symbolic Execution

📅 2026-02-02
📈 Citations: 0
Influential: 0
🤖 AI Summary
Traditional firmware fuzzing faces coverage bottlenecks at the system level, limiting its effectiveness in uncovering security vulnerabilities that arise from firmware–hardware interactions. This work proposes a dynamic cooperative mechanism that integrates system-level fuzzing with selective symbolic execution: when fuzzing coverage plateaus, the approach automatically transitions to symbolic execution to generate test cases that reach unexplored code. The authors present this as the first practical solution capable of efficiently exploring the interplay between firmware and hardware for vulnerability discovery. Experimental evaluation on multiple real-world embedded firmware images shows that the proposed approach substantially outperforms existing tools, identifying 118 known vulnerabilities (compared to only 13 detected by baseline methods) with up to a 3.3× speedup in vulnerability triggering.

📝 Abstract
Firmware serves as the critical interface between hardware and software in computing systems, making any bugs or vulnerabilities in it particularly dangerous, as they can cause catastrophic system failures. While fuzzing is a promising approach for identifying design flaws and security vulnerabilities, traditional fuzzers are ineffective at detecting firmware vulnerabilities. For example, existing fuzzers focus on user-level fuzzing, which is not suitable for detecting kernel-level vulnerabilities. Existing fuzzers also face a coverage plateau problem when dealing with the complex interactions between firmware and hardware. In this paper, we present an efficient firmware verification framework, SysFuSS, that integrates system-level fuzzing with selective symbolic execution. Our approach leverages system-level emulation for initial fuzzing and automatically transitions to symbolic execution when coverage reaches a plateau. This strategy enables us to generate targeted test cases that can trigger previously unexplored regions in firmware designs. We have evaluated SysFuSS on real-world embedded firmware, including OpenSSL, WolfBoot, WolfMQTT, HTSlib, MXML, and libIEC. Experimental evaluation demonstrates that SysFuSS significantly outperforms state-of-the-art fuzzers in terms of both branch coverage and detection of firmware vulnerabilities. Specifically, SysFuSS can detect 118 known vulnerabilities, while state-of-the-art fuzzers can detect only 13 of them. Moreover, SysFuSS takes significantly less time (up to 3.3X, 1.7X on average) to trigger these vulnerabilities.
Problem

Research questions and friction points this paper is trying to address.

firmware fuzzing
system-level vulnerability
coverage plateau
hardware-software interaction
kernel-level security
Innovation

Methods, ideas, or system contributions that make the work stand out.

system-level fuzzing
selective symbolic execution
firmware verification
coverage plateau
hybrid testing