🤖 AI Summary
Problem: Coverage-guided fuzzing normally instruments the target at compile time, so it cannot be applied as-is to closed-source embedded and industrial systems whose source code is unavailable and whose compiler toolchains are proprietary.
Method: FuzzBox combines emulation with fuzzing. The target binary runs unmodified in a virtualized environment, and code is instrumented dynamically at run time to inject fuzz inputs, detect failures, and collect coverage that guides input generation. No source code, recompilation, vendor toolchain, or target hardware is required.
Contribution/Results: The approach removes the hardware and toolchain dependencies that block conventional coverage-guided fuzzers on industrial targets. The paper evaluates it on a proprietary MILS (Multiple Independent Levels of Security) hypervisor for industrial applications, showing effectiveness on a real closed-source target, and analyzes its applicability across commercial IoT firmware as evidence of portability. The abstract does not enumerate specific vulnerabilities found.
📝 Abstract
Coverage-guided fuzzing has been widely applied to find zero-day vulnerabilities in general-purpose software and operating systems. This approach relies on instrumenting the target code at compile time. However, applying it to industrial systems remains challenging, due to proprietary and closed-source compiler toolchains and lack of access to source code. FuzzBox addresses these limitations by integrating emulation with fuzzing: it dynamically instruments code during execution in a virtualized environment to inject fuzz inputs, detect failures, and analyze coverage, without requiring source-code recompilation or hardware-specific dependencies. We show the effectiveness of FuzzBox through experiments in the context of a proprietary MILS (Multiple Independent Levels of Security) hypervisor for industrial applications. Additionally, we analyze the applicability of FuzzBox across commercial IoT firmware, showcasing its broad portability.
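The abstract describes three pieces that have to be supplied at run time when compile-time instrumentation is unavailable: input injection, failure detection, and coverage collection that feeds back into input selection. The following is an added example, not FuzzBox's code and not a description of its internals, that models that loop in miniature. The target (`parse_record`, a constructed toy "firmware" record parser with a missing bounds check) is never edited or recompiled; coverage edges are gathered by a hook installed at run time (`sys.settrace` here, standing in for a basic-block hook inside an emulator), a fault is detected by catching the exception the target raises (standing in for a hypervisor or guest fault), and the mutator keeps only inputs that reach a new edge, as AFL's deterministic stage does. All names, the seed, and the execution counts are the example's own assumptions.

```python
"""Coverage-guided fuzzing with run-time (not compile-time) instrumentation.

Added example: a small model of the inject / detect / cover loop. The target
is never modified or recompiled; coverage comes from a hook installed at run
time (sys.settrace here, a basic-block hook in the emulator in a real setup).
"""
import sys
from typing import Callable, List, Optional, Set, Tuple


# --- Target under test: a constructed toy record parser (not real firmware).
def parse_record(data: bytes) -> int:
    if len(data) < 4:
        return -1
    if data[0] != 0xAA:          # magic byte 1
        return -2
    if data[1] != 0x55:          # magic byte 2
        return -3
    n = data[2]                  # attacker-controlled length field
    total = 0
    for i in range(n):
        total += data[3 + i]     # bug: n is never checked against len(data)
    return total


class EdgeTracer:
    """Collects (prev_line, cur_line) edges of one function via sys.settrace.

    Stand-in for an emulator's basic-block hook. AFL hashes the same kind of
    (prev, cur) pair into a shared-memory bitmap; here the exact pair is kept.
    """

    def __init__(self, target: Callable):
        self.code = target.__code__
        self.edges: Set[Tuple[int, int]] = set()
        self.prev = 0

    def _line_hook(self, frame, event, arg):
        if event == "line":
            cur = frame.f_lineno
            self.edges.add((self.prev, cur))
            self.prev = cur
        return self._line_hook

    def _call_hook(self, frame, event, arg):
        if event == "call" and frame.f_code is self.code:
            self.prev = 0
            return self._line_hook      # trace only the target's own frame
        return None

    def run(self, target: Callable, data: bytes):
        """Execute target(data); return (edges, exception-or-None)."""
        self.edges = set()
        sys.settrace(self._call_hook)
        try:
            target(data)
            return self.edges, None
        except Exception as exc:        # failure detection: any uncaught fault
            return self.edges, exc
        finally:
            sys.settrace(None)


class Campaign:
    def __init__(self):
        self.corpus: List[bytes] = []
        self.seen: Set[Tuple[int, int]] = set()
        self.execs = 0
        self.crash_input: Optional[bytes] = None
        self.crash: Optional[Exception] = None


def fuzz(target, seeds, max_execs=100_000, feedback=True) -> Campaign:
    """Deterministic byte-enumeration mutator (like AFL's deterministic stage)
    that keeps only inputs reaching a new edge. feedback=False disables the
    coverage check so the effect of guidance can be measured. Stops at the
    first fault."""
    tracer = EdgeTracer(target)
    camp = Campaign()

    def execute(data: bytes, keep_always=False) -> bool:
        camp.execs += 1
        edges, exc = tracer.run(target, data)
        if exc is not None:
            camp.crash_input, camp.crash = data, exc
            return True
        new = not edges <= camp.seen
        camp.seen |= edges
        if keep_always or (feedback and new):
            camp.corpus.append(data)
        return False

    for s in seeds:
        if execute(s, keep_always=True):
            return camp
    i = 0
    while i < len(camp.corpus) and camp.execs < max_execs:
        base, i = camp.corpus[i], i + 1
        for pos in range(len(base)):
            for val in range(256):
                m = bytearray(base)
                m[pos] = val
                if execute(bytes(m)) or camp.execs >= max_execs:
                    return camp
    return camp


if __name__ == "__main__":
    guided = fuzz(parse_record, [b"\x00" * 4])
    blind = fuzz(parse_record, [b"\x00" * 4], feedback=False)
    print("guided:", guided.execs, "execs; crash input", guided.crash_input, repr(guided.crash))
    print("blind :", blind.execs, "execs; crash input", blind.crash_input)
```

With feedback on, the seed `00 00 00 00` first yields `AA 00 00 00` (new edge past the first magic check), then `AA 55 00 00`, and from there the length byte `02` drives the read past the end of the buffer, all in a few thousand executions. With feedback off the mutator only ever works from the seed, exhausts its 1024 single-byte variants, and never passes both magic checks, which is the brute-force wall that coverage guidance removes. In a real emulator-based setup the same structure applies, with the `sys.settrace` hook replaced by a block-level hook in the virtual machine and the `except` clause replaced by whatever fault or hang signal the guest exposes.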