Protocol-Aware Firmware Rehosting for Effective Fuzzing of Embedded Network Stacks

📅 2025-09-17
📈 Citations: 0
Influential: 0
🤖 AI Summary
Existing fuzzing of embedded network protocol stacks is hindered by manual intervention, hardware dependencies, and insufficient modeling of multi-layer protocol inputs in firmware rehosting, which limits coverage of deep protocol logic. This paper proposes a protocol-aware firmware rehosting approach: it automatically identifies the network protocols used within firmware and synthesizes syntactically and semantically valid packets, enabling hierarchical, targeted injection of fuzz input. The method combines dynamic emulation, protocol behavioral analysis, and transparent packet encapsulation, and integrates into mainstream firmware rehosting platforms. Evaluated across three rehosting tools, the approach significantly improves code coverage, reproduces multiple known vulnerabilities, and discovers five novel critical defects. These results demonstrate substantial advances in deep protocol coverage, full automation, and practical deployability for embedded network stack testing.

📝 Abstract
One of the biggest attack surfaces of embedded systems is their network interfaces, which enable communication with other devices. Unlike their general-purpose counterparts, embedded systems are designed for specialized use cases, resulting in unique and diverse communication stacks. Unfortunately, current approaches for evaluating the security of these embedded network stacks require manual effort or access to hardware, and they generally focus only on small parts of the embedded system. A promising alternative is firmware rehosting, which enables fuzz testing of the entire firmware by generically emulating the physical hardware. However, existing rehosting methods often struggle to meaningfully explore network stacks due to their complex, multi-layered input formats. This limits their ability to uncover deeply nested software faults. To address this problem, we introduce a novel method to automatically detect and handle the use of network protocols in firmware called Pemu. By automatically deducing the available network protocols, Pemu can transparently generate valid network packets that encapsulate fuzzing data, allowing the fuzzing input to flow directly into deeper layers of the firmware logic. Our approach thus enables a deeper, more targeted, and layer-by-layer analysis of firmware components that were previously difficult or impossible to test. Our evaluation demonstrates that Pemu consistently improves the code coverage of three existing rehosting tools for embedded network stacks. Furthermore, our fuzzer rediscovered several known vulnerabilities and identified five previously unknown software faults, highlighting its effectiveness in uncovering deeply nested bugs in network-exposed code.
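The abstract's central idea is that raw fuzzer output rarely survives the lower layers of a network stack: a frame with a wrong EtherType, an inconsistent IP length or a bad checksum is dropped before it reaches the application-layer code under test, so the fuzzer only ever exercises the outermost parser. The following added example (illustrative code written for this page, not Pemu's implementation and not from the paper's authors) makes that concrete for one assumed stack shape, Ethernet/IPv4/UDP with constructed addresses and ports: `encapsulate` wraps arbitrary fuzz bytes in headers whose lengths and checksums are consistent, and `deliver` models a strict receive path that reports how deep a given input gets.

```python
import struct

# Constructed example addresses and ports (assumptions, not taken from the paper).
SRC_MAC = bytes.fromhex("020000000001")
DST_MAC = bytes.fromhex("020000000002")
SRC_IP = bytes([10, 0, 0, 1])
DST_IP = bytes([10, 0, 0, 2])
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by IPv4 and UDP (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    """Header checksum: one's complement of the one's-complement sum."""
    return (~ones_complement_sum(data)) & 0xFFFF


def encapsulate(fuzz_payload: bytes, src_port: int = 40000, dst_port: int = 5683) -> bytes:
    """Wrap raw fuzzer output in a syntactically valid Ethernet/IPv4/UDP frame.

    The fuzz bytes become the UDP payload; every outer header carries
    consistent lengths and correct checksums, so lower-layer parsing
    succeeds and the bytes reach the application-layer handler.
    """
    udp_len = 8 + len(fuzz_payload)
    pseudo = SRC_IP + DST_IP + struct.pack("!BBH", 0, IPPROTO_UDP, udp_len)
    udp_hdr = struct.pack("!HHHH", src_port, dst_port, udp_len, 0)
    # A computed value of 0 is transmitted as 0xFFFF, since 0 means "no checksum" in UDP.
    udp_csum = checksum(pseudo + udp_hdr + fuzz_payload) or 0xFFFF
    udp_hdr = struct.pack("!HHHH", src_port, dst_port, udp_len, udp_csum)

    # Version 4, IHL 5, DF flag, TTL 64, constructed identification value.
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0x1234, 0x4000,
                         64, IPPROTO_UDP, 0, SRC_IP, DST_IP)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", checksum(ip_hdr)) + ip_hdr[12:]

    eth_hdr = DST_MAC + SRC_MAC + struct.pack("!H", ETHERTYPE_IPV4)
    return eth_hdr + ip_hdr + udp_hdr + fuzz_payload


def deliver(frame: bytes):
    """Model of a strict receive path: returns (deepest layer reached, payload).

    Each layer drops anything it cannot parse, so input that is not a
    well-formed frame never reaches the application handler. That is the
    situation transparent encapsulation is meant to avoid.
    """
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return ("ethernet", None)
    ip_hdr = frame[14:34]
    if len(ip_hdr) < 20 or ip_hdr[0] != 0x45 or checksum(ip_hdr) != 0:
        return ("ipv4", None)
    total_len, proto = struct.unpack("!H", ip_hdr[2:4])[0], ip_hdr[9]
    if proto != IPPROTO_UDP or total_len != len(frame) - 14:
        return ("ipv4", None)
    udp = frame[34:14 + total_len]
    if len(udp) < 8 or struct.unpack("!H", udp[4:6])[0] != len(udp):
        return ("udp", None)
    pseudo = ip_hdr[12:16] + ip_hdr[16:20] + struct.pack("!BBH", 0, IPPROTO_UDP, len(udp))
    if checksum(pseudo + udp) != 0:  # a valid datagram sums to 0xFFFF, i.e. checksum 0
        return ("udp", None)
    return ("application", udp[8:])


if __name__ == "__main__":
    fuzz = b"CONSTRUCTED FUZZ INPUT"  # stands in for one fuzzer-generated test case
    print(deliver(fuzz))               # bare input is rejected at the Ethernet layer
    print(deliver(encapsulate(fuzz)))  # encapsulated input reaches the application layer
```

The same bare input is dropped at the first layer, while its encapsulated form is handed to the UDP consumer unchanged, which is exactly where the fuzzer's mutations should be spent. A real rehosting pipeline would have to choose the header stack per firmware image, which is the protocol identification step the abstract describes; this example fixes that choice by assumption.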
Problem

Research questions and friction points this paper is trying to address.

Automating protocol-aware firmware rehosting for embedded systems
Enabling effective fuzzing of complex network stack layers
Generating valid network packets to uncover deep vulnerabilities
Innovation

Methods, ideas, or system contributions that make the work stand out.

Automatically detects network protocols in firmware
Generates valid network packets with fuzzing data
Enables layer-by-layer analysis of firmware components
Authors

Moritz Bley, CISPA Helmholtz Center for Information Security, Saarbrücken, Germany
Tobias Scharnowski, CISPA Helmholtz Center for Information Security, Saarbrücken, Germany
Simon Wörner, CISPA Helmholtz Center for Information Security, Saarbrücken, Germany
Moritz Schloegel, CISPA Helmholtz Center for Information Security (systems security, program analysis, fuzzing)
Thorsten Holz, Max Planck Institute for Security and Privacy (MPI-SP) (computer security)