🤖 AI Summary
This work addresses the challenges of vulnerability identification and patch status determination in BusyBox-based IoT firmware, which are exacerbated by symbol stripping, inconsistent vendor patches, and cross-architecture compilation. To tackle these issues, the authors propose an evolution-aware cross-architecture binary retrieval framework that integrates anonymous instruction and contextual features, function call graph statistics, geometric embedding priors, and historical function prototypes. This approach enables precise localization of homologous vulnerable functions without relying on symbols, file paths, or version metadata. Notably, it is the first to incorporate evolutionary information into cross-architecture firmware vulnerability analysis and introduces a large-scale BusyBox benchmark dataset. Experimental results across 57 versions and 1,020 architecture pairs show a Hit@1 accuracy of 34.56%—a 16.04% improvement over the strongest baseline—along with 82.44% patch status prediction accuracy, an F1 score of 88.47%, and a 98.98% reduction in manual review effort.
📝 Abstract
BusyBox is one of the most widely reused userland components in Linux-based Internet-of-Things (IoT) firmware, yet its security assessment remains difficult because firmware images are frequently stripped, vendor patch practices are inconsistent, and the same source component is compiled for heterogeneous architectures. We propose EvoPatch-IoT, an evolution-aware cross-architecture retrieval framework for stripped BusyBox firmware binaries. EvoPatch-IoT combines anonymous instruction/context features, graph-level statistics, per-binary geometric priors, and historical function prototypes to localize homologous and potentially vulnerable functions without relying on symbols, source paths, or version strings at test time. We further construct a large-scale BusyBox benchmark from 57 historical versions, 270 unstripped binaries, 285 stripped binaries, and 130 source releases, yielding 1,550,752 function-symbol rows, 1,290,369 analysis-function rows, and 155,845 high-confidence stripped-to-unstripped matches. On 57 fully covered versions and 1,020 directed architecture pairs, EvoPatch-IoT achieves a weighted Hit@1 of 34.56% and Hit@10 of 56.24%, outperforming the strongest baseline by 16.04% and 26.85%, respectively, and reducing the expected manual inspection space by 98.98%. The method is best on 56 of 57 versions and maintains consistent advantages on difficult architecture pairs. In addition, a version-change transfer study reaches a mean ROC-AUC of 0.9887, and a CVE-2021-42386 patch-state proxy obtains 82.44% mean accuracy and 88.47% mean F1 across held-out architectures. These results show that evolution-aware binary retrieval is a practical foundation for scalable IoT firmware vulnerability auditing.