Kai Feng (School of Computing Science, University of Glasgow), Jeremy Singer (School of Computing Science, University of Glasgow), Angelos K Marnerides (Dept. of Electrical & Computer Engineering, KIOS CoE, University of Cyprus)
Fuzzing firmware on microcontrollers (MCUs) is hard to scale. Rehosting (running the firmware in an emulator on a host) is the usual way to scale it, but it often loses fidelity and can be slow, while on-device tracing support is limited. Standard coverage-guided fuzzing relies on software instrumentation, which is costly on MCUs and yields only control-flow signals, which arrive late for complex checks.
We present Hardfuzz, an on-device fuzzer that uses definition-use (def-use) chains to guide exploration. Hardfuzz performs offline static analysis to extract def-use pairs from the binary, then runs directly on the device and uses the debug unit's hardware breakpoints to observe when definitions and their uses execute. Two small bitmaps in shared memory record (i) which definitions execute and (ii) which def-use pairs execute, giving richer feedback than basic-block coverage alone. A lightweight scheduler prioritises definitions with many uses and adapts to the few hardware breakpoints available on MCUs.
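The following host-side model illustrates the feedback mechanism described above. It is an added example, not Hardfuzz's code: the addresses, variable names, breakpoint budget and execution traces are all constructed, and a def-use pair is counted only when its definition was the last one executed for that variable before the use. It reproduces the two bitmaps (definitions hit, def-use pairs hit) and a scheduler that favours definitions with many still-uncovered uses under a fixed hardware-breakpoint budget.

```python
from collections import defaultdict

# Constructed "static analysis" output: (def_addr, use_addr, variable).
DEF_USE_PAIRS = [
    (0x1000, 0x1010, "len"),
    (0x1000, 0x1020, "len"),
    (0x1000, 0x1030, "len"),
    (0x1008, 0x1010, "len"),   # a second definition reaching the same use
    (0x1040, 0x1050, "cmd"),
]
HW_BREAKPOINTS = 4  # assumed budget; MCU debug units expose only a handful


def _bit(bitmap, i):
    return (bitmap[i // 8] >> (i % 8)) & 1


def _set_bit(bitmap, i):
    """Set bit i; return True if it was previously clear (new coverage)."""
    was_new = not _bit(bitmap, i)
    bitmap[i // 8] |= 1 << (i % 8)
    return was_new


class DefUseFeedback:
    def __init__(self, pairs):
        self.pairs = list(pairs)
        self.defs = sorted({d for d, _, _ in pairs})
        self.var_of_def = {d: v for d, _, v in pairs}
        self.uses_at = defaultdict(list)          # use_addr -> [(def, var)]
        for d, u, v in pairs:
            self.uses_at[u].append((d, v))
        self.pair_index = {(d, u): i for i, (d, u, _) in enumerate(pairs)}
        self.def_bitmap = bytearray((len(self.defs) + 7) // 8)
        self.pair_bitmap = bytearray((len(pairs) + 7) // 8)

    def run_trace(self, trace, armed):
        """Replay one execution as a list of PCs. Only PCs in `armed` are
        observed (they stand in for the hardware breakpoints). Returns True
        when any bitmap bit was newly set."""
        reaching = {}   # variable -> most recent definition executed
        new = False
        for pc in trace:
            if pc not in armed:
                continue
            if pc in self.var_of_def:
                new |= _set_bit(self.def_bitmap, self.defs.index(pc))
                reaching[self.var_of_def[pc]] = pc
            for d, v in self.uses_at.get(pc, ()):
                if reaching.get(v) == d:
                    new |= _set_bit(self.pair_bitmap, self.pair_index[(d, pc)])
        return new

    def uncovered_uses(self, d):
        return [u for dd, u, _ in self.pairs
                if dd == d and not _bit(self.pair_bitmap, self.pair_index[(d, u)])]

    def counts(self):
        defs = sum(_bit(self.def_bitmap, i) for i in range(len(self.defs)))
        pairs = sum(_bit(self.pair_bitmap, i) for i in range(len(self.pairs)))
        return defs, pairs


def schedule(fb, budget):
    """Pick addresses to arm: definitions ranked by number of uncovered uses,
    each taking the definition plus as many uses as the budget still allows."""
    armed = []
    for d in sorted(fb.defs, key=lambda d: -len(fb.uncovered_uses(d))):
        uses = fb.uncovered_uses(d)
        if not uses or len(armed) + 2 > budget:
            continue   # need the def and at least one use to learn anything
        armed.append(d)
        for u in uses:
            if len(armed) < budget:
                armed.append(u)
    return set(armed)


def demo():
    """Three fuzzing rounds with constructed traces; returns the armed set
    and new-coverage flag per round plus final (defs, pairs) covered."""
    fb = DefUseFeedback(DEF_USE_PAIRS)
    rounds = [
        [0x1000, 0x1010, 0x1040, 0x1050, 0x1020],
        [0x1008, 0x1010, 0x1000, 0x1030],
        [0x1040, 0x1050],
    ]
    history = []
    for trace in rounds:
        armed = schedule(fb, HW_BREAKPOINTS)
        history.append((armed, fb.run_trace(trace, armed)))
    return history, fb.counts()


if __name__ == "__main__":
    history, covered = demo()
    for armed, new in history:
        print(sorted(hex(a) for a in armed), "new" if new else "no gain")
    print("defs, pairs covered:", covered)
```

In the first round the budget goes entirely to the definition at 0x1000 and its three uses; the other two definitions are not observed at all, which is the trade-off the scheduler makes. Once the pairs of 0x1000 are covered, its priority drops and the breakpoints move on.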
We evaluate Hardfuzz against GDBFuzz, another fuzzer that relies on hardware breakpoints. In emulation, Hardfuzz achieves higher basic-block coverage on most targets and progresses faster in the early hours. On hardware, it covers 14-40% more basic blocks after 24 hours across three programs with known faults. These results show that def-use guidance is practical on MCUs and improves exploration over control-flow-only feedback.