The Last Mile of Fuzzing: An Efficient Fault Localization Framework for ARM Embedded Firmware

Abstract

While fuzzing has been widely adopted and proven effective in exposing vulnerabilities in embedded firmware, fault localization, as the last mile of the vulnerability discovery pipeline, still remains a large challenge. Current post-fuzzing analysis heavily relies on manual debugging, which is hindered by the lack of debugging support in embedded environments and the prevalence of overly tainted, noisy suspicious instructions. These factors impose significant burdens on analysts and slow down vulnerability triage. To bridge this gap, we propose FirmLocator, a highly efficient and automated framework for fault localization in embedded firmware crashes. FirmLocator introduces an event-driven memory footprint collection mechanism to capture concrete memory accesses during crash reproduction. It then performs a history-guided propagation analysis to precisely trace data dependencies, reconstructing fine-grained data dependency chains. Finally, it applies heuristic strategies to score and prioritize candidate instructions, providing actionable insights for root cause analysis. We evaluate FirmLocator on 19 ARM firmware binaries and 59 crashing test cases. The results show that FirmLocator achieves a localization accuracy of 98.3% within the top 10 instructions, demonstrating its effectiveness and practical value in automated fault localization.

Publication
IEEE Transactions on Dependable and Secure Computing (TDSC) 2026, CCF-A
Boyu Chang
Boyu Chang
Ph.D. candidate in Computer Science and Technology

My research interests include binary vulnerablities.