pith. sign in

arxiv: 2606.24549 · v1 · pith:6ZDA2OS5new · submitted 2026-06-23 · 💻 cs.CR

FirmCure:Towards Autonomous and Adaptive Rehosting of Linux-Based Firmware

Pith reviewed 2026-06-25 23:13 UTC · model grok-4.3

classification 💻 cs.CR
keywords firmware rehostingIoT securityLLM automationfull-system emulationvulnerability analysisembedded device testingruntime interventionadaptive configuration
0
0 comments X

The pith

FirmCure uses LLMs to autonomously rehost Linux firmware by extracting dependencies, optimizing configs, and fixing runtime errors.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper introduces FirmCure as a framework that automates the full-system rehosting of Linux-based firmware for custom IoT devices. Existing methods require heavy expert intervention to handle specialized architectures and hardware configurations, creating bottlenecks in security analysis. FirmCure combines static analysis with LLM modules for dependency extraction, iterative configuration, and real-time error fixes. On 21 firmware images from 10 vendors and 5 architectures it reached 100 percent network port opening and 90.5 percent service interactivity while reproducing known vulnerabilities and finding new ones. A sympathetic reader would care because successful rehosting is a prerequisite for practical vulnerability work on embedded systems that are otherwise hard to test.

Core claim

FirmCure is the first LLM-driven full-system rehosting framework that uses an Adaptive Perception Inference mechanism to extract firmware structural dependencies via static analysis, a Reflective Synthesis module for iterative configuration optimization, and an Autonomous Runtime Intervention module for real-time error remediation through runtime fault diagnosis and monitoring. On 21 IoT firmware images from 10 vendors across 5 architectures it achieved a 100 percent network port opening rate and 90.5 percent service interactivity, substantially outperforming baselines, with intervention strategies that generalize across heterogeneous firmware and that reproduce known vulnerabilities while d

What carries the argument

The Adaptive Perception Inference mechanism for dependency extraction combined with Reflective Synthesis for configuration optimization and Autonomous Runtime Intervention for runtime error remediation.

If this is right

  • Security analysis of custom IoT devices becomes possible without manual expert configuration for each device.
  • Known vulnerabilities can be reproduced at scale across multiple architectures.
  • New security flaws can be discovered in firmware that previously could not be rehosted.
  • Intervention strategies learned on one set of devices transfer to other heterogeneous firmware.
  • The rehosting process completes with full network access and high service interactivity rates.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same LLM-driven loop might reduce manual work in rehosting non-Linux embedded systems if the static analysis step is extended.
  • Combining the runtime intervention module with hardware-in-the-loop testing could catch behaviors the current static extraction misses.
  • Patterns found across the 21 tested images could seed a shared library of common hardware dependency fixes for future devices.
  • If the approach scales, routine firmware updates could be checked for security issues in an automated pipeline.

Load-bearing premise

The LLM modules can reliably extract accurate firmware structural dependencies via static analysis and perform correct real-time error remediation without missing hardware-specific behaviors or introducing false positives.

What would settle it

A firmware image from a new vendor or architecture where FirmCure produces incorrect dependency graphs or fails to open network ports because of missed hardware behaviors.

Figures

Figures reproduced from arXiv: 2606.24549 by Chenyifan Liu, Chuan Hong, Laisong Li, Lei Zhou, Peihong Lin, Xu Zhou, Ze Huang, Zheng Zhang.

Figure 1
Figure 1. Figure 1: Overview of the FIRMCURE NU516U1, a kernel panic is caused by an unspecified CPU ar￾chitecture during QEMU launch, and an feasible fix strategy is to explicitly adjust the -cpu 74Kf parameter. Concurrently, the D-Link DGL-5500 fails to mount its root filesystem due to corruption and dangling symbolic links. These issues can be resolved by pre-boot repair routines that remove broken links and restore missin… view at source ↗
Figure 2
Figure 2. Figure 2: Time Cost of FIRMCURE across Different Firmware Samples (Using GLM-5.1). such as TRENDnet TEW-711BR and D-Link DGL5500, and Tenda AC15, trigger heavy A.R.I usage (1.09M–1.9M input tokens) and reach total costs of $2.32–$3.74. Across the six samples, the average total cost is approximately $2.18 per firmware. This on-demand resource allocation means that sim￾pler firmware incurs minimal LLM expense, while c… view at source ↗
read the original abstract

Full-system rehosting plays a critical role in the security analysis of Linux-based firmware. It matches commonly deployed firmware with sufficient background knowledge. However, for custom devices, existing approaches struggle to handle initialization and runtime obstacles in the rehosting process caused by specialized architectures and hardware-dependent configuration, which heavily rely on expert intervention. This ultimately creates fundamental bottlenecks and results in low rehosting efficiency. To address the above challenges, we propose FirmCure, the first LLM-driven full-system rehosting framework designed for autonomous and adaptive rehosting of Linux-based firmware. FirmCure develops an Adaptive Perception Inference mechanism to extract firmware structural dependencies via static analysis, followed by a Reflective Synthesis module for iterative configuration optimization, and finally an Autonomous Runtime Intervention module for real-time error remediation through runtime fault diagnosis and monitoring. We evaluated 21 IoT firmware images from 10 vendors across 5 architectures, while FirmCure achieved a 100% network port opening rate and 90.5% service interactivity, substantially outperforming state-of-the-art baselines. Our experiments confirm that FirmCure's intervention strategies generalize across heterogeneous firmware. The framework successfully reproduces known vulnerabilities and discovers new security flaws.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

3 major / 3 minor

Summary. The paper introduces FirmCure, the first LLM-driven full-system rehosting framework for Linux-based IoT firmware. It comprises three modules: Adaptive Perception Inference to extract structural dependencies via static analysis, Reflective Synthesis for iterative configuration optimization, and Autonomous Runtime Intervention for real-time fault diagnosis and error remediation. On 21 firmware images from 10 vendors across 5 architectures, it reports 100% network port opening and 90.5% service interactivity, outperforming baselines, with intervention strategies that generalize and enable reproduction of known vulnerabilities plus discovery of new flaws.

Significance. If the empirical results and LLM-module reliability hold under scrutiny, FirmCure could meaningfully advance scalable firmware security analysis by reducing expert intervention in rehosting heterogeneous devices, enabling broader vulnerability research on custom IoT hardware.

major comments (3)
  1. [Evaluation] Evaluation section: aggregate success rates (100% port opening, 90.5% interactivity) are reported without firmware selection criteria, baseline implementation details, error bars, or confirmation that post-hoc adjustments were avoided, rendering the central performance claims unverifiable from the provided text.
  2. [§3] Adaptive Perception Inference and Autonomous Runtime Intervention modules: the load-bearing assumption that the LLM components reliably extract dependencies and perform remediation without missing hardware-specific behaviors (e.g., peripheral initialization, memory-mapped I/O, vendor boot sequences) across 5 architectures lacks supporting ablations on prompt sensitivity, per-module error rates, or false-positive rates in vulnerability reproduction.
  3. [Experiments] Generalization claim: the assertion that intervention strategies generalize across heterogeneous firmware is not accompanied by case studies or metrics showing instances where static analysis failed or hardware emulation remained necessary despite the autonomy claim.
minor comments (3)
  1. [§3] Clarify the specific LLMs, versions, and prompt templates used in each module to aid reproducibility.
  2. [Evaluation] Add a table comparing per-firmware results against each baseline rather than aggregate figures only.
  3. Ensure all architecture-specific handling details are explicitly described rather than summarized.

Simulated Author's Rebuttal

3 responses · 0 unresolved

We thank the referee for the constructive and detailed feedback. We address each major comment point by point below, indicating where revisions will be made to strengthen the manuscript.

read point-by-point responses
  1. Referee: [Evaluation] Evaluation section: aggregate success rates (100% port opening, 90.5% interactivity) are reported without firmware selection criteria, baseline implementation details, error bars, or confirmation that post-hoc adjustments were avoided, rendering the central performance claims unverifiable from the provided text.

    Authors: We acknowledge that the current manuscript reports aggregate success rates without providing firmware selection criteria, detailed baseline implementation steps, error bars, or explicit confirmation that post-hoc adjustments were avoided. This limits verifiability of the central claims. In the revised manuscript, we will expand the Evaluation section to include these elements: explicit selection criteria for the 21 firmware images, implementation details for all baselines, statistical error bars on the reported rates, and a statement confirming no post-hoc adjustments were performed. revision: yes

  2. Referee: [§3] Adaptive Perception Inference and Autonomous Runtime Intervention modules: the load-bearing assumption that the LLM components reliably extract dependencies and perform remediation without missing hardware-specific behaviors (e.g., peripheral initialization, memory-mapped I/O, vendor boot sequences) across 5 architectures lacks supporting ablations on prompt sensitivity, per-module error rates, or false-positive rates in vulnerability reproduction.

    Authors: The referee correctly notes the absence of ablations on prompt sensitivity, per-module error rates, and false-positive rates for vulnerability reproduction. The manuscript relies on overall success metrics to support LLM reliability but does not provide these supporting analyses. We will add a dedicated subsection (or expand §3 and the evaluation) with prompt sensitivity experiments, per-module breakdown of success/error rates, and analysis of false positives in vulnerability reproduction to address this gap. revision: yes

  3. Referee: [Experiments] Generalization claim: the assertion that intervention strategies generalize across heterogeneous firmware is not accompanied by case studies or metrics showing instances where static analysis failed or hardware emulation remained necessary despite the autonomy claim.

    Authors: We agree that the generalization claim requires more concrete supporting evidence. The manuscript asserts that intervention strategies generalize but does not include case studies or quantitative metrics on cases where static analysis failed or where hardware emulation steps remained necessary. In the revision, we will add case studies and associated metrics illustrating such instances to substantiate the autonomy and generalization claims. revision: yes

Circularity Check

0 steps flagged

No circularity: empirical evaluation only, no derivations or self-referential reductions

full rationale

The paper describes an LLM-based rehosting framework evaluated empirically on 21 firmware samples across architectures, reporting success rates without any equations, fitted parameters, uniqueness theorems, or self-citations that bear the central claims. The three modules (Adaptive Perception Inference, Reflective Synthesis, Autonomous Runtime Intervention) are presented as engineering components whose performance is measured directly in experiments; no step reduces a prediction or result to its own inputs by construction. This is the standard case of a self-contained empirical systems paper.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

Abstract-only review yields no explicit free parameters, axioms, or invented entities; the framework implicitly assumes LLM reliability for dependency extraction and error diagnosis.

pith-pipeline@v0.9.1-grok · 5754 in / 996 out tokens · 19298 ms · 2026-06-25T23:13:57.885373+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

71 extracted references · 6 canonical work pages · 2 internal anchors

  1. [1]

    Connected iot device market update – fall 2025 and 2026 – 2035,

    IoT Analytics, “Connected iot device market update – fall 2025 and 2026 – 2035,” https://iot-analytics.com/number-connected-iot-devices/, 2025

  2. [2]

    Linux in iot devices statistics,

    CommandLinux, “Linux in iot devices statistics,” https://commandlinux. com/statistics/linux-in-iot-devices-statistics/, 2024

  3. [3]

    A survey of the security analysis of embedded devices,

    X. Zhou, P. Wang, L. Zhou, P. Xun, and K. Lu, “A survey of the security analysis of embedded devices,”Sensors, vol. 23, no. 22, p. 9221, 2023

  4. [4]

    Firmhunter: State-aware and introspection-driven grey-box fuzzing towards iot firmware,

    Q. Yin, X. Zhou, and H. Zhang, “Firmhunter: State-aware and introspection-driven grey-box fuzzing towards iot firmware,”Applied Sciences, vol. 11, no. 19, p. 9094, 2021

  5. [5]

    {FIRM-AFL}:{High-Throughput}greybox fuzzing of{IoT}firmware via augmented process emulation,

    Y . Zheng, A. Davanian, H. Yin, C. Song, H. Zhu, and L. Sun, “{FIRM-AFL}:{High-Throughput}greybox fuzzing of{IoT}firmware via augmented process emulation,” in28th USENIX Security Symposium (USENIX Security 19), 2019, pp. 1099–1114

  6. [6]

    Firmfuzz: Automated iot firmware introspection and analysis,

    P. Srivastava, H. Peng, J. Li, H. Okhravi, H. Shrobe, and M. Payer, “Firmfuzz: Automated iot firmware introspection and analysis,” in Proceedings of the 2nd International ACM Workshop on Security and Privacy for the Internet-of-Things, 2019, pp. 15–21

  7. [7]

    Pandawan: quantifying progress in linux-based firmware rehosting,

    I. Angelakopoulos, G. Stringhini, and M. Egele, “Pandawan: quantifying progress in linux-based firmware rehosting,” in33rd USENIX Security Symposium (USENIX Security 24), 2024, pp. 5859–5876

  8. [8]

    {FirmSolo}: Enabling dynamic analysis of binary linux-based {IoT}kernel modules,

    ——, “{FirmSolo}: Enabling dynamic analysis of binary linux-based {IoT}kernel modules,” in32nd USENIX Security Symposium (USENIX Security 23), 2023, pp. 5021–5038

  9. [9]

    Firmdiff: Improving the configuration of linux kernels geared towards firmware re-hosting

    ——, “Firmdiff: Improving the configuration of linux kernels geared towards firmware re-hosting.” Workshop on Binary Analysis Research (BAR’24), 2024

  10. [10]

    Towards automated dynamic analysis for linux-based embedded firmware

    D. D. Chen, M. Woo, D. Brumley, and M. Egele, “Towards automated dynamic analysis for linux-based embedded firmware.” inNDSS, vol. 1, 2016, pp. 1–1

  11. [11]

    Firmae: Towards large-scale emulation of iot firmware for dynamic analysis,

    M. Kim, D. Kim, E. Kim, S. Kim, Y . Jang, and Y . Kim, “Firmae: Towards large-scale emulation of iot firmware for dynamic analysis,” inProceedings of the 36th Annual Computer Security Applications Conference, 2020, pp. 733–745

  12. [12]

    User-space dependency-aware rehosting for linux-based firmware binaries,

    C. Qin, C. Zhang, Y . Zheng, P. Liu, J. Zhang, Y . Li, W. Zhang, Y . Liu, and L. Sun, “User-space dependency-aware rehosting for linux-based firmware binaries,” inNetwork and Distributed System Security (NDSS) Symposium 2026, 2026, pp. 23–27 February 2026, San Diego, CA, USA. [Online]. Available: www.ndss-symposium.org

  13. [13]

    Qemu, a fast and portable dynamic translator

    F. Bellard, “Qemu, a fast and portable dynamic translator.” inUSENIX annual technical conference, FREENIX Track, vol. 41, no. 46. Cali- fornia, USA, 2005, pp. 10–55

  14. [14]

    Greenhouse: Single-service rehosting of linux- based firmware binaries in user-space emulation,

    H. J. Tay, K. Zeng, J. M. Vadayath, A. S. Raj, A. Dutcher, T. Reddy, W. Gibbs, Z. L. Basque, F. Dong, Z. Smith, A. Doup’e, Y . Shoshi- taishvili, and R. Wang, “Greenhouse: Single-service rehosting of linux- based firmware binaries in user-space emulation,” in32nd USENIX Security Symposium (USENIX Security 23), 2023, pp. 5791–5808

  15. [15]

    Improving language understanding by generative pre-training,

    A. Radford, K. Narasimhan, T. Salimans, I. Sutskeveret al., “Improving language understanding by generative pre-training,” 2018

  16. [16]

    Language models are unsupervised multitask learners,

    A. Radford, J. Wu, R. Child, D. Luan, D. Amodei, I. Sutskeveret al., “Language models are unsupervised multitask learners,”OpenAI blog, vol. 1, no. 8, p. 9, 2019

  17. [17]

    Language mod- els are few-shot learners,

    T. Brown, B. Mann, N. Ryder, M. Subbiah, J. D. Kaplan, P. Dhariwal, A. Neelakantan, P. Shyam, G. Sastry, A. Askellet al., “Language mod- els are few-shot learners,”Advances in neural information processing systems, vol. 33, pp. 1877–1901, 2020

  18. [18]

    An empirical study on the effectiveness of large language models for binary code understanding,

    X. Shang, Z. Fu, S. Cheng, G. Chen, G. Li, L. Hu, W. Zhang, and N. Yu, “An empirical study on the effectiveness of large language models for binary code understanding,”Empirical Software Engineering, vol. 31, no. 1, pp. 1–38, 2026

  19. [19]

    Detecting command injection vulnerabilities in linux-based embedded firmware with llm-based taint analysis of library functions,

    J. Ye, X. Fei, X. d. C. de Carnavalet, L. Zhao, L. Wu, and M. Zhang, “Detecting command injection vulnerabilities in linux-based embedded firmware with llm-based taint analysis of library functions,”Computers & Security, vol. 144, p. 103971, 2024

  20. [20]

    Exploring the efficacy of large lan- guage models (gpt-4) in binary reverse engineering,

    S. Pordanesh and B. Tan, “Exploring the efficacy of large lan- guage models (gpt-4) in binary reverse engineering,”arXiv preprint arXiv:2406.06637, 2024

  21. [21]

    Flexemu: Towards flexible mcu peripheral emulation,

    C. Lei, Z. Ling, X. Xu, S. Li, G. Liu, K. Dong, and J. Luo, “Flexemu: Towards flexible mcu peripheral emulation,” inProceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security, 2025, pp. 2609–2623

  22. [22]

    ReAct: Synergizing Reasoning and Acting in Language Models

    S. Yao, J. Zhao, D. Yu, N. Du, I. Shafran, K. Narasimhan, and Y . Cao, “React: Synergizing reasoning and acting in language models,”arXiv preprint arXiv:2210.03629, 2022

  23. [23]

    Re- flexion: Language agents with verbal reinforcement learning,

    N. Shinn, F. Cassano, A. Gopinath, K. Narasimhan, and S. Yao, “Re- flexion: Language agents with verbal reinforcement learning,”Advances in neural information processing systems, vol. 36, pp. 8634–8652, 2023

  24. [24]

    Chain-of-thought prompting elicits reasoning in large language models,

    J. Wei, X. Wang, D. Schuurmans, M. Bosma, F. Xia, E. Chi, Q. V . Le, D. Zhouet al., “Chain-of-thought prompting elicits reasoning in large language models,”Advances in neural information processing systems, vol. 35, pp. 24 824–24 837, 2022

  25. [25]

    Large language models for software engi- neering: A systematic literature review,

    X. Hou, Y . Zhao, Y . Liu, Z. Yang, K. Wang, L. Li, X. Luo, D. Lo, J. Grundy, and H. Wang, “Large language models for software engi- neering: A systematic literature review,”ACM Transactions on Software Engineering and Methodology, vol. 33, no. 8, pp. 1–79, 2024

  26. [26]

    Wizardcoder: Empowering code large language models with evol-instruct,

    Z. Luo, C. Xu, P. Zhao, Q. Sun, X. Geng, W. Hu, C. Tao, J. Ma, Q. Lin, and D. Jiang, “Wizardcoder: Empowering code large language models with evol-instruct,”arXiv preprint arXiv:2306.08568, 2023

  27. [27]

    Code Llama: Open Foundation Models for Code

    B. Roziere, J. Gehring, F. Gloeckle, S. Sootla, I. Gat, X. E. Tan, Y . Adi, J. Liu, R. Sauvestre, T. Remezet al., “Code llama: Open foundation models for code,”arXiv preprint arXiv:2308.12950, 2023

  28. [28]

    Llm with tools: A survey,

    Z. Shen, “Llm with tools: A survey,”arXiv preprint arXiv:2409.18807, 2024

  29. [29]

    Tool learning with foundation models,

    Y . Qin, S. Hu, Y . Lin, W. Chen, N. Ding, G. Cui, Z. Zeng, X. Zhou, Y . Huang, C. Xiaoet al., “Tool learning with foundation models,”ACM Computing Surveys, vol. 57, no. 4, pp. 1–40, 2024

  30. [30]

    Model context protocol (mcp): Landscape, security threats, and future research directions,

    X. Hou, Y . Zhao, S. Wang, and H. Wang, “Model context protocol (mcp): Landscape, security threats, and future research directions,”ACM Transactions on Software Engineering and Methodology, 2025

  31. [31]

    Retrieval- augmented generation for knowledge-intensive nlp tasks,

    P. Lewis, E. Perez, A. Piktus, F. Petroni, V . Karpukhin, N. Goyal, H. K ¨uttler, M. Lewis, W.-t. Yih, T. Rockt ¨aschelet al., “Retrieval- augmented generation for knowledge-intensive nlp tasks,”Advances in neural information processing systems, vol. 33, pp. 9459–9474, 2020

  32. [32]

    From llms to llm- based agents for software engineering: A survey of current, challenges and future,

    H. Jin, L. Huang, H. Cai, J. Yan, B. Li, and H. Chen, “From llms to llm- based agents for software engineering: A survey of current, challenges and future,”arXiv preprint arXiv:2408.02479, 2024

  33. [33]

    A survey on large language model based autonomous agents,

    L. Wang, C. Ma, X. Feng, Z. Zhang, H. Yang, J. Zhang, Z. Chen, J. Tang, X. Chen, Y . Linet al., “A survey on large language model based autonomous agents,”Frontiers of Computer Science, vol. 18, no. 6, p. 186345, 2024

  34. [34]

    Housefuzz: Service-aware grey-box fuzzing for vulnerability detection in linux- based firmware,

    H. Xiao, Z. Wei, J. Dai, B. Li, Y . Zhang, and M. Yang, “Housefuzz: Service-aware grey-box fuzzing for vulnerability detection in linux- based firmware,” in2025 IEEE Symposium on Security and Privacy (SP). IEEE, 2025, pp. 3801–3819

  35. [35]

    Crewai: The leading multi-agent platform,

    CrewAI Team, “Crewai: The leading multi-agent platform,” https:// crewai.com/, 2025

  36. [36]

    Radare2: Unix-like reverse engineering framework and commandline toolset,

    Radare Project, “Radare2: Unix-like reverse engineering framework and commandline toolset,” https://www.radare.org/, 2026

  37. [37]

    Litellm documentation,

    BerriAI, “Litellm documentation,” https://docs.litellm.ai/, 2024

  38. [38]

    VxWorks,

    Wind River, “VxWorks,” https://www.windriver.com/products/vxworks, commercial real-time operating system developed by Wind River

  39. [39]

    About the Zephyr Project,

    Zephyr Project, “About the Zephyr Project,” https://www.zephyrproject. org/, open-source real-time operating system hosted by the Linux Foundation

  40. [40]

    What you corrupt is not what you crash: Challenges in fuzzing embedded devices

    M. Muench, J. Stijohann, F. Kargl, A. Francillon, and D. Balzarotti, “What you corrupt is not what you crash: Challenges in fuzzing embedded devices.” inNDSS, 2018

  41. [41]

    Unicorn: Next generation cpu emulator framework,

    N. A. Quynh and D. H. Vu, “Unicorn: Next generation cpu emulator framework,”BlackHat USA, vol. 476, 2015

  42. [42]

    Ghidra: Software reverse engineering frame- work,

    National Security Agency, “Ghidra: Software reverse engineering frame- work,” https://github.com/NationalSecurityAgency/ghidra, 2019

  43. [43]

    {HALucinator}: Firmware re-hosting through abstraction layer emulation,

    A. A. Clements, E. Gustafson, T. Scharnowski, P. Grosen, D. Fritz, C. Kruegel, G. Vigna, S. Bagchi, and M. Payer, “{HALucinator}: Firmware re-hosting through abstraction layer emulation,” in29th USENIX Security Symposium (USENIX Security 20), 2020, pp. 1201– 1218

  44. [44]

    Avatar: A framework to support dynamic security analysis of embedded systems’ firmwares

    J. Zaddach, L. Bruno, A. Francillon, D. Balzarottiet al., “Avatar: A framework to support dynamic security analysis of embedded systems’ firmwares.” inNDSS, vol. 14, no. 2014, 2014, pp. 1–16

  45. [45]

    Avatar 2: A multi-target orchestration platform,

    M. Muench, D. Nisi, A. Francillon, and D. Balzarotti, “Avatar 2: A multi-target orchestration platform,” inProc. Workshop Binary Anal. Res.(Colocated NDSS Symp.), vol. 18, 2018, pp. 1–11

  46. [46]

    Prospect: peripheral proxying supported embedded code testing,

    M. Kammerstetter, C. Platzer, and W. Kastner, “Prospect: peripheral proxying supported embedded code testing,” inProceedings of the 14 9th ACM symposium on Information, computer and communications security, 2014, pp. 329–340

  47. [47]

    Toward the analysis of embedded firmware through automated re- hosting,

    E. Gustafson, M. Muench, C. Spensky, N. Redini, A. Machiry, Y . Fratan- tonio, D. Balzarotti, A. Francillon, Y . R. Choe, C. Kruegelet al., “Toward the analysis of embedded firmware through automated re- hosting,” in22nd International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2019), 2019, pp. 135–150

  48. [48]

    Device-agnostic firmware execution is possible: A concolic execution approach for peripheral emulation,

    C. Cao, L. Guan, J. Ming, and P. Liu, “Device-agnostic firmware execution is possible: A concolic execution approach for peripheral emulation,” inProceedings of the 36th Annual Computer Security Applications Conference, 2020, pp. 746–759

  49. [49]

    Automatic firmware emula- tion through invalidity-guided knowledge inference,

    W. Zhou, L. Guan, P. Liu, and Y . Zhang, “Automatic firmware emula- tion through invalidity-guided knowledge inference,” in30th USENIX Security Symposium (USENIX Security 21), 2021, pp. 2007–2024

  50. [50]

    Jetset: Targeted firmware rehosting for embedded systems,

    E. Johnson, M. Bland, Y . Zhu, J. Mason, S. Checkoway, S. Savage, and K. Levchenko, “Jetset: Targeted firmware rehosting for embedded systems,” in30th USENIX Security Symposium (USENIX Security 21), 2021, pp. 321–338

  51. [51]

    A friend’s eye is a good mirror: Synthesizing{MCU}peripheral models from peripheral drivers,

    C. Lei, Z. Ling, Y . Zhang, Y . Yang, J. Luo, and X. Fu, “A friend’s eye is a good mirror: Synthesizing{MCU}peripheral models from peripheral drivers,” in33rd USENIX Security Symposium (USENIX Security 24), 2024, pp. 7085–7102

  52. [52]

    Iemu: Interrupt modeling from the logic hidden in the firmware,

    Y . Wei, Y . Wang, L. Zhou, X. Zhou, and Z. Jiang, “Iemu: Interrupt modeling from the logic hidden in the firmware,”Journal of Systems Architecture, vol. 154, p. 103237, 2024

  53. [53]

    What your firmware tells you is not how you should emulate it: A specification-guided approach for firmware emulation,

    W. Zhou, L. Zhang, L. Guan, P. Liu, and Y . Zhang, “What your firmware tells you is not how you should emulate it: A specification-guided approach for firmware emulation,” inProceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, 2022, pp. 3269–3283

  54. [54]

    Fuzzware: Using precise {MMIO}modeling for effective firmware fuzzing,

    T. Scharnowski, N. Bars, M. Schloegel, E. Gustafson, M. Muench, G. Vigna, C. Kruegel, T. Holz, and A. Abbasi, “Fuzzware: Using precise {MMIO}modeling for effective firmware fuzzing,” in31st USENIX Security Symposium (USENIX Security 22), 2022, pp. 1239–1256

  55. [55]

    Ember-io: Effective firmware fuzzing with model-free memory mapped io,

    G. Farrelly, M. Chesser, and D. C. Ranasinghe, “Ember-io: Effective firmware fuzzing with model-free memory mapped io,” inProceedings of the 2023 ACM Asia Conference on Computer and Communications Security, 2023, pp. 401–414

  56. [56]

    {P2IM}: Scalable and hardware- independent firmware testing via automatic peripheral interface model- ing,

    B. Feng, A. Mera, and L. Lu, “{P2IM}: Scalable and hardware- independent firmware testing via automatic peripheral interface model- ing,” in29th USENIX Security Symposium (USENIX Security 20), 2020, pp. 1237–1254

  57. [57]

    Dice: Automatic emulation of dma input channels for dynamic firmware analysis,

    A. Mera, B. Feng, L. Lu, and E. Kirda, “Dice: Automatic emulation of dma input channels for dynamic firmware analysis,” in2021 IEEE Symposium on Security and Privacy (SP). IEEE, 2021, pp. 1938–1954. APPENDIX A. Open Science To support reproducibility, we make the following artifacts publicly available in our anonymous repository: •Source Code.The complete...

  58. [58]

    Adaptive Perception — Firmware Analyst: Prompt Template Role:Embedded Firmware Reverse Engineering Ana- lyst. Goal:Perform deep analysis of firmware rootfs to accurately identify CPU architecture, httpd web server type and configuration, startup script sequences, shared library dependencies, and NVRAM dependencies, pro- ducing a structured JSON analysis r...

  59. [59]

    Reflective Synthesis — Boot Repair Engineer: Prompt Template Role:QEMU Emulation Environment Diagnostic and Repair Engineer. Goal:Analyze QEMU boot failure logs, check rootfs filesystem integrity, identify root cause of boot failure, and immediately execute repairs (supplement missing libraries, fix symbolic links, adjust QEMU parameters) to enable the fi...

  60. [60]

    Goal:Analyze httpd service fault symptoms, accu- rately diagnose fault type, delegate repair tasks to the most appropriate specialist agent, and review repair results

    Autonomous Runtime Intervention — Manager: Prompt Template Role:Firmware Runtime Intervention Commander. Goal:Analyze httpd service fault symptoms, accu- rately diagnose fault type, delegate repair tasks to the most appropriate specialist agent, and review repair results. If repair is incomplete or new issues are discovered, re-delegate to other specialis...

  61. [61]

    Goal:Analyze httpd program crash causes through GDB remote debugging and radare2 reverse engi- neering, and apply fixes using the breakpoint chain accumulation strategy

    Autonomous Runtime Intervention — Crash Expert: Prompt Template Role:Binary Crash Analysis and Repair Expert. Goal:Analyze httpd program crash causes through GDB remote debugging and radare2 reverse engi- neering, and apply fixes using the breakpoint chain accumulation strategy. Backstory:You are an embedded binary reverse en- gineering and debugging expe...

  62. [62]

    Goal:Repair filesystem issues in the QEMU virtual machine: missing files, permission errors, symbolic link corruption, and device node absence

    Autonomous Runtime Intervention — File Expert: Prompt Template Role:Firmware Filesystem Repair Expert. Goal:Repair filesystem issues in the QEMU virtual machine: missing files, permission errors, symbolic link corruption, and device node absence. Backstory:You are an embedded Linux filesystem expert. You are familiar with the filesystem structure of embed...

  63. [63]

    Goal:Repair web-layer issues of the httpd service: HTTP 500/404 errors, CGI script failures, configura- tion file problems, and web content mapping errors

    Autonomous Runtime Intervention — Web Expert: Prompt Template Role:httpd Web Service Content Repair Expert. Goal:Repair web-layer issues of the httpd service: HTTP 500/404 errors, CGI script failures, configura- tion file problems, and web content mapping errors. The httpd process is already running; focus on the web content layer, not binary crashes or n...

  64. [64]

    Goal:Handle failures that cannot be classified into a specific category, comprehensively applying all avail- able tools and expert knowledge bases to diagnose and repair

    Autonomous Runtime Intervention — Generic Expert: Prompt Template Role:Firmware Runtime General-Purpose Repair Ex- pert. Goal:Handle failures that cannot be classified into a specific category, comprehensively applying all avail- able tools and expert knowledge bases to diagnose and repair. Backstory:You are a versatile firmware debugging expert. When oth...

  65. [65]

    Objective:Extract emulation primitives and classify hardware dependencies for QEMU execution

    Adaptive Perception — Firmware Analyst: Prompt Template Input:Extracted firmware root filesystem directory. Objective:Extract emulation primitives and classify hardware dependencies for QEMU execution. Analysis Steps: 1)Architecture & Service Profiling:Parse ELF headers (elf_info) to identify CPU architec- ture, endianness, and libc type. Locate the httpd...

  66. [66]

    Objective:Diagnose QEMU boot failure, apply mini- mal repair, and produce corrected QEMU parameters

    Reflective Synthesis — Boot Repair Engineer: Prompt Template Input:QEMU boot log, rootfs directory path, current QEMU command, architecture. Objective:Diagnose QEMU boot failure, apply mini- mal repair, and produce corrected QEMU parameters. Analysis Steps: 1)Priority Diagnosis:Scan boot log for kernel panic, VFS mount failure, CPU ISA mismatch, or missin...

  67. [67]

    Objective:Diagnose runtime failure type and delegate to the optimal specialist agent

    Autonomous Runtime Intervention — Manager: Prompt Template Input:Service status JSON, httpd startup logs, break- point chain history, Adaptive Perception analysis con- text. Objective:Diagnose runtime failure type and delegate to the optimal specialist agent. Analysis Steps: 1)Log-Tail Priority Analysis:Prioritize errors in thelast linesof the log, as the...

  68. [68]

    Objective:Identify crash root cause via static reverse engineering and bypass failure checks via GDB break- point chain

    Autonomous Runtime Intervention — Crash Expert: Prompt Template Input:Fault info (crash signal or hang detection), httpd binary path, architecture, breakpoint chain his- tory. Objective:Identify crash root cause via static reverse engineering and bypass failure checks via GDB break- point chain. Analysis Steps: 1)Error String Extraction:Extract the last m...

  69. [69]

    Objective:Restore missing or corrupted filesystem resources required by the httpd service

    Autonomous Runtime Intervention — File Expert: Prompt Template Input:Fault info (file missing / permission denied / symlink corruption), rootfs path. Objective:Restore missing or corrupted filesystem resources required by the httpd service. Analysis Steps: 1)Resource Localization:Usefind_filesand read_fileto locate missing files, broken symlinks, or incor...

  70. [70]

    Objective:Diagnose and fix httpd web-layer issues while the binary process is already running

    Autonomous Runtime Intervention — Web Expert: Prompt Template Input:Fault info (HTTP 500/404/empty response), HTTP status code, rootfs path. Objective:Diagnose and fix httpd web-layer issues while the binary process is already running. Analysis Steps: 1)Web Directory Inspection (priority):Verify web root content exists, is non-empty, and con- tains index ...

  71. [71]

    Objective:Handle multi-factor or ambiguous failures that cannot be routed to a single specialist

    Autonomous Runtime Intervention — Generic Expert: Prompt Template Input:Unclassified fault info, full tool access, all expert knowledge bases injected. Objective:Handle multi-factor or ambiguous failures that cannot be routed to a single specialist. Analysis Steps: 1)Cross-Domain Diagnosis:Apply the fault rout- ing knowledge base to classify the problem. ...