Stateful Embedded Fuzzing with Peripheral-Accurate SystemC Virtual Prototypes

TL;DR

This paper introduces a framework combining AFL++ with SystemC-TLM virtual prototypes to enable realistic, effective fuzzing of embedded software with accurate peripheral modeling.

Contribution

It presents a novel integration of fuzzing with full-system simulation, improving peripheral realism and testing effectiveness for embedded systems.

Findings

Eliminates false positives in embedded fuzzing.

Maintains comparable code coverage to existing tools.

Achieves realistic peripheral interactions during fuzzing.

Abstract

The increasing complexity of embedded software has made comprehensive manual testing impractical, motivating the use of automated techniques such as fuzzing. Coverage-guided fuzzers like AFL++ have shown strong results for conventional software but remain challenging to apply effectively in embedded contexts, where peripheral behaviors play critical roles. Existing approaches either use fast user-mode simulators, sacrificing peripheral realism, or rely on full-system simulators with manual instrumentation, limiting applicability to large-scale software. In this work, we present a novel framework that integrates AFL++ with a stateful SystemC-TLM virtual prototype to enable realistic fuzzing of embedded software. Fuzzer-generated inputs are injected directly into peripheral models, allowing peripherals to trigger natural side effects such as interrupts and FIFO updates. By integrating fuzzing with full-system simulation, our framework advances the effectiveness of pre-silicon testing for embedded systems. Results on embedded workloads show that our approach eliminates false positives while maintaining comparable code coverage and execution performance as state-of-the-art tools.