Feng, Kai (2026) Fuzzing techniques for automated vulnerability detection in IoT firmware. PhD thesis, University of Glasgow.
Full text available as: PDF (4MB)
Abstract
A security flaw in the firmware of microcontrollers (MCUs) can lead to devastating consequences. Finding and fixing these bugs before deployment is essential because patching them in the field is often difficult, expensive, or impossible. However, standard software testing techniques like fuzzing struggle with embedded firmware due to its tight coupling with specialized hardware, which makes testing slow, inaccurate, and inefficient. This thesis studies two key design choices: where tests run (emulation, Hardware-in-the-Loop (HIL), or on-device) and what feedback and inputs they use (control flow vs. data flow; generic vs. domain-specific). It moves testing from slow emulation to real hardware and replaces simple code coverage with data-flow guidance to drive bug finding. It also measures how new hardware features can prevent whole classes of bugs.
The approach is demonstrated through four linked contributions. First, Sizzler addresses the wasted-input problem by using a deep learning model to generate valid, domain-aware tests for Programmable Logic Controllers (PLCs), so fuzzing effort is not wasted. Second, FuzzRDUCC improves feedback by tracking def-use chains, revealing subtle bugs that edge-based coverage can miss. Third, Hardfuzz brings this data-flow guidance onto real hardware, using hardware breakpoints for fast, consistent testing. Finally, a differential testing framework for MicroPython compares builds with and without architectural memory-safety features from CHERI and shows which bug classes they block.
These results show that firmware testing benefits from hardware-centric, data-flow-guided methods. These approaches yield smarter, domain-aware inputs; feedback that is more informative than edge coverage; and fast, consistent testing on real devices. The thesis also provides clear evidence that architectural memory safety, exemplified by CHERI, can block whole classes of vulnerabilities. In short, the thesis shifts the goal from only finding bugs to also preventing them by design.
| Item Type: | Thesis (PhD) |
|---|---|
| Qualification Level: | Doctoral |
| Subjects: | Q Science > QA Mathematics > QA75 Electronic computers. Computer science |
| Colleges/Schools: | College of Science and Engineering > School of Computing Science |
| Supervisor's Name: | Singer, Professor Jeremy |
| Date of Award: | 2026 |
| Depositing User: | Theses Team |
| Unique ID: | glathesis:2026-85682 |
| Copyright: | Copyright of this thesis is held by the author. |
| Date Deposited: | 15 Jan 2026 11:30 |
| Last Modified: | 15 Jan 2026 14:08 |
| Thesis DOI: | 10.5525/gla.thesis.85682 |
| URI: | https://theses.gla.ac.uk/id/eprint/85682 |
| Related URLs: | |