USENIX Security 2026
Khost: KVM-based Near Native MCU Firmware Rehosting
Chunlin Wang, Yicheng Yang, Yuan Zhang, Haoyu Xiao, Yifan Zhang, Jiarun Dai
Abstract
Microcontroller Unit (MCU)-based devices constitute a critical layer of the Internet of Things (IoT) infrastructure, so ensuring their security is of paramount importance. Rehosting-based dynamic MCU firmware analysis is an effective approach to securing these devices. However, existing rehosting frameworks commonly suffer from substantial performance overhead due to emulation, or from a diminished execution scope. To address these limitations, we propose Khost, a near-native, scope-preserving rehosting framework. It extends KVM by introducing a lightweight extended CPU, an auxiliary page table, and a software-based interrupt controller, enabling MCU firmware to be rehosted on high-performance platforms with minimal overhead. It also provides a memory-mapped I/O (MMIO) monitor for quick peripheral interactions and a wrapper for firmware to enable coverage collection and configure existing fuzzing engines flexibly. Evaluations on two standard benchmarks show that Khost reduces overhead by 90.0% to 95.5% for complex computational tasks and by up to 98.5% for MCU system-level operations, compared to QEMU. Furthermore, fuzzing 12 real-world firmware with Khost achieves up to 197.5× higher throughput and improves basic block coverage by 6× compared to existing fuzzing tools. Additionally, Khost successfully uncovers 5 previously unknown bugs.

[Table row fragment: ⑤ KVM-based Emulator + Peripheral Model | Khost | high | medium | high]

Kernel-based Virtual Machine [27], or KVM, is a hardware-assisted virtualization technology for general-purpose processors that enables near-native execution performance. Many modern 64-bit ARM high-performance processors support KVM and provide backward compatibility with 32-bit operation, allowing them to execute most of the operations typically found in MCUs. Therefore, we can leverage KVM to efficiently rehost MCU firmware on high-performance processors while preserving the original firmware behavior.
First, the absence of an MMU in MCUs significantly undermines KVM's correctness and performance in memory handling. Second, the instruction set profiles used by MCUs and high-performance processors are incompatible, hindering the direct execution of MCU firmware on KVM. Third, the Nested Vectored Interrupt Controller (NVIC), which is essential for managing asynchronous events in MCUs, is not supported on high-performance platforms. Finally, the lack of built-in instrumentation for coverage collection and of efficient peripheral interaction mechanisms significantly impedes the effectiveness of fuzzing MCU firmware under KVM.

In this paper, we present Khost, a near-native and scope-preserving MCU firmware rehosting framework based on KVM, which enables MCU firmware to be rehosted on high-performance ARM platforms. Khost addresses the above challenges through the following components: (1) an auxiliary page table, which creates a virtual MMU to bridge the memory management differences between MCUs and high-performance processors; (2) an extended CPU, for handling MCU-specific operations with minimal overhead; (3) a software-based NVIC, which allows MCU asynchronous events to be correctly processed during execution; (4) an MMIO Monitor, for configuring existing peripheral models and providing quick peripheral interactions; (5) a wrapper for firmware to enable coverage collection and configure existing fuzzing engines flexibly.

We evaluate the rehosting performance of Khost with benchmark workloads from CoreMark-PRO [13] and Simbench [59]. The results demonstrate that Khost reduces overhead by 90.0% to 95.5% on complex computational tasks compared to QEMU under the same test environment. It also achieves up to a 98.5% reduction in overhead when performing system-level operations. Furthermore, we assess the performance of fuzzing with Khost on 12 real-world firmware.
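To make components (3) and (4) concrete, the following toy model, added here as an illustration and not taken from Khost's code base, shows how a software NVIC can be driven from trapped guest MMIO stores and how it arbitrates pending interrupts on a host that has no NVIC of its own. The register offsets are the standard Cortex-M NVIC ones; the `soft_nvic` structure, function names and single-bank (32 IRQ) limit are assumptions of this example, and priority sub-grouping (PRIGROUP) is left out.

```c
#include <stdint.h>
#include <stdbool.h>

/* Toy software NVIC for a Cortex-M guest on a host that has none (added illustration, not Khost's code). */
#define NVIC_IRQS 32
#define NVIC_ISER 0xE000E100u   /* Interrupt Set-Enable */
#define NVIC_ICER 0xE000E180u   /* Interrupt Clear-Enable */
#define NVIC_ISPR 0xE000E200u   /* Interrupt Set-Pending */
#define NVIC_ICPR 0xE000E280u   /* Interrupt Clear-Pending */
#define NVIC_IPR  0xE000E400u   /* Priority, one byte per IRQ, lower value = more urgent */

struct soft_nvic {
    uint32_t enabled, pending;
    uint8_t prio[NVIC_IRQS];        /* whole byte kept; real parts implement only the top bits */
    int active[NVIC_IRQS], depth;   /* stack of IRQs being serviced, innermost last */
};

/* Guest store into the NVIC block, as an MMIO monitor would receive it after a KVM MMIO exit.
 * Returns false when the address is not ours, so another peripheral model may claim it. */
bool nvic_mmio_write(struct soft_nvic *n, uint32_t addr, uint32_t val) {
    switch (addr) {
    case NVIC_ISER: n->enabled |=  val; return true;
    case NVIC_ICER: n->enabled &= ~val; return true;
    case NVIC_ISPR: n->pending |=  val; return true;
    case NVIC_ICPR: n->pending &= ~val; return true;
    }
    if (addr >= NVIC_IPR && addr + 4 <= NVIC_IPR + NVIC_IRQS && (addr & 3) == 0) {
        for (int i = 0; i < 4; i++)   /* one 32-bit IPR word carries four IRQ priorities */
            n->prio[addr - NVIC_IPR + i] = (uint8_t)(val >> (8 * i));
        return true;
    }
    return false;
}

/* Most urgent pending+enabled IRQ that may preempt the innermost active one, else -1. */
int nvic_next_irq(const struct soft_nvic *n) {
    uint32_t ready = n->pending & n->enabled;
    int best = -1;
    for (int i = 0; i < NVIC_IRQS; i++)
        if (((ready >> i) & 1u) && (best < 0 || n->prio[i] < n->prio[best])) best = i;
    if (best >= 0 && n->depth > 0 && n->prio[best] >= n->prio[n->active[n->depth - 1]]) return -1;
    return best;
}

/* Deliver the winner: clear its pending bit and push it active (a rehoster would now inject it into the vCPU). */
int nvic_take(struct soft_nvic *n) {
    int irq = nvic_next_irq(n);
    if (irq >= 0) { n->pending &= ~(1u << irq); n->active[n->depth++] = irq; }
    return irq;
}

/* Guest handler returned: pop the innermost active IRQ so lower-urgency ones become deliverable again. */
void nvic_retire(struct soft_nvic *n) { if (n->depth > 0) n->depth--; }
```

With IRQ 5 at priority 0x20 and IRQ 3 at priority 0, IRQ 3 preempts a running IRQ 5, while a re-pended IRQ 5 is held back until both handlers have returned.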
The results show up to a 197.5× improvement in fuzzing throughput and a 6× increase in basic block coverage compared to HALucinator [11], as well as 68.6× and up to 3.4× improvements, respectively, over Fuzzware [50]. In all, Khost successfully uncovers 5 previously unknown bugs.

In summary, we make the following contributions:

• We design a near-native, scope-preserving rehosting framework that extends KVM to rehost MCU firmware on high-performance ARM platforms, while enabling coverage collection, rapid peripheral interactions, and flexible configuration of existing fuzzing engines.

• We implement our approach in a prototype tool called Khost. Its source code is publicly available at: https://github.com/seclab-fudan/Khost