User-Space Dependency-Aware Rehosting for Linux-Based Firmware Binaries

Firmware rehosting is a fundamental emulation technique that enables dynamic analysis of firmware binaries at scale. Successfully rehosting Linux-based firmware services requires proper emulation of both system-level functionalities like device interfaces and user-space dependencies such as configuration files, inter-process communications. However, existing solutions inadequately leverage user-space knowledge. The init routine, which is the first user-space process sets up operating environments, is often incompletely executed, leading to incomplete initialization. Besides, all emulation failures are treated uniformly, failing to distinguish between direct system-level emulation issues and their indirect effects on user-space dependencies. To fill this gap, we developed FIRMWELL, a framework which first models firmware rehosting as the coordinated emulation of both the target binary and its user-space dependencies. It first rehosts the init routine for environment construction and then launches the target, which is a procedure that typically involves more than one hundred processes. When emulation failures occur, FIRMWELL identifies the blocking process, analyzes incorrectly emulated resources, and applies targeted fixes. The key strategy is to address user-space dependency failures by correcting the underlying system-level emulation errors, while employing program analysis for precise resource value inference. In evaluation of 14,049 firmware images, FIRMWELL successfully rehosted 6,490 services, outperforming state-of-the-art by 1.6 - 8x (3,581 for FirmAE, 3,962 for Greenhouse, and 810 for Pandawan), while reducing average rehosting time by 1.8 - 8.4x (12 vs. 22, 74, and 101 minutes). FIRMWELL was applied to fuzz 1,043 firmware images, uncovering 67 zero-day vulnerabilities with ten assigned CVE identifiers.