How It Works
Metalware emulates your firmware’s CPU and memory in software, so no physical hardware is needed. You upload a binary, and Metalware does the rest.
Emulation
Metalware runs your firmware on an emulated ARM Cortex-M processor. The emulator executes real machine code, including interrupt handlers and startup routines, just as the firmware would execute on physical hardware.
Automatic Peripheral Modeling
Firmware communicates with peripherals (UART, SPI, Bluetooth, etc.) through memory-mapped I/O (MMIO). Since no real peripherals are present, Metalware’s fuzzer supplies values at each MMIO address. Each address gets its own independent input stream, so the fuzzer can learn which values drive the firmware deeper into its code paths.
Metalware also automatically detects DMA buffers and fuzzes those independently.
Coverage-Guided Fuzzing
The fuzzer generates inputs and tracks which basic blocks the firmware executes. Inputs that reach new code are kept and mutated further. Over time, this builds up a corpus of inputs that exercises a large portion of the firmware.
Defect Detection
When the fuzzer triggers a crash (e.g., an out-of-bounds write, null pointer dereference, or stack overflow), Metalware captures it as a defect with a full stack trace, root cause analysis, and proof-of-concept input. Every defect is fully reproducible with time-travel debugging, so you can step forward and backward through execution to understand exactly what happened.
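The three ideas above (one independent input stream per MMIO address, keeping only inputs that reach new basic blocks, and recording each crash with a replayable proof-of-concept input) fit in a small self-contained Python model. It is added here as an illustration and is not Metalware's code: the MMIO addresses, the basic-block labels, the toy firmware and its planted unchecked-length bug are all constructed for the example, and a Python IndexError stands in for the emulator's memory-access check.

```python
import random

# Constructed MMIO addresses for the toy firmware below (assumptions for
# this example, not addresses of any real device and not from Metalware).
UART_STATUS = 0x40000000
UART_DATA = 0x40000004
SPI_DATA = 0x40001000


class MMIOStreams:
    """One independent fuzzer-controlled input stream per MMIO address.

    Each read of an address consumes the next byte of that address's own
    stream; an exhausted (or unknown) address reads as 0, a quiet peripheral.
    """

    def __init__(self, streams):
        self.streams = {addr: list(data) for addr, data in streams.items()}
        self.pos = {}

    def read(self, addr):
        p = self.pos.get(addr, 0)
        self.pos[addr] = p + 1
        data = self.streams.get(addr, [])
        return data[p] if p < len(data) else 0


def firmware(mmio, trace):
    """Toy firmware: a UART command handler that copies a payload into a fixed
    8-byte buffer without checking the peripheral-supplied length (the planted
    bug). `trace` records basic-block labels in execution order."""
    buf = bytearray(8)
    trace.append("reset")
    if (mmio.read(UART_STATUS) & 0x01) == 0:    # RX-ready bit clear
        trace.append("uart_idle")
        return
    trace.append("uart_ready")
    cmd = mmio.read(UART_DATA)
    if (cmd >> 4) == 0xA:                       # command class: write payload
        trace.append("cmd_write")
        length = mmio.read(UART_DATA)           # unchecked length byte
        for i in range(length):
            buf[i] = mmio.read(SPI_DATA)        # IndexError past index 7 = OOB write
        trace.append("cmd_write_done")
    elif (cmd >> 4) == 0x5:
        trace.append("cmd_status")
    else:
        trace.append("cmd_unknown")


def run(streams):
    """Execute the firmware once against the given per-address streams.
    Returns (trace, crash_reason); the IndexError models the emulator's
    memory checker flagging a write outside the buffer."""
    trace = []
    try:
        firmware(MMIOStreams(streams), trace)
        return trace, None
    except IndexError:
        return trace, "out-of-bounds write in firmware buffer"


def mutate(streams, rng):
    """Mutate exactly one address's stream: overwrite, drop or append a byte."""
    child = {addr: list(data) for addr, data in streams.items()}
    data = child[rng.choice(sorted(child))]
    op = rng.randrange(3)
    if op == 0 and data:
        data[rng.randrange(len(data))] = rng.randrange(256)
    elif op == 2 and data:
        del data[rng.randrange(len(data))]
    else:
        data.append(rng.randrange(256))
    return child


def fuzz(iterations=20000, seed=7):
    """Coverage-guided loop: a child joins the corpus only if it executes a
    basic block no earlier input reached; each distinct crash (same reason and
    same trace) is recorded once with its proof-of-concept input."""
    rng = random.Random(seed)
    seed_input = {UART_STATUS: [0], UART_DATA: [0], SPI_DATA: [0]}
    corpus = [seed_input]
    trace, _ = run(seed_input)
    covered = set(trace)
    defects, seen = [], set()
    for _ in range(iterations):
        child = mutate(rng.choice(corpus), rng)
        trace, crash = run(child)
        if crash is not None and (crash, tuple(trace)) not in seen:
            seen.add((crash, tuple(trace)))
            defects.append({"reason": crash, "trace": trace, "input": child})
        if set(trace) - covered:
            covered |= set(trace)
            corpus.append(child)
    return covered, corpus, defects


if __name__ == "__main__":
    covered, corpus, defects = fuzz()
    print("blocks covered:", sorted(covered))
    print("corpus size:", len(corpus), "distinct defects:", len(defects))
    for d in defects:
        print(d["reason"], "trace:", d["trace"],
              "replay reproduces it:", run(d["input"])[1] == d["reason"])
```

Because every peripheral value comes from a deterministic per-address stream, replaying a defect's recorded input reproduces the same trace and the same crash, which is what makes the proof-of-concept input useful for root-cause work. The mutator is deliberately naive (no comparison feedback, no dictionary), so the only thing steering it toward the deep `cmd_write` path is the new-block feedback.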
Ready to try it? See Starting a New Analysis.