Emulation-based fuzzers enable testing binaries without source code and facilitate testing embedded applications where automated execution on the target hardware architecture is difficult and slow. The instrumentation techniques added to extract feedback and guide input mutations towards generating effective test cases is at the core of modern fuzzers. But, modern emulation-based fuzzers have evolved by re-purposing general-purpose emulators; consequently, developing and integrating fuzzing techniques, such as instrumentation methods, is difficult and often added in an ad-hoc manner, specific to an instruction set architecture (ISA). This limits state-of-the-art fuzzing techniques to a few ISAs such as x86/x86-64 or ARM/AArch64; a significant problem for \textit{firmware fuzzing} of diverse ISAs.

This study presents our efforts to \textit{re-think emulation for fuzzing}. We design and implement a fuzzing-specific, multi-architecture emulation framework—{\sc Icicle}. We demonstrate the capability to add instrumentation once, in an \textit{architecture agnostic} manner, with low execution overhead.
We employ {\sc Icicle} as the emulator for a state-of-the-art ARM firmware fuzzer—{\sc Fuzzware}—and replicate results. Significantly, we demonstrate the availability of new instrumentation in {\sc Icicle} enabled the discovery of new bugs. We demonstrate the fidelity of {\sc Icicle} and efficacy of architecture agnostic instrumentation by discovering bugs in benchmarks that require a known and \textit{specific} operational capability of instrumentation techniques, \textit{across a diverse set of instruction set architectures} (x86-64, ARM/AArch64, RISC-V, MIPS). Further, to demonstrate the effectiveness of {\sc Icicle} to discover bugs in a currently \textit{unsupported} architecture in emulation-based fuzzers, we perform a fuzzing campaign with real-world firmware binaries for Texas Instruments' MSP430 ISA and discovered 7 new bugs.