A list of helpful fuzzing tools and research materials for embedded applications can be found in this repository.
All resources are alphabetically organized and labeled, making it simple to locate them simply searching one item from the index on the entire page (with CTRL+F). The ones not having a link attached are present in the documents/ folder.
| Paper Title | Abstract | Venue | Publication Date |
|---|---|---|---|
| JetSet | Click to see the abstract!The ability to execute code in an emulator is a fundamental part of modern vulnerability testing. Unfortunately, this poses a challenge for many embedded systems, where firmware expects to interact with hardware devices specific to the target. Getting embedded system firmware to run outside its native environment, termed rehosting, requires emulating these hardware devices with enough accuracy to convince the firmware that it is executing on the target hardware. However, full fidelity emulation of target devices (which requires considerable engineering effort) may not be necessary to boot the firmware to a point of interest for an analyst (for example, a point where fuzzer input can be injected). We hypothesized that, for the firmware to boot successfully, it is sufficient to emulate only the behavior expected by the firmware, and that this behavior could be inferred automatically. To test this hypothesis, we developed and implemented Jetset, a system that uses symbolic execution to infer what behavior firmware expects from a target device. Jetset can generate devices models for hardware peripherals in C, allowing an analyst to boot the firmware in an emulator (e.g., QEMU). We successfully applied Jetset to thirteen distinct pieces of firmware together representing three architectures, three application domains (power grid, avionics, and consumer electronics), and five different operating systems. We also demonstrate how Jetset-assisted rehosting facilitates fuzztesting, a common security analysis technique, on an avionics embedded system, in which we found a previously unknown privilege escalation vulnerability |
USENIX 2021 | 2021 |
| SoK: Enabling Security Analyses of Embedded Systems via Rehosting | Click to see the abstract!Closely monitoring the behavior of a software system during its execution enables developers and analysts to observe, and ultimately understand, how it works. This kind of dynamic analysis can be instrumental to reverse engineering, vulnerability discovery, exploit development, and debugging. While these analyses are typically wellsupported for homogeneous desktop platforms (e.g., x86 desktop PCs), they can rarely be applied in the heterogeneous world of embedded systems. One approach to enable dynamic analyses of embedded systems is to move software stacks from physical systems into virtual environments that sufficiently model hardware behavior. This process which we call “rehosting” poses a significant research challenge with major implications for security analyses. Although rehosting has traditionally been an unscientific and ad-hoc endeavor undertaken by domain experts with varying time and resources at their disposal, researchers are beginning to address rehosting challenges systematically and in earnest. In this paper, we establish that emulation is insufficient to conduct large-scale dynamic analysis of real-world hardware systems and present rehosting as a firmwarecentric alternative. Furthermore, we taxonomize preliminary rehosting efforts, identify the fundamental components of the rehosting process, and propose directions for future research. |
ASIACCS 2021 | 2021 |
- AFL
- Description: state-of-the-art fuzzer
- Type:
- Purpose:
- AFL++
- Description: state-of-the-art fuzzer
- Type:
- Purpose:
- afl-unicorn
- Description: AFL-based fuzzer integrated with Unicorn
- Type:
- Purpose:
- afl-unicorn: Fuzzing Arbitrary Binary Code
- Description: tutorial for afl-unicorn
- Type:
- Purpose:
- afl-unicorn: Part 2 Fuzzing the ‘Unfuzzable’
- Description: tutorial for afl-unicorn
- Type:
- Purpose:
- AFLGo
- Description: directed fuzzer
- Type:
- Purpose:
- Analyzing a buffer overflow in the DLINK DIR-645 with Qiling framework, Part I
- Description: reverse enginerring for DLINK DIR645
- Type:
- Purpose:
- Analyzing a buffer overflow in the DLINK DIR-645 with Qiling framework, Part II
- Description: reverse enginerring for DLINK DIR645
- Type:
- Purpose:
- Analyzing Programs with Z3
- Description: symbolic execution with Z3
- Type:
- Purpose:
- angr
- Description: binary analysis platform
- Type:
- Purpose:
- Avatar2
- Description: dynamic analysis of embedded devices' firmware!
- Type:
- Purpose:
- Awesome list for directed-fuzzing
- Description: awesome list for directed-fuzzing
- Type:
- Purpose:
- Capstone
- Description: disassembly platform
- Type:
- Purpose:
- DICE
- Description: nan
- Type:
- Purpose:
- Firmware Rehosting Community
- Description: firmware Rehosting Community
- Type:
- Purpose:
- FIT IoT-LAB
- Description: nan
- Type:
- Purpose:
- Google FuzzBench
- Description: benchmark for fuzzers
- Type:
- Purpose:
- GynvaelEN - Hacking Livestream #17: Basics of fuzzing
- Description: fuzzing 101 tutorial
- Type:
- Purpose:
- GynvaelEN - Hacking Livestream #18: Genetic fuzzing
- Description: fuzzing 101 tutorial
- Type:
- Purpose:
- GynvaelEN - Hacking Livestream #19: Genetic fuzzing
- Description: fuzzing 101 tutorial
- Type:
- Purpose:
- Hack In The Box Security Conference - VIRTUAL LAB: Qiling Framework: Build a Fuzzer Based on a 1day Bug - Lau Kai Jern
- Description: workshop about Qiling (emulator)
- Type:
- Purpose:
- hal-fuzz
- Description: embedded fuzzer based in HALucinator
- Type:
- Purpose:
- HALucinator
- Description: nan
- Type:
- Purpose:
- JetSet
- Description: presentation for Jetset
- Type:
- Purpose:
- JetSet
- Description: repository for JetSet
- Type:
- Purpose:
- LAVA
- Description: benchmark for fuzzers
- Type:
- Purpose:
- LIEF
- Description: library to do binary instrumentation
- Type:
- Purpose:
- Maat
- Description: symbolic execution framework
- Type:
- Purpose:
- Magma
- Description: benchmark for fuzzers
- Type:
- Purpose:
- NDC Conferences - Fuzzing with AFL - Erlend Oftedal
- Description: fuzzing 101 tutorial
- Type:
- Purpose:
- ndss18_wycinwyc
- Description: fuzzing experiments from the paper "What You Corrupt Is Not What You Crash: Challenges in Fuzzing Embedded Devices"
- Type:
- Purpose:
- P2IM
- Description: nan
- Type:
- Purpose:
- Practical Binary Analysis. Build Your Own Linux Tools for Binary Instrumentation, Analysis, and Disassembly
- Description: book with example and approaches for binary analysis
- Type:
- Purpose:
- Pretender
- Description: nan
- Type:
- Purpose:
- ProFuzzBench
- Description: benchmark for fuzzers focused on network protocols
- Type:
- Purpose:
- Qemu
- Description: nan
- Type:
- Purpose:
- Qiling
- Description: nan
- Type:
- Purpose:
- Renode
- Description: nan
- Type:
- Purpose:
- S2E
- Description: symbolic execution
- Type:
- Purpose:
- STÖK - Fuzzing for Beginners
- Description: fuzzing 101 tutorial
- Type:
- Purpose:
- Symbolic Execution Summary
- Description: presentation on Symbolic Execution
- Type:
- Purpose:
- The fuzzing book
- Description: book with practical examples about fuzzing
- Type:
- Purpose:
- Triforce-AFL
- Description: AFL/QEMU fuzzing with full-system emulation.
- Type:
- Purpose:
- Triton
- Description: symbolic execution
- Type:
- Purpose:
- Unicorn
- Description: nan
- Type:
- Purpose:
- unicornafl
- Description: AFL-based fuzzer integrated with Unicorn
- Type:
- Purpose:
- Z3 - SMT solver
- Description: symbolic execution
- Type:
- Purpose:
- Edit the
resources.csvfile. - Push the changes into the GitHub repository.
- Wait for the GitHub action to automatically recompile
README.md.
The template is inspired from this repository.