This repository contains the code for fuzzing experiments described in the paper "What You Corrupt Is Not What You Crash: Challenges in Fuzzing Embedded Devices" [1], which is available here.
In a nutshell, boofuzz is used to fuzz firmware of an embedded device under orchestration by avatar². This allows to deploy simple heuristics to detect memory corruptions as soon the firmware is (partially) emulated, which are implemented as PANDA [2] plugins.
For easy replication, this repository comes with an Vagrant file setting up the
experiments. A simple vagrant up
after cloning this repository should be enough
to create a working environment. However, as automated build-scripts tend to break
every once in a while, we also provide a pre-built vagrant box, which can be obtained
by vagrant init avatar2/ndss18_wycinwyc
. In this case, it is mandatory to
adjust the generated Vagrant file to forward the USB devices to the guest, as done in the
Vagrantfile in this repository.
The fuzzed target is an STM32 Nucleo-L152RE board. This Target is connected to a Yepkit USB Switchable Hub (YKUSH) for being able to reset it programmatically. Additionally, for communication, an usb-to-serial cable is connected to pin PC10 (RX) and PC11 (TX) on the board.
The rest of the repository is organized as following:
-
Vagrantfile and bootstrap.sh are here for automatically creating a vagrantbox, compiling everything making it easy to use, blabla
-
panda_modifications/ has two subdirectories and two files:
- wycinwyc/ - this directory contains is the code for the PANDA plugins implementing the
heuristics described in the paper. The full folder is meant to be copied to
panda/plugins
. - stm32l1xx_usart/ - this contains the source code for an USART peripheral,
usable by QEMU/PANDA, which is needed to enable the full emulation scenario
described in the paper. This implementation is based on QEMU's stm32f2xx_usart-implementation.
Inside PANDA, the header file has to be copied to
include/hw/char/
, and the corresponding c file tohw/char
- avatar-panda/ - this is a reference to the git-repository holding the original avatar-panda code.
- build_panda_wycinwyc.sh - as the name suggests, this script takes care of automatically building PANDA with the wycinwyc modifications.
- wycinwyc/ - this directory contains is the code for the PANDA plugins implementing the
heuristics described in the paper. The full folder is meant to be copied to
-
experiments/ - this folder contains everything required for conducting the experiments
- binaries/ - contains both the elf and binary file of the fuzzed firmware, to be flashed on the target.
- configs/ - contains the OpenOCD configuration for the target.
- sample_trigger/ - trigger inputs for the different corruptions
- scripts/ - contains the various scripts used for fuzzing. The main interface is wycinwyc_fuzzer.py.
- run_experiments.py - runs the experiments with the same settings as described in the paper.
- setup_experiments.sh - sets up the dependencies to run the experiments.
-
target_source/ - Contains the source code for the firmware being fuzzed. A simple
make
inside this directory should build the firmware. The bugs themselves (with exception of the formatstring bug) are all added to the xmlparse.c source file of the expat library.
Happy fuzzing! :)
[1] M. Muench, J. Stijohann, F. Kargl, A. Francillon, D.avide Balzarotti. "What You Corrupt Is Not What You Crash: Challenges in Fuzzing Embedded Devices." Network and Distributed System Security Symposium, San Diego, California, 2018.
[2] B. Dolan-Gavitt, J. Hodosh, P. Hulin, T. Leek, R. Whelan. "Repeatable Reverse Engineering with PANDA." Program Protection and Reverse Engineering Workshop, Los Angeles, California, December 2015.