This repository contains the code for fuzzing experiments described in the paper "What You Corrupt Is Not What You Crash: Challenges in Fuzzing Embedded Devices" [1], which is available here.
In a nutshell, boofuzz is used to fuzz the firmware of an embedded device under orchestration by avatar². This makes it possible to deploy simple heuristics, implemented as PANDA [2] plugins, that detect memory corruptions as soon as the firmware is (partially) emulated.
For easy replication, this repository comes with a Vagrantfile setting up the experiments. A simple `vagrant up` after cloning this repository should be enough to create a working environment. However, as automated build scripts tend to break every once in a while, we also provide a pre-built Vagrant box, which can be obtained with `vagrant init avatar2/ndss18_wycinwyc`. In this case, it is mandatory to adjust the generated Vagrantfile to forward the USB devices to the guest, as done in the Vagrantfile in this repository.
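The USB forwarding the generated Vagrantfile needs, as an added example that is not the repository's own Vagrantfile: a VirtualBox provider block that enables USB and adds one filter per device. The vendor/product IDs and the FTDI cable type are assumptions; confirm each with `lsusb` on the host.

```ruby
# Added example (not the repository's own Vagrantfile): VirtualBox USB
# pass-through for the devices the setup needs. The vendor/product IDs are
# assumptions; confirm each one with `lsusb` on the host before using them.
USB_DEVICES = [
  { name: "ST-LINK (Nucleo-L152RE)", vendor: "0x0483", product: "0x374b" },
  { name: "YKUSH",                   vendor: "0x04d8", product: "0xf2f7" },
  { name: "USB-to-serial (FTDI)",    vendor: "0x0403", product: "0x6001" },
].freeze

# One VBoxManage "usbfilter add" argument list per device; the filter index
# must be unique per VM, so it is derived from the device's position.
def usb_filter_args(devices)
  devices.each_with_index.map do |dev, index|
    ["usbfilter", "add", index.to_s, "--target", :id,
     "--name", dev[:name],
     "--vendorid", dev[:vendor], "--productid", dev[:product]]
  end
end

# Vagrant only: guarded so the helper above can also be loaded outside vagrant.
if defined?(Vagrant)
  Vagrant.configure("2") do |config|
    config.vm.box = "avatar2/ndss18_wycinwyc"
    config.vm.provider "virtualbox" do |vb|
      vb.customize ["modifyvm", :id, "--usb", "on"]   # enable the USB controller
      usb_filter_args(USB_DEVICES).each { |args| vb.customize args }
    end
  end
end
```

After `vagrant up`, `lsusb` inside the guest should list all three devices; if one is missing, the filter IDs are the first thing to check.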
The fuzzed target is an STM32 Nucleo-L152RE board. This target is connected to a Yepkit USB Switchable Hub (YKUSH) so that it can be reset programmatically. Additionally, for communication, a USB-to-serial cable is connected to pins PC10 (RX) and PC11 (TX) on the board.
The rest of the repository is organized as follows:
Vagrantfile and bootstrap.sh - automatically create the Vagrant box and compile everything needed, so the setup is easy to use.
panda_modifications/ - has two subdirectories and two files: `panda/plugins`, `include/hw/char/`, and the corresponding C file for `hw/char`.
experiments/ - contains everything required for conducting the experiments.
target_source/ - contains the source code for the firmware being fuzzed. A simple `make` inside this directory should build the firmware. The bugs themselves (with the exception of the format string bug) are all added to the xmlparse.c source file of the expat library.
Happy fuzzing! :)
[1] M. Muench, J. Stijohann, F. Kargl, A. Francillon, D. Balzarotti. "What You Corrupt Is Not What You Crash: Challenges in Fuzzing Embedded Devices." Network and Distributed System Security Symposium, San Diego, California, 2018.
[2] B. Dolan-Gavitt, J. Hodosh, P. Hulin, T. Leek, R. Whelan. "Repeatable Reverse Engineering with PANDA." Program Protection and Reverse Engineering Workshop, Los Angeles, California, December 2015.