intel / tsffs

A snapshotting, coverage-guided fuzzer for software (UEFI, Kernel, firmware, BIOS) built on SIMICS
https://intel.github.io/tsffs/
Apache License 2.0
277 stars 18 forks

Can tsffs fuzz the closed-source UEFI firmware like ASUS or HP? #95

Closed: lovelxc closed this 4 months ago

lovelxc commented 4 months ago

As the title mentions.

novafacing commented 4 months ago

Ostensibly, this is possible. In practice, there are several challenges to get closed-source firmware running in the simulator. I'll make this reply as detailed as I can, because I have had this question from others and a detailed reply will be helpful to point them to as well.

Let's take a case study:

  1. Create a project: `ispm projects msi-test --create 1000-latest 1030-latest 2096-latest 4094-latest 8112-latest`
  2. Download BIOS 7E06vAD2 from https://www.msi.com/Motherboard/PRO-Z790-P/support
  3. Extract `7E06vAD2.zip` into `msi-test`
  4. Untar `scripts.tar.gz` in `msi-test` (should create `targets/qsp-x86/qsp-custom.target.yml` and `targets/qsp-x86/qsp-custom.target.yml.include`)
  5. Run `./simics`
  6. In the CLI, run `load-target qsp-x86/qsp-custom machine:hardware:processor:class = x86-glc` (GLC is required to get a modern core, otherwise we will triple fault with an MSR fault almost immediately)
  7. Continue simulation with `continue`

The system won't crash, but it also won't boot. We'll get a bunch of "Illegal vector 5" spec violations, and the BIOS will spinlock (presumably waiting for some data/exception from the chipset which never arrives).

Basically, the public QSP-x86 package (2096) provides:

These are the critical board components of the X58-family motherboards (there actually are physical motherboards in this family like from MSI), which the open source SimicsOpenBoardPkg provides firmware support for. To boot a BIOS for a different platform/chipset, we need simulated hardware for that platform/chipset (along with a BIOS, which we would download from the manufacturer website or extract from a board).

Thus, there are two directions to approach this problem:

Likely, a combination of both would be needed for this to work. To get an idea of the difficulty of this problem, take a look at the datasheet for the X58 chipset. Not all the features will need to be modeled to bring up the software you want to fuzz, but some definitely do. This is quite similar to the process required to bring up a BIOS in QEMU.

Also take a look at `simics-qsp-x86-*/src/components/x58-ich10-comp/x58_ich10.py` in your installation, which contains some implementation of the board.

TL;DR: Not without a good amount of work, and we will not officially support or help with this use case, but it should theoretically be possible.

novafacing commented 4 months ago

I should note that if anyone who works at a vendor, OEM, etc. and can obtain commercial access to models is asking this, this answer does not apply to you, and this is possible. If your board has a model, software on it can be fuzzed. Please email us instead ;)