FIRM-AFL is the first high-throughput greybox fuzzer for IoT firmware.

Related tags

NetworkingFirmAFL
Overview

FIRM-AFL

FIRM-AFL is the first high-throughput greybox fuzzer for IoT firmware. FIRM-AFL addresses two fundamental problems in IoT fuzzing. First, it addresses compatibility issues by enabling fuzzing for POSIX-compatible firmware that can be emulated in a system emulator. Second, it addresses the performance bottleneck caused by system-mode emulation with a novel technique called "augmented process emulation". By combining system-mode emulation and user-mode emulation in a novel way, augmented process emulation provides high compatibility as system-mode emulation and high throughput as user-mode emulation.

Publication

Yaowen Zheng, Ali Davanian, Heng Yin, Chengyu Song, Hongsong Zhu, Limin Sun, “FIRM-AFL: High-throughput greybox fuzzing of IoT firmware via augmented process emulation,” in USENIX Security Symposium, 2019.

Introduction

FIRM-AFL is the first high-throughput greybox fuzzer for IoT firmware. FIRM-AFL addresses two fundamental problems in IoT fuzzing. First, it addresses compatibility issues by enabling fuzzing for POSIX-compatible firmware that can be emulated in a system emulator. Second, it addresses the performance bottleneck caused by system-mode emulation with a novel technique called "augmented process emulation". By combining system-mode emulation and user-mode emulation in a novel way, augmented process emulation provides high compatibility as system-mode emulation and high throughput as user-mode emulation. The overview is show in Figure 1.

Figure 1. Overview of Augmented Process Emulation

 

We design and implement FIRM-AFL, an enhancement of AFL for fuzzing IoT firmware. We keep the workflow of AFL intact and replace the user-mode QEMU with augmented process emulation, and the rest of the components remain unchanged. The new workflow is illustrated in Figure 2.

Figure 2. Overview of FIRM-AFL

Setup

Our system has two parts: system mode and user mode. We compile them separately for now.

User mode

cd user_mode/
./configure --target-list=mipsel-linux-user,mips-linux-user,arm-linux-user --static --disable-werror
make

System mode

cd qemu_mode/DECAF_qemu_2.10/
./configure --target-list=mipsel-softmmu,mips-softmmu,arm-softmmu --disable-werror
make

Usage

  1. Download the Firmdyne repo to the root directory of FirmAFL, then setup the firmadyne according to its instructions including importing its datasheet https://cmu.app.boxcn.net/s/hnpvf1n72uccnhyfe307rc2nb9rfxmjp into database.

  2. Replace the scripts/makeImage.sh with modified one in firmadyne_modify directory.

  3. follow the guidance from firmadyne to generate the system running scripts.

Take DIR-815 router firmware as a example,

cd firmadyne
./sources/extractor/extractor.py -b dlink -sql 127.0.0.1 -np -nk "../firmware/DIR-815_FIRMWARE_1.01.ZIP" images
./scripts/getArch.sh ./images/9050.tar.gz
./scripts/makeImage.sh 9050
./scripts/inferNetwork.sh 9050
cd ..
python FirmAFL_setup.py 9050 mipsel
  1. modify the run.sh in image_9050 directory as following, in order to emulate firmware with our modified QEMU and kernel, and running on the RAM file.

For mipsel,

ARCH=mipsel
QEMU="./qemu-system-${ARCH}"
KERNEL="./vmlinux.${ARCH}_3.2.1" 
IMAGE="./image.raw"
MEM_FILE="./mem_file"
${QEMU} -m 256 -mem-prealloc -mem-path ${MEM_FILE} -M ${QEMU_MACHINE} -kernel ${KERNEL} \ 

For mipseb,

ARCH=mips
QEMU="./qemu-system-${ARCH}"
KERNEL="./vmlinux.${ARCH}_3.2.1" 
IMAGE="./image.raw"
MEM_FILE="./mem_file"
${QEMU} -m 256 -mem-prealloc -mem-path ${MEM_FILE} -M ${QEMU_MACHINE} -kernel ${KERNEL} \
  1. run the fuzzing process

after running the start.py script, FirmAFL will start the firmware emulation, and after the system initialization(120s), the fuzzing process will start. (Maybe you should use root privilege to run it.)

cd image_9050
python start.py 9050

Related Work

Our system is built on top of TriforceAFL, DECAF, AFL, and Firmadyne.

TriforceAFL: AFL/QEMU fuzzing with full-system emulation, https://github.com/nccgroup/TriforceAFL.

DECAF: "Make it work, make it right, make it fast: building a platform-neutral whole-system dynamic binary analysis platform", Andrew Henderson, Aravind Prakash, Lok Kwong Yan, Xunchao Hu, Xujiewen Wang, Rundong Zhou, and Heng Yin, to appear in the International Symposium on Software Testing and Analysis (ISSTA'14), San Jose, CA, July 2014. https://github.com/sycurelab/DECAF.

AFL: american fuzzy lop (2.52b), http://lcamtuf.coredump.cx/afl/.

Firmadyne: Daming D. Chen, Maverick Woo, David Brumley, and Manuel Egele. “Towards automated dynamic analysis for Linux-based embedded firmware,” in Network and Distributed System Security Symposium (NDSS’16), 2016. https://github.com/firmadyne.

Troubleshooting

(1) error: static declaration of ‘memfd_create’ follows non-static declaration

Please see https://blog.csdn.net/newnewman80/article/details/90175033.

(2) failed to find romfile "efi-e1000.rom" when run the "run.sh"

Use the run.sh in FirmAFL_config/9050/ instead.

(3) Fork server crashed with signal 11

Run scripts in start.py sequentially. First run "run.sh", when the testing program starts, run "python test.py", and "user.sh".

(4) For the id "12978", "16116" firmware, since these firmware have more than 1 test case, so we use different image directory name to distinguish them.

Before FirmAFL_setup, 
first, change image directory name image_12978 to image_129780, 
then modify the firmadyne/scratch/12978 to firmadyne/scratch/129780
After that, run python FirmAFL_setup.py 129780 mips
(If you want to test another case for image_12978, you can use image_129781 instead image_129780)
Qobuz-rpc - A simple discord rich presence client for qobuz written in Python

qobuz-rpc A simple discord rich presence client for qobuz written in Python It's

Raphael O. 13 Dec 15, 2022
A repository to spoof ARP table of any devices and successfully establish Man in the Middle(MITM) attack using Python3 in Linux

arp_spoofer A repository to spoof ARP table of any devices and successfully establish Man in the Middle(MITM) attack using Python3 in Linux Usage: git

Surya Das N 1 Oct 30, 2021
GhostVPN - Simple and lightweight TUI application for CyberGhostVPN

GhostVPN Simple and lightweight TUI application for CyberGhostVPN. Screenshot Us

Mehmet Ali KERİMOĞLU 5 Jul 27, 2022
wg-exporter is a simple yet effective Prometheus exporter for Wireguard

wg-exporter wg-exporter is a simple yet effective Prometheus exporter for Wireguard. What are the collected metrics ? General: wg_connected_peers: num

men1n2 3 May 20, 2022
Building a Robust IOT device which is customizable, encrypted, secure and user friendly

Building a Robust IOT device which is customizable, encrypted, secure and user friendly, which uses a single GPIO pin to extract multiple sensor values

1 Jan 03, 2022
Network Engineer's Unified Realtime Automation Library

NEURAL is the premiere CLI jockey replacement full stack web/app/database network automation application, providing a "no-code" web app for network engineers developed by a network engineer!

Brett M Spunt 3 Aug 15, 2022
Using AWS's API Gateway + Lambda + Python to run a simple websocket application. For learning/testing

Using AWS's API Gateway + Lambda + Python to run a simple websocket application. For learning/testing. The AWS Resources seemed overly complex and were missing some critical gotchas in setting up a s

Seth Miller 15 Dec 23, 2022
pureSxS - A tool to export Component Based Servicing packages from a full Windows installation

pureSxS A tool to export Component Based Servicing packages from a full Windows installation. Usage pureSxS.py source_mum destination pureSxS wor

Gamers Against Weed 3 Oct 03, 2022
Connects to databases or sftp server based on configured environmental variables.

Myconnections Connects to Oracle databases or sftp servers depending on configured environmental variables. VERY IMPORTANT: VPN must exist. Installati

0 Jan 02, 2022
Simple client for the Sirah Matisse Commander TCP server.

Simple client for the Sirah Matisse Commander TCP server.

Nelson Darkwah Oppong 1 Nov 02, 2021
Huawei firewall automatically updates Chinese ip to target IP group.

Huawei firewall automatically updates Chinese ip to target IP group.

Lundaa 0 Jan 11, 2022
DataShare - Simple library for data sharing between scripts and public functions calling

DataShare - Simple library for data sharing between scripts and public functions calling. Installation. Install code, Delete LICENSE, README, readme.t

Ivan Perzhinsky. 1 Dec 17, 2021
Minimal, self-hosted, 0-config alternative to ngrok. Caddy+OpenSSH+50 lines of Python.

If you have a webserver running on one computer (say your development laptop), and you want to expose it securely (ie HTTPS) via a public URL, SirTunnel allows you to easily do that.

Anders Pitman 423 Jan 02, 2023
A Simple Web Server made by Python3.

A Simple Web Server made by Python3.

GGN_2015 2 Nov 27, 2021
Linkedin Connection Automation

Why spend an hour+ a week, connecting with the correct people on LinkedIn when you can go for lunch and let your computer do the hard work?

1 Nov 29, 2021
Uses machine learning to scan the similarity of two texts

PlagiarismChecker Uses machine learning to scan the similarity of two documents. End Points: http://localhost:3000/register (create a/c) http://localh

Elvis Chege 2 Aug 10, 2022
Impacket is a collection of Python classes for working with network protocols.

What is Impacket? Impacket is a collection of Python classes for working with network protocols. Impacket is focused on providing low-level programmat

SecureAuth Corporation 10.4k Jan 09, 2023
Easily share folders between VMs.

This package aims to solve the problem of inter-VM file sharing (rather than manual copying) by allowing a VM to mount folders from any other VM's file system (or mounted network shares).

Rudd-O 12 Oct 17, 2022
simple subdomain finder

Subdomain-finder Simple SubDomain finder using python which is easy to use just download and run it Wordlist you can use your own wordlist but here i

AsjadOwO 5 Sep 24, 2021
9SPY: a Windows RAT built in Python using sockets

9SPY 👁‍🗨 9SPY is a Windows RAT built in Python using sockets Features Features will be listed here soon, there are currenly 14 Information This is a

doop 12 Dec 01, 2022