├── .gitmodules
├── README.md
└── images
    └── overview.png

--------------------------------------------------------------------------------
/.gitmodules:
--------------------------------------------------------------------------------
[submodule "SplITS-Experiments"]
	path = SplITS-Experiments
	url = https://github.com/SplITS-Fuzzer/SplITS-Experiments
[submodule "fuzzware"]
	path = fuzzware
	url = https://github.com/SplITS-Fuzzer/fuzzware

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# SplITS

SplITS is an automated fuzzing framework focused on solving magic strings in monolithic firmware. We support firmware built for ARM Cortex-M microcontrollers. Our feedback-guided search efficiently identifies the non-contiguous input bytes that are used to form a string, allowing them to be easily replaced. We also include additional coverage instrumentation to ensure that test inputs which load strings of suitable lengths for replacement are saved for further fuzzing.

You can read the full paper on this work, accepted to ESORICS '23, [here](https://arxiv.org/abs/2308.07860).

# Cite Us
```
@inproceedings{splits,
  title     = {{SplITS}: Split Input-to-State Mapping for Effective Firmware Fuzzing},
  author    = {Guy Farrelly and Paul Quirk and Salil S. Kanhere and Seyit Camtepe and Damith C. Ranasinghe},
  booktitle = {Proceedings of the 28th European Symposium on Research in Computer Security (ESORICS)},
  year      = {2023}
}
```

# Installing SplITS
SplITS is implemented on top of Fuzzware and follows a similar installation process. The following commands are provided as an example based on Ubuntu 20.04.

```bash
# install dependencies
sudo apt install python2 python3 automake redis-server tmux cmake clang unzip python3-pip
pip3 install virtualenvwrapper
# check the output of pip3 in case further commands have to be run to configure the environment

# clone SplITS
git clone https://github.com/SplITS-Fuzzer/SplITS

# get submodules
cd SplITS
git submodule update --init --recursive

# compile
cd fuzzware
./install_local.sh
```

# Repository Structure
```
- fuzzware            Main fuzzer implementation, built on the existing Fuzzware framework
- SplITS-Experiments  Repository for SplITS experimentation
  - Crashes           Scripts and inputs for reproduction of newly discovered crashes
  - Fuzzing           Dataset for fuzzing test binaries
  - Images            Miscellaneous items for documentation
  - README            Installation and operating instructions
```

# Instructions
SplITS is driven with Fuzzware-style commands. AFL++ mode with Split Input-To-State is enabled by default.

From a folder with an appropriate config file, run the following commands to start a 24 hour fuzzing campaign:

```bash
workon fuzzware
fuzzware pipeline --run-for 24:00:00
```

More details on interacting with Fuzzware to run and analyse fuzzing campaigns are available [here](https://github.com/fuzzware-fuzzer/fuzzware).

# Overview of SplITS
SplITS allows Split Input-To-State mapping and replacement for non-contiguous strings. In particular, it is focused on string replacement in monolithic firmware fuzzing.

By repeatedly monitoring the contents of memory buffers during execution of mutated test cases, the input byte corresponding to each byte used to form a string can be identified.
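The mapping and replacement step described above, as an added Python model that is not SplITS's or Fuzzware's own code: the firmware stand-in, its tag/value framing and the seed input are constructed for illustration. Each input byte is flipped in turn and the string buffer is diffed against the baseline run, which recovers the non-contiguous input offsets backing the compared string; it also shows why a seed that loads too few bytes into the buffer cannot be solved yet.

```python
MAGIC = b"UNLOCK"  # magic string the constructed firmware model compares against

def firmware_parse(data: bytes) -> bytes:
    """Constructed firmware stand-in: input is a stream of (tag, value) pairs and
    only values tagged 0x01 are copied into the string buffer, so the compared
    string is assembled from non-contiguous input bytes."""
    buf = bytearray()
    for i in range(0, len(data) - 1, 2):
        if data[i] == 0x01:
            buf.append(data[i + 1])
    return bytes(buf)

def map_input_to_state(seed: bytes, run) -> dict:
    """Split input-to-state mapping: mutate one input byte at a time and watch
    which buffer byte changes. Returns {buffer_index: input_offset}."""
    base = run(seed)
    mapping = {}
    for off in range(len(seed)):
        mutated = bytearray(seed)
        mutated[off] ^= 0xFF
        state = run(bytes(mutated))
        if len(state) != len(base):
            continue  # byte steered parsing (e.g. a tag), not a plain data byte
        changed = [j for j in range(len(base)) if state[j] != base[j]]
        if len(changed) == 1:
            mapping[changed[0]] = off
    return mapping

def replace_string(seed: bytes, run, target: bytes):
    """Rewrite the seed so the firmware's buffer holds `target`. Returns None when
    the seed loads too few bytes, which is why inputs that fill the buffer to a
    suitable length have to be kept and extended by the fuzzer first."""
    if len(run(seed)) < len(target):
        return None
    mapping = map_input_to_state(seed, run)
    if any(j not in mapping for j in range(len(target))):
        return None
    out = bytearray(seed)
    for j, ch in enumerate(target):
        out[mapping[j]] = ch
    return bytes(out)

# Constructed seed: tags at even offsets, values at odd offsets; buffer becomes b"ABCDEF".
SEED = b"\x01A\x00Z\x01B\x01C\x00Q\x01D\x01E\x01F"

if __name__ == "__main__":
    print(map_input_to_state(SEED, firmware_parse))  # {0: 1, 1: 5, 2: 7, 3: 11, 4: 13, 5: 15}
    solved = replace_string(SEED, firmware_parse, MAGIC)
    print(solved, firmware_parse(solved) == MAGIC)  # b'\x01U\x00Z\x01N\x01L\x00Q\x01O\x01C\x01K' True
```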

To assist in forming suitable test cases for replacement, we include additional coverage instrumentation that gives feedback to the fuzzer when it discovers inputs that load sufficient data into string buffers used in comparisons.

![SplITS Overview](images/overview.png)

SplITS is built using [AFLplusplus](https://github.com/SplITS-Fuzzer/AFLplusplus) for the fuzzer, and [Fuzzware](https://github.com/SplITS-Fuzzer/fuzzware) for emulation.

# Experiments
Information regarding our experiments and results is made available [here](https://github.com/SplITS-Fuzzer/SplITS-Experiments).

# Found an issue?
If you encounter an issue using SplITS, please open an [issue](https://github.com/SplITS-Fuzzer/SplITS/issues).

--------------------------------------------------------------------------------
/images/overview.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SplITS-Fuzzer/SplITS/b78f98a32196fd0ee4eba8035c880967737a1b29/images/overview.png
--------------------------------------------------------------------------------