├── .github
│   └── workflows
│       └── recompile_readme.yaml
├── .gitignore
├── README.md
├── README.md.template
├── compilation_script
│   ├── compile.py
│   └── requirements.txt
├── papers.csv
└── resources.csv

/.github/workflows/recompile_readme.yaml:
--------------------------------------------------------------------------------
name: Recompile README.md
on:
  push:
    branches:
      - main
    paths:
      - "resources.csv"
      - "papers.csv"

jobs:
  build:
    runs-on: ubuntu-latest
    steps:

      - name: Checkout the repository content
        uses: actions/checkout@v2

      - name: Use Python 3.9
        uses: actions/setup-python@v2
        with:
          python-version: "3.9"

      - name: Install the required packages
        working-directory: ./compilation_script
        run: |
          python -m pip install --upgrade pip
          pip install -r requirements.txt

      - name: Execute the Python script
        working-directory: ./compilation_script
        run: python compile.py

      - name: Commit the changes
        run: |
          git config --local user.email "action@github.com"
          git config --local user.name "GitHub Action"
          git add -A
          git commit -m "Recompiles README.md" -a

      - name: Push the commit
        uses: ad-m/github-push-action@v0.6.0
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          branch: main
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
credentials.json
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Awesome Embedded Fuzzing

![Last Update](https://img.shields.io/github/last-commit/andreia-oca/awesome-embedded-fuzzing)

---

- [Description](#description)
- [Labels Indexes](#labels-indexes)
  - [By Type](#by-type)
  - [By Purpose](#by-purpose)
- [Papers](#papers)
- [Resources](#resources)
- [Contribution](#contribution)
- [Credits](#credits)

---

## Description

A **list of helpful fuzzing tools and research materials** for embedded applications can be found in this repository.

All resources are alphabetically organized and labeled, so an item can be located by picking one label from the index and searching for it across the entire page (with `CTRL+F`). The ones without an attached link are present in the `documents/` folder.

## Labels Indexes

### By Type

- ![Type: awesome](https://img.shields.io/badge/Type-awesome-lightgrey)
- ![Type: benchmark](https://img.shields.io/badge/Type-benchmark-lightgrey)
- ![Type: blog%20post](https://img.shields.io/badge/Type-blog%20post-lightgrey)
- ![Type: book](https://img.shields.io/badge/Type-book-lightgrey)
- ![Type: code%20snippets](https://img.shields.io/badge/Type-code%20snippets-lightgrey)
- ![Type: community](https://img.shields.io/badge/Type-community-lightgrey)
- ![Type: demo](https://img.shields.io/badge/Type-demo-lightgrey)
- ![Type: emulator](https://img.shields.io/badge/Type-emulator-lightgrey)
- ![Type: library](https://img.shields.io/badge/Type-library-lightgrey)
- ![Type: presentation](https://img.shields.io/badge/Type-presentation-lightgrey)
- ![Type: reverse%20engineering](https://img.shields.io/badge/Type-reverse%20engineering-lightgrey)
- ![Type: testbed](https://img.shields.io/badge/Type-testbed-lightgrey)
- ![Type: tool](https://img.shields.io/badge/Type-tool-lightgrey)
- ![Type: tutorial](https://img.shields.io/badge/Type-tutorial-lightgrey)
- ![Type: video](https://img.shields.io/badge/Type-video-lightgrey)

### By Purpose

- ![Purpose: benchmark](https://img.shields.io/badge/Purpose-benchmark-blue)
- ![Purpose: binary%20analysis](https://img.shields.io/badge/Purpose-binary%20analysis-blue)
- ![Purpose: binary%20disassembly](https://img.shields.io/badge/Purpose-binary%20disassembly-blue)
- ![Purpose: directed%20fuzzing](https://img.shields.io/badge/Purpose-directed%20fuzzing-blue)
- ![Purpose: embedded%20fuzzing](https://img.shields.io/badge/Purpose-embedded%20fuzzing-blue)
- ![Purpose: emulation](https://img.shields.io/badge/Purpose-emulation-blue)
- ![Purpose: firmware%20rehosting](https://img.shields.io/badge/Purpose-firmware%20rehosting-blue)
- ![Purpose: firmware%20testing](https://img.shields.io/badge/Purpose-firmware%20testing-blue)
- ![Purpose: fuzzing](https://img.shields.io/badge/Purpose-fuzzing-blue)
- ![Purpose: fuzzing%20firmware](https://img.shields.io/badge/Purpose-fuzzing%20firmware-blue)
- ![Purpose: fuzzing%20network%20protocols](https://img.shields.io/badge/Purpose-fuzzing%20network%20protocols-blue)
- ![Purpose: fuzzing%20x86%20binaries](https://img.shields.io/badge/Purpose-fuzzing%20x86%20binaries-blue)
- ![Purpose: instrumentation](https://img.shields.io/badge/Purpose-instrumentation-blue)
- ![Purpose: symbolic%20execution](https://img.shields.io/badge/Purpose-symbolic%20execution-blue)
- ![Purpose: synthetic%20bugs](https://img.shields.io/badge/Purpose-synthetic%20bugs-blue)

## Papers

| Paper Title | Abstract | Venue | Publication Date |
| --- | --- | --- | --- |
| **[JetSet](https://www.usenix.org/system/files/sec21-johnson.pdf)** | <details><summary>Click to see the abstract!</summary>The ability to execute code in an emulator is a fundamental part of modern vulnerability testing. Unfortunately, this poses a challenge for many embedded systems, where firmware expects to interact with hardware devices specific to the target. Getting embedded system firmware to run outside its native environment, termed rehosting, requires emulating these hardware devices with enough accuracy to convince the firmware that it is executing on the target hardware. However, full fidelity emulation of target devices (which requires considerable engineering effort) may not be necessary to boot the firmware to a point of interest for an analyst (for example, a point where fuzzer input can be injected). We hypothesized that, for the firmware to boot successfully, it is sufficient to emulate only the behavior expected by the firmware, and that this behavior could be inferred automatically. To test this hypothesis, we developed and implemented Jetset, a system that uses symbolic execution to infer what behavior firmware expects from a target device. Jetset can generate device models for hardware peripherals in C, allowing an analyst to boot the firmware in an emulator (e.g., QEMU). We successfully applied Jetset to thirteen distinct pieces of firmware together representing three architectures, three application domains (power grid, avionics, and consumer electronics), and five different operating systems. We also demonstrate how Jetset-assisted rehosting facilitates fuzz-testing, a common security analysis technique, on an avionics embedded system, in which we found a previously unknown privilege escalation vulnerability</details> | USENIX 2021 | 2021 |
| **[SoK: Enabling Security Analyses of Embedded Systems via Rehosting](https://megele.io/rehosting-sok-asiaccs2021.pdf)** | <details><summary>Click to see the abstract!</summary>Closely monitoring the behavior of a software system during its execution enables developers and analysts to observe, and ultimately understand, how it works. This kind of dynamic analysis can be instrumental to reverse engineering, vulnerability discovery, exploit development, and debugging. While these analyses are typically well-supported for homogeneous desktop platforms (e.g., x86 desktop PCs), they can rarely be applied in the heterogeneous world of embedded systems. One approach to enable dynamic analyses of embedded systems is to move software stacks from physical systems into virtual environments that sufficiently model hardware behavior. This process, which we call “rehosting”, poses a significant research challenge with major implications for security analyses. Although rehosting has traditionally been an unscientific and ad-hoc endeavor undertaken by domain experts with varying time and resources at their disposal, researchers are beginning to address rehosting challenges systematically and in earnest. In this paper, we establish that emulation is insufficient to conduct large-scale dynamic analysis of real-world hardware systems and present rehosting as a firmware-centric alternative. Furthermore, we taxonomize preliminary rehosting efforts, identify the fundamental components of the rehosting process, and propose directions for future research.</details> | ASIACCS 2021 | 2021 |

## Resources

- **[AFL](https://github.com/google/AFL)**
    - Description: state-of-the-art fuzzer
    - Type: ![Type: tool](https://img.shields.io/badge/Type-tool-lightgrey)
    - Purpose: ![Purpose: fuzzing](https://img.shields.io/badge/Purpose-fuzzing-blue)
- **[AFL++](https://github.com/AFLplusplus/AFLplusplus)**
    - Description: state-of-the-art fuzzer
    - Type: ![Type: tool](https://img.shields.io/badge/Type-tool-lightgrey)
    - Purpose: ![Purpose: fuzzing](https://img.shields.io/badge/Purpose-fuzzing-blue)
- **[afl-unicorn](https://github.com/Battelle/afl-unicorn)**
    - Description: AFL-based fuzzer integrated with Unicorn
    - Type: ![Type: tool](https://img.shields.io/badge/Type-tool-lightgrey)
    - Purpose: ![Purpose: fuzzing%20firmware](https://img.shields.io/badge/Purpose-fuzzing%20firmware-blue)
- **[afl-unicorn: Fuzzing Arbitrary Binary Code](https://medium.com/hackernoon/afl-unicorn-fuzzing-arbitrary-binary-code-563ca28936bf)**
    - Description: tutorial for afl-unicorn
    - Type: ![Type: blog%20post](https://img.shields.io/badge/Type-blog%20post-lightgrey) ![Type: tutorial](https://img.shields.io/badge/Type-tutorial-lightgrey)
    - Purpose: ![Purpose: emulation](https://img.shields.io/badge/Purpose-emulation-blue) ![Purpose: fuzzing](https://img.shields.io/badge/Purpose-fuzzing-blue)
- **[afl-unicorn: Part 2 Fuzzing the ‘Unfuzzable’](https://hackernoon.com/afl-unicorn-part-2-fuzzing-the-unfuzzable-bea8de3540a5)**
    - Description: tutorial for afl-unicorn
    - Type: ![Type: blog%20post](https://img.shields.io/badge/Type-blog%20post-lightgrey) ![Type: tutorial](https://img.shields.io/badge/Type-tutorial-lightgrey)
    - Purpose: ![Purpose: emulation](https://img.shields.io/badge/Purpose-emulation-blue) ![Purpose: fuzzing](https://img.shields.io/badge/Purpose-fuzzing-blue)
- **[AFLGo](https://github.com/aflgo/aflgo)**
    - Description: directed fuzzer
    - Type: ![Type: tool](https://img.shields.io/badge/Type-tool-lightgrey)
    - Purpose: ![Purpose: directed%20fuzzing](https://img.shields.io/badge/Purpose-directed%20fuzzing-blue)
- **[Analyzing a buffer overflow in the DLINK DIR-645 with Qiling framework, Part I](https://github.com/nahueldsanchez/blogpost_qiling_dlink_1)**
    - Description: reverse engineering for DLINK DIR645
    - Type: ![Type: reverse%20engineering](https://img.shields.io/badge/Type-reverse%20engineering-lightgrey) ![Type: tutorial](https://img.shields.io/badge/Type-tutorial-lightgrey)
    - Purpose: ![Purpose: emulation](https://img.shields.io/badge/Purpose-emulation-blue) ![Purpose: fuzzing%20firmware](https://img.shields.io/badge/Purpose-fuzzing%20firmware-blue)
- **[Analyzing a buffer overflow in the DLINK DIR-645 with Qiling framework, Part II](https://github.com/nahueldsanchez/blogpost_qiling_dlink_2)**
    - Description: reverse engineering for DLINK DIR645
    - Type: ![Type: reverse%20engineering](https://img.shields.io/badge/Type-reverse%20engineering-lightgrey) ![Type: tutorial](https://img.shields.io/badge/Type-tutorial-lightgrey)
    - Purpose: ![Purpose: emulation](https://img.shields.io/badge/Purpose-emulation-blue) ![Purpose: fuzzing%20firmware](https://img.shields.io/badge/Purpose-fuzzing%20firmware-blue)
- **[Analyzing Programs with Z3](https://youtu.be/ruNFcH-KibY)**
    - Description: symbolic execution with Z3
    - Type: ![Type: tutorial](https://img.shields.io/badge/Type-tutorial-lightgrey) ![Type: video](https://img.shields.io/badge/Type-video-lightgrey)
    - Purpose: ![Purpose: symbolic%20execution](https://img.shields.io/badge/Purpose-symbolic%20execution-blue)
- **[angr](https://github.com/angr/angr)**
    - Description: binary analysis platform
    - Type: ![Type: tool](https://img.shields.io/badge/Type-tool-lightgrey)
    - Purpose: ![Purpose: binary%20analysis](https://img.shields.io/badge/Purpose-binary%20analysis-blue)
- **[Avatar2](https://github.com/avatartwo/avatar2)**
    - Description: dynamic analysis of embedded devices' firmware!
    - Type: ![Type: tool](https://img.shields.io/badge/Type-tool-lightgrey)
    - Purpose: ![Purpose: binary%20analysis](https://img.shields.io/badge/Purpose-binary%20analysis-blue)
- **[Awesome list for directed-fuzzing](https://github.com/strongcourage/awesome-directed-fuzzing)**
    - Description: awesome list for directed-fuzzing
    - Type: ![Type: awesome](https://img.shields.io/badge/Type-awesome-lightgrey)
    - Purpose: ![Purpose: directed%20fuzzing](https://img.shields.io/badge/Purpose-directed%20fuzzing-blue)
- **[Capstone](https://www.capstone-engine.org/)**
    - Description: disassembly platform
    - Type: ![Type: tool](https://img.shields.io/badge/Type-tool-lightgrey)
    - Purpose: ![Purpose: binary%20disassembly](https://img.shields.io/badge/Purpose-binary%20disassembly-blue)
- **[DICE](https://github.com/RiS3-Lab/DICE-DMA-Emulation)**
    - Description: nan
    - Type: ![Type: tool](https://img.shields.io/badge/Type-tool-lightgrey)
    - Purpose: ![Purpose: embedded%20fuzzing](https://img.shields.io/badge/Purpose-embedded%20fuzzing-blue) ![Purpose: firmware%20rehosting](https://img.shields.io/badge/Purpose-firmware%20rehosting-blue)
- **[Firmware Rehosting Community](https://rehosti.ng/)**
    - Description: firmware Rehosting Community
    - Type: ![Type: community](https://img.shields.io/badge/Type-community-lightgrey)
    - Purpose: ![Purpose: firmware%20rehosting](https://img.shields.io/badge/Purpose-firmware%20rehosting-blue)
- **[FIT IoT-LAB](https://www.iot-lab.info/)**
    - Description: nan
    - Type: ![Type: testbed](https://img.shields.io/badge/Type-testbed-lightgrey)
    - Purpose: ![Purpose: firmware%20testing](https://img.shields.io/badge/Purpose-firmware%20testing-blue)
- **[Google FuzzBench](https://github.com/google/fuzzbench)**
    - Description: benchmark for fuzzers
    - Type: ![Type: benchmark](https://img.shields.io/badge/Type-benchmark-lightgrey)
    - Purpose: ![Purpose: benchmark](https://img.shields.io/badge/Purpose-benchmark-blue) ![Purpose: fuzzing%20x86%20binaries](https://img.shields.io/badge/Purpose-fuzzing%20x86%20binaries-blue)
- **[GynvaelEN - Hacking Livestream #17: Basics of fuzzing](https://youtu.be/BrDujogxYSk)**
    - Description: fuzzing 101 tutorial
    - Type: ![Type: tutorial](https://img.shields.io/badge/Type-tutorial-lightgrey) ![Type: video](https://img.shields.io/badge/Type-video-lightgrey)
    - Purpose: ![Purpose: fuzzing](https://img.shields.io/badge/Purpose-fuzzing-blue)
- **[GynvaelEN - Hacking Livestream #18: Genetic fuzzing](https://youtu.be/JhsHGms_7JQ)**
    - Description: fuzzing 101 tutorial
    - Type: ![Type: tutorial](https://img.shields.io/badge/Type-tutorial-lightgrey) ![Type: video](https://img.shields.io/badge/Type-video-lightgrey)
    - Purpose: ![Purpose: fuzzing](https://img.shields.io/badge/Purpose-fuzzing-blue)
- **[GynvaelEN - Hacking Livestream #19: Genetic fuzzing](https://youtu.be/HN_tI601jNU)**
    - Description: fuzzing 101 tutorial
    - Type: ![Type: tutorial](https://img.shields.io/badge/Type-tutorial-lightgrey) ![Type: video](https://img.shields.io/badge/Type-video-lightgrey)
    - Purpose: ![Purpose: fuzzing](https://img.shields.io/badge/Purpose-fuzzing-blue)
- **[Hack In The Box Security Conference - VIRTUAL LAB: Qiling Framework: Build a Fuzzer Based on a 1day Bug - Lau Kai Jern](https://youtu.be/e3_T3KLh2NU)**
    - Description: workshop about Qiling (emulator)
    - Type: ![Type: demo](https://img.shields.io/badge/Type-demo-lightgrey)
    - Purpose: ![Purpose: emulation](https://img.shields.io/badge/Purpose-emulation-blue)
- **[hal-fuzz](https://github.com/ucsb-seclab/hal-fuzz)**
    - Description: embedded fuzzer based on HALucinator
    - Type: ![Type: tool](https://img.shields.io/badge/Type-tool-lightgrey)
    - Purpose: ![Purpose: fuzzing%20firmware](https://img.shields.io/badge/Purpose-fuzzing%20firmware-blue)
- **[HALucinator](https://github.com/embedded-sec/halucinator)**
    - Description: nan
    - Type: ![Type: tool](https://img.shields.io/badge/Type-tool-lightgrey)
    - Purpose: ![Purpose: firmware%20rehosting](https://img.shields.io/badge/Purpose-firmware%20rehosting-blue)
- **[JetSet](https://www.youtube.com/watch?v=xp3gTOS0Zq8&ab_channel=USENIX)**
    - Description: presentation for Jetset
    - Type: ![Type: video](https://img.shields.io/badge/Type-video-lightgrey)
    - Purpose: ![Purpose: firmware%20rehosting](https://img.shields.io/badge/Purpose-firmware%20rehosting-blue)
- **[JetSet](https://github.com/aerosec/jetset)**
    - Description: repository for JetSet
    - Type: ![Type: tool](https://img.shields.io/badge/Type-tool-lightgrey)
    - Purpose: ![Purpose: firmware%20rehosting](https://img.shields.io/badge/Purpose-firmware%20rehosting-blue)
- **[LAVA](https://github.com/panda-re/lava)**
    - Description: benchmark for fuzzers
    - Type: ![Type: benchmark](https://img.shields.io/badge/Type-benchmark-lightgrey)
    - Purpose: ![Purpose: benchmark](https://img.shields.io/badge/Purpose-benchmark-blue) ![Purpose: fuzzing](https://img.shields.io/badge/Purpose-fuzzing-blue) ![Purpose: synthetic%20bugs](https://img.shields.io/badge/Purpose-synthetic%20bugs-blue)
- **[LIEF](https://lief.quarkslab.com/)**
    - Description: library to do binary instrumentation
    - Type: ![Type: library](https://img.shields.io/badge/Type-library-lightgrey)
    - Purpose: ![Purpose: instrumentation](https://img.shields.io/badge/Purpose-instrumentation-blue)
- **[Maat](https://maat.re/)**
    - Description: symbolic execution framework
    - Type: ![Type: tool](https://img.shields.io/badge/Type-tool-lightgrey)
    - Purpose: ![Purpose: symbolic%20execution](https://img.shields.io/badge/Purpose-symbolic%20execution-blue)
- **[Magma](https://github.com/HexHive/magma)**
    - Description: benchmark for fuzzers
    - Type: ![Type: benchmark](https://img.shields.io/badge/Type-benchmark-lightgrey)
    - Purpose: ![Purpose: benchmark](https://img.shields.io/badge/Purpose-benchmark-blue) ![Purpose: fuzzing](https://img.shields.io/badge/Purpose-fuzzing-blue) ![Purpose: synthetic%20bugs](https://img.shields.io/badge/Purpose-synthetic%20bugs-blue)
- **[NDC Conferences - Fuzzing with AFL - Erlend Oftedal](https://youtu.be/DFQT1YxvpDo)**
    - Description: fuzzing 101 tutorial
    - Type: ![Type: tutorial](https://img.shields.io/badge/Type-tutorial-lightgrey) ![Type: video](https://img.shields.io/badge/Type-video-lightgrey)
    - Purpose: ![Purpose: fuzzing](https://img.shields.io/badge/Purpose-fuzzing-blue)
- **[ndss18_wycinwyc](https://github.com/avatartwo/ndss18_wycinwyc)**
    - Description: fuzzing experiments from the paper "What You Corrupt Is Not What You Crash: Challenges in Fuzzing Embedded Devices"
    - Type: ![Type: code%20snippets](https://img.shields.io/badge/Type-code%20snippets-lightgrey)
    - Purpose: ![Purpose: embedded%20fuzzing](https://img.shields.io/badge/Purpose-embedded%20fuzzing-blue)
- **[P2IM](https://github.com/RiS3-Lab/p2im)**
    - Description: nan
    - Type: ![Type: tool](https://img.shields.io/badge/Type-tool-lightgrey)
    - Purpose: ![Purpose: embedded%20fuzzing](https://img.shields.io/badge/Purpose-embedded%20fuzzing-blue) ![Purpose: firmware%20rehosting](https://img.shields.io/badge/Purpose-firmware%20rehosting-blue)
- **[Practical Binary Analysis. Build Your Own Linux Tools for Binary Instrumentation, Analysis, and Disassembly](https://www.amazon.com/Practical-Binary-Analysis-Instrumentation-Disassembly-ebook/dp/B07BPKWJVT)**
    - Description: book with examples and approaches for binary analysis
    - Type: ![Type: book](https://img.shields.io/badge/Type-book-lightgrey)
    - Purpose: ![Purpose: binary%20analysis](https://img.shields.io/badge/Purpose-binary%20analysis-blue)
- **[Pretender](https://github.com/ucsb-seclab/pretender)**
    - Description: nan
    - Type: ![Type: tool](https://img.shields.io/badge/Type-tool-lightgrey)
    - Purpose: ![Purpose: embedded%20fuzzing](https://img.shields.io/badge/Purpose-embedded%20fuzzing-blue) ![Purpose: firmware%20rehosting](https://img.shields.io/badge/Purpose-firmware%20rehosting-blue)
- **[ProFuzzBench](https://github.com/profuzzbench/profuzzbench)**
    - Description: benchmark for fuzzers focused on network protocols
    - Type: ![Type: benchmark](https://img.shields.io/badge/Type-benchmark-lightgrey)
    - Purpose: ![Purpose: benchmark](https://img.shields.io/badge/Purpose-benchmark-blue) ![Purpose: fuzzing%20network%20protocols](https://img.shields.io/badge/Purpose-fuzzing%20network%20protocols-blue)
- **[Qemu](https://www.qemu.org/)**
    - Description: nan
    - Type: ![Type: emulator](https://img.shields.io/badge/Type-emulator-lightgrey)
    - Purpose: ![Purpose: emulation](https://img.shields.io/badge/Purpose-emulation-blue)
- **[Qiling](https://github.com/qilingframework/qiling)**
    - Description: nan
    - Type: ![Type: emulator](https://img.shields.io/badge/Type-emulator-lightgrey)
    - Purpose: ![Purpose: emulation](https://img.shields.io/badge/Purpose-emulation-blue)
- **[Renode](https://renode.io/)**
    - Description: nan
    - Type: ![Type: testbed](https://img.shields.io/badge/Type-testbed-lightgrey)
    - Purpose: ![Purpose: firmware%20testing](https://img.shields.io/badge/Purpose-firmware%20testing-blue)
- **[S2E](https://github.com/S2E/s2e)**
    - Description: symbolic execution
    - Type: ![Type: tool](https://img.shields.io/badge/Type-tool-lightgrey)
    - Purpose: ![Purpose: symbolic%20execution](https://img.shields.io/badge/Purpose-symbolic%20execution-blue)
- **[STÖK - Fuzzing for Beginners](https://youtu.be/O3hb6HV1ZQo)**
    - Description: fuzzing 101 tutorial
    - Type: ![Type: tutorial](https://img.shields.io/badge/Type-tutorial-lightgrey) ![Type: video](https://img.shields.io/badge/Type-video-lightgrey)
    - Purpose: ![Purpose: fuzzing](https://img.shields.io/badge/Purpose-fuzzing-blue)
- **[Symbolic Execution Summary](https://docs.google.com/presentation/d/1E3uE-4mYpenw0s40rtMbIdxj3fJgC79aHCeiIlJSY5Y/edit#slide=id.g11285b0bdfc_0_310)**
    - Description: presentation on Symbolic Execution
    - Type: ![Type: presentation](https://img.shields.io/badge/Type-presentation-lightgrey)
    - Purpose: ![Purpose: symbolic%20execution](https://img.shields.io/badge/Purpose-symbolic%20execution-blue)
- **[The fuzzing book](https://www.fuzzingbook.org)**
    - Description: book with practical examples about fuzzing
    - Type: ![Type: book](https://img.shields.io/badge/Type-book-lightgrey)
    - Purpose: ![Purpose: fuzzing](https://img.shields.io/badge/Purpose-fuzzing-blue)
- **[Triforce-AFL](https://github.com/nccgroup/TriforceAFL)**
    - Description: AFL/QEMU fuzzing with full-system emulation.
    - Type: ![Type: tool](https://img.shields.io/badge/Type-tool-lightgrey)
    - Purpose: ![Purpose: fuzzing%20firmware](https://img.shields.io/badge/Purpose-fuzzing%20firmware-blue)
- **[Triton](https://triton.quarkslab.com/)**
    - Description: symbolic execution
    - Type: ![Type: tool](https://img.shields.io/badge/Type-tool-lightgrey)
    - Purpose: ![Purpose: symbolic%20execution](https://img.shields.io/badge/Purpose-symbolic%20execution-blue)
- **[Unicorn](https://github.com/unicorn-engine/unicorn)**
    - Description: nan
    - Type: ![Type: emulator](https://img.shields.io/badge/Type-emulator-lightgrey)
    - Purpose: ![Purpose: emulation](https://img.shields.io/badge/Purpose-emulation-blue)
- **[unicornafl](https://github.com/AFLplusplus/unicornafl)**
    - Description: AFL-based fuzzer integrated with Unicorn
    - Type: ![Type: tool](https://img.shields.io/badge/Type-tool-lightgrey)
    - Purpose: ![Purpose: fuzzing%20firmware](https://img.shields.io/badge/Purpose-fuzzing%20firmware-blue)
- **[Z3 - SMT solver](https://github.com/Z3Prover/z3)**
    - Description: symbolic execution
    - Type: ![Type: tool](https://img.shields.io/badge/Type-tool-lightgrey)
    - Purpose: ![Purpose: symbolic%20execution](https://img.shields.io/badge/Purpose-symbolic%20execution-blue)

## Contribution

1. Edit the `resources.csv` file.
2. Push the changes into the GitHub repository.
3. Wait for the GitHub action to automatically recompile `README.md`.

## Credits

The template is inspired by this [repository](https://github.com/CyberReasoningSystem/awesome-binary-analysis).
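A pre-push check for the `resources.csv` rows that the contribution steps above feed into `compile.py`. This is an added example, not part of the repository: the column names and the label sets are copied from `compile.py` and the README index, and the sample rows are constructed.

```python
#!/usr/bin/env python3
"""Lint resources.csv before pushing (added example, not part of the repository).

compile.py splits the "Type" and "Topics" cells on ", " and turns every label
into a shields.io badge, and an empty Description cell is read by pandas as NaN
and rendered as the literal "nan". This check reports those problems, plus
non-http(s) URLs, before the GitHub Action regenerates README.md.
"""
import csv
import io
import urllib.parse
from typing import List, Set

# Label sets copied from the "Labels Indexes" section of the README.
KNOWN_TYPES: Set[str] = {
    "awesome", "benchmark", "blog post", "book", "code snippets", "community",
    "demo", "emulator", "library", "presentation", "reverse engineering",
    "testbed", "tool", "tutorial", "video",
}
KNOWN_PURPOSES: Set[str] = {
    "benchmark", "binary analysis", "binary disassembly", "directed fuzzing",
    "embedded fuzzing", "emulation", "firmware rehosting", "firmware testing",
    "fuzzing", "fuzzing firmware", "fuzzing network protocols",
    "fuzzing x86 binaries", "instrumentation", "symbolic execution",
    "synthetic bugs",
}
# Columns that compile.py reads from resources.csv.
REQUIRED_COLUMNS = ["Name", "URL", "Description", "Type", "Topics"]


def check_url(url: str) -> List[str]:
    """Accept only absolute http(s) links; compile.py would otherwise still
    render the value as a clickable Markdown link."""
    parts = urllib.parse.urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return [f"URL {url!r} is not an absolute http(s) link"]
    return []


def check_labels(field: str, value: str, known: Set[str]) -> List[str]:
    """Labels must be ', '-separated and drawn from the README index; a
    misspelt label would silently add a new badge to the index."""
    return [f"{field} label {label!r} is not in the index"
            for label in value.split(", ") if label not in known]


def lint_resources_csv(text: str) -> List[str]:
    """Return one message per problem found; an empty list means clean."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in REQUIRED_COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        return [f"missing columns: {', '.join(missing)}"]

    problems: List[str] = []
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        where = f"line {line_no} ({row['Name'] or '<no name>'})"
        if not row["Name"]:
            problems.append(f"{where}: Name is empty")
        if not row["Description"]:
            problems.append(f"{where}: Description is empty (would render as 'nan')")
        if row["URL"]:
            problems.extend(f"{where}: {p}" for p in check_url(row["URL"]))
        if row["Type"]:
            problems.extend(f"{where}: {p}"
                            for p in check_labels("Type", row["Type"], KNOWN_TYPES))
        if row["Topics"]:
            problems.extend(f"{where}: {p}"
                            for p in check_labels("Topics", row["Topics"], KNOWN_PURPOSES))
    return problems


# Constructed sample: one clean row, one with an empty description and a
# non-http URL, and one whose Topics cell contains a misspelt label.
SAMPLE_CSV = """\
Name,URL,Description,Type,Topics
AFL,https://github.com/google/AFL,state-of-the-art fuzzer,tool,fuzzing
Qiling,ftp://example.invalid/qiling,,emulator,emulation
angr,https://github.com/angr/angr,binary analysis platform,tool,"binary analyis, symbolic execution"
"""

if __name__ == "__main__":
    for message in lint_resources_csv(SAMPLE_CSV) or ["resources.csv looks clean"]:
        print(message)
```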
--------------------------------------------------------------------------------
/README.md.template:
--------------------------------------------------------------------------------
# Awesome Embedded Fuzzing

![Last Update](https://img.shields.io/github/last-commit/andreia-oca/awesome-embedded-fuzzing)

---

- [Description](#description)
- [Labels Indexes](#labels-indexes)
  - [By Type](#by-type)
  - [By Purpose](#by-purpose)
- [Papers](#papers)
- [Resources](#resources)
- [Contribution](#contribution)
- [Credits](#credits)

---

## Description

A **list of helpful fuzzing tools and research materials** for embedded applications can be found in this repository.

All resources are alphabetically organized and labeled, so an item can be located by picking one label from the index and searching for it across the entire page (with `CTRL+F`). The ones without an attached link are present in the `documents/` folder.

## Labels Indexes

### By Type

{type_labels}

### By Purpose

{purpose_labels}

## Papers

| Paper Title | Abstract | Venue | Publication Date |
| --- | --- | --- | --- |
{papers}

## Resources

{resources}

## Contribution

1. Edit the `resources.csv` file.
2. Push the changes into the GitHub repository.
3. Wait for the GitHub action to automatically recompile `README.md`.

## Credits

The template is inspired by this [repository](https://github.com/CyberReasoningSystem/awesome-binary-analysis).
53 | -------------------------------------------------------------------------------- /compilation_script/compile.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | """Script for regenerating the README.md file.""" 3 | 4 | import typing 5 | import urllib.parse 6 | 7 | import pandas 8 | 9 | 10 | def sanitize_text(text: str) -> str: 11 | """Sanitize the text to be included in the badge URL. 12 | 13 | Args: 14 | text (str): Text to sanitize 15 | 16 | Returns: 17 | str: Sanitiezed text 18 | """ 19 | text = text.replace("-", "--") 20 | 21 | return urllib.parse.quote(text) 22 | 23 | 24 | def create_badge(title: str, text: str, color: str) -> str: 25 | """Create a Markdown badge. 26 | 27 | Args: 28 | title (str): Title 29 | text (str): Text 30 | color (str): Color 31 | 32 | Returns: 33 | str: Markdown badge 34 | """ 35 | title = sanitize_text(title) 36 | text = sanitize_text(text) 37 | 38 | return (f"![{title}:" 39 | f" {text}](https://img.shields.io/badge/{title}-{text}-{color})") 40 | 41 | 42 | def make_type_label_shield(label: str) -> str: 43 | """Create a Markdown type badge. 44 | 45 | Args: 46 | label (str): Type 47 | 48 | Returns: 49 | str: Markdown badge 50 | """ 51 | return create_badge("Type", label, "lightgrey") 52 | 53 | 54 | def make_purpose_label_shield(label: str) -> str: 55 | """Create a Markdown purpose badge. 56 | 57 | Args: 58 | label (str): Purpose 59 | 60 | Returns: 61 | str: Markdown badge 62 | """ 63 | return create_badge("Purpose", label, "blue") 64 | 65 | 66 | def create_list_of_shields( 67 | labels: typing.List[str], 68 | shields_creation_func: typing.Callable[[str], str], 69 | prefix: typing.Optional[str] = "- ", 70 | suffix: typing.Optional[str] = "\n", 71 | ) -> str: 72 | """Create a Markdown list of shields. 
73 | 74 | Args: 75 | labels (typing.List[str]): Elements 76 | shields_creation_func (typing.Callable[[str], str]): Function to create 77 | each individual shield 78 | prefix (str, optional): Prefix. Defaults to "- ". 79 | suffix (str, optional): Suffix. Defaults to new line. 80 | 81 | Returns: 82 | str: Markdown list of badges 83 | """ 84 | labels = list(set(labels)) 85 | labels.sort() 86 | 87 | labels_list = [ 88 | f"{prefix}{shields_creation_func(label)}" for label in labels 89 | ] 90 | 91 | if suffix is None: 92 | suffix = "" 93 | 94 | return suffix.join(labels_list) 95 | 96 | 97 | def create_resource_item( 98 | name: str, 99 | url: str, 100 | description: str, 101 | types: typing.Optional[typing.List[str]], 102 | purpose: typing.Optional[typing.List[str]], 103 | ) -> str: 104 | """Create a Markdown list element based on the resource information. 105 | 106 | Args: 107 | name (str): Name 108 | url (str): URL 109 | description (str): Description 110 | types (typing.Optional[typing.List[str]]): Types labels 111 | purpose (typing.Optional[typing.List[str]]): Purpose labels 112 | 113 | Returns: 114 | str: Markdown list element 115 | """ 116 | if url is not None: 117 | title = f"[{name}]({url})" 118 | else: 119 | title = name 120 | 121 | types_labels = (create_list_of_shields( 122 | types, make_type_label_shield, prefix="", suffix=" ") if types else "") 123 | purpose_labels = (create_list_of_shields( 124 | purpose, make_purpose_label_shield, prefix="", suffix=" ") 125 | if purpose else "") 126 | 127 | return f"""\ 128 | - **{title}** 129 | - Description: {description} 130 | - Type: {types_labels} 131 | - Purpose: {purpose_labels} 132 | """ 133 | 134 | 135 | def create_paper_item( 136 | name: str, 137 | url: str, 138 | abstract: str, 139 | venue: str, 140 | date: str, 141 | ) -> str: 142 | """Create a Markdown list element based on the paper information. 
143 | 144 | Args: 145 | name (str): Name 146 | url (str): URL 147 | abstract (str): Abstract 148 | venue (str): Venue 149 | date (str): Publication Date 150 | 151 | Returns: 152 | str: Markdown list element 153 | """ 154 | if url is not None: 155 | title = f"[{name}]({url})" 156 | else: 157 | title = name 158 | 159 | return f"""\ 160 | | **{title}** |
Click to see the abstract! {abstract}
| {venue} | {date} | 161 | """ 162 | 163 | def read_sorted_resources_as_df() -> pandas.DataFrame: 164 | """Read and sort the CSV file with resources. 165 | 166 | Returns: 167 | pandas.DataFrame: pandas dataframe with resources 168 | """ 169 | resources_df = pandas.read_csv("../resources.csv") 170 | resources_df.sort_values(by="Name", 171 | key=lambda col: col.str.lower(), 172 | inplace=True) 173 | 174 | return resources_df 175 | 176 | def read_sorted_papers_as_df() -> pandas.DataFrame: 177 | """Read and sort the CSV file with papers. 178 | 179 | Returns: 180 | pandas.DataFrame: pandas dataframe with papers 181 | """ 182 | papers_df = pandas.read_csv("../papers.csv") 183 | papers_df.sort_values(by="Name", 184 | key=lambda col: col.str.lower(), 185 | inplace=True) 186 | 187 | return papers_df 188 | 189 | def dump_to_readme(papers: str, resources: str, type_labels: str, 190 | purpose_labels: str) -> None: 191 | """Dump the information into README.md. 192 | 193 | Args: 194 | papers (str): Markdown table rows of papers 195 | resources (str): Markdown list of resources 196 | type_labels (str): Markdown shields for resource types 197 | purpose_labels (str): Markdown shields for purpose labels 198 | """ 199 | with open("../README.md.template", "r", encoding="utf-8") as template_file: 200 | template = template_file.read() 201 | 202 | readme_content = template.format( 203 | papers=papers, 204 | resources=resources, 205 | type_labels=type_labels, 206 | purpose_labels=purpose_labels, 207 | ) 208 | 209 | with open("../README.md", "w", encoding="utf-8") as readme_file: 210 | readme_file.write(readme_content) 211 | 212 | 213 | def main() -> None: 214 | """Run main functionality.""" 215 | resources_df = read_sorted_resources_as_df() 216 | papers_df = read_sorted_papers_as_df() 217 | 218 | papers = [] 219 | resources = [] 220 | type_labels = [] 221 | purpose_labels = [] 222 | 223 | for _, row in papers_df.iterrows(): 224 | # Create element 225 | name = row["Name"] 226 | url = row["URL"] if not pandas.isna(row["URL"]) else 
None 227 | abstract = row["Abstract"] 228 | venue = row["Venue"] 229 | date = row["Publication Date"] 230 | papers.append( 231 | create_paper_item(name, url, abstract, venue, date)) 232 | 233 | for _, row in resources_df.iterrows(): 234 | # Keep track of types 235 | types = None 236 | if not pandas.isna(row["Type"]): 237 | types = row["Type"].split(", ") 238 | type_labels.extend(types) 239 | 240 | # Keep track of topics 241 | purpose = None 242 | if not pandas.isna(row["Topics"]): 243 | purpose = row["Topics"].split(", ") 244 | purpose_labels.extend(purpose) 245 | 246 | # Create element 247 | name = row["Name"] 248 | url = row["URL"] if not pandas.isna(row["URL"]) else None 249 | description = row["Description"] 250 | resources.append( 251 | create_resource_item(name, url, description, types, purpose)) 252 | 253 | inline_papers = "".join(papers) 254 | inline_resources = "".join(resources) 255 | type_labels_list = create_list_of_shields(type_labels, 256 | make_type_label_shield) 257 | purpose_labels_list = create_list_of_shields(purpose_labels, 258 | make_purpose_label_shield) 259 | 260 | dump_to_readme(inline_papers, inline_resources, type_labels_list, purpose_labels_list) 261 | 262 | 263 | if __name__ == "__main__": 264 | main() 265 | -------------------------------------------------------------------------------- /compilation_script/requirements.txt: -------------------------------------------------------------------------------- 1 | pandas 2 | -------------------------------------------------------------------------------- /papers.csv: -------------------------------------------------------------------------------- 1 | Name,URL,Abstract,Venue,Publication Date 2 | JetSet,https://www.usenix.org/system/files/sec21-johnson.pdf,"The ability to execute code in an emulator is a fundamental part of modern vulnerability testing. 
Unfortunately, this poses a challenge for many embedded systems, where firmware expects to interact with hardware devices specific to the target. Getting embedded system firmware to run outside its native environment, termed rehosting, requires emulating these hardware devices with enough accuracy to convince the firmware that it is executing on the target hardware. However, full fidelity emulation of target devices (which requires considerable engineering effort) may not be necessary to boot the firmware to a point of interest for an analyst (for example, a point where fuzzer input can be injected). We hypothesized that, for the firmware to boot successfully, it is sufficient to emulate only the behavior expected by the firmware, and that this behavior could be inferred automatically. To test this hypothesis, we developed and implemented Jetset, a system that uses symbolic execution to infer what behavior firmware expects from a target device. Jetset can generate device models for hardware peripherals in C, allowing an analyst to boot the firmware in an emulator (e.g., QEMU). We successfully applied Jetset to thirteen distinct pieces of firmware together representing three architectures, three application domains (power grid, avionics, and consumer electronics), and five different operating systems. We also demonstrate how Jetset-assisted rehosting facilitates fuzz-testing, a common security analysis technique, on an avionics embedded system, in which we found a previously unknown privilege escalation vulnerability.",USENIX 2021,2021 3 | SoK: Enabling Security Analyses of Embedded Systems via Rehosting,https://megele.io/rehosting-sok-asiaccs2021.pdf,"Closely monitoring the behavior of a software system during its execution enables developers and analysts to observe, and ultimately understand, how it works. This kind of dynamic analysis can be instrumental to reverse engineering, vulnerability discovery, exploit development, and debugging. 
While these analyses are typically well-supported for homogeneous desktop platforms (e.g., x86 desktop PCs), they can rarely be applied in the heterogeneous world of embedded systems. One approach to enable dynamic analyses of embedded systems is to move software stacks from physical systems into virtual environments that sufficiently model hardware behavior. This process, which we call “rehosting,” poses a significant research challenge with major implications for security analyses. Although rehosting has traditionally been an unscientific and ad-hoc endeavor undertaken by domain experts with varying time and resources at their disposal, researchers are beginning to address rehosting challenges systematically and in earnest. In this paper, we establish that emulation is insufficient to conduct large-scale dynamic analysis of real-world hardware systems and present rehosting as a firmware-centric alternative. Furthermore, we taxonomize preliminary rehosting efforts, identify the fundamental components of the rehosting process, and propose directions for future research.",ASIACCS 2021,2021 -------------------------------------------------------------------------------- /resources.csv: -------------------------------------------------------------------------------- 1 | Name,URL,Description,Type,Topics 2 | The fuzzing book,https://www.fuzzingbook.org,book with practical examples about fuzzing,book,fuzzing 3 | "Practical Binary Analysis. 
Build Your Own Linux Tools for Binary Instrumentation, Analysis, and Disassembly",https://www.amazon.com/Practical-Binary-Analysis-Instrumentation-Disassembly-ebook/dp/B07BPKWJVT,book with examples and approaches for binary analysis,book,binary analysis 4 | STÖK - Fuzzing for Beginners,https://youtu.be/O3hb6HV1ZQo,fuzzing 101 tutorial,"video, tutorial",fuzzing 5 | NDC Conferences - Fuzzing with AFL - Erlend Oftedal,https://youtu.be/DFQT1YxvpDo,fuzzing 101 tutorial,"video, tutorial",fuzzing 6 | GynvaelEN - Hacking Livestream #17: Basics of fuzzing,https://youtu.be/BrDujogxYSk,fuzzing 101 tutorial,"video, tutorial",fuzzing 7 | GynvaelEN - Hacking Livestream #18: Genetic fuzzing,https://youtu.be/JhsHGms_7JQ,fuzzing 101 tutorial,"video, tutorial",fuzzing 8 | GynvaelEN - Hacking Livestream #19: Genetic fuzzing,https://youtu.be/HN_tI601jNU,fuzzing 101 tutorial,"video, tutorial",fuzzing 9 | Analyzing Programs with Z3,https://youtu.be/ruNFcH-KibY,symbolic execution with Z3,"video, tutorial",symbolic execution 10 | Hack In The Box Security Conference - VIRTUAL LAB: Qiling Framework: Build a Fuzzer Based on a 1day Bug - Lau Kai Jern,https://youtu.be/e3_T3KLh2NU,workshop about Qiling (emulator),demo,emulation 11 | afl-unicorn: Fuzzing Arbitrary Binary Code,https://medium.com/hackernoon/afl-unicorn-fuzzing-arbitrary-binary-code-563ca28936bf,tutorial for afl-unicorn,"blog post, tutorial","emulation, fuzzing" 12 | afl-unicorn: Part 2 Fuzzing the ‘Unfuzzable’,https://hackernoon.com/afl-unicorn-part-2-fuzzing-the-unfuzzable-bea8de3540a5,tutorial for afl-unicorn,"blog post, tutorial","emulation, fuzzing" 13 | "Analyzing a buffer overflow in the DLINK DIR-645 with Qiling framework, Part I",https://github.com/nahueldsanchez/blogpost_qiling_dlink_1,reverse engineering of the DLINK DIR-645 firmware,"tutorial, reverse engineering","emulation, fuzzing firmware" 14 | "Analyzing a buffer overflow in the DLINK DIR-645 with Qiling framework, Part 
II",https://github.com/nahueldsanchez/blogpost_qiling_dlink_2,reverse engineering of the DLINK DIR-645 firmware,"tutorial, reverse engineering","emulation, fuzzing firmware" 15 | Awesome list for directed-fuzzing,https://github.com/strongcourage/awesome-directed-fuzzing,awesome list for directed-fuzzing,awesome,directed fuzzing 16 | AFL,https://github.com/google/AFL,original coverage-guided fuzzer (no longer maintained),tool,fuzzing 17 | AFL++,https://github.com/AFLplusplus/AFLplusplus,actively maintained state-of-the-art fork of AFL,tool,fuzzing 18 | AFLGo,https://github.com/aflgo/aflgo,directed fuzzer,tool,directed fuzzing 19 | afl-unicorn,https://github.com/Battelle/afl-unicorn,AFL-based fuzzer integrated with Unicorn,tool,fuzzing firmware 20 | unicornafl,https://github.com/AFLplusplus/unicornafl,AFL-based fuzzer integrated with Unicorn,tool,fuzzing firmware 21 | hal-fuzz,https://github.com/ucsb-seclab/hal-fuzz,embedded fuzzer based on HALucinator,tool,fuzzing firmware 22 | Triforce-AFL,https://github.com/nccgroup/TriforceAFL,AFL/QEMU fuzzing with full-system emulation,tool,fuzzing firmware 23 | Google FuzzBench,https://github.com/google/fuzzbench,benchmark for fuzzers,benchmark,"benchmark, fuzzing x86 binaries" 24 | ProFuzzBench,https://github.com/profuzzbench/profuzzbench,benchmark for fuzzers focused on network protocols,benchmark,"benchmark, fuzzing network protocols" 25 | LAVA,https://github.com/panda-re/lava,benchmark for fuzzers,benchmark,"benchmark, fuzzing, synthetic bugs" 26 | Magma,https://github.com/HexHive/magma,benchmark for fuzzers,benchmark,"benchmark, fuzzing, synthetic bugs" 27 | Avatar2,https://github.com/avatartwo/avatar2,dynamic analysis framework for embedded devices' firmware,tool,binary analysis 28 | angr,https://github.com/angr/angr,binary analysis platform,tool,binary analysis 29 | LIEF,https://lief.quarkslab.com/,"library to parse and modify binaries (ELF, PE, Mach-O)",library,instrumentation 30 | Capstone,https://www.capstone-engine.org/,disassembly framework,tool,binary disassembly 31 | S2E,https://github.com/S2E/s2e,symbolic 
execution platform built on QEMU and KLEE,tool,symbolic execution 32 | Triton,https://triton.quarkslab.com/,dynamic binary analysis framework with symbolic execution,tool,symbolic execution 33 | Z3 - SMT solver,https://github.com/Z3Prover/z3,SMT solver used as the constraint-solving backend of symbolic execution engines,tool,symbolic execution 34 | Firmware Rehosting Community,https://rehosti.ng/,community site for firmware rehosting,community,firmware rehosting 35 | HALucinator,https://github.com/embedded-sec/halucinator,firmware rehosting by high-level emulation of HAL functions,tool,firmware rehosting 36 | P2IM,https://github.com/RiS3-Lab/p2im,automatic peripheral interface modeling for firmware fuzzing,tool,"embedded fuzzing, firmware rehosting" 37 | DICE,https://github.com/RiS3-Lab/DICE-DMA-Emulation,automatic emulation of DMA input channels for firmware analysis,tool,"embedded fuzzing, firmware rehosting" 38 | Pretender,https://github.com/ucsb-seclab/pretender,automatic peripheral modeling from recorded interactions with the real device,tool,"embedded fuzzing, firmware rehosting" 39 | ndss18_wycinwyc,https://github.com/avatartwo/ndss18_wycinwyc,"fuzzing experiments from the paper ""What You Corrupt Is Not What You Crash: Challenges in Fuzzing Embedded Devices""",code snippets,embedded fuzzing 40 | Qiling,https://github.com/qilingframework/qiling,emulation framework built on Unicorn with OS-level (syscall) emulation,emulator,emulation 41 | Unicorn,https://github.com/unicorn-engine/unicorn,CPU emulator framework derived from QEMU,emulator,emulation 42 | Qemu,https://www.qemu.org/,full-system and user-mode emulator,emulator,emulation 43 | FIT IoT-LAB,https://www.iot-lab.info/,open large-scale testbed of physical IoT boards,testbed,firmware testing 44 | Renode,https://renode.io/,simulation framework for embedded and multi-node systems,testbed,firmware testing 45 | JetSet,https://www.youtube.com/watch?v=xp3gTOS0Zq8&ab_channel=USENIX,presentation for Jetset,video,firmware rehosting 46 | JetSet,https://github.com/aerosec/jetset,repository for JetSet,tool,firmware rehosting 47 | Symbolic Execution Summary,https://docs.google.com/presentation/d/1E3uE-4mYpenw0s40rtMbIdxj3fJgC79aHCeiIlJSY5Y/edit#slide=id.g11285b0bdfc_0_310,presentation on symbolic execution,presentation,symbolic execution 48 | Maat,https://maat.re/,symbolic execution framework,tool,symbolic execution --------------------------------------------------------------------------------
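The `main()` loop in compile.py above copies CSV fields straight into the Markdown templates: a `|` or a line break inside a Name, Description or Abstract cell would break the generated table row, the URL column is linked without checking its scheme, and the `Type`/`Topics` columns are split on `", "` only, so a label written without the space survives as one combined label. The following is an added example, not code from this repository, of a rendering step that escapes table-breaking characters, accepts only http(s) URLs and normalizes the label columns. It uses only the standard library (the repository's script uses pandas), assumes the column names of resources.csv, and the sample CSV, including the hostile third row, is constructed for the example.

```python
"""Added example: render resources.csv rows into Markdown table rows while
escaping characters that would break the table and dropping non-http(s) URLs.
Standard library only; the repository's compile.py uses pandas instead."""
import csv
import io
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def md_cell(text):
    """Escape a CSV field for use inside one Markdown table cell."""
    if text is None:
        return ""
    # A literal '|' would open a new column and a newline would end the row.
    cell = str(text).replace("|", "\\|")
    return " ".join(cell.splitlines()).strip()


def safe_url(url):
    """Return the URL only if it has an http(s) scheme and a host, else None."""
    if not url:
        return None
    url = url.strip()
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return url


def split_labels(field):
    """Split a 'Type' or 'Topics' field on commas, tolerating missing spaces
    (compile.py splits on ', ' only) and removing duplicates in order."""
    labels = []
    for label in (field or "").split(","):
        label = label.strip()
        if label and label not in labels:
            labels.append(label)
    return labels


def render_resource_row(row):
    """Build one Markdown table row: | name or link | description | types | topics |"""
    name = md_cell(row.get("Name"))
    url = safe_url(row.get("URL"))
    link = f"[{name}]({url})" if url else name   # unlinked when the URL is rejected
    description = md_cell(row.get("Description"))
    types = ", ".join(split_labels(row.get("Type")))
    topics = ", ".join(split_labels(row.get("Topics")))
    return f"| {link} | {description} | {types} | {topics} |"


def render_resources_csv(text):
    """Parse CSV text with the resources.csv header and return sorted table rows."""
    rows = list(csv.DictReader(io.StringIO(text)))
    # Same case-insensitive sort by Name that compile.py applies.
    rows.sort(key=lambda r: (r.get("Name") or "").lower())
    return [render_resource_row(r) for r in rows]


# Constructed sample: two rows from the list plus one hostile row with a pipe in
# the name, a javascript: URL, a multi-line description and sloppy labels.
SAMPLE_CSV = """Name,URL,Description,Type,Topics
AFL++,https://github.com/AFLplusplus/AFLplusplus,state-of-the-art fuzzer,tool,fuzzing
Bad | entry,javascript:alert(1),"line one
line two","video,tutorial,video",fuzzing
afl-unicorn,https://github.com/Battelle/afl-unicorn,AFL-based fuzzer integrated with Unicorn,tool,fuzzing firmware
"""

if __name__ == "__main__":
    for line in render_resources_csv(SAMPLE_CSV):
        print(line)
```

Running the block prints three rows; the hostile row comes out as an unlinked name with the pipe escaped, the two description lines joined, and the duplicated `video` label collapsed. The same `md_cell` and `safe_url` checks apply unchanged to the papers.csv columns, where the multi-paragraph Abstract field is the most likely place for a stray `|` or line break.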