├── .gitignore ├── .gitmodules ├── Dockerfile ├── LICENSE ├── README.md ├── build_docker.sh ├── docs ├── README.md ├── coverage_analysis.md ├── crash_analysis.md ├── fuzzware_utils.md ├── manipulating_inputs.md └── target_configuration.md ├── examples ├── P2IM │ ├── CNC │ │ ├── CNC.bin │ │ ├── CNC.elf │ │ ├── base_inputs │ │ │ └── random │ │ ├── config.yml │ │ ├── syms.yml │ │ └── valid_basic_blocks.txt │ ├── Console │ │ ├── Console.bin │ │ ├── Console.elf │ │ ├── base_inputs │ │ │ └── random │ │ ├── config.yml │ │ ├── syms.yml │ │ └── valid_basic_blocks.txt │ ├── Drone │ │ ├── Drone.bin │ │ ├── Drone.elf │ │ ├── base_inputs │ │ │ └── ex1 │ │ ├── config.yml │ │ ├── syms.yml │ │ └── valid_basic_blocks.txt │ ├── Gateway │ │ ├── Gateway.bin │ │ ├── Gateway.elf │ │ ├── base_inputs │ │ │ └── ex7_new │ │ ├── config.yml │ │ ├── syms.yml │ │ └── valid_basic_blocks.txt │ ├── Heat_Press │ │ ├── Heat_Press.bin │ │ ├── Heat_Press.elf │ │ ├── base_inputs │ │ │ └── random │ │ ├── config.yml │ │ ├── syms.yml │ │ └── valid_basic_blocks.txt │ ├── PLC │ │ ├── PLC.bin │ │ ├── PLC.elf │ │ ├── base_inputs │ │ │ └── modbus_cmd3 │ │ ├── config.yml │ │ ├── syms.yml │ │ └── valid_basic_blocks.txt │ ├── Reflow_Oven │ │ ├── Reflow_Oven.bin │ │ ├── Reflow_Oven.elf │ │ ├── base_inputs │ │ │ └── random │ │ ├── config.yml │ │ ├── syms.yml │ │ └── valid_basic_blocks.txt │ ├── Robot │ │ ├── Robot.bin │ │ ├── Robot.elf │ │ ├── base_inputs │ │ │ └── ex7_new │ │ ├── config.yml │ │ ├── syms.yml │ │ └── valid_basic_blocks.txt │ ├── Soldering_Iron │ │ ├── Soldering_Iron.bin │ │ ├── Soldering_Iron.elf │ │ ├── base_inputs │ │ │ └── random │ │ ├── config.yml │ │ ├── syms.yml │ │ └── valid_basic_blocks.txt │ └── Steering_Control │ │ ├── Steering_Control.bin │ │ ├── Steering_Control.elf │ │ ├── base_inputs │ │ └── random │ │ ├── config.yml │ │ ├── syms.yml │ │ └── valid_basic_blocks.txt ├── configs │ ├── fuzzing │ │ └── round_robin_interrupts.yml │ └── hw │ │ ├── boards │ │ ├── MK64FN1M0VLL12.yml │ │ ├── SAM3X8E.yml │ │ ├── STM32F103RB.yml │ │ ├── STM32F429ZI.yml │ │ ├── STM32f746zg.yml │ │ ├── atsamr21_xpro.yml │ │ ├── disco_l475_iot1.yml │ │ ├── nrf52840_pca10056.yml │ │ └── nrf52_pca10040.yml │ │ └── cortexm_memory.yml └── pw-recovery │ ├── ARCH_PRO │ ├── basic_exercises.bin │ ├── basic_exercises.elf │ ├── config.yml │ ├── syms.yml │ └── valid_basic_blocks.txt │ ├── EFM32GG_STK3700 │ ├── basic_exercises.bin │ ├── basic_exercises.elf │ ├── config.yml │ ├── syms.yml │ └── valid_basic_blocks.txt │ ├── EFM32LG_STK3600 │ ├── basic_exercises.bin │ ├── basic_exercises.elf │ ├── config.yml │ ├── syms.yml │ └── valid_basic_blocks.txt │ ├── LPC1549 │ ├── LPC15XX_datasheet.pdf │ ├── basic_exercises.bin │ ├── basic_exercises.elf │ ├── config.yml │ ├── syms.yml │ └── valid_basic_blocks.txt │ ├── LPC1768 │ ├── basic_exercises.bin │ ├── basic_exercises.elf │ ├── config.yml │ ├── syms.yml │ └── valid_basic_blocks.txt │ ├── MOTE_L152RC │ ├── basic_exercises.bin │ ├── basic_exercises.elf │ ├── config.yml │ ├── syms.yml │ └── valid_basic_blocks.txt │ ├── NUCLEO_F103RB │ ├── basic_exercises.bin │ ├── basic_exercises.elf │ ├── config.yml │ ├── syms.yml │ └── valid_basic_blocks.txt │ ├── NUCLEO_F207ZG │ ├── basic_exercises.bin │ ├── basic_exercises.elf │ ├── config.yml │ ├── syms.yml │ └── valid_basic_blocks.txt │ ├── NUCLEO_L152RE │ ├── basic_exercises.bin │ ├── basic_exercises.elf │ ├── config.yml │ ├── syms.yml │ └── valid_basic_blocks.txt │ └── UBLOX_C027 │ ├── basic_exercises.bin │ ├── basic_exercises.elf │ ├── config.yml │ ├── syms.yml │ └── valid_basic_blocks.txt ├── install_local.sh ├── modeling ├── fuzzware_model.py ├── fuzzware_modeling │ ├── __init__.py │ ├── analyze_mmio.py │ ├── angr_utils.py │ ├── arch_specific │ │ ├── __init__.py │ │ ├── arm_cortexm_mmio_ranges.py │ │ ├── arm_thumb_quirks.py │ │ └── arm_thumb_regs.py │ ├── base_state_snapshot.py │ ├── exploration_techniques.py │ ├── fuzzware_utils │ │ ├── __init__.py │ │ ├── config.py │ │ ├── persist_results.py │ │ └── trace_serialization.py │ ├── inspect_breakpoints.py │ ├── liveness_plugin.py │ ├── logging_utils.py │ ├── model_detection.py │ └── rq_worker.py ├── requirements.txt ├── setup.py └── setup.sh ├── run_docker.sh ├── scripts ├── cartographer_cov_conversion.py ├── idapython │ ├── idapy_detect_exitats.py │ ├── idapy_dump_symbols_yml.py │ └── idapy_dump_valid_basic_block_list.py └── set_inotify_limits.sh ├── ubuntu_install_docker.sh └── update.sh /.gitignore: -------------------------------------------------------------------------------- 1 | # Build Files 2 | build 3 | dist 4 | 5 | # IDEs 6 | .idea 7 | .vscode 8 | 9 | # Binary files 10 | *.pyc 11 | *.egg-info 12 | __pycache__ 13 | 14 | *.so 15 | *.o 16 | 17 | # FS relics 18 | core* 19 | .fuse_hidden* 20 | 21 | # ida stuff 22 | *.id0 23 | *.id1 24 | *.id2 25 | *.nam 26 | *.til 27 | *.idb -------------------------------------------------------------------------------- /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "pipeline"] 2 | path = pipeline 3 | url = ../fuzzware-pipeline 4 | [submodule "emulator"] 5 | path = emulator 6 | url = ../fuzzware-emulator 7 | -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:22.04 as fuzzware-base 2 | ENV LANG=C.UTF-8 LC_ALL=C.UTF-8 3 | RUN apt-get update && \ 4 | apt-get upgrade -y && \ 5 | apt-get install -y python3 python3-pip automake tmux redis wget autoconf sudo htop cmake clang vim unzip git binutils-arm-none-eabi && \ 6 | pip3 install virtualenv virtualenvwrapper cython setuptools 7 | 8 | ENV FUZZWARE=/home/user/fuzzware 9 | ENV WORKON_HOME=/home/user/.virtualenvs 10 | RUN useradd -l -u 1000 -d /home/user user && \ 11 | mkdir -p $FUZZWARE /home/user/.cache && \ 12 | chown -R user:user /home/user && \ 13 | echo "user ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers 14 | 15 | RUN USER=user GROUP=user VERSION=0.5.1 && \ 16 | wget https://github.com/boxboat/fixuid/releases/download/v$VERSION/fixuid-$VERSION-linux-amd64.tar.gz && \ 17 | tar -C /usr/local/bin -xzf fixuid-$VERSION-linux-amd64.tar.gz && \ 18 | chown root:root /usr/local/bin/fixuid && \ 19 | chmod 4755 /usr/local/bin/fixuid && \ 20 | mkdir -p /etc/fixuid && \ 21 | printf "user: $USER\ngroup: $GROUP\npaths:\n - /home/user/.cache\n" > /etc/fixuid/config.yml 22 | 23 | 24 | # Modeling container 25 | FROM fuzzware-base as fuzzware-modeling 26 | USER user 27 | # First copy and install requirements 28 | COPY modeling/requirements.txt /requirements-modeling.txt 29 | RUN python3 -m virtualenv --python=/usr/bin/python3 $WORKON_HOME/fuzzware-modeling && \ 30 | . $WORKON_HOME/fuzzware-modeling/bin/activate && \ 31 | pip install -r /requirements-modeling.txt 32 | # Then copy and install modeling, then we don't need to install the requirements on each code change 33 | COPY --chown=user modeling $FUZZWARE/modeling 34 | RUN . $WORKON_HOME/fuzzware-modeling/bin/activate && \ 35 | pip install $FUZZWARE/modeling 36 | 37 | 38 | # Main container 39 | FROM fuzzware-base as fuzzware 40 | USER root 41 | # As above install requirements first 42 | COPY pipeline/requirements.txt /requirements-pipeline.txt 43 | COPY emulator/requirements.txt /requirements-emulator.txt 44 | RUN pip3 install -r /requirements-emulator.txt -r /requirements-pipeline.txt 45 | # Build and install emulator dependencies: afl, unicorn 46 | COPY --chown=user emulator/get_afl.sh emulator/afl.patch $FUZZWARE/emulator/ 47 | COPY --chown=user emulator/unicorn/ $FUZZWARE/emulator/unicorn 48 | WORKDIR $FUZZWARE/emulator 49 | USER user 50 | RUN ./get_afl.sh && \ 51 | UNICORN_QEMU_FLAGS="--python=/usr/bin/python3" make -C $FUZZWARE/emulator/afl clean all && \ 52 | make -C $FUZZWARE/emulator/AFLplusplus clean all && \ 53 | cd $FUZZWARE/emulator/unicorn && \ 54 | ./build_unicorn.sh 55 | 56 | # Then copy and install emulator and pipeline 57 | COPY --chown=user emulator $FUZZWARE/emulator 58 | RUN make -C $FUZZWARE/emulator/harness/fuzzware_harness/native clean all 59 | COPY --chown=user pipeline $FUZZWARE/pipeline 60 | USER root 61 | RUN pip3 install -e $FUZZWARE/emulator/harness && \ 62 | pip3 install -e $FUZZWARE/pipeline 63 | 64 | # Finally copy the modeling venv 65 | COPY --chown=user --from=fuzzware-modeling $WORKON_HOME/ $WORKON_HOME/ 66 | 67 | USER user:user 68 | WORKDIR $FUZZWARE/targets 69 | entrypoint ["fixuid", "-q"] 70 | # entrypoint ["fuzzware-start-tmux-docker"] 71 | -------------------------------------------------------------------------------- /build_docker.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | if [[ -z "$1" ]]; then 5 | echo "[INFO] No cmd-line-options provided, building default-image" 6 | if [[ ! -e emulator/setup.sh || ! -e pipeline/setup.sh ]]; then 7 | "$DIR"/update.sh 8 | fi 9 | TAG="latest" 10 | else 11 | echo "[INFO] Building fuzzware-image with tag: $1" 12 | TAG=$1 13 | fi 14 | 15 | if [[ ! -e emulator/setup.sh || ! -e pipeline/setup.sh ]]; then 16 | echo "[ERROR] Could not pull emulator and pipeline repos, exiting."; exit 1 17 | fi 18 | 19 | docker build -t "fuzzware:$TAG" "$DIR" -------------------------------------------------------------------------------- /docs/README.md: -------------------------------------------------------------------------------- 1 | # Documentation Files 2 | The following files are meant to give you additional insight into how to use and deal with different stages of the Fuzzware workflow. 3 | 4 | | File | Description | 5 | | ---- | ----------- | 6 | | [target_configuration.md](target_configuration.md) | Tipps on creating an initial config and most importantly, refining an existing configuration to get the most out of your fuzzing cycles | 7 | | [coverage_analysis.md](coverage_analysis.md) | Given a `fuzzware-project` directory, figure out how the fuzzer is doing and where/why it gets stuck. | 8 | | [crash_analysis.md](crash_analysis.md) | Checking for crashes, bucketing them, and analyzing their root cause. | 9 | | [fuzzware_utils.md](fuzzware_utils.md) | An overview of some of the (other) Fuzzware tools and when they could be useful | 10 | | [manipulating_inputs.md](manipulating_inputs.md) | How to understand and manipulate inputs on your own, if you really need to | 11 | | [fuzzware-emulator/README_config.yml](https://github.com/fuzzware-fuzzer/fuzzware-emulator/blob/main/README_config.yml) | A pretty detailed (even if maybe not quite definitive) description of the config.yml syntax and supported options. | 12 | | [fuzzware-pipeline/README.md](https://github.com/fuzzware-fuzzer/fuzzware-pipeline/blob/main/README_pipeline_architecture.md) | An overview of the how the pipeline component is implented. | 13 | 14 | As always, you don't necessarily need to treat the code itself as a black box. Feel free to also check out the emulator- as well as the pipeline source code itself. -------------------------------------------------------------------------------- /docs/coverage_analysis.md: -------------------------------------------------------------------------------- 1 | # Analyzing Code Coverage 2 | 3 | After freshly configuring a firmware image and fuzzing it, we are naturally interested in how the fuzzer is doing. Fuzzware provides the `fuzzware cov` utility to analyze code coverage over a given `fuzzware-project` directory. There are different levels of detail in which we want to gather information about the current coverage and we give some examples of how to use `fuzzware cov` command-line arguments to achieve different goals. 4 | 5 | ## Coverage Overview 6 | 7 | To get an overview on coverage on stdout, we can simply use `fuzzware cov` without arguments. 8 | 9 | ``` 10 | fuzzware cov 11 | ``` 12 | 13 | This will print information on covered and non-covered functions and basic blocks to stdout. 14 | 15 | For a machine-readable coverage format, we can also dump a file: 16 | 17 | ``` 18 | fuzzware cov --out cov.txt 19 | ``` 20 | 21 | This will dump a list of the covered basic blocks in hexadecimal ascii format to `cov.txt`. We can import this file in a coverage visualization such as [lighthouse](https://github.com/gaasedelen/lighthouse) (for IDA) or [dragondance](https://github.com/0ffffffffh/dragondance)/[Cartographer](https://github.com/nccgroup/Cartographer) (for Ghidra). 22 | For Cartographer, there is a simple [conversion script](../scripts/cartographer_cov_conversion.py) that creates a compatible [EZCOV file](https://github.com/nccgroup/Cartographer/blob/main/EZCOV.md). 23 | 24 | ## Searching for Specific Coverage 25 | 26 | It is likely that upon inspecting the coverage and looking at the firmware code ourselves, we are looking for inputs that actually cover a specific piece of functionality. To find an input that covers the `main` function, we can use: 27 | 28 | ``` 29 | fuzzware cov main 30 | ``` 31 | 32 | To cycle through some inputs, we can also use the `--skip-num` and `--num-matches` arguments to find multiple inputs that cover the functionality we are looking for. 33 | 34 | We may also want to find some combination of coverage that we would like to find an input for. To achieve this, simply supply multiple symbols: 35 | 36 | ``` 37 | fuzzware cov my_init_function main 38 | ``` 39 | 40 | And if we identified some error cases (for example, in the firmware's initialization code), we may want to check whether there is an input which reaches certain functionality without previously viting another piece of code. This can be done using the `--exclude` argument: 41 | 42 | ``` 43 | fuzzware cov --exclude="my_init_failure_bb_1,my_init_failure_bb_2" my_init_function main 44 | ``` 45 | 46 | Which will try to find an input which leads to covering `my_init_function` and `main` without covering either `my_init_failure_bb_1` or `my_init_failure_bb_2`. 47 | 48 | ## Replaying Inputs 49 | 50 | After we identified inputs which are worth investigating, we can re-run them in the emulator using the `fuzzware replay` utility (which accepts the same additional arguments as `fuzzware emu` does for extra debug output, setting breakpoints, generating traces, and the like. Refer to `fuzzware emu -h` for a full set of options). 51 | 52 | ``` 53 | fuzzware replay -t 54 | ``` 55 | 56 | As a shortcut, the following also works to replay the first input that can be found which covers the `main` function: 57 | 58 | ``` 59 | fuzzware replay --covering main 60 | ``` 61 | 62 | From here, understanding the behavior of a given input works in the same way as understanding crashing inputs. Refer to [crash_analysis.md](crash_analysis.md) for more information. -------------------------------------------------------------------------------- /docs/fuzzware_utils.md: -------------------------------------------------------------------------------- 1 | # Fuzzware Utilities 2 | 3 | Here we go into some of Fuzzware's utilities. Note that some of this duplicates with the other READMEs and not all utilities are covered exhaustively. For help on the different components of fuzzware, use the `fuzzware -h` command. 4 | 5 | Running fuzzware typically means running the pipeline component (command `"fuzzware pipeline"` in a configured directory) which performs the job of fuzzing, looking at interesting traces and updating the emulator (with MMIO models) on the fly. Fuzzware will create a `fuzzware-project` directory next to your firmware image containing all the data upon which it operates. 6 | 7 | To make sense of pipeline results (contents of a `fuzzware-project` directory), additional fuzzware utilities are used. Manual tasks on pipeline results include finding input files which trigger certain behaviors (`fuzzware cov`), analyzing firmware behavior for a specific crashing or non-crashing input (`fuzzware replay`). These other utilities are introduced later in this document. 8 | 9 | Before trying to run fuzzware, make sure that everything has been installed *and that you are in the correct virtualenv* in case you are using a local setup rather than in docker. When fuzzing is involved, also make sure your system is set up for afl to agree with its environment (as root, on host): 10 | ``` 11 | echo core >/proc/sys/kernel/core_pattern 12 | cd /sys/devices/system/cpu 13 | echo performance | tee cpu*/cpufreq/scaling_governor 14 | ``` 15 | 16 | When running fuzzware directly on a host system, make sure to also execute everything in a virtualenv: 17 | ``` 18 | workon fuzzware 19 | ``` 20 | 21 | ## Starting the Pipeline 22 | The pipeline is what you want to be using whenever you start fuzzing a firmware image as it automatically manages fuzzing and model generation for you. It will generate the configurations and inputs that you can use to perform manual triaging and troubleshooting. 23 | 24 | For a properly configured firmware image and when within the installed `fuzzware` docker container or the `fuzzware` virtualenv on your locally installed system, you can get started by simply navigating to a correctly configured target directory in [the examples subdirectory](../examples) and starting the pipeline with default arguments: 25 | 26 | Using Docker: 27 | ``` 28 | ./run_docker.sh ./examples fuzzware pipeline ./pw-recovery/ARCH_PRO 29 | ``` 30 | 31 | On your local host setup: 32 | ``` 33 | workon fuzzware && fuzzware pipeline ./examples/pw-recovery/ARCH_PRO 34 | ``` 35 | This will create a `fuzzware-project` subdirectory and start the full pipeline which handles fuzzing, modeling and configuration migrations automatically. The fuzzing results will be written to `examples/pw-recovery/ARCH_PRO/fuzzware-project` in both of the above cases: 36 | 37 | - `fuzzware-project/mainXXX`: Emulator configuration iterations 38 | - `fuzzware-project/mainXXX/fuzzers/fuzzerY`: Fuzzer directory for the given configuration 39 | - `fuzzware-project/mainXXX/fuzzers/fuzzerY/queue`: Fuzzer inputs 40 | - `fuzzware-project/mainXXX/fuzzers/fuzzerY/traces`: Pipeline-generated compact traces (detailed traces can be generated manually using `fuzzware replay` or `fuzzware emu`) 41 | 42 | For more information on the results stored in the `fuzzware-project` directory, refer to the pipeline's README [fuzzware-pipeline/README.md](https://github.com/fuzzware-fuzzer/fuzzware-pipeline/blob/main/README.md). 43 | 44 | There are situations where you might want to use a sub-component in isolation. This may be the case for troubleshooting, debugging, crash triaging and during fuzzware development. For a full list of supported commands, use: 45 | ``` 46 | fuzzware -h 47 | ``` 48 | 49 | ## Coverage Analysis 50 | As a means to more easily find inputs which lead to particular coverage, the `fuzzware cov` utility finds an input which contains a given basic block or symbol in its trace. This can be used to find an input to use with `fuzzware replay`. 51 | 52 | To find an input file within the current project that reaches the `main` function, use: 53 | ``` 54 | fuzzware cov main 55 | ``` 56 | 57 | For a full list of options: 58 | ``` 59 | fuzzware cov -h 60 | ``` 61 | 62 | ## Replaying Emulation Runs 63 | Once the pipeline has been running for a while, you may be interested in what is actually going on in the configurations and the inputs (and maybe crashes) that it generated. 64 | 65 | `fuzzware replay` can be used to easily reproduce single emulation runs for a pipeline-residing input file. It is a wrapper around `fuzzware emu` which automatically locates the correct configuration file and command-line arguments for an emulator configuration iteration. It allows you to re-run the emulation of a given input as it was executed within a fuzzer instance. To help you with the correct invocation and to reduce verbosity when compared to the raw `fuzzware emu` interface, it translates trace- to corresponding input file paths and resolves numeric input ids. 66 | 67 | To replay an input or an input corresponding to a trace file for the first configuration iteration, use: 68 | ``` 69 | # By an input file 70 | fuzzware replay fuzzware-project/main001/fuzzers/fuzzer1/queue/id:000000* 71 | # By a trace file 72 | fuzzware replay fuzzware-project/main001/fuzzers/fuzzer1/traces/bblset_id:000000* 73 | ``` 74 | 75 | To replay an input based on its id (here, the first input id `000000` is used) of the latest configuration iteration, run from within the project base directory: 76 | ``` 77 | fuzzware replay 0 78 | ``` 79 | You can also replay an input by just giving its name and fuzzware will find the exact path for you, as long as the input file name is unique. 80 | 81 | Finally, to save an extra invocation of `fuzzware cov` to find a suitable input file, you can also have fuzzware find an input path which covers a specific address or symbol and replay it automatically for you. To replay the first input file reaching the `main` function, use: 82 | ``` 83 | fuzzware replay --covering main 84 | ``` 85 | 86 | You can provide the same additional arguments to the `replay` command as you would to the `emu` command as shown previously. Note that for projects containing multiple fuzzer instances this may become ambiguous for numeric ids. In that case, fuzzware will complain and you will need to add arguments or navigate to a deeper working directory inside the project. 87 | 88 | For all replay-supported options, use: 89 | ``` 90 | fuzzware replay -h 91 | ``` 92 | 93 | ## Raw Emulation Runs 94 | The following code snippets assume that your current working directory is the firmware target directory (for the `Getting Started` examples, this would be `examples/pw-recovery/ARCH_PRO`). 95 | 96 | For additional debugging output for the initial input: 97 | ``` 98 | fuzzware emu -c fuzzware-project/main001/config.yml --debug -t -M fuzzware-project/main001/fuzzers/fuzzer1/queue/id:000000,* 99 | ``` 100 | 101 | Re-run a crashing input to triage the crash: 102 | ``` 103 | fuzzware emu -c fuzzware-project/main001/config.yml fuzzware-project/main001/fuzzers/fuzzer1/crashes/id:000000,sig:11,XXXXX 104 | ``` 105 | 106 | Setting a breakpoint on a crashing input: 107 | ``` 108 | fuzzware emu -c fuzzware-project/main001/config.yml --debug -t -M --breakpoint 0x12345678 fuzzware-project/main001/fuzzers/fuzzer1/crashes/id:000000,* 109 | ``` 110 | 111 | To generate trace files for further analysis: 112 | ``` 113 | fuzzware emu -c fuzzware-project/main001/config.yml --bb-trace-out=bb_trace.txt --mmio-trace-out=mmio_trace.txt --ram-trace-out=ram_trace.txt fuzzware-project/main001/fuzzers/fuzzer1/crashes/id:000000,sig:11,XXXXX 114 | ``` 115 | 116 | For all emulator-supported options, use: 117 | ``` 118 | fuzzware emu -h 119 | ``` 120 | 121 | ## Raw Fuzzing 122 | This is likely not what you want to be doing during regular fuzzing (use `fuzzware pipeline` instead!), as no MMIO access modeling is performed and you are unable to make use of boot guidance by configuration (which is implemented by the pipeline component by inspecting traces and configuring the fuzzers to start from a valid booted state once one is found according to the configured specification). 123 | 124 | That said, if you are confident in a configuration that you built or the pipeline built for you over time and which you are sure will not be updated anymore, you can also run a standalone fuzzer without modeling or other pipeline features. 125 | 126 | You can run a standalone fuzzer (make sure you are in the correct virtualenv in local setups) in the following way: 127 | ``` 128 | # in a local setup: workon fuzzware 129 | cd examples/pw-recovery/ARCH_PRO 130 | fuzzware fuzz afl-output-dir 131 | ``` 132 | 133 | For a full list of options: 134 | ``` 135 | fuzzware fuzz -h 136 | ``` 137 | 138 | ## Generating Statistics 139 | 140 | To aggregate data on a given `fuzzware-project` directory, we can use `fuzzware genstats` to generate matrics about code coverage, how much time was spent on different types of pipeline jobs, the fuzzing input consumption of different MMIO models, and on the contexts in which crashes occured: 141 | 142 | For a full list of options: 143 | ``` 144 | fuzzware genstats -h 145 | ``` 146 | 147 | ## Generating Traces 148 | 149 | By default, the pipeline component only generates set-based traces which are quick to compute and storage-light. However, Fuzzware's emulation component is also able to generate full traces. While taking longer to compute and taking up more disk space, these traces contain a full list of sequential trace events and can be parsed automatically. Generating such traces could be interesting for manually looking into firmware behavior or for scripting some trace-based analysis. 150 | 151 | For a full list of options: 152 | ``` 153 | fuzzware gentraces -h 154 | ``` -------------------------------------------------------------------------------- /docs/manipulating_inputs.md: -------------------------------------------------------------------------------- 1 | # Manipulating Inputs 2 | 3 | Quite frankly, manually manipulating inputs is not well supported by Fuzzware tooling at the time of writing, and as a consequence, it is very finicky. With that said, let us know if you would like to tinker in this direction and build proper input patching tooling! 4 | 5 | An input to Fuzzware's emulator is basically a sequence of bytes which get consumed on-demand as firmware is executed. As the emulator behaves the same for a given input on every run, we can replay it to reproduce a given behavior. However, we do not know upfront how the bytes within the input file correspond to MMIO reads during firmware emulation. 6 | 7 | ## Generating an MMIO Trace 8 | To figure out the mapping between input byte and MMIO read, we need to first generate an MMIO trace: 9 | 10 | ``` 11 | fuzzware emu --mmio-trace-out=mmio_trace.txt 12 | ``` 13 | 14 | ## Understanding the MMIO Trace 15 | 16 | The resulting MMIO trace file `mmio_trace.txt` contains one entry for each MMIO access (read and write) that was performed during the emulation run for the given input file. Each line has the following structure: 17 | 18 | ``` 19 | # event_id, pc, lr, mode, orig_access_size, access_fuzz_ind, num_consumed_fuzz_bytes, address, val_text 20 | ``` 21 | 22 | As an example (taken from the `ARCH_PRO` target): 23 | 24 | ``` 25 | 009e: e98 641 r 1 118 0 0x4000c014:1 26 | 009f: ea4 641 r 1 118 1 0x4000c000:43 27 | 00a0: e98 641 r 1 119 0 0x4000c014:1 28 | ``` 29 | 30 | The first line is interpreted in the following way: At `pc` address `0xe98` at which point `lr` had value `0x641`, a `read` operation on address `0x4000c014` was performed. The mmio access had a size of `1`, and the fuzzing input cursor was at position `118` (decimal) into the input file. For this MMIO access, no input was consumed (`0` bytes of fuzzing bytes consumed), and the value `1` got returned for the read. 31 | 32 | Referring back to the MMIO model for this access, we find: 33 | ``` 34 | mmio_models: 35 | constant: 36 | pc_00000e98_mmio_4000c014: 37 | access_size: 0x1 38 | addr: 0x4000c014 39 | pc: 0xe98 40 | val: 0x1 41 | ``` 42 | 43 | This corresponds to what we would expect: Accesses from `pc=0xe98` to MMIO address `0x4000c014` return a constant value of `1`. 44 | 45 | Looking at the second MMIO access, we find: At `pc` address `0xea4` at which point `lr` had value `0x641`, a `read` operation on address `0x4000c000` was performed. The mmio access had a size of `1`, and the fuzzing input cursor was at position `118` (decimal) into the input file. For this MMIO access, one byte of input was consumed, and the value `0x43` got returned for the read. 46 | 47 | Once again, referring back to the MMIO model configuration, we find a model which fits the trace entry (`unmodeled ("identity model" in paper speech)` means consuming as much input as was requested): 48 | ``` 49 | unmodeled: 50 | pc_00000ea4_mmio_4000c000: 51 | access_size: 0x1 52 | addr: 0x4000c000 53 | pc: 0xea4 54 | ``` 55 | 56 | From this excerpt of the input file, we see that byte `118` within the input file is returned for an access to address `0x4000c000` from `pc=0xea4`. Looking into what this corresponds in firmware code we find that this actually represents a serial input character. 57 | 58 | ## Patching the Input File 59 | 60 | Based on this knowledge, we can now start patching input bytes at known offsets within the binary input file to change what values are read. 61 | 62 | You can make sure by re-running the input in the emulator that the change you performed actually had the desired effect: 63 | 64 | ``` 65 | fuzzware emu --mmio-trace-out=mmio_trace_patched.txt 66 | ``` 67 | 68 | Diffing the two traces should now show that the given MMIO access changed according to your prediction. -------------------------------------------------------------------------------- /examples/P2IM/CNC/CNC.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware/28ce2dc3f888ecf1bf8d8da314a88b755d0ecc88/examples/P2IM/CNC/CNC.bin -------------------------------------------------------------------------------- /examples/P2IM/CNC/CNC.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware/28ce2dc3f888ecf1bf8d8da314a88b755d0ecc88/examples/P2IM/CNC/CNC.elf -------------------------------------------------------------------------------- /examples/P2IM/CNC/base_inputs/random: -------------------------------------------------------------------------------- 1 | [DEFAULT] # fuzzing only config 2 | base = /home/bo/iot/iot-os-fuzzer 3 | run = 1.0 4 | #program = modbus 5 | #program = firmata 6 | #program = quad_copter 7 | program = soldering_iron 8 | working_dir = %(base)s/run/%(program)s/%(run)s 9 | 10 | [afl] # fuzzing only config 11 | bin = %(base)s/afl/afl-fuzz 12 | timeout = 150+ 13 | input = %(working_dir)s/inputs 14 | output = %(working_dir)s/outputs 15 | 16 | [cov] # fuzzing coverage counting config 17 | #count_hang = False 18 | count_hang = True 19 | bbl_cov_read_sz = 20000000 ; 20MB w/o hang 20 | #bbl_cov_read_sz = 20000000 ; 20MB w/ hang 21 | timeout = 1 ; 1s 22 | 23 | [qemu] 24 | bin = %(base)s/afl/qemu_mode/bin_pm9.5.5/qemu-system-gnuarmeclipse 25 | #bin = /home/bo/Work/qemu/install/debian64/qemu/bin/qemu-system-gnuarmeclipse 26 | log = unimp,guest_errors,int 27 | #log = unimp,guest_errors,exec,int -D qemu.log 28 | 29 | [program] 30 | #board = STM32F429I-Discovery 31 | #mcu = STM32F429ZI 32 | board = NUCLEO-F103RB 33 | mcu = STM32F103RB 34 | #board = Arduino-Due 35 | #mcu = SAM3X8E 36 | #board = FRDM-K64F 37 | #mcu = MK64FN1M0VLL12 38 | 39 | #img = %(working_dir)s/modbus.ino.elf 40 | #img = %(working_dir)s/StandardFirmata.ino.elf 41 | img = %(working_dir)s/TS100_EN.elf 42 | #img = /home/bo/nfs/iot/os/arduino/modbus/build/modbus.ino.elf 43 | 44 | #img = /home/bo/iot/os/iot-fuzzer-RIOT-new/examples/f103/usart/bin/nucleo-f103/hello-world.elf 45 | #img = /home/bo/iot/os/iot-fuzzer-RIOT-new/examples/usart_frdm/bin/frdm-k64f/hello-world.elf 46 | 47 | #img = /home/bo/iot/os/arduino/f103/ADC/build/ADC.ino.elf 48 | #img = /home/bo/iot/os/arduino/ad/Serial/build/Serial.ino.elf 49 | 50 | #img = /home/bo/iot/os/nuttxenv_f103/nuttx/nuttx 51 | #img = /home/bo/iot/os/nuttxenv_ad/nuttx/nuttx 52 | #img = /home/bo/iot/os/nuttxenv_frdm/nuttx/nuttx 53 | 54 | #img = /home/bo/iot/os/grbl_stm32f4/grbl_stm32f4 55 | #img = /home/bo/iot/os/ts100/workspace/TS100/Hexfile/TS100_EN.elf 56 | #img = /home/bo/Firmware_V101-103C8.elf 57 | 58 | [model] 59 | retry_num = 3 60 | peri_addr_range = 512 61 | objdump = /home/bo/iot/toolchains/gcc-arm-none-eabi-6-2017-q2-update/bin/arm-none-eabi-objdump 62 | # config below are fuzzing only 63 | bin = %(base)s/model_extraction/me.py 64 | log_file = %(working_dir)s/me.log 65 | -------------------------------------------------------------------------------- /examples/P2IM/CNC/config.yml: -------------------------------------------------------------------------------- 1 | include: 2 | - ./syms.yml 3 | 4 | interrupt_triggers: 5 | trigger: 6 | every_nth_tick: 0x3e8 7 | fuzz_mode: round_robin 8 | 9 | memory_map: 10 | mmio: {base_addr: 0x40000000, size: 0x20000000, permissions: rw-} 11 | nvic: {base_addr: 0xe0000000, size: 0x10000000, permissions: rw-} 12 | irq_ret: {base_addr: 0xfffff000, size: 0x1000, permissions: --x} 13 | 14 | ram: 15 | base_addr: 0x20000000 16 | permissions: rw- 17 | size: 0x40000 18 | text: 19 | base_addr: 0x8000000 20 | file: CNC.bin 21 | permissions: r-x 22 | size: 0x0d000 23 | -------------------------------------------------------------------------------- /examples/P2IM/Console/Console.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware/28ce2dc3f888ecf1bf8d8da314a88b755d0ecc88/examples/P2IM/Console/Console.bin -------------------------------------------------------------------------------- /examples/P2IM/Console/Console.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware/28ce2dc3f888ecf1bf8d8da314a88b755d0ecc88/examples/P2IM/Console/Console.elf -------------------------------------------------------------------------------- /examples/P2IM/Console/base_inputs/random: -------------------------------------------------------------------------------- 1 | [DEFAULT] # fuzzing only config 2 | base = /home/bo/iot/iot-os-fuzzer 3 | run = 1.0 4 | #program = modbus 5 | #program = firmata 6 | #program = quad_copter 7 | program = soldering_iron 8 | working_dir = %(base)s/run/%(program)s/%(run)s 9 | 10 | [afl] # fuzzing only config 11 | bin = %(base)s/afl/afl-fuzz 12 | timeout = 150+ 13 | input = %(working_dir)s/inputs 14 | output = %(working_dir)s/outputs 15 | 16 | [cov] # fuzzing coverage counting config 17 | #count_hang = False 18 | count_hang = True 19 | bbl_cov_read_sz = 20000000 ; 20MB w/o hang 20 | #bbl_cov_read_sz = 20000000 ; 20MB w/ hang 21 | timeout = 1 ; 1s 22 | 23 | [qemu] 24 | bin = %(base)s/afl/qemu_mode/bin_pm9.5.5/qemu-system-gnuarmeclipse 25 | #bin = /home/bo/Work/qemu/install/debian64/qemu/bin/qemu-system-gnuarmeclipse 26 | log = unimp,guest_errors,int 27 | #log = unimp,guest_errors,exec,int -D qemu.log 28 | 29 | [program] 30 | #board = STM32F429I-Discovery 31 | #mcu = STM32F429ZI 32 | board = NUCLEO-F103RB 33 | mcu = STM32F103RB 34 | #board = Arduino-Due 35 | #mcu = SAM3X8E 36 | #board = FRDM-K64F 37 | #mcu = MK64FN1M0VLL12 38 | 39 | #img = %(working_dir)s/modbus.ino.elf 40 | #img = %(working_dir)s/StandardFirmata.ino.elf 41 | img = %(working_dir)s/TS100_EN.elf 42 | #img = /home/bo/nfs/iot/os/arduino/modbus/build/modbus.ino.elf 43 | 44 | #img = /home/bo/iot/os/iot-fuzzer-RIOT-new/examples/f103/usart/bin/nucleo-f103/hello-world.elf 45 | #img = /home/bo/iot/os/iot-fuzzer-RIOT-new/examples/usart_frdm/bin/frdm-k64f/hello-world.elf 46 | 47 | #img = /home/bo/iot/os/arduino/f103/ADC/build/ADC.ino.elf 48 | #img = /home/bo/iot/os/arduino/ad/Serial/build/Serial.ino.elf 49 | 50 | #img = /home/bo/iot/os/nuttxenv_f103/nuttx/nuttx 51 | #img = /home/bo/iot/os/nuttxenv_ad/nuttx/nuttx 52 | #img = /home/bo/iot/os/nuttxenv_frdm/nuttx/nuttx 53 | 54 | #img = /home/bo/iot/os/grbl_stm32f4/grbl_stm32f4 55 | #img = /home/bo/iot/os/ts100/workspace/TS100/Hexfile/TS100_EN.elf 56 | #img = /home/bo/Firmware_V101-103C8.elf 57 | 58 | [model] 59 | retry_num = 3 60 | peri_addr_range = 512 61 | objdump = /home/bo/iot/toolchains/gcc-arm-none-eabi-6-2017-q2-update/bin/arm-none-eabi-objdump 62 | # config below are fuzzing only 63 | bin = %(base)s/model_extraction/me.py 64 | log_file = %(working_dir)s/me.log 65 | -------------------------------------------------------------------------------- /examples/P2IM/Console/config.yml: -------------------------------------------------------------------------------- 1 | include: 2 | - ./syms.yml 3 | 4 | interrupt_triggers: 5 | trigger: 6 | every_nth_tick: 0x3e8 7 | fuzz_mode: round_robin 8 | 9 | memory_map: 10 | mmio: {base_addr: 0x40000000, size: 0x20000000, permissions: rw-} 11 | nvic: {base_addr: 0xe0000000, size: 0x10000000, permissions: rw-} 12 | irq_ret: {base_addr: 0xfffff000, size: 0x1000, permissions: --x} 13 | 14 | ram: 15 | base_addr: 0x1fff0000 16 | permissions: rw- 17 | size: 0x10000 18 | text: 19 | base_addr: 0x0 20 | file: Console.bin 21 | permissions: r-x 22 | size: 0x8000 23 | -------------------------------------------------------------------------------- /examples/P2IM/Drone/Drone.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware/28ce2dc3f888ecf1bf8d8da314a88b755d0ecc88/examples/P2IM/Drone/Drone.bin -------------------------------------------------------------------------------- /examples/P2IM/Drone/Drone.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware/28ce2dc3f888ecf1bf8d8da314a88b755d0ecc88/examples/P2IM/Drone/Drone.elf -------------------------------------------------------------------------------- /examples/P2IM/Drone/base_inputs/ex1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware/28ce2dc3f888ecf1bf8d8da314a88b755d0ecc88/examples/P2IM/Drone/base_inputs/ex1 -------------------------------------------------------------------------------- /examples/P2IM/Drone/config.yml: -------------------------------------------------------------------------------- 1 | include: 2 | - ./syms.yml 3 | 4 | interrupt_triggers: 5 | trigger: 6 | every_nth_tick: 0x3e8 7 | fuzz_mode: round_robin 8 | 9 | memory_map: 10 | mmio: {base_addr: 0x40000000, size: 0x20000000, permissions: rw-} 11 | nvic: {base_addr: 0xe0000000, size: 0x10000000, permissions: rw-} 12 | irq_ret: {base_addr: 0xfffff000, size: 0x1000, permissions: --x} 13 | 14 | flash: 15 | base_addr: 0x00000000 16 | permissions: rw- 17 | size: 0x1000 18 | ram: 19 | base_addr: 0x20000000 20 | permissions: rw- 21 | size: 0x100000 22 | text: 23 | base_addr: 0x8000000 24 | file: Drone.bin 25 | permissions: r-x 26 | size: 0xd000 27 | -------------------------------------------------------------------------------- /examples/P2IM/Drone/syms.yml: -------------------------------------------------------------------------------- 1 | symbols: 2 | 0x8000000: g_pfnVectors 3 | 0x8000110: __do_global_dtors_aux 4 | 0x8000134: frame_dummy 5 | 0x8000150: strlen 6 | 0x8000160: __aeabi_drsub 7 | 0x8000168: __subdf3 8 | 0x800016c: __aeabi_dadd 9 | 0x80003e4: __floatunsidf 10 | 0x8000404: __floatsidf 11 | 0x8000428: __extendsfdf2 12 | 0x8000464: __floatundidf 13 | 0x8000474: __floatdidf 14 | 0x80004d0: __muldf3 15 | 0x8000724: __divdf3 16 | 0x80008f4: __gtdf2 17 | 0x80008fc: __ltdf2 18 | 0x8000904: __nedf2 19 | 0x8000980: __aeabi_cdrcmple 20 | 0x8000990: __aeabi_cdcmple 21 | 0x80009a0: __aeabi_dcmpeq 22 | 0x80009b4: __aeabi_dcmplt 23 | 0x80009c8: __aeabi_dcmple 24 | 0x80009dc: __aeabi_dcmpge 25 | 0x80009f0: __aeabi_dcmpgt 26 | 0x8000a04: __unorddf2 27 | 0x8000a30: __truncdfsf2 28 | 0x8000ad0: __aeabi_frsub 29 | 0x8000ad8: __subsf3 30 | 0x8000adc: __aeabi_fadd 31 | 0x8000c3c: __floatunsisf 32 | 0x8000c44: __floatsisf 33 | 0x8000c60: __floatundisf 34 | 0x8000c70: __floatdisf 35 | 0x8000cec: __mulsf3 36 | 0x8000e54: __divsf3 37 | 0x8000f8c: __gtsf2 38 | 0x8000f94: __ltsf2 39 | 0x8000f9c: __nesf2 40 | 0x8000ffc: __aeabi_cfrcmple 41 | 0x8001004: __aeabi_cfcmple 42 | 0x8001014: __aeabi_fcmpeq 43 | 0x8001028: __aeabi_fcmplt 44 | 0x800103c: __aeabi_fcmple 45 | 0x8001050: __aeabi_fcmpge 46 | 0x8001064: __aeabi_fcmpgt 47 | 0x8001078: __fixsfsi 48 | 0x80010c4: __fixunssfsi 49 | 0x8001104: HAL_InitTick 50 | 0x8001128: HAL_Init 51 | 0x800114c: HAL_IncTick 52 | 0x800115c: HAL_GetTick 53 | 0x8001168: HAL_Delay 54 | 0x8001170: HAL_NVIC_SetPriorityGrouping 55 | 0x8001194: HAL_NVIC_SetPriority 56 | 0x80011fc: HAL_NVIC_EnableIRQ 57 | 0x8001214: HAL_SYSTICK_Config 58 | 0x8001240: HAL_SYSTICK_CLKSourceConfig 59 | 0x8001258: HAL_SYSTICK_Callback 60 | 0x800125a: HAL_SYSTICK_IRQHandler 61 | 0x8001264: HAL_GPIO_Init 62 | 0x8001424: HAL_GPIO_WritePin 63 | 0x800142e: HAL_GPIO_TogglePin 64 | 0x8001436: I2C_IsAcknowledgeFailed 65 | 0x8001460: I2C_WaitOnMasterAddressFlagUntilTimeout 66 | 0x80014e2: I2C_WaitOnTXEFlagUntilTimeout 67 | 0x8001530: I2C_RequestMemoryWrite 68 | 0x80015e4: Flag 69 | 0x80015e8: I2C_RequestMemoryRead 70 | 0x80016f4: I2C_WaitOnRXNEFlagUntilTimeout 71 | 0x8001754: HAL_I2C_Init 72 | 0x8001828: HAL_I2C_Mem_Write 73 | 0x8001938: HAL_I2C_Mem_Read 74 | 0x8001b58: HAL_RCC_OscConfig 75 | 0x8002008: HAL_RCC_GetSysClockFreq 76 | 0x800209c: HAL_RCC_ClockConfig 77 | 0x8002214: HAL_RCC_GetHCLKFreq 78 | 0x8002220: HAL_RCC_GetPCLK1Freq 79 | 0x8002250: HAL_RCC_GetPCLK2Freq 80 | 0x8002280: TIM_OC1_SetConfig 81 | 0x80022d0: TIM_OC3_SetConfig 82 | 0x8002324: TIM_OC4_SetConfig 83 | 0x8002368: TIM_Base_SetConfig 84 | 0x80023d0: HAL_TIM_PWM_Init 85 | 0x8002404: TIM_OC2_SetConfig 86 | 0x800245c: HAL_TIM_PWM_ConfigChannel 87 | 0x800247e: jpt_800247A 88 | 0x80024ac: def_800247A 89 | 0x8002520: TIM_CCxChannelCmd 90 | 0x8002538: HAL_TIM_PWM_Start 91 | 0x8002564: HAL_TIMEx_ConfigBreakDeadTime 92 | 0x80025a4: HAL_TIMEx_MasterConfigSynchronization 93 | 0x80025e8: UART_SetConfig 94 | 0x8002724: HAL_UART_Init 95 | 0x800277c: HAL_UART_Transmit 96 | 0x80028a6: HAL_UART_Receive_IT 97 | 0x800290a: HAL_UART_TxCpltCallback 98 | 0x800290c: UART_Receive_IT 99 | 0x8002998: HAL_UART_ErrorCallback 100 | 0x800299a: HAL_UART_IRQHandler 101 | 0x8002ad0: MPU9250_Init 102 | 0x8002b44: file 103 | 0x8002b48: MPU9250_ReadAccelData 104 | 0x8002bf0: MPU9250_ReadGyroData 105 | 0x8002cb0: AK8963_Init 106 | 0x8002d88: AK8963_ReadData 107 | 0x8002ea0: IMU_Init 108 | 0x8002ebc: _beta 109 | 0x8002ec0: AHRS_GetPitch 110 | 0x8002ed0: var 111 | 0x8002ed4: AHRS_GetRoll 112 | 0x8002ee8: AHRS_GetYaw 113 | 0x8002f28: AHRS_ComputeAngles 114 | 0x8003010: angle 115 | 0x8003034: MS5611_ReadADC 116 | 0x8003068: MS5611_GetFilteredAltitude 117 | 0x8003078: MS5611_Update 118 | 0x8003298: MS5611_Init 119 | 0x8003314: MadgwickSetBeta 120 | 0x8003320: MadgwickSetDelta 121 | 0x8003330: MadgwickQuaternionUpdate 122 | 0x8003eac: CB_Write 123 | 0x8003ed6: CB_Init 124 | 0x8003ef2: lowPassFilter 125 | 0x8003f20: toggleLED 126 | 0x8003f5c: GPIOx 127 | 0x8003f60: LED_StartupSequence 128 | 0x8003fa8: Motor1_SetPWM 129 | 0x8003fb4: Motor2_SetPWM 130 | 0x8003fc0: Motor3_SetPWM 131 | 0x8003fcc: Motor4_SetPWM 132 | 0x8003fd8: PWM_Init 133 | 0x8004004: htim 134 | 0x800400c: Devices_Init 135 | 0x8004020: I2C_WriteByte 136 | 0x8004058: hi2c 137 | 0x8004060: I2C_ReadByte 138 | 0x800409c: I2C_ReadBytes 139 | 0x80040cc: I2C_ReadByteArray 140 | 0x8004100: taskScheduler 141 | 0x8004178: setup 142 | 0x8004192: main 143 | 0x80041a2: Motor_StopAll 144 | 0x80041c0: Motor_SetSpeed 145 | 0x8004248: Motor_DistributeSpeed 146 | 0x80042dc: MSP_SendFrame 147 | 0x8004320: data 148 | 0x8004324: MSP_SendIdent 149 | 0x8004360: MSP_SendStatus 150 | 0x8004398: MSP_SendRawIMU 151 | 0x80043cc: MSP_SendMotor 152 | 0x80043ec: MSP_SendAttitude 153 | 0x8004410: MSP_SendAltitude 154 | 0x8004434: MSP_SendPID 155 | 0x800446c: _Error_Handler 156 | 0x80044f0: SystemClock_Config 157 | 0x8004568: Peripherals_Init 158 | 0x80047f4: huart 159 | 0x8004818: PID_Compute 160 | 0x8004954: PID_Init 161 | 0x8004a0c: PID_UpdateAltitude 162 | 0x8004a60: PID_Update 163 | 0x8004bcc: pid 164 | 0x8004bf4: serialWrite 165 | 0x8004c0c: HAL_UART_RxCpltCallback 166 | 0x8004c38: cb 167 | 0x8004c40: serialFlush 168 | 0x8004c4c: serialBegin 169 | 0x8004c68: serialPrint 170 | 0x8004c88: serialInt 171 | 0x8004ca8: HAL_MspInit 172 | 0x8004d24: HAL_I2C_MspInit 173 | 0x8004d68: HAL_TIM_PWM_MspInit 174 | 0x8004df0: HAL_TIM_MspPostInit 175 | 0x8004e58: HAL_UART_MspInit 176 | 0x8004ec0: NMI_Handler 177 | 0x8004ec2: HardFault_Handler 178 | 0x8004ec4: MemManage_Handler 179 | 0x8004ec6: BusFault_Handler 180 | 0x8004ec8: UsageFault_Handler 181 | 0x8004eca: SVC_Handler 182 | 0x8004ecc: DebugMon_Handler 183 | 0x8004ece: PendSV_Handler 184 | 0x8004ed0: SysTick_Handler 185 | 0x8004ee0: USART1_IRQHandler 186 | 0x8004eec: SystemInit 187 | 0x8004f38: millis 188 | 0x8004f3c: micros 189 | 0x8004f40: delay_ms 190 | 0x8004f44: Reset_Handler 191 | 0x8004f48: CopyDataInit 192 | 0x8004f50: LoopCopyDataInit 193 | 0x8004f5e: FillZerobss 194 | 0x8004f64: LoopFillZerobss 195 | 0x8004f8c: WWDG_IRQHandler 196 | 0x8004f90: __libc_init_array 197 | 0x8004fd8: sprintf 198 | 0x8005020: __ssputs_r 199 | 0x80050d8: _svfprintf_r 200 | 0x80052c0: _printf_common 201 | 0x80053b0: _printf_i 202 | 0x80055f0: memchr 203 | 0x800560c: memcpy 204 | 0x8005622: memmove 205 | 0x8005658: _free_r 206 | 0x80056f0: _malloc_r 207 | 0x80057ac: _realloc_r 208 | 0x80057f8: _sbrk_r 209 | 0x8005818: __malloc_lock 210 | 0x800581a: __malloc_unlock 211 | 0x800581c: _malloc_usable_size_r 212 | 0x8005830: asin 213 | 0x80058d8: atan2 214 | 0x80058dc: pow 215 | 0x8005ba4: sqrt 216 | 0x8005c50: __ieee754_asin 217 | 0x8006050: __ieee754_atan2 218 | 0x8006208: __ieee754_pow 219 | 0x8006bec: __ieee754_sqrt 220 | 0x8006d48: atan 221 | 0x800706c: fabs 222 | 0x8007072: finite 223 | 0x800707e: matherr 224 | 0x8007084: nan 225 | 0x8007090: rint 226 | 0x80071a0: scalbn 227 | 0x800727c: copysign 228 | 0x800728c: __errno 229 | 0x8007298: _sbrk 230 | 0x80072b4: _init 231 | 0x80072c0: _fini 232 | 0x80072cc: _etext 233 | 0x80072e0: aSrcMpu9250C 234 | 0x80072f1: aSrcMs5611C 235 | 0x8007301: aSrcI2cC 236 | 0x800730e: aM 237 | 0x8007312: aSrcPeripherals 238 | 0x8007327: aErrorWith 239 | 0x8007333: aAtLine 240 | 0x800733e: aI 241 | 0x8007341: AHBPrescTable 242 | 0x8007351: APBPrescTable 243 | 0x8007359: a0 244 | 0x800735f: aHll 245 | 0x8007363: aEfgefg 246 | 0x800736a: a0123456789abcd_0 247 | 0x800737b: a0123456789abcd 248 | 0x800738c: aAsin 249 | 0x8007391: aPow 250 | 0x8007395: aSqrt 251 | 0x80073a0: bp 252 | 0x80073b0: dp_h 253 | 0x80073c0: dp_l 254 | 0x80073d0: atanhi 255 | 0x80073f0: atanlo 256 | 0x8007410: TWO52 257 | 0x8007420: __exidx_start 258 | 0x8007424: __do_global_dtors_aux_fini_array_entry 259 | 0x20000000: gyroBias 260 | 0x2000000c: lpf_pitch 261 | 0x20000014: lpf_roll 262 | 0x2000001c: mRes 263 | 0x20000020: magBias 264 | 0x2000002c: magScale 265 | 0x20000038: MS5611_OSR 266 | 0x2000003c: q 267 | 0x2000004c: pid_altitude 268 | 0x200000a8: pid_pitch 269 | 0x20000104: pid_roll 270 | 0x20000160: pid_yaw 271 | 0x200001bc: SystemCoreClock 272 | 0x200001c0: _impure_ptr 273 | 0x200001c4: impure_data 274 | 0x20000224: __fdlib_version 275 | 0x20000228: _edata 276 | 0x2000022c: object.8677 277 | 0x20000244: uwTick 278 | 0x20000248: AHRS_Angle 279 | 0x20000254: AHRS_lastUpdate 280 | 0x20000258: AHRS_timeNow 281 | 0x2000025c: MS5611_Coefficients 282 | 0x2000026c: MS5611_RawPressure 283 | 0x20000270: MS5611_RawTemperature 284 | 0x20000274: PRESSURE_READY 285 | 0x20000275: TEMP_READY 286 | 0x20000278: pressure_time 287 | 0x2000027c: temp_time 288 | 0x20000280: joystick 289 | 0x20000288: last_tick1 290 | 0x2000028c: last_tick2 291 | 0x20000290: last_tick3 292 | 0x20000294: motor_pwm 293 | 0x200002a4: ALT_FLAG 294 | 0x200002a8: __malloc_free_list 295 | 0x200002ac: __malloc_sbrk_start 296 | 0x200002b0: heap_end.4116 297 | 0x200002b4: magRaw 298 | 0x200002ba: gyroRaw 299 | 0x200002c0: gyroData 300 | 0x200002cc: accelData 301 | 0x200002d8: magData 302 | 0x200002e4: magCalib 303 | 0x200002f0: accelRaw 304 | 0x200002f8: MS5611_FilteredAltitude 305 | 0x200002fc: alt_filter 306 | 0x2000034c: MS5611_Altitude 307 | 0x20000350: MS5611_CompensatedPressure 308 | 0x20000354: MS5611_CompensatedTemperature 309 | 0x20000358: beta 310 | 0x2000035c: deltat 311 | 0x20000360: rxc 312 | 0x20000b66: txc 313 | 0x2000136c: msp_txf_analog 314 | 0x20001373: msp_rxf_pid 315 | 0x20001391: msp_txf_attitude 316 | 0x20001397: msp_txf_pid 317 | 0x200013b5: msp_txf_status 318 | 0x200013c0: msp_txf_rc_tuning 319 | 0x200013c7: msp_rxf_box 320 | 0x200013c9: msp_rxf_raw_rc 321 | 0x200013d9: msp_txf_motor 322 | 0x200013e1: msp_rxf_motor 323 | 0x200013e9: msp_rxf_misc 324 | 0x200013ff: msp_txf_misc 325 | 0x20001415: msp_txf_motor_pins 326 | 0x2000141d: msp_rxf_head 327 | 0x2000141f: msp_txf_ident 328 | 0x20001426: msp_txf_raw_imu 329 | 0x20001438: rxf 330 | 0x200014a4: msp_rxf_led 331 | 0x200014a7: msp_txf_altitude 332 | 0x200014ad: msp_rxf_rc_tuning 333 | 0x200014b4: msp_txf_rc 334 | 0x200014c4: htim4 335 | 0x20001500: hi2c1 336 | 0x2000153c: htim3 337 | 0x20001578: huart1 338 | 0x200015b8: htim1 339 | 0x200015f4: htim2 340 | 0x20001630: rx_buffer 341 | 0x20001632: tx_buffer 342 | 0x20001698: errno 343 | 0x2000169c: __bss_end__ 344 | 0x20001c9c: BootRAM 345 | 0x20001ca0: _Min_Stack_Size 346 | 0x20001ca4: _sidata 347 | 0x20001ca8: _Min_Heap_Size 348 | 0x20001cac: malloc_getpagesize_P 349 | 0x20001cb0: _estack 350 | -------------------------------------------------------------------------------- /examples/P2IM/Gateway/Gateway.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware/28ce2dc3f888ecf1bf8d8da314a88b755d0ecc88/examples/P2IM/Gateway/Gateway.bin -------------------------------------------------------------------------------- /examples/P2IM/Gateway/Gateway.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware/28ce2dc3f888ecf1bf8d8da314a88b755d0ecc88/examples/P2IM/Gateway/Gateway.elf -------------------------------------------------------------------------------- /examples/P2IM/Gateway/base_inputs/ex7_new: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware/28ce2dc3f888ecf1bf8d8da314a88b755d0ecc88/examples/P2IM/Gateway/base_inputs/ex7_new -------------------------------------------------------------------------------- /examples/P2IM/Gateway/config.yml: -------------------------------------------------------------------------------- 1 | include: 2 | - ./syms.yml 3 | 4 | interrupt_triggers: 5 | trigger: 6 | every_nth_tick: 0x3e8 7 | fuzz_mode: round_robin 8 | 9 | memory_map: 10 | mmio: {base_addr: 0x40000000, size: 0x20000000, permissions: rw-} 11 | nvic: {base_addr: 0xe0000000, size: 0x10000000, permissions: rw-} 12 | irq_ret: {base_addr: 0xfffff000, size: 0x1000, permissions: --x} 13 | 14 | ram: 15 | base_addr: 0x20000000 16 | permissions: rw- 17 | size: 0x40000 18 | text: 19 | base_addr: 0x8000000 20 | file: Gateway.bin 21 | permissions: r-x 22 | size: 0xB000 23 | -------------------------------------------------------------------------------- /examples/P2IM/Heat_Press/Heat_Press.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware/28ce2dc3f888ecf1bf8d8da314a88b755d0ecc88/examples/P2IM/Heat_Press/Heat_Press.bin -------------------------------------------------------------------------------- /examples/P2IM/Heat_Press/Heat_Press.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware/28ce2dc3f888ecf1bf8d8da314a88b755d0ecc88/examples/P2IM/Heat_Press/Heat_Press.elf -------------------------------------------------------------------------------- /examples/P2IM/Heat_Press/base_inputs/random: -------------------------------------------------------------------------------- 1 | [DEFAULT] # fuzzing only config 2 | base = /home/bo/iot/iot-os-fuzzer 3 | run = 1.0 4 | #program = modbus 5 | #program = firmata 6 | #program = quad_copter 7 | program = soldering_iron 8 | working_dir = %(base)s/run/%(program)s/%(run)s 9 | 10 | [afl] # fuzzing only config 11 | bin = %(base)s/afl/afl-fuzz 12 | timeout = 150+ 13 | input = %(working_dir)s/inputs 14 | output = %(working_dir)s/outputs 15 | 16 | [cov] # fuzzing coverage counting config 17 | #count_hang = False 18 | count_hang = True 19 | bbl_cov_read_sz = 20000000 ; 20MB w/o hang 20 | #bbl_cov_read_sz = 20000000 ; 20MB w/ hang 21 | timeout = 1 ; 1s 22 | 23 | [qemu] 24 | bin = %(base)s/afl/qemu_mode/bin_pm9.5.5/qemu-system-gnuarmeclipse 25 | #bin = /home/bo/Work/qemu/install/debian64/qemu/bin/qemu-system-gnuarmeclipse 26 | log = unimp,guest_errors,int 27 | #log = unimp,guest_errors,exec,int -D qemu.log 28 | 29 | [program] 30 | #board = STM32F429I-Discovery 31 | #mcu = STM32F429ZI 32 | board = NUCLEO-F103RB 33 | mcu = STM32F103RB 34 | #board = Arduino-Due 35 | #mcu = SAM3X8E 36 | #board = FRDM-K64F 37 | #mcu = MK64FN1M0VLL12 38 | 39 | #img = %(working_dir)s/modbus.ino.elf 40 | #img = %(working_dir)s/StandardFirmata.ino.elf 41 | img = %(working_dir)s/TS100_EN.elf 42 | #img = /home/bo/nfs/iot/os/arduino/modbus/build/modbus.ino.elf 43 | 44 | #img = /home/bo/iot/os/iot-fuzzer-RIOT-new/examples/f103/usart/bin/nucleo-f103/hello-world.elf 45 | #img = /home/bo/iot/os/iot-fuzzer-RIOT-new/examples/usart_frdm/bin/frdm-k64f/hello-world.elf 46 | 47 | #img = /home/bo/iot/os/arduino/f103/ADC/build/ADC.ino.elf 48 | #img = /home/bo/iot/os/arduino/ad/Serial/build/Serial.ino.elf 49 | 50 | #img = /home/bo/iot/os/nuttxenv_f103/nuttx/nuttx 51 | #img = /home/bo/iot/os/nuttxenv_ad/nuttx/nuttx 52 | #img = /home/bo/iot/os/nuttxenv_frdm/nuttx/nuttx 53 | 54 | #img = /home/bo/iot/os/grbl_stm32f4/grbl_stm32f4 55 | #img = /home/bo/iot/os/ts100/workspace/TS100/Hexfile/TS100_EN.elf 56 | #img = /home/bo/Firmware_V101-103C8.elf 57 | 58 | [model] 59 | retry_num = 3 60 | peri_addr_range = 512 61 | objdump = /home/bo/iot/toolchains/gcc-arm-none-eabi-6-2017-q2-update/bin/arm-none-eabi-objdump 62 | # config below are fuzzing only 63 | bin = %(base)s/model_extraction/me.py 64 | log_file = %(working_dir)s/me.log 65 | -------------------------------------------------------------------------------- /examples/P2IM/Heat_Press/config.yml: -------------------------------------------------------------------------------- 1 | include: 2 | - ./syms.yml 3 | 4 | interrupt_triggers: 5 | trigger: 6 | every_nth_tick: 0x3e8 7 | fuzz_mode: round_robin 8 | 9 | memory_map: 10 | mmio: {base_addr: 0x40000000, size: 0x20000000, permissions: rw-} 11 | nvic: {base_addr: 0xe0000000, size: 0x10000000, permissions: rw-} 12 | irq_ret: {base_addr: 0xfffff000, size: 0x1000, permissions: --x} 13 | 14 | ram: 15 | base_addr: 0x20070000 16 | permissions: rw- 17 | size: 0x40000 18 | text: 19 | base_addr: 0x00080000 20 | file: Heat_Press.bin 21 | permissions: r-x 22 | size: 0x7000 23 | -------------------------------------------------------------------------------- /examples/P2IM/Heat_Press/syms.yml: -------------------------------------------------------------------------------- 1 | symbols: 2 | 0x80000: _sfixed 3 | 0x800f4: __do_global_dtors_aux 4 | 0x80118: frame_dummy 5 | 0x80148: _ZN6Modbus5beginEl 6 | 0x801ac: _ZN6Modbus11getRxBufferEv 7 | 0x80218: _ZN6Modbus7calcCRCEh 8 | 0x80254: _ZN6Modbus12sendTxBufferEv 9 | 0x802d6: _ZN6Modbus5queryE8modbus_t 10 | 0x8031e: jpt_8031A 11 | 0x803b0: def_8031A 12 | 0x803d0: _ZN6Modbus14validateAnswerEv 13 | 0x8040c: _ZN6Modbus7get_FC3Ev 14 | 0x8043a: _ZN6Modbus4pollEv 15 | 0x804a4: setup 16 | 0x805c4: loop 17 | 0x805e0: jpt_805DC 18 | 0x8071a: def_805DC 19 | 0x80a78: _GLOBAL__sub_I__ZN6ModbusC2Ev 20 | 0x80aa8: cstr 21 | 0x80ab8: _Z11serialEventv 22 | 0x80abc: UART_Handler 23 | 0x80ac8: _Z12serialEvent1v 24 | 0x80aca: _Z12serialEvent2v 25 | 0x80acc: _Z12serialEvent3v 26 | 0x80ad0: USART0_Handler 27 | 0x80adc: USART1_Handler 28 | 0x80ae8: USART3_Handler 29 | 0x80af4: init 30 | 0x80c1c: _GLOBAL__sub_I_g_APinDescription 31 | 0x80cb8: pUart 32 | 0x80cd0: pUsart 33 | 0x80cf0: _Z14serialEventRunv 34 | 0x80d34: PIO_PullUp 35 | 0x80d3e: PIO_SetPeripheral 36 | 0x80d48: jpt_80D44 37 | 0x80d60: def_80D44 38 | 0x80d64: PIO_SetInput 39 | 0x80d8a: PIO_SetOutput 40 | 0x80db0: PIO_Configure 41 | 0x80dc4: jpt_80DC0 42 | 0x80e00: def_80DC0 43 | 0x80e14: PIO_GetOutputDataStatus 44 | 0x80e28: pmc_enable_periph_clk 45 | 0x80e6c: pmc_disable_periph_clk 46 | 0x80eac: SystemInit 47 | 0x80f34: Reset_Handler 48 | 0x80fac: adc_init 49 | 0x81044: adc_configure_trigger 50 | 0x81052: adc_configure_timing 51 | 0x8106c: adc_disable_channel 52 | 0x81076: adc_disable_all_channel 53 | 0x8107e: adc_disable_interrupt 54 | 0x81084: UOTGHS_Handler 55 | 0x81094: PIOA_Handler 56 | 0x810cc: PIOB_Handler 57 | 0x81104: PIOC_Handler 58 | 0x8113c: PIOD_Handler 59 | 0x81174: __halt 60 | 0x81176: SVC_Handler 61 | 0x8117a: PendSV_Handler 62 | 0x8117e: SysTick_Handler 63 | 0x81194: __false 64 | 0x81198: __halt_0 65 | 0x8119c: _sbrk 66 | 0x811b8: link 67 | 0x811be: _close 68 | 0x811c4: _fstat 69 | 0x811ce: _isatty 70 | 0x811d2: _lseek 71 | 0x811d6: _read 72 | 0x811dc: _write 73 | 0x81200: _exit 74 | 0x81210: _kill 75 | 0x81212: _getpid 76 | 0x81218: millis 77 | 0x81230: delay 78 | 0x81232: analogOutputInit 79 | 0x81234: pinMode 80 | 0x8133c: digitalWrite 81 | 0x813ac: tickReset 82 | 0x813cc: _ZN10RingBufferC2Ev 83 | 0x813e6: _ZN10RingBuffer10store_charEh 84 | 0x81404: _ZN9UARTClasscvbEv 85 | 0x81408: _ZN9UARTClass9availableEv 86 | 0x8141a: _ZN9UARTClass4peekEv 87 | 0x81436: _ZN9UARTClass4readEv 88 | 0x81460: _ZN9UARTClass5flushEv 89 | 0x81478: _ZN9UARTClass5writeEh 90 | 0x814cc: _ZN9UARTClass3endEv 91 | 0x81508: _ZN9UARTClassC2EP4Uart4IRQnmP10RingBufferS4_ 92 | 0x8152c: _ZN9UARTClass4initEmm 93 | 0x8159c: _ZN9UARTClass5beginEm 94 | 0x815a4: _ZN9UARTClass10IrqHandlerEv 95 | 0x815ee: _ZN10USARTClass5beginEm 96 | 0x815f8: _ZN10USARTClassC2EP5Usart4IRQnmP10RingBufferS4_ 97 | 0x8161c: _Z8makeWordhh 98 | 0x81622: _ZN6StringD2Ev 99 | 0x81630: _ZN6String10invalidateEv 100 | 0x81646: _ZN6String12changeBufferEj 101 | 0x8165e: _ZN6String7reserveEj 102 | 0x81680: _ZN6String4copyEPKcj 103 | 0x816a6: _ZN6StringC2EPKc 104 | 0x816ca: initVariant 105 | 0x816cc: main 106 | 0x816f8: _watchdogDefaultSetup 107 | 0x81704: _ZN5Print5writeEPKhj 108 | 0x81728: TimeTick_Increment 109 | 0x81738: WDT_Disable 110 | 0x81740: __aeabi_frsub 111 | 0x81748: __subsf3 112 | 0x8174c: __aeabi_fadd 113 | 0x818ac: __floatunsisf 114 | 0x818b4: __floatsisf 115 | 0x818d0: __floatundisf 116 | 0x818e0: __floatdisf 117 | 0x8195c: __mulsf3 118 | 0x81ac4: __divsf3 119 | 0x81bfc: __gtsf2 120 | 0x81c04: __ltsf2 121 | 0x81c0c: __nesf2 122 | 0x81c6c: __aeabi_cfrcmple 123 | 0x81c74: __aeabi_cfcmple 124 | 0x81c84: __aeabi_fcmpeq 125 | 0x81c98: __aeabi_fcmplt 126 | 0x81cac: __aeabi_fcmple 127 | 0x81cc0: __aeabi_fcmpge 128 | 0x81cd4: __aeabi_fcmpgt 129 | 0x81ce8: __fixsfsi 130 | 0x81d34: __fixunssfsi 131 | 0x81d74: __aeabi_atexit 132 | 0x81d80: __cxa_atexit 133 | 0x81d94: __libc_init_array 134 | 0x81de4: iprintf 135 | 0x81e0c: malloc 136 | 0x81e1c: free 137 | 0x81e2c: _malloc_r 138 | 0x82364: memcpy 139 | 0x82450: memmove 140 | 0x8251c: memset 141 | 0x825b0: __malloc_lock 142 | 0x825b4: __malloc_unlock 143 | 0x825b8: realloc 144 | 0x825c8: _realloc_r 145 | 0x82988: _sbrk_r 146 | 0x829ac: strcpy 147 | 0x82a68: strlen 148 | 0x82ac8: kill 149 | 0x82ad8: __sprint_r.part.0 150 | 0x82b50: _vfiprintf_r 151 | 0x82c3c: jpt_82C38 152 | 0x831ea: def_82C38 153 | 0x837a4: __sbprintf 154 | 0x83820: __swsetup_r 155 | 0x838e4: __register_exitproc 156 | 0x8398c: register_fini 157 | 0x839a0: atexit 158 | 0x839ac: __sflush_r 159 | 0x83af4: _fflush_r 160 | 0x83b20: _cleanup_r 161 | 0x83b2c: __sinit 162 | 0x83c20: __sfp_lock_acquire 163 | 0x83c24: __sfp_lock_release 164 | 0x83c28: __libc_fini_array 165 | 0x83c58: _fputwc_r 166 | 0x83d18: _malloc_trim_r 167 | 0x83db4: _free_r 168 | 0x83f4c: __sfvwrite_r 169 | 0x84260: _fwalk 170 | 0x842a8: __locale_charset 171 | 0x842b0: __locale_mb_cur_max 172 | 0x842bc: __smakebuf_r 173 | 0x8439c: memchr 174 | 0x84430: _kill_r 175 | 0x84458: __sread 176 | 0x8447c: __swrite 177 | 0x844b4: __sseek 178 | 0x844d4: __sclose 179 | 0x844dc: __swbuf_r 180 | 0x84584: _wcrtomb_r 181 | 0x845d4: __ascii_wctomb 182 | 0x845f0: _write_r 183 | 0x84618: _close_r 184 | 0x8463c: _fclose_r 185 | 0x846bc: fclose 186 | 0x846cc: _fstat_r 187 | 0x846f4: _isatty_r 188 | 0x84718: _lseek_r 189 | 0x84740: _read_r 190 | 0x84768: __aeabi_uldivmod 191 | 0x84794: __gnu_ldivmod_helper 192 | 0x847c4: __gnu_uldivmod_helper 193 | 0x847f4: __aeabi_ldiv0 194 | 0x847f8: __divdi3 195 | 0x84a98: __udivdi3 196 | 0x84d28: _ZL12fctsupported 197 | 0x84d30: g_APinDescription 198 | 0x8579c: aExitingWithSta 199 | 0x857b8: _ZTV9UARTClass 200 | 0x857e8: _ZTV10USARTClass 201 | 0x8581c: _global_impure_ptr 202 | 0x85820: blanks.6717 203 | 0x85844: a0123456789abcd 204 | 0x85858: aNull 205 | 0x85860: zeroes.6718 206 | 0x85870: _init 207 | 0x8587c: __preinit_array_start 208 | 0x85880: __frame_dummy_init_array_entry 209 | 0x8588c: __init_array_end 210 | 0x85898: __fini_array_start 211 | 0x8589c: _efixed 212 | 0x20070000: banzai 213 | 0x2007002c: __dso_handle 214 | 0x20070030: SystemCoreClock 215 | 0x20070034: _ZL5ticks 216 | 0x20070038: impure_data 217 | 0x20070460: _impure_ptr 218 | 0x20070464: __malloc_av_ 219 | 0x2007086c: __malloc_trim_threshold 220 | 0x20070870: __malloc_sbrk_base 221 | 0x20070874: lc_ctype_charset 222 | 0x20070894: __mb_cur_max 223 | 0x20070898: __wctomb 224 | 0x2007089c: _szero 225 | 0x200708a0: object.7862 226 | 0x200708b8: sst 227 | 0x200708bc: reloj 228 | 0x200708c0: ep1 229 | 0x200708c4: u32wait 230 | 0x200708c8: au16data 231 | 0x20070908: ssres 232 | 0x2007090c: pid1 233 | 0x20070910: kip1 234 | 0x20070914: terminar_ciclo 235 | 0x20070918: YN 236 | 0x2007091c: estado 237 | 0x20070920: minutos 238 | 0x20070924: segundos 239 | 0x20070928: incre 240 | 0x2007092c: e1 241 | 0x20070930: dutybajo1 242 | 0x20070934: tiempo_espera 243 | 0x20070938: in1 244 | 0x2007093c: tempe_z1 245 | 0x20070940: tempe_z2 246 | 0x20070944: u8state 247 | 0x20070948: kia1 248 | 0x2007094c: mmres 249 | 0x20070950: RxString 250 | 0x2007095c: espera_plancha 251 | 0x20070960: minutosp 252 | 0x20070964: segundosp 253 | 0x20070968: kdp1 254 | 0x2007096c: duty1 255 | 0x20070970: duty2 256 | 0x20070974: mmt 257 | 0x20070978: telegram 258 | 0x200709c0: kda1 259 | 0x200709c4: temperatura1 260 | 0x200709c8: data8024 261 | 0x200709dc: tiempopid1 262 | 0x200709e0: master 263 | 0x20070a44: dutyalto1 264 | 0x20070a48: kpa1 265 | 0x20070a4c: tx_buffer2 266 | 0x20070ad4: tx_buffer1 267 | 0x20070b5c: Serial 268 | 0x20070b80: rx_buffer1 269 | 0x20070c08: Serial1 270 | 0x20070c30: Serial2 271 | 0x20070c58: Serial3 272 | 0x20070c80: tx_buffer3 273 | 0x20070d08: tx_buffer4 274 | 0x20070d90: g_pinStatus 275 | 0x20070de0: rx_buffer2 276 | 0x20070e68: rx_buffer3 277 | 0x20070ef0: rx_buffer4 278 | 0x20070f78: gpf_isr 279 | 0x20070f7c: callbacksPioA 280 | 0x20070ffc: callbacksPioB 281 | 0x2007107c: callbacksPioC 282 | 0x200710fc: callbacksPioD 283 | 0x2007117c: heap.6420 284 | 0x20071180: _dwTickCount 285 | 0x20071184: __malloc_max_total_mem 286 | 0x20071188: __malloc_max_sbrked_mem 287 | 0x2007118c: __malloc_top_pad 288 | 0x20071190: __malloc_current_mallinfo 289 | 0x200711b8: timehack 290 | 0x200711c0: errno 291 | 0x200711c4: _end 292 | 0x200711c8: __StackTop 293 | 0x200711cc: __StackLimit 294 | 0x200711d0: _estack 295 | -------------------------------------------------------------------------------- /examples/P2IM/PLC/PLC.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware/28ce2dc3f888ecf1bf8d8da314a88b755d0ecc88/examples/P2IM/PLC/PLC.bin -------------------------------------------------------------------------------- /examples/P2IM/PLC/PLC.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware/28ce2dc3f888ecf1bf8d8da314a88b755d0ecc88/examples/P2IM/PLC/PLC.elf -------------------------------------------------------------------------------- /examples/P2IM/PLC/base_inputs/modbus_cmd3: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware/28ce2dc3f888ecf1bf8d8da314a88b755d0ecc88/examples/P2IM/PLC/base_inputs/modbus_cmd3 -------------------------------------------------------------------------------- /examples/P2IM/PLC/config.yml: -------------------------------------------------------------------------------- 1 | include: 2 | - ./syms.yml 3 | 4 | interrupt_triggers: 5 | trigger: 6 | every_nth_tick: 0x3e8 7 | fuzz_mode: round_robin 8 | 9 | memory_map: 10 | mmio: {base_addr: 0x40000000, size: 0x20000000, permissions: rw-} 11 | nvic: {base_addr: 0xe0000000, size: 0x10000000, permissions: rw-} 12 | irq_ret: {base_addr: 0xfffff000, size: 0x1000, permissions: --x} 13 | 14 | zero: 15 | base_addr: 0x00000000 16 | permissions: rw- 17 | size: 0x1000 18 | ram: 19 | base_addr: 0x20000000 20 | permissions: rw- 21 | size: 0x40000 22 | text: 23 | base_addr: 0x08000000 24 | file: PLC.bin 25 | permissions: r-x 26 | size: 0x7000 27 | -------------------------------------------------------------------------------- /examples/P2IM/Reflow_Oven/Reflow_Oven.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware/28ce2dc3f888ecf1bf8d8da314a88b755d0ecc88/examples/P2IM/Reflow_Oven/Reflow_Oven.bin -------------------------------------------------------------------------------- /examples/P2IM/Reflow_Oven/Reflow_Oven.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware/28ce2dc3f888ecf1bf8d8da314a88b755d0ecc88/examples/P2IM/Reflow_Oven/Reflow_Oven.elf -------------------------------------------------------------------------------- /examples/P2IM/Reflow_Oven/base_inputs/random: -------------------------------------------------------------------------------- 1 | [DEFAULT] # fuzzing only config 2 | base = /home/bo/iot/iot-os-fuzzer 3 | run = 1.0 4 | #program = modbus 5 | #program = firmata 6 | #program = quad_copter 7 | program = soldering_iron 8 | working_dir = %(base)s/run/%(program)s/%(run)s 9 | 10 | [afl] # fuzzing only config 11 | bin = %(base)s/afl/afl-fuzz 12 | timeout = 150+ 13 | input = %(working_dir)s/inputs 14 | output = %(working_dir)s/outputs 15 | 16 | [cov] # fuzzing coverage counting config 17 | #count_hang = False 18 | count_hang = True 19 | bbl_cov_read_sz = 20000000 ; 20MB w/o hang 20 | #bbl_cov_read_sz = 20000000 ; 20MB w/ hang 21 | timeout = 1 ; 1s 22 | 23 | [qemu] 24 | bin = %(base)s/afl/qemu_mode/bin_pm9.5.5/qemu-system-gnuarmeclipse 25 | #bin = /home/bo/Work/qemu/install/debian64/qemu/bin/qemu-system-gnuarmeclipse 26 | log = unimp,guest_errors,int 27 | #log = unimp,guest_errors,exec,int -D qemu.log 28 | 29 | [program] 30 | #board = STM32F429I-Discovery 31 | #mcu = STM32F429ZI 32 | board = NUCLEO-F103RB 33 | mcu = STM32F103RB 34 | #board = Arduino-Due 35 | #mcu = SAM3X8E 36 | #board = FRDM-K64F 37 | #mcu = MK64FN1M0VLL12 38 | 39 | #img = %(working_dir)s/modbus.ino.elf 40 | #img = %(working_dir)s/StandardFirmata.ino.elf 41 | img = %(working_dir)s/TS100_EN.elf 42 | #img = /home/bo/nfs/iot/os/arduino/modbus/build/modbus.ino.elf 43 | 44 | #img = /home/bo/iot/os/iot-fuzzer-RIOT-new/examples/f103/usart/bin/nucleo-f103/hello-world.elf 45 | #img = /home/bo/iot/os/iot-fuzzer-RIOT-new/examples/usart_frdm/bin/frdm-k64f/hello-world.elf 46 | 47 | #img = /home/bo/iot/os/arduino/f103/ADC/build/ADC.ino.elf 48 | #img = /home/bo/iot/os/arduino/ad/Serial/build/Serial.ino.elf 49 | 50 | #img = /home/bo/iot/os/nuttxenv_f103/nuttx/nuttx 51 | #img = /home/bo/iot/os/nuttxenv_ad/nuttx/nuttx 52 | #img = /home/bo/iot/os/nuttxenv_frdm/nuttx/nuttx 53 | 54 | #img = /home/bo/iot/os/grbl_stm32f4/grbl_stm32f4 55 | #img = /home/bo/iot/os/ts100/workspace/TS100/Hexfile/TS100_EN.elf 56 | #img = /home/bo/Firmware_V101-103C8.elf 57 | 58 | [model] 59 | retry_num = 3 60 | peri_addr_range = 512 61 | objdump = /home/bo/iot/toolchains/gcc-arm-none-eabi-6-2017-q2-update/bin/arm-none-eabi-objdump 62 | # config below are fuzzing only 63 | bin = %(base)s/model_extraction/me.py 64 | log_file = %(working_dir)s/me.log 65 | -------------------------------------------------------------------------------- /examples/P2IM/Reflow_Oven/config.yml: -------------------------------------------------------------------------------- 1 | include: 2 | - ./syms.yml 3 | 4 | interrupt_triggers: 5 | trigger: 6 | every_nth_tick: 0x3e8 7 | fuzz_mode: round_robin 8 | 9 | memory_map: 10 | mmio: {base_addr: 0x40000000, size: 0x20000000, permissions: rw-} 11 | nvic: {base_addr: 0xe0000000, size: 0x10000000, permissions: rw-} 12 | irq_ret: {base_addr: 0xfffff000, size: 0x1000, permissions: --x} 13 | 14 | zero: 15 | base_addr: 0x00000000 16 | permissions: rw- 17 | size: 0x1000 18 | ram: 19 | base_addr: 0x20000000 20 | permissions: rw- 21 | size: 0x40000 22 | text: 23 | base_addr: 0x8000000 24 | file: Reflow_Oven.bin 25 | permissions: r-x 26 | size: 0xc000 27 | -------------------------------------------------------------------------------- /examples/P2IM/Robot/Robot.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware/28ce2dc3f888ecf1bf8d8da314a88b755d0ecc88/examples/P2IM/Robot/Robot.bin -------------------------------------------------------------------------------- /examples/P2IM/Robot/Robot.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware/28ce2dc3f888ecf1bf8d8da314a88b755d0ecc88/examples/P2IM/Robot/Robot.elf -------------------------------------------------------------------------------- /examples/P2IM/Robot/base_inputs/ex7_new: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware/28ce2dc3f888ecf1bf8d8da314a88b755d0ecc88/examples/P2IM/Robot/base_inputs/ex7_new -------------------------------------------------------------------------------- /examples/P2IM/Robot/config.yml: -------------------------------------------------------------------------------- 1 | include: 2 | - ./syms.yml 3 | 4 | interrupt_triggers: 5 | trigger: 6 | every_nth_tick: 0x3e8 7 | fuzz_mode: round_robin 8 | 9 | memory_map: 10 | mmio: {base_addr: 0x40000000, size: 0x20000000, permissions: rw-} 11 | nvic: {base_addr: 0xe0000000, size: 0x10000000, permissions: rw-} 12 | irq_ret: {base_addr: 0xfffff000, size: 0x1000, permissions: --x} 13 | 14 | zero: 15 | base_addr: 0x00000000 16 | permissions: rw- 17 | size: 0x1000 18 | ram: 19 | base_addr: 0x20000000 20 | permissions: rw- 21 | size: 0x40000 22 | text: 23 | base_addr: 0x08000000 24 | file: Robot.bin 25 | permissions: r-x 26 | size: 0xb000 27 | -------------------------------------------------------------------------------- /examples/P2IM/Robot/syms.yml: -------------------------------------------------------------------------------- 1 | symbols: 2 | 0x8000000: g_pfnVectors 3 | 0x8000110: __do_global_dtors_aux 4 | 0x8000134: frame_dummy 5 | 0x8000150: __aeabi_drsub 6 | 0x8000158: __subdf3 7 | 0x800015c: __aeabi_dadd 8 | 0x80003d4: __floatunsidf 9 | 0x80003f4: __floatsidf 10 | 0x8000418: __extendsfdf2 11 | 0x800045c: __floatundidf 12 | 0x800046c: __floatdidf 13 | 0x80004c8: __muldf3 14 | 0x800071c: __divdf3 15 | 0x80008ec: __gtdf2 16 | 0x80008f4: __ltdf2 17 | 0x80008fc: __nedf2 18 | 0x8000978: __aeabi_cdrcmple 19 | 0x8000988: __aeabi_cdcmple 20 | 0x8000998: __aeabi_dcmpeq 21 | 0x80009ac: __aeabi_dcmplt 22 | 0x80009c0: __aeabi_dcmple 23 | 0x80009d4: __aeabi_dcmpge 24 | 0x80009e8: __aeabi_dcmpgt 25 | 0x80009fc: __truncdfsf2 26 | 0x8000a9c: __aeabi_frsub 27 | 0x8000aa4: __subsf3 28 | 0x8000aa8: __aeabi_fadd 29 | 0x8000c08: __floatunsisf 30 | 0x8000c10: __floatsisf 31 | 0x8000c2c: __floatundisf 32 | 0x8000c3c: __floatdisf 33 | 0x8000cb8: __mulsf3 34 | 0x8000e20: __divsf3 35 | 0x8000f58: __gtsf2 36 | 0x8000f60: __ltsf2 37 | 0x8000f68: __nesf2 38 | 0x8000fc8: __aeabi_cfrcmple 39 | 0x8000fd0: __aeabi_cfcmple 40 | 0x8000fe0: __aeabi_fcmpeq 41 | 0x8000ff4: __aeabi_fcmplt 42 | 0x8001008: __aeabi_fcmple 43 | 0x800101c: __aeabi_fcmpge 44 | 0x8001030: __aeabi_fcmpgt 45 | 0x8001044: __fixunssfsi 46 | 0x8001084: memcpy 47 | 0x8001170: __unorddf2 48 | 0x800119c: __fixdfsi 49 | 0x80011ec: __aeabi_uldivmod 50 | 0x800121c: __udivmoddi4 51 | 0x80014ec: __aeabi_ldiv0 52 | 0x80014f0: HAL_Init 53 | 0x800151c: HAL_InitTick 54 | 0x800157c: HAL_IncTick 55 | 0x80015a0: HAL_GetTick 56 | 0x80015b4: NVIC_SetPriorityGrouping 57 | 0x80015fc: NVIC_GetPriorityGrouping 58 | 0x8001618: NVIC_SetPriority 59 | 0x800166c: NVIC_EncodePriority 60 | 0x80016d0: SysTick_Config 61 | 0x8001714: HAL_NVIC_SetPriorityGrouping 62 | 0x800172a: HAL_NVIC_SetPriority 63 | 0x8001762: HAL_SYSTICK_Config 64 | 0x800177c: HAL_SYSTICK_CLKSourceConfig 65 | 0x80017b4: HAL_SYSTICK_IRQHandler 66 | 0x80017c4: HAL_GPIO_Init 67 | 0x8001a80: HAL_GPIO_WritePin 68 | 0x8001ab0: HAL_I2C_Init 69 | 0x8001cb8: HAL_I2C_MspInit 70 | 0x8001ccc: HAL_I2C_Mem_Write 71 | 0x8001f6c: HAL_I2C_Mem_Read 72 | 0x8002640: I2C_RequestMemoryWrite 73 | 0x80027f0: Flag 74 | 0x80027f4: I2C_RequestMemoryRead 75 | 0x8002ad8: I2C_WaitOnMasterAddressFlagUntilTimeout 76 | 0x8002bb4: I2C_WaitOnTXEFlagUntilTimeout 77 | 0x8002c2e: I2C_WaitOnBTFFlagUntilTimeout 78 | 0x8002ca8: I2C_WaitOnRXNEFlagUntilTimeout 79 | 0x8002d3c: I2C_IsAcknowledgeFailed 80 | 0x8002d8a: HAL_MspInit 81 | 0x8002d98: HAL_RCC_OscConfig 82 | 0x8003260: HAL_RCC_ClockConfig 83 | 0x8003440: HAL_RCC_GetSysClockFreq 84 | 0x8003504: HAL_RCC_GetHCLKFreq 85 | 0x8003518: HAL_RCC_GetPCLK1Freq 86 | 0x8003540: HAL_RCC_GetPCLK2Freq 87 | 0x8003568: RCC_Delay 88 | 0x80035a4: HAL_TIM_Base_Init 89 | 0x80035fa: HAL_TIM_Base_MspInit 90 | 0x800360c: HAL_TIM_Base_Start_IT 91 | 0x8003640: HAL_TIM_PWM_Init 92 | 0x8003696: HAL_TIM_PWM_MspInit 93 | 0x80036a8: HAL_TIM_PWM_Start 94 | 0x80036f8: HAL_TIM_IRQHandler 95 | 0x8003908: HAL_TIM_PWM_ConfigChannel 96 | 0x8003940: jpt_800393C 97 | 0x8003a78: def_800393C 98 | 0x8003a94: HAL_TIM_ConfigClockSource 99 | 0x8003c4a: HAL_TIM_OC_DelayElapsedCallback 100 | 0x8003c5c: HAL_TIM_IC_CaptureCallback 101 | 0x8003c6e: HAL_TIM_PWM_PulseFinishedCallback 102 | 0x8003c80: HAL_TIM_TriggerCallback 103 | 0x8003c94: TIM_Base_SetConfig 104 | 0x8003d60: TIM_OC1_SetConfig 105 | 0x8003e38: TIM_OC2_SetConfig 106 | 0x8003f18: TIM_OC3_SetConfig 107 | 0x8003ff8: TIM_OC4_SetConfig 108 | 0x80040a0: TIM_TI1_ConfigInputStage 109 | 0x8004104: TIM_TI2_ConfigInputStage 110 | 0x800416a: TIM_ITRx_SetConfig 111 | 0x80041a8: TIM_ETR_SetConfig 112 | 0x80041ea: TIM_CCxChannelCmd 113 | 0x800422e: HAL_TIMEx_ConfigBreakDeadTime 114 | 0x80042de: HAL_TIMEx_MasterConfigSynchronization 115 | 0x8004366: HAL_TIMEx_CommutationCallback 116 | 0x8004378: HAL_TIMEx_BreakCallback 117 | 0x800438a: HAL_UART_Init 118 | 0x8004424: HAL_UART_MspInit 119 | 0x8004436: HAL_UART_Transmit 120 | 0x8004568: UART_WaitOnFlagUntilTimeout 121 | 0x80045fc: UART_SetConfig 122 | 0x800482c: mpu6050_init 123 | 0x80048dc: mpu6050_calibrate 124 | 0x80049f0: mpu6050_update 125 | 0x8004ae8: mpu6050_calc_pitch 126 | 0x8004c88: mpu6050_calc_acc_pitch_roll 127 | 0x8004d7c: _i2c_write_reg 128 | 0x8004dbc: hi2c 129 | 0x8004dc0: _i2c_read_reg 130 | 0x8004e04: _get_ms_tick 131 | 0x8004e14: uart_print 132 | 0x8004e34: huart 133 | 0x8004e38: flush_strbuf 134 | 0x8004e50: HAL_TIM_PeriodElapsedCallback 135 | 0x80050c4: str 136 | 0x80050f4: GPIOx 137 | 0x80050fc: main 138 | 0x8005164: htim 139 | 0x8005170: SystemClock_Config 140 | 0x8005210: file 141 | 0x8005218: MX_I2C1_Init 142 | 0x8005280: MX_TIM1_Init 143 | 0x80053d0: MX_TIM2_Init 144 | 0x8005468: MX_USART1_UART_Init 145 | 0x80054c4: MX_GPIO_Init 146 | 0x8005544: _Error_Handler 147 | 0x8005550: HAL_TIM_MspPostInit 148 | 0x800558c: NMI_Handler 149 | 0x8005598: HardFault_Handler 150 | 0x800559e: MemManage_Handler 151 | 0x80055a4: BusFault_Handler 152 | 0x80055aa: UsageFault_Handler 153 | 0x80055b0: SVC_Handler 154 | 0x80055bc: DebugMon_Handler 155 | 0x80055c8: PendSV_Handler 156 | 0x80055d4: SysTick_Handler 157 | 0x80055e4: TIM2_IRQHandler 158 | 0x80055f8: _sbrk 159 | 0x8005650: SystemInit 160 | 0x80056b8: Reset_Handler 161 | 0x80056bc: CopyDataInit 162 | 0x80056c4: LoopCopyDataInit 163 | 0x80056d2: FillZerobss 164 | 0x80056d8: LoopFillZerobss 165 | 0x8005700: WWDG_IRQHandler 166 | 0x8005704: atan2 167 | 0x8005708: __ieee754_atan2 168 | 0x80058c0: atan 169 | 0x8005bdc: fabs 170 | 0x8005be4: __errno 171 | 0x8005bf0: __libc_init_array 172 | 0x8005c38: memset 173 | 0x8005ccc: sprintf 174 | 0x8005d10: strlen 175 | 0x8005d6c: _svfprintf_r 176 | 0x8005e32: jpt_8005E2E 177 | 0x800651a: def_8005E2E 178 | 0x8007258: register_fini 179 | 0x800726c: atexit 180 | 0x8007278: quorem 181 | 0x80073a0: _dtoa_r 182 | 0x8007524: jpt_8007520 183 | 0x8007e62: def_8007520 184 | 0x80081d0: __libc_fini_array 185 | 0x8008204: _localeconv_r 186 | 0x8008220: __retarget_lock_acquire_recursive 187 | 0x8008224: __retarget_lock_release_recursive 188 | 0x8008228: _malloc_r 189 | 0x800874c: memchr 190 | 0x80087d8: __malloc_lock 191 | 0x80087e4: __malloc_unlock 192 | 0x80087f0: _Balloc 193 | 0x800883c: _Bfree 194 | 0x8008850: __multadd 195 | 0x80088d4: __hi0bits 196 | 0x8008914: __lo0bits 197 | 0x8008974: __i2b 198 | 0x8008988: __multiply 199 | 0x8008ad4: __pow5mult 200 | 0x8008b74: __lshift 201 | 0x8008c28: __mcmp 202 | 0x8008c60: __mdiff 203 | 0x8008d60: __d2b 204 | 0x8008e10: _sbrk_r 205 | 0x8008e34: __ssprint_r 206 | 0x8008f28: __register_exitproc 207 | 0x8008fe8: _calloc_r 208 | 0x8009054: _malloc_trim_r 209 | 0x80090f4: _free_r 210 | 0x80092dc: __ascii_mbtowc 211 | 0x8009308: memmove 212 | 0x80093cc: _realloc_r 213 | 0x8009740: __ascii_wctomb 214 | 0x8009758: _init 215 | 0x8009764: _fini 216 | 0x8009770: _etext 217 | 0x8009784: aPitchF 218 | 0x8009790: aSrcMainC 219 | 0x80097a0: AHBPrescTable 220 | 0x80097b0: APBPrescTable 221 | 0x80097b8: atanhi 222 | 0x80097d8: atanlo 223 | 0x80097f8: _global_impure_ptr 224 | 0x800980c: a0123456789abcd_0 225 | 0x8009820: a0123456789abcd 226 | 0x8009834: aNull 227 | 0x800983c: a0 228 | 0x8009840: blanks.7276 229 | 0x8009850: zeroes.7277 230 | 0x800986c: aNan 231 | 0x8009870: __mprec_bigtens 232 | 0x8009898: __mprec_tens 233 | 0x8009960: p05.6092 234 | 0x800997c: _ctype_ 235 | 0x8009a80: __exidx_start 236 | 0x8009a88: __exidx_end 237 | 0x8009a8c: __frame_dummy_init_array_entry 238 | 0x8009a90: __do_global_dtors_aux_fini_array_entry 239 | 0x20000000: uwTickPrio 240 | 0x20000004: uwTickFreq 241 | 0x20000005: first_run.5202 242 | 0x20000006: first_run.5211 243 | 0x20000008: I2C_TIMEOUT 244 | 0x2000000c: UART_TIMEOUT 245 | 0x20000010: maxPwm 246 | 0x20000014: setpoint 247 | 0x20000018: SystemCoreClock 248 | 0x2000001c: _impure_ptr 249 | 0x20000020: impure_data 250 | 0x20000448: __atexit_recursive_mutex 251 | 0x2000044c: __malloc_av_ 252 | 0x20000854: __malloc_sbrk_base 253 | 0x20000858: __malloc_trim_threshold 254 | 0x2000085c: __global_locale 255 | 0x200009c8: _edata 256 | 0x200009cc: object.8659 257 | 0x200009e4: total_pitch.5203 258 | 0x200009e8: total_pitch.5212 259 | 0x200009ec: total_roll.5213 260 | 0x200009f0: minPwm 261 | 0x200009f4: error 262 | 0x200009f8: lastError 263 | 0x200009fc: Kp 264 | 0x20000a00: Ki 265 | 0x20000a04: Kd 266 | 0x20000a08: __env 267 | 0x20000a0c: heap_end.5959 268 | 0x20000a10: __malloc_current_mallinfo 269 | 0x20000a38: __malloc_max_sbrked_mem 270 | 0x20000a3c: __malloc_max_total_mem 271 | 0x20000a40: __malloc_top_pad 272 | 0x20000a44: uwTick 273 | 0x20000a48: I2C_Read_Reg 274 | 0x20000a4c: Get_ms_tick 275 | 0x20000a50: I2C_Write_Reg 276 | 0x20000a54: D 277 | 0x20000a58: mpu6050 278 | 0x20000a84: hi2c1 279 | 0x20000ad8: huart1 280 | 0x20000b18: htim1 281 | 0x20000b58: I 282 | 0x20000b5c: htim2 283 | 0x20000b9c: pitch 284 | 0x20000ba0: roll 285 | 0x20000ba4: strbuf 286 | 0x20000be4: P 287 | 0x20000be8: __lock___atexit_recursive_mutex 288 | 0x20000bec: __lock___arc4random_mutex 289 | 0x20000bf0: __lock___env_recursive_mutex 290 | 0x20000bf4: __lock___sinit_recursive_mutex 291 | 0x20000bf8: __lock___malloc_recursive_mutex 292 | 0x20000bfc: __lock___at_quick_exit_mutex 293 | 0x20000c00: __lock___dd_hash_mutex 294 | 0x20000c04: __lock___tz_mutex 295 | 0x20000c08: __lock___sfp_recursive_mutex 296 | 0x20000c0c: errno 297 | 0x20000c10: __bss_end__ 298 | 0x20001210: BootRAM 299 | 0x20001214: _Min_Stack_Size 300 | 0x20001218: _sidata 301 | 0x2000121c: _Min_Heap_Size 302 | 0x20001220: _estack 303 | 0x20001330: _printf_float 304 | -------------------------------------------------------------------------------- /examples/P2IM/Soldering_Iron/Soldering_Iron.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware/28ce2dc3f888ecf1bf8d8da314a88b755d0ecc88/examples/P2IM/Soldering_Iron/Soldering_Iron.bin -------------------------------------------------------------------------------- /examples/P2IM/Soldering_Iron/Soldering_Iron.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware/28ce2dc3f888ecf1bf8d8da314a88b755d0ecc88/examples/P2IM/Soldering_Iron/Soldering_Iron.elf -------------------------------------------------------------------------------- /examples/P2IM/Soldering_Iron/base_inputs/random: -------------------------------------------------------------------------------- 1 | [DEFAULT] # fuzzing only config 2 | base = /home/bo/iot/iot-os-fuzzer 3 | run = 1.0 4 | #program = modbus 5 | #program = firmata 6 | #program = quad_copter 7 | program = soldering_iron 8 | working_dir = %(base)s/run/%(program)s/%(run)s 9 | 10 | [afl] # fuzzing only config 11 | bin = %(base)s/afl/afl-fuzz 12 | timeout = 150+ 13 | input = %(working_dir)s/inputs 14 | output = %(working_dir)s/outputs 15 | 16 | [cov] # fuzzing coverage counting config 17 | #count_hang = False 18 | count_hang = True 19 | bbl_cov_read_sz = 20000000 ; 20MB w/o hang 20 | #bbl_cov_read_sz = 20000000 ; 20MB w/ hang 21 | timeout = 1 ; 1s 22 | 23 | [qemu] 24 | bin = %(base)s/afl/qemu_mode/bin_pm9.5.5/qemu-system-gnuarmeclipse 25 | #bin = /home/bo/Work/qemu/install/debian64/qemu/bin/qemu-system-gnuarmeclipse 26 | log = unimp,guest_errors,int 27 | #log = unimp,guest_errors,exec,int -D qemu.log 28 | 29 | [program] 30 | #board = STM32F429I-Discovery 31 | #mcu = STM32F429ZI 32 | board = NUCLEO-F103RB 33 | mcu = STM32F103RB 34 | #board = Arduino-Due 35 | #mcu = SAM3X8E 36 | #board = FRDM-K64F 37 | #mcu = MK64FN1M0VLL12 38 | 39 | #img = %(working_dir)s/modbus.ino.elf 40 | #img = %(working_dir)s/StandardFirmata.ino.elf 41 | img = %(working_dir)s/TS100_EN.elf 42 | #img = /home/bo/nfs/iot/os/arduino/modbus/build/modbus.ino.elf 43 | 44 | #img = /home/bo/iot/os/iot-fuzzer-RIOT-new/examples/f103/usart/bin/nucleo-f103/hello-world.elf 45 | #img = /home/bo/iot/os/iot-fuzzer-RIOT-new/examples/usart_frdm/bin/frdm-k64f/hello-world.elf 46 | 47 | #img = /home/bo/iot/os/arduino/f103/ADC/build/ADC.ino.elf 48 | #img = /home/bo/iot/os/arduino/ad/Serial/build/Serial.ino.elf 49 | 50 | #img = /home/bo/iot/os/nuttxenv_f103/nuttx/nuttx 51 | #img = /home/bo/iot/os/nuttxenv_ad/nuttx/nuttx 52 | #img = /home/bo/iot/os/nuttxenv_frdm/nuttx/nuttx 53 | 54 | #img = /home/bo/iot/os/grbl_stm32f4/grbl_stm32f4 55 | #img = /home/bo/iot/os/ts100/workspace/TS100/Hexfile/TS100_EN.elf 56 | #img = /home/bo/Firmware_V101-103C8.elf 57 | 58 | [model] 59 | retry_num = 3 60 | peri_addr_range = 512 61 | objdump = /home/bo/iot/toolchains/gcc-arm-none-eabi-6-2017-q2-update/bin/arm-none-eabi-objdump 62 | # config below are fuzzing only 63 | bin = %(base)s/model_extraction/me.py 64 | log_file = %(working_dir)s/me.log 65 | -------------------------------------------------------------------------------- /examples/P2IM/Soldering_Iron/config.yml: -------------------------------------------------------------------------------- 1 | include: 2 | - ./syms.yml 3 | 4 | interrupt_triggers: 5 | trigger: 6 | every_nth_tick: 0x3e8 7 | fuzz_mode: round_robin 8 | 9 | memory_map: 10 | mmio: {base_addr: 0x40000000, size: 0x20000000, permissions: rw-} 11 | nvic: {base_addr: 0xe0000000, size: 0x10000000, permissions: rw-} 12 | irq_ret: {base_addr: 0xfffff000, size: 0x1000, permissions: --x} 13 | 14 | zero: 15 | base_addr: 0x00000000 16 | permissions: rw- 17 | size: 0x1000 18 | ram: 19 | base_addr: 0x20000000 20 | permissions: rw- 21 | size: 0x40000 22 | text: 23 | base_addr: 0x8000000 24 | file: Soldering_Iron.bin 25 | permissions: r-x 26 | size: 0x11000 27 | -------------------------------------------------------------------------------- /examples/P2IM/Steering_Control/Steering_Control.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware/28ce2dc3f888ecf1bf8d8da314a88b755d0ecc88/examples/P2IM/Steering_Control/Steering_Control.bin -------------------------------------------------------------------------------- /examples/P2IM/Steering_Control/Steering_Control.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware/28ce2dc3f888ecf1bf8d8da314a88b755d0ecc88/examples/P2IM/Steering_Control/Steering_Control.elf -------------------------------------------------------------------------------- /examples/P2IM/Steering_Control/base_inputs/random: -------------------------------------------------------------------------------- 1 | [DEFAULT] # fuzzing only config 2 | base = /home/bo/iot/iot-os-fuzzer 3 | run = 1.0 4 | #program = modbus 5 | #program = firmata 6 | #program = quad_copter 7 | program = soldering_iron 8 | working_dir = %(base)s/run/%(program)s/%(run)s 9 | 10 | [afl] # fuzzing only config 11 | bin = %(base)s/afl/afl-fuzz 12 | timeout = 150+ 13 | input = %(working_dir)s/inputs 14 | output = %(working_dir)s/outputs 15 | 16 | [cov] # fuzzing coverage counting config 17 | #count_hang = False 18 | count_hang = True 19 | bbl_cov_read_sz = 20000000 ; 20MB w/o hang 20 | #bbl_cov_read_sz = 20000000 ; 20MB w/ hang 21 | timeout = 1 ; 1s 22 | 23 | [qemu] 24 | bin = %(base)s/afl/qemu_mode/bin_pm9.5.5/qemu-system-gnuarmeclipse 25 | #bin = /home/bo/Work/qemu/install/debian64/qemu/bin/qemu-system-gnuarmeclipse 26 | log = unimp,guest_errors,int 27 | #log = unimp,guest_errors,exec,int -D qemu.log 28 | 29 | [program] 30 | #board = STM32F429I-Discovery 31 | #mcu = STM32F429ZI 32 | board = NUCLEO-F103RB 33 | mcu = STM32F103RB 34 | #board = Arduino-Due 35 | #mcu = SAM3X8E 36 | #board = FRDM-K64F 37 | #mcu = MK64FN1M0VLL12 38 | 39 | #img = %(working_dir)s/modbus.ino.elf 40 | #img = %(working_dir)s/StandardFirmata.ino.elf 41 | img = %(working_dir)s/TS100_EN.elf 42 | #img = /home/bo/nfs/iot/os/arduino/modbus/build/modbus.ino.elf 43 | 44 | #img = /home/bo/iot/os/iot-fuzzer-RIOT-new/examples/f103/usart/bin/nucleo-f103/hello-world.elf 45 | #img = /home/bo/iot/os/iot-fuzzer-RIOT-new/examples/usart_frdm/bin/frdm-k64f/hello-world.elf 46 | 47 | #img = /home/bo/iot/os/arduino/f103/ADC/build/ADC.ino.elf 48 | #img = /home/bo/iot/os/arduino/ad/Serial/build/Serial.ino.elf 49 | 50 | #img = /home/bo/iot/os/nuttxenv_f103/nuttx/nuttx 51 | #img = /home/bo/iot/os/nuttxenv_ad/nuttx/nuttx 52 | #img = /home/bo/iot/os/nuttxenv_frdm/nuttx/nuttx 53 | 54 | #img = /home/bo/iot/os/grbl_stm32f4/grbl_stm32f4 55 | #img = /home/bo/iot/os/ts100/workspace/TS100/Hexfile/TS100_EN.elf 56 | #img = /home/bo/Firmware_V101-103C8.elf 57 | 58 | [model] 59 | retry_num = 3 60 | peri_addr_range = 512 61 | objdump = /home/bo/iot/toolchains/gcc-arm-none-eabi-6-2017-q2-update/bin/arm-none-eabi-objdump 62 | # config below are fuzzing only 63 | bin = %(base)s/model_extraction/me.py 64 | log_file = %(working_dir)s/me.log 65 | -------------------------------------------------------------------------------- /examples/P2IM/Steering_Control/config.yml: -------------------------------------------------------------------------------- 1 | include: 2 | - ./syms.yml 3 | 4 | interrupt_triggers: 5 | trigger: 6 | every_nth_tick: 0x3e8 7 | fuzz_mode: round_robin 8 | 9 | memory_map: 10 | mmio: {base_addr: 0x40000000, size: 0x20000000, permissions: rw-} 11 | nvic: {base_addr: 0xe0000000, size: 0x10000000, permissions: rw-} 12 | irq_ret: {base_addr: 0xfffff000, size: 0x1000, permissions: --x} 13 | 14 | ram: 15 | base_addr: 0x20070000 16 | permissions: rw- 17 | size: 0x40000 18 | text: 19 | base_addr: 0x00080000 20 | file: Steering_Control.bin 21 | permissions: r-x 22 | size: 0x7000 23 | -------------------------------------------------------------------------------- /examples/P2IM/Steering_Control/syms.yml: -------------------------------------------------------------------------------- 1 | symbols: 2 | 0x80000: _sfixed 3 | 0x800f4: __do_global_dtors_aux 4 | 0x80118: frame_dummy 5 | 0x80148: _Z15straightAndStopv 6 | 0x80168: _GLOBAL__sub_I_steering 7 | 0x801c4: setup 8 | 0x8022c: loop 9 | 0x803a0: c 10 | 0x803b8: str 11 | 0x803d0: cstr 12 | 0x803d8: _ZL8_initISRP2Tcmm4IRQn 13 | 0x80428: _Z13Servo_Handler18timer16_Sequence_tP2Tch 14 | 0x80534: TC3_Handler 15 | 0x80544: TC4_Handler 16 | 0x80554: TC5_Handler 17 | 0x80564: TC2_Handler 18 | 0x80574: TC0_Handler 19 | 0x80584: _ZN5ServoC2Ev 20 | 0x805c4: _ZN5Servo6attachEiii 21 | 0x80674: tc 22 | 0x8067c: _ZN5Servo6attachEi 23 | 0x80688: _ZN5Servo17writeMicrosecondsEi 24 | 0x806d4: _ZN5Servo5writeEi 25 | 0x80716: _Z11serialEventv 26 | 0x80718: UART_Handler 27 | 0x80724: _Z12serialEvent1v 28 | 0x80726: _Z12serialEvent2v 29 | 0x80728: _Z12serialEvent3v 30 | 0x8072c: USART0_Handler 31 | 0x80738: USART1_Handler 32 | 0x80744: USART3_Handler 33 | 0x80750: init 34 | 0x80878: _GLOBAL__sub_I_g_APinDescription 35 | 0x80914: pUart 36 | 0x8092c: pUsart 37 | 0x8094c: _Z14serialEventRunv 38 | 0x80990: PIO_PullUp 39 | 0x8099a: PIO_SetPeripheral 40 | 0x809a4: jpt_809A0 41 | 0x809bc: def_809A0 42 | 0x809c0: PIO_SetInput 43 | 0x809e6: PIO_SetOutput 44 | 0x80a0c: PIO_Configure 45 | 0x80a20: jpt_80A1C 46 | 0x80a5c: def_80A1C 47 | 0x80a70: PIO_GetOutputDataStatus 48 | 0x80a84: pmc_enable_periph_clk 49 | 0x80ac8: pmc_disable_periph_clk 50 | 0x80b08: TC_Configure 51 | 0x80b40: TC_Start 52 | 0x80b6c: TC_SetRA 53 | 0x80b74: SystemInit 54 | 0x80bfc: Reset_Handler 55 | 0x80c74: adc_init 56 | 0x80d0c: adc_configure_trigger 57 | 0x80d1a: adc_configure_timing 58 | 0x80d34: adc_disable_channel 59 | 0x80d3e: adc_disable_all_channel 60 | 0x80d46: adc_disable_interrupt 61 | 0x80d4c: UOTGHS_Handler 62 | 0x80d5c: PIOA_Handler 63 | 0x80d94: PIOB_Handler 64 | 0x80dcc: PIOC_Handler 65 | 0x80e04: PIOD_Handler 66 | 0x80e3c: __halt 67 | 0x80e3e: SVC_Handler 68 | 0x80e42: PendSV_Handler 69 | 0x80e46: SysTick_Handler 70 | 0x80e5c: __false 71 | 0x80e60: __halt_0 72 | 0x80e64: _sbrk 73 | 0x80e80: link 74 | 0x80e86: _close 75 | 0x80e8c: _fstat 76 | 0x80e96: _isatty 77 | 0x80e9a: _lseek 78 | 0x80e9e: _read 79 | 0x80ea4: _write 80 | 0x80ec8: _exit 81 | 0x80ed8: _kill 82 | 0x80eda: _getpid 83 | 0x80ee0: millis 84 | 0x80ee4: delay 85 | 0x80ee6: analogOutputInit 86 | 0x80ee8: pinMode 87 | 0x80ff0: digitalWrite 88 | 0x81060: _ZN5Print5writeEPKhj 89 | 0x81082: _ZN5Print5writeEPKc 90 | 0x810a0: _ZN5Print5printEPKc 91 | 0x810a8: _ZN5Print5printEc 92 | 0x810b4: _ZN5Print7printlnEv 93 | 0x810c4: _ZN5Print7printlnEPKc 94 | 0x810d8: _ZN5Print11printNumberEmh 95 | 0x81116: _ZN5Print5printEli 96 | 0x81152: _ZN5Print5printEii 97 | 0x81156: _ZN5Print7printlnEii 98 | 0x8116c: tickReset 99 | 0x8118c: _ZN10RingBufferC2Ev 100 | 0x811a6: _ZN10RingBuffer10store_charEh 101 | 0x811c4: _ZN6Stream9timedReadEv 102 | 0x811f0: _ZN6Stream15readStringUntilEc 103 | 0x81220: _ZN9UARTClasscvbEv 104 | 0x81224: _ZN9UARTClass9availableEv 105 | 0x81236: _ZN9UARTClass4peekEv 106 | 0x81252: _ZN9UARTClass4readEv 107 | 0x8127c: _ZN9UARTClass5flushEv 108 | 0x81294: _ZN9UARTClass5writeEh 109 | 0x812e8: _ZN9UARTClass3endEv 110 | 0x81324: _ZN9UARTClassC2EP4Uart4IRQnmP10RingBufferS4_ 111 | 0x81348: _ZN9UARTClass4initEmm 112 | 0x813b8: _ZN9UARTClass5beginEm 113 | 0x813c0: _ZN9UARTClass10IrqHandlerEv 114 | 0x8140a: _ZN10USARTClass5beginEm 115 | 0x81414: _ZN10USARTClassC2EP5Usart4IRQnmP10RingBufferS4_ 116 | 0x81438: _Z3maplllll 117 | 0x8144c: _ZNK6String14StringIfHelperEv 118 | 0x8144e: _ZN6StringD2Ev 119 | 0x8145c: _ZN6String10invalidateEv 120 | 0x81472: _ZN6String12changeBufferEj 121 | 0x8148a: _ZN6String7reserveEj 122 | 0x814ac: _ZN6String4copyEPKcj 123 | 0x814d2: _ZN6StringC2EPKc 124 | 0x814f8: _ZN6String4moveERS_ 125 | 0x8153c: _ZN6StringaSEOS_ 126 | 0x8154c: _ZN6String6concatEPKcj 127 | 0x8157a: _ZN6String6concatEc 128 | 0x81594: _ZNK6String6equalsEPKc 129 | 0x815ba: _ZNK6String5toIntEv 130 | 0x815c4: initVariant 131 | 0x815c8: main 132 | 0x815f4: _watchdogDefaultSetup 133 | 0x81600: pulseIn 134 | 0x81660: countPulseASM 135 | 0x816a4: TimeTick_Increment 136 | 0x816b4: GetTickCount 137 | 0x816c0: WDT_Disable 138 | 0x816c8: __aeabi_atexit 139 | 0x816d4: __assert_func 140 | 0x81710: atol 141 | 0x81718: __cxa_atexit 142 | 0x8172c: fiprintf 143 | 0x81754: __libc_init_array 144 | 0x817a4: iprintf 145 | 0x817cc: malloc 146 | 0x817dc: free 147 | 0x817ec: _malloc_r 148 | 0x81d24: memcpy 149 | 0x81e10: memmove 150 | 0x81edc: memset 151 | 0x81f70: __malloc_lock 152 | 0x81f74: __malloc_unlock 153 | 0x81f78: realloc 154 | 0x81f88: _realloc_r 155 | 0x82348: _sbrk_r 156 | 0x8236c: strcmp 157 | 0x825a8: strcpy 158 | 0x82664: strlen 159 | 0x826c4: _strtol_r 160 | 0x827d8: strtol 161 | 0x827f0: kill 162 | 0x82800: __sprint_r.part.0 163 | 0x82878: _vfiprintf_r 164 | 0x82964: jpt_82960 165 | 0x82f12: def_82960 166 | 0x834cc: __sbprintf 167 | 0x83548: __swsetup_r 168 | 0x8360c: __register_exitproc 169 | 0x836b4: register_fini 170 | 0x836c8: abort 171 | 0x836d8: atexit 172 | 0x836e4: __sflush_r 173 | 0x8382c: _fflush_r 174 | 0x83858: _cleanup_r 175 | 0x83864: __sinit 176 | 0x83958: __sfp_lock_acquire 177 | 0x8395c: __sfp_lock_release 178 | 0x83960: __libc_fini_array 179 | 0x83990: _fputwc_r 180 | 0x83a50: _malloc_trim_r 181 | 0x83aec: _free_r 182 | 0x83c84: __sfvwrite_r 183 | 0x83f98: _fwalk 184 | 0x83fe0: __locale_charset 185 | 0x83fe8: __locale_mb_cur_max 186 | 0x83ff4: __smakebuf_r 187 | 0x840d4: memchr 188 | 0x84168: _raise_r 189 | 0x841c0: raise 190 | 0x841d0: _kill_r 191 | 0x841f8: _getpid_r 192 | 0x841fc: __sread 193 | 0x84220: __swrite 194 | 0x84258: __sseek 195 | 0x84278: __sclose 196 | 0x84280: __swbuf_r 197 | 0x84328: _wcrtomb_r 198 | 0x84378: __ascii_wctomb 199 | 0x84394: _write_r 200 | 0x843bc: _close_r 201 | 0x843e0: _fclose_r 202 | 0x84460: fclose 203 | 0x84470: _fstat_r 204 | 0x84498: _isatty_r 205 | 0x844bc: _lseek_r 206 | 0x844e4: _read_r 207 | 0x8450c: __aeabi_uldivmod 208 | 0x84538: __gnu_ldivmod_helper 209 | 0x84568: __gnu_uldivmod_helper 210 | 0x84598: __aeabi_ldiv0 211 | 0x8459c: __divdi3 212 | 0x8483c: __udivdi3 213 | 0x84acc: aError 214 | 0x84ad2: aEnteredManualC 215 | 0x84af1: aEnteredAutonom 216 | 0x84b12: aSteer 217 | 0x84b18: aMotor 218 | 0x84b20: g_APinDescription 219 | 0x8554c: __func__.6792 220 | 0x85559: aSourceTcC 221 | 0x85568: aDwchannelSizeo 222 | 0x855ad: __func__.6798 223 | 0x855f8: aExitingWithSta 224 | 0x85614: aNan 225 | 0x85618: aInf 226 | 0x8561c: aOvf 227 | 0x85620: _ZTV9UARTClass 228 | 0x85650: _ZTV10USARTClass 229 | 0x85680: aFunction 230 | 0x85690: aAssertionSFail 231 | 0x856c4: _global_impure_ptr 232 | 0x856c8: blanks.6717 233 | 0x856ec: a0123456789abcd 234 | 0x85700: aNull 235 | 0x85708: zeroes.6718 236 | 0x85718: _ctype_ 237 | 0x8581c: _init 238 | 0x85828: __preinit_array_start 239 | 0x8582c: __frame_dummy_init_array_entry 240 | 0x85838: __init_array_end 241 | 0x85844: __fini_array_start 242 | 0x85848: _efixed 243 | 0x20070000: banzai 244 | 0x2007002c: __dso_handle 245 | 0x20070030: SystemCoreClock 246 | 0x20070034: _ZL5ticks 247 | 0x20070038: impure_data 248 | 0x20070460: _impure_ptr 249 | 0x20070464: __malloc_av_ 250 | 0x2007086c: __malloc_trim_threshold 251 | 0x20070870: __malloc_sbrk_base 252 | 0x20070874: __ctype_ptr__ 253 | 0x20070878: lc_ctype_charset 254 | 0x20070898: __mb_cur_max 255 | 0x2007089c: __wctomb 256 | 0x200708a0: _szero 257 | 0x200708a4: object.7862 258 | 0x200708bc: rxMode 259 | 0x200708c0: LEDstatus 260 | 0x200708c4: value 261 | 0x200708d0: steering 262 | 0x200708d4: rxSteer 263 | 0x200708d8: command 264 | 0x200708e4: throttle 265 | 0x200708e7: mode 266 | 0x200708e8: rxMotor 267 | 0x200708ec: ServoCount 268 | 0x200708ed: _ZL7Channel 269 | 0x200708f4: _ZL6servos 270 | 0x20070ad4: tx_buffer2 271 | 0x20070b5c: tx_buffer1 272 | 0x20070be4: Serial 273 | 0x20070c08: rx_buffer1 274 | 0x20070c90: Serial1 275 | 0x20070cb8: Serial2 276 | 0x20070ce0: Serial3 277 | 0x20070d08: tx_buffer3 278 | 0x20070d90: tx_buffer4 279 | 0x20070e18: g_pinStatus 280 | 0x20070e68: rx_buffer2 281 | 0x20070ef0: rx_buffer3 282 | 0x20070f78: rx_buffer4 283 | 0x20071000: gpf_isr 284 | 0x20071004: callbacksPioA 285 | 0x20071084: callbacksPioB 286 | 0x20071104: callbacksPioC 287 | 0x20071184: callbacksPioD 288 | 0x20071204: heap.6420 289 | 0x20071208: _dwTickCount 290 | 0x2007120c: __malloc_max_total_mem 291 | 0x20071210: __malloc_max_sbrked_mem 292 | 0x20071214: __malloc_top_pad 293 | 0x20071218: __malloc_current_mallinfo 294 | 0x20071240: errno 295 | 0x20071244: _end 296 | 0x20071248: __StackTop 297 | 0x2007124c: __StackLimit 298 | 0x20071250: _estack 299 | -------------------------------------------------------------------------------- /examples/configs/fuzzing/round_robin_interrupts.yml: -------------------------------------------------------------------------------- 1 | interrupt_triggers: 2 | time_based_round_robin: 3 | fuzz_mode: round_robin 4 | every_nth_tick: 1000 -------------------------------------------------------------------------------- /examples/configs/hw/boards/MK64FN1M0VLL12.yml: -------------------------------------------------------------------------------- 1 | include: 2 | - ./../cortexm_memory.yml 3 | 4 | memory_map: 5 | ivt: {base_addr: 0x0, file: '*.bin', 6 | permissions: r-x, size: 0x800000, is_entry: True} 7 | bss: {base_addr: 0x1fff0000, permissions: rW-, size: 0x10000} -------------------------------------------------------------------------------- /examples/configs/hw/boards/SAM3X8E.yml: -------------------------------------------------------------------------------- 1 | include: 2 | - ./../cortexm_memory.yml 3 | 4 | memory_map: 5 | ivt: {base_addr: 0x0, file: '*.bin', 6 | permissions: r-x, size: 0x80000} 7 | rom: {base_addr: 0x80000, file: '*.bin', 8 | permissions: r-x, size: 0x800000, is_entry: True} 9 | -------------------------------------------------------------------------------- /examples/configs/hw/boards/STM32F103RB.yml: -------------------------------------------------------------------------------- 1 | include: 2 | - ./../cortexm_memory.yml 3 | 4 | memory_map: 5 | rom: {base_addr: 0x00000000, file: '*.bin', 6 | permissions: r-x, size: 0x800000} 7 | ivt: {base_addr: 0x08000000, file: '*.bin', 8 | permissions: r-x, size: 0x800000, is_entry: True} 9 | bss: {base_addr: 0x1fff0000, permissions: rW-, size: 0x10000} -------------------------------------------------------------------------------- /examples/configs/hw/boards/STM32F429ZI.yml: -------------------------------------------------------------------------------- 1 | include: 2 | - ./../cortexm_memory.yml 3 | 4 | memory_map: 5 | ivt: {base_addr: 0x0, 6 | permissions: rwx, size: 0x800000} 7 | # file: '*.bin', 8 | flash: {base_addr: 0x08000000, file: '*.bin', 9 | permissions: r-x, size: 0x800000, is_entry: True} 10 | mmio_FMC: {base_addr: 0xA0000000, permissions: rw-, size: 0x4000} -------------------------------------------------------------------------------- /examples/configs/hw/boards/STM32f746zg.yml: -------------------------------------------------------------------------------- 1 | include: 2 | - ./../cortexm_memory.yml 3 | 4 | memory_map: 5 | #ivt: {base_addr: 0x0, file: '*.bin', 6 | # permissions: r-x, size: 0x800000} 7 | text: {base_addr: 0x08000000, file: '*.bin', 8 | permissions: r-x, size: 0x800000, is_entry: True} -------------------------------------------------------------------------------- /examples/configs/hw/boards/atsamr21_xpro.yml: -------------------------------------------------------------------------------- 1 | include: 2 | - ./../cortexm_memory.yml 3 | 4 | memory_map: 5 | rom: {base_addr: 0x0, file: '*.bin', 6 | permissions: r-x, size: 0x40000, is_entry: True} 7 | mmio_OTPs: {base_addr: 0x00800000, permissions: r--, size: 0x7000} 8 | mmio_IOBUS: {base_addr: 0x60000000, permissions: rw-, size: 0x1000} -------------------------------------------------------------------------------- /examples/configs/hw/boards/disco_l475_iot1.yml: -------------------------------------------------------------------------------- 1 | include: 2 | - ./../cortexm_memory.yml 3 | 4 | memory_map: 5 | rom: {base_addr: 0x08000000, file: '*.bin', 6 | permissions: r-x, size: 0x40000, is_entry: True} -------------------------------------------------------------------------------- /examples/configs/hw/boards/nrf52840_pca10056.yml: -------------------------------------------------------------------------------- 1 | include: 2 | - ./nrf52_pca10040.yml -------------------------------------------------------------------------------- /examples/configs/hw/boards/nrf52_pca10040.yml: -------------------------------------------------------------------------------- 1 | include: 2 | - ./../cortexm_memory.yml 3 | 4 | memory_map: 5 | rom: {base_addr: 0x00000000, file: '*.bin', 6 | permissions: r-x, size: 0x40000, is_entry: True} 7 | mmio_id_1: { 8 | base_addr: 0x10000000, permissions: rw-, size: 0x2000 9 | } 10 | mmio_id_2: { 11 | base_addr: 0xF0000000, permissions: rw-, size: 0x1000 12 | } -------------------------------------------------------------------------------- /examples/configs/hw/cortexm_memory.yml: -------------------------------------------------------------------------------- 1 | memory_map: 2 | ram: {base_addr: 0x20000000, size: 0x00100000, permissions: rw-} 3 | mmio: {base_addr: 0x40000000, size: 0x20000000, permissions: rw-} 4 | nvic: {base_addr: 0xe0000000, size: 0x10000000, permissions: rw-} 5 | irq_ret: {base_addr: 0xfffff000, size: 0x1000, permissions: --x} 6 | -------------------------------------------------------------------------------- /examples/pw-recovery/ARCH_PRO/basic_exercises.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware/28ce2dc3f888ecf1bf8d8da314a88b755d0ecc88/examples/pw-recovery/ARCH_PRO/basic_exercises.bin -------------------------------------------------------------------------------- /examples/pw-recovery/ARCH_PRO/basic_exercises.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware/28ce2dc3f888ecf1bf8d8da314a88b755d0ecc88/examples/pw-recovery/ARCH_PRO/basic_exercises.elf -------------------------------------------------------------------------------- /examples/pw-recovery/ARCH_PRO/config.yml: -------------------------------------------------------------------------------- 1 | include: 2 | - ./../../configs/hw/cortexm_memory.yml 3 | - ./syms.yml 4 | 5 | memory_map: 6 | sram: 7 | base_addr: 0x10000000 8 | permissions: rwx 9 | size: 0x8000 10 | text: 11 | base_addr: 0x0 12 | file: ./basic_exercises.bin 13 | permissions: r-x 14 | size: 0x800000 15 | is_entry: True 16 | 17 | use_timers: false 18 | use_nvic: false 19 | use_systick: false 20 | -------------------------------------------------------------------------------- /examples/pw-recovery/EFM32GG_STK3700/basic_exercises.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware/28ce2dc3f888ecf1bf8d8da314a88b755d0ecc88/examples/pw-recovery/EFM32GG_STK3700/basic_exercises.bin -------------------------------------------------------------------------------- /examples/pw-recovery/EFM32GG_STK3700/basic_exercises.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware/28ce2dc3f888ecf1bf8d8da314a88b755d0ecc88/examples/pw-recovery/EFM32GG_STK3700/basic_exercises.elf -------------------------------------------------------------------------------- /examples/pw-recovery/EFM32GG_STK3700/config.yml: -------------------------------------------------------------------------------- 1 | include: 2 | - ./../../configs/hw/cortexm_memory.yml 3 | - ./syms.yml 4 | 5 | memory_map: 6 | mmio_information: 7 | base_addr: 0xfe00000 8 | permissions: rw- 9 | size: 0x9000 10 | text: 11 | base_addr: 0x0 12 | file: ./basic_exercises.bin 13 | permissions: r-x 14 | size: 0x800000 15 | is_entry: True 16 | 17 | use_nvic: false 18 | use_timers: false 19 | use_systick: false 20 | -------------------------------------------------------------------------------- /examples/pw-recovery/EFM32LG_STK3600/basic_exercises.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware/28ce2dc3f888ecf1bf8d8da314a88b755d0ecc88/examples/pw-recovery/EFM32LG_STK3600/basic_exercises.bin -------------------------------------------------------------------------------- /examples/pw-recovery/EFM32LG_STK3600/basic_exercises.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware/28ce2dc3f888ecf1bf8d8da314a88b755d0ecc88/examples/pw-recovery/EFM32LG_STK3600/basic_exercises.elf -------------------------------------------------------------------------------- /examples/pw-recovery/EFM32LG_STK3600/config.yml: -------------------------------------------------------------------------------- 1 | include: 2 | - ./../../configs/hw/cortexm_memory.yml 3 | - ./syms.yml 4 | 5 | memory_map: 6 | mmio_information: 7 | base_addr: 0xfe00000 8 | permissions: rw- 9 | size: 0x9000 10 | text: 11 | base_addr: 0x0 12 | file: ./basic_exercises.bin 13 | permissions: r-x 14 | size: 0x800000 15 | is_entry: True 16 | 17 | use_nvic: false 18 | use_timers: false 19 | use_systick: false 20 | -------------------------------------------------------------------------------- /examples/pw-recovery/LPC1549/LPC15XX_datasheet.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware/28ce2dc3f888ecf1bf8d8da314a88b755d0ecc88/examples/pw-recovery/LPC1549/LPC15XX_datasheet.pdf -------------------------------------------------------------------------------- /examples/pw-recovery/LPC1549/basic_exercises.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware/28ce2dc3f888ecf1bf8d8da314a88b755d0ecc88/examples/pw-recovery/LPC1549/basic_exercises.bin -------------------------------------------------------------------------------- /examples/pw-recovery/LPC1549/basic_exercises.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware/28ce2dc3f888ecf1bf8d8da314a88b755d0ecc88/examples/pw-recovery/LPC1549/basic_exercises.elf -------------------------------------------------------------------------------- /examples/pw-recovery/LPC1549/config.yml: -------------------------------------------------------------------------------- 1 | include: 2 | - ./../../configs/hw/cortexm_memory.yml 3 | - ./syms.yml 4 | 5 | memory_map: 6 | mmio_GPIO_USB_CRC_SCTIMER_PWM: 7 | base_addr: 0x1c000000 8 | permissions: rw 9 | size: 0x28000 10 | sram: 11 | base_addr: 0x2000000 12 | permissions: rwx 13 | size: 0x8000 14 | text: 15 | base_addr: 0x0 16 | file: ./basic_exercises.bin 17 | permissions: r-x 18 | size: 0x800000 19 | is_entry: True 20 | 21 | use_nvic: false 22 | use_timers: false 23 | use_systick: false 24 | -------------------------------------------------------------------------------- /examples/pw-recovery/LPC1549/syms.yml: -------------------------------------------------------------------------------- 1 | symbols: 2 | 0x0: '_ZN4SinkD0Ev' 3 | 0xfc: '__do_global_dtors_aux' 4 | 0x120: 'frame_dummy' 5 | 0x168: '_start' 6 | 0x1dc: 'gpio_set' 7 | 0x220: 'gpio_init' 8 | 0x256: 'gpio_mode' 9 | 0x260: 'gpio_dir' 10 | 0x2a0: 'gpio_write' 11 | 0x2d0: 'mbed_die' 12 | 0x32c: 'mbed_error_vfprintf' 13 | 0x380: 'mbed_error_printf' 14 | 0x39a: '_ZN4mbed10FileHandle4syncEv' 15 | 0x39e: '_ZN4mbed10FileHandle4tellEv' 16 | 0x3a8: '_ZN4mbed10FileHandle6rewindEv' 17 | 0x3b2: '_ZN4mbed10FileHandle5lseekEli' 18 | 0x3b8: '_ZN4mbed10FileHandle5fsyncEv' 19 | 0x3be: '_ZN4mbed10FileHandle4flenEv' 20 | 0x3c4: '_ZN4mbed10FileHandle12set_blockingEb' 21 | 0x3d0: '_ZNK4mbed10FileHandle11is_blockingEv' 22 | 0x3d4: '_ZN4mbed10FileHandle5sigioENS_8CallbackIFvvEEE' 23 | 0x3d6: '_ZN12DirectSerial4seekEli' 24 | 0x3dc: '_ZN12DirectSerial4sizeEv' 25 | 0x3e2: '_ZN12DirectSerial6isattyEv' 26 | 0x3e6: '_ZN12DirectSerial5closeEv' 27 | 0x3ea: '_ZN12DirectSerialD2Ev' 28 | 0x3ec: '_ZN12DirectSerial5writeEPKvj' 29 | 0x410: '_ZNK12DirectSerial4pollEs' 30 | 0x440: '_ZN12DirectSerialD0Ev' 31 | 0x44c: '_ZN12DirectSerial4readEPvj' 32 | 0x468: '_ZN12DirectSerialC2E7PinNameS0_i' 33 | 0x498: '_ZN4mbed28mbed_target_override_consoleEi' 34 | 0x49c: '_ZN4mbed21mbed_override_consoleEi' 35 | 0x4a0: '_sbrk' 36 | 0x4e4: '_exit' 37 | 0x4ee: '__aeabi_atexit' 38 | 0x4f2: '__wrap_exit' 39 | 0x4f8: '__wrap_atexit' 40 | 0x4fc: '__rtos_malloc_lock' 41 | 0x4fe: '__rtos_malloc_unlock' 42 | 0x500: '__malloc_lock' 43 | 0x508: '__malloc_unlock' 44 | 0x510: '__cxa_guard_acquire' 45 | 0x544: '__cxa_guard_release' 46 | 0x574: '_ZL7get_fhci' 47 | 0x5f4: 'close' 48 | 0x630: '_close' 49 | 0x634: 'write' 50 | 0x668: '_write' 51 | 0x68c: 'read' 52 | 0x6c0: '_read' 53 | 0x6dc: 'isatty' 54 | 0x708: '_isatty' 55 | 0x70c: 'lseek' 56 | 0x740: '_lseek' 57 | 0x744: 'fstat' 58 | 0x780: '_fstat' 59 | 0x784: 'us_ticker_get_info' 60 | 0x78c: 'mbed_main' 61 | 0x78e: 'mbed_sdk_init' 62 | 0x790: 'software_init_hook_rtos' 63 | 0x794: 'mbed_copy_nvic' 64 | 0x7c0: 'software_init_hook' 65 | 0x7d0: '__wrap_main' 66 | 0x7e0: 'pin_mode' 67 | 0x830: '__NVIC_DisableIRQ' 68 | 0x858: 'switch_pin' 69 | 0x8b4: 'serial_baud' 70 | 0x8f4: 'serial_format' 71 | 0x96c: 'serial_init' 72 | 0xab0: 'serial_getc' 73 | 0xabc: 'serial_putc' 74 | 0xac8: 'serial_readable' 75 | 0xad2: 'serial_writable' 76 | 0xadc: 'Reset_Handler' 77 | 0xb0c: 'NMI_Handler' 78 | 0xb0e: 'HardFault_Handler' 79 | 0xb10: 'MemManage_Handler' 80 | 0xb12: 'BusFault_Handler' 81 | 0xb14: 'UsageFault_Handler' 82 | 0xb16: 'SVC_Handler' 83 | 0xb18: 'DebugMon_Handler' 84 | 0xb1a: 'PendSV_Handler' 85 | 0xb1c: 'SysTick_Handler' 86 | 0xb1e: 'WDT_IRQHandler' 87 | 0xb20: 'SystemInit' 88 | 0xbec: 'us_ticker_init' 89 | 0xc84: 'us_ticker_read' 90 | 0xca0: 'us_ticker_set_interrupt' 91 | 0xcd0: 'us_ticker_fire_interrupt' 92 | 0xce0: 'us_ticker_disable_interrupt' 93 | 0xcf0: 'us_ticker_clear_interrupt' 94 | 0xd00: '_Z9evil_readv' 95 | 0xd40: 'main' 96 | 0xe18: '_GLOBAL__sub_I_led1' 97 | 0xe38: 'get_us_ticker_data' 98 | 0xe40: 'us_ticker_irq_handler' 99 | 0xe54: 'gpio_write_0' 100 | 0xe84: 'gpio_init_out_ex' 101 | 0xeb2: 'gpio_init_out' 102 | 0xeb8: 'mbed_assert_internal' 103 | 0xedc: 'update_present_time' 104 | 0xfd0: '_ticker_match_interval_passed' 105 | 0xff8: 'schedule_interrupt' 106 | 0x10c8: 'initialize' 107 | 0x11ac: 'ticker_irq_handler' 108 | 0x1208: 'ticker_read_us' 109 | 0x122e: 'ticker_read' 110 | 0x1238: 'handle_error' 111 | 0x12c4: 'print_error_report' 112 | 0x12f2: 'jpt_12EE' 113 | 0x1302: 'def_12EE' 114 | 0x139c: 'error' 115 | 0x13e0: 'core_util_critical_section_enter' 116 | 0x140c: 'core_util_critical_section_exit' 117 | 0x1428: 'wait_us' 118 | 0x1446: 'wait_ms' 119 | 0x1450: 'hal_critical_section_enter' 120 | 0x1474: 'hal_critical_section_exit' 121 | 0x14a8: '__errno' 122 | 0x14b4: '_cleanup_r' 123 | 0x14c0: 'std.isra.0' 124 | 0x1508: '__sfmoreglue' 125 | 0x1534: '__sinit' 126 | 0x1594: '__sfp' 127 | 0x160c: '_fwalk' 128 | 0x1644: '_fwalk_reent' 129 | 0x1680: 'getc' 130 | 0x16e0: '__libc_init_array' 131 | 0x1728: '__swhatbuf_r' 132 | 0x1770: '__smakebuf_r' 133 | 0x17f0: 'free' 134 | 0x1800: 'memchr' 135 | 0x181c: 'memcpy' 136 | 0x1832: 'memset' 137 | 0x1844: '_putc_r' 138 | 0x18b0: 'putc' 139 | 0x18c0: '_puts_r' 140 | 0x1978: 'puts' 141 | 0x1988: 'lflush' 142 | 0x199c: '__srefill_r' 143 | 0x1ab4: '__srget_r' 144 | 0x1b0c: '__sread' 145 | 0x1b2e: '__swrite' 146 | 0x1b66: '__sseek' 147 | 0x1b8a: '__sclose' 148 | 0x1b92: '_vsnprintf_r' 149 | 0x1bec: 'vsnprintf' 150 | 0x1c08: '__swbuf_r' 151 | 0x1cac: '_write_r' 152 | 0x1cd0: '__swsetup_r' 153 | 0x1dac: '_close_r' 154 | 0x1dcc: '__sflush_r' 155 | 0x1edc: '_fflush_r' 156 | 0x1f30: 'fflush' 157 | 0x1f54: '_fstat_r' 158 | 0x1f78: '_isatty_r' 159 | 0x1f98: '_lseek_r' 160 | 0x1fbc: '__ssputs_r' 161 | 0x2074: '_svfprintf_r' 162 | 0x225c: '_printf_common' 163 | 0x234c: '_printf_i' 164 | 0x258c: '_read_r' 165 | 0x25b0: 'memmove' 166 | 0x25e4: '__lshrdi3' 167 | 0x25fc: '__ashldi3' 168 | 0x2614: '__aeabi_uldivmod' 169 | 0x2644: '__udivmoddi4' 170 | 0x2920: '__aeabi_ldiv0' 171 | 0x2924: '__wrap__malloc_r' 172 | 0x2928: '__wrap__realloc_r' 173 | 0x292c: '__wrap__free_r' 174 | 0x2930: '_free_r' 175 | 0x29c8: '_malloc_r' 176 | 0x2a84: '_realloc_r' 177 | 0x2ad0: '_sbrk_r' 178 | 0x2af0: '_malloc_usable_size_r' 179 | 0x2b04: '_init' 180 | 0x2b10: '_fini' 181 | 0x2b7a: 'aEtNxpTargetLpc' 182 | 0x2bfe: 'aEtLpc15xxGpioO' 183 | 0x2c18: '_ZTV12DirectSerial' 184 | 0x2c68: '_ZZ18us_ticker_get_infoE4info' 185 | 0x2d00: 'aGressGuardObje' 186 | 0x2d84: 'aXPinmapC' 187 | 0x2d8f: 'SWM_UART_RX' 188 | 0x2d95: 'SWM_UART_TX' 189 | 0x2dec: 'aEtLpc15xxSeria' 190 | 0x2e24: 'a2' 191 | 0x2e34: 'a6DataBits10' 192 | 0x2e78: 'aEvenParityPari' 193 | 0x2e9c: 'aAilableUart' 194 | 0x2ea9: 'aPleaseEnterThe' 195 | 0x2ec7: 'aCodeAccepted' 196 | 0x2efc: 'aEtNxpTargetLpc_0' 197 | 0x2f20: 'aWelcome' 198 | 0x2f2c: 'us_data' 199 | 0x2f34: 'us_interface' 200 | 0x2f70: 'aESLineD' 201 | 0x2f81: 'aHomeJenkinsMbe' 202 | 0x2fd1: 'a0_0' 203 | 0x2fd3: 'aFatalRunTimeEr' 204 | 0x2fe8: 'aMbedosErrorInf' 205 | 0x3040: 'aError0xX' 206 | 0x304e: 'aThread0xX' 207 | 0x3064: 'a0xX' 208 | 0x3080: 'aOrypool0xX' 209 | 0x3090: 'aEventflags0xX' 210 | 0x30b4: 'aSagequeue0xX' 211 | 0x30c6: 'aLocation0xX' 212 | 0x30d6: 'aErrorValue0xX' 213 | 0x30f4: 'aReadId0xXEntry' 214 | 0x3138: 'aMbedosErrorInf_0' 215 | 0x3188: 'aOsPlatformMbed' 216 | 0x31d0: 'a2Max' 217 | 0x31d6: 'aHomeJenkinsMbe_0' 218 | 0x3230: 'aAreInterruptsE' 219 | 0x324c: '__sf_fake_stderr' 220 | 0x326c: '__sf_fake_stdin' 221 | 0x328c: '__sf_fake_stdout' 222 | 0x32ac: '_global_impure_ptr' 223 | 0x32b0: 'a0' 224 | 0x32c4: 'a3456789abcdef' 225 | 0x32d3: 'a123456789abcde' 226 | 0x32e4: '__FRAME_END__' 227 | 0x32e8: '__exidx_start' 228 | 0x2000100: 'Image$$RW_IRAM1$$Base' 229 | 0x2000104: '_ZL11filehandles' 230 | 0x2000204: '_ZZ5_sbrkE4heap' 231 | 0x2000208: 'SystemCoreClock' 232 | 0x200020c: 'irq_handler' 233 | 0x2000210: '_impure_ptr' 234 | 0x2000214: 'impure_data' 235 | 0x2000274: '__preinit_array_start' 236 | 0x200027c: '__init_array_end' 237 | 0x2000280: '__data_end__' 238 | 0x2000284: 'object.8672' 239 | 0x200029c: 'gpio_enabled' 240 | 0x20002a0: '_ZGVZL15default_consolevE7console' 241 | 0x20002a4: '_ZZL15default_consolevE7console' 242 | 0x20002a8: 'mbed_heap_size' 243 | 0x20002ac: 'mbed_heap_start' 244 | 0x20002b0: 'UARTSysClk' 245 | 0x20002b4: 'stdio_uart_inited' 246 | 0x20002b8: 'uart_used' 247 | 0x20002bc: 'us_ticker_inited' 248 | 0x20002c0: 'led1' 249 | 0x20002d8: 'events' 250 | 0x2000318: 'error_count' 251 | 0x200031c: 'error_hook' 252 | 0x2000320: 'error_in_progress' 253 | 0x2000324: 'first_error_ctx' 254 | 0x2000358: 'last_error_ctx' 255 | 0x200038c: 'critical_section_reentrancy_counter' 256 | 0x2000390: 'critical_interrupts_enabled' 257 | 0x2000391: 'state_saved' 258 | 0x2000394: '__malloc_free_list' 259 | 0x2000398: '__malloc_sbrk_start' 260 | 0x200039c: 'stdio_uart' 261 | 0x20003a4: 'errno' 262 | 0x20003a8: '_end' 263 | 0x20003ac: 'Stack_Size' 264 | 0x20003b0: 'Heap_Size' 265 | 0x20003b4: '__stack' 266 | 0x20003b8: '__StackLimit' 267 | -------------------------------------------------------------------------------- /examples/pw-recovery/LPC1768/basic_exercises.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware/28ce2dc3f888ecf1bf8d8da314a88b755d0ecc88/examples/pw-recovery/LPC1768/basic_exercises.bin -------------------------------------------------------------------------------- /examples/pw-recovery/LPC1768/basic_exercises.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware/28ce2dc3f888ecf1bf8d8da314a88b755d0ecc88/examples/pw-recovery/LPC1768/basic_exercises.elf -------------------------------------------------------------------------------- /examples/pw-recovery/LPC1768/config.yml: -------------------------------------------------------------------------------- 1 | include: 2 | - ./../../configs/hw/cortexm_memory.yml 3 | - ./syms.yml 4 | 5 | memory_map: 6 | sram: 7 | base_addr: 0x10000000 8 | permissions: rwx 9 | size: 0x8000 10 | text: 11 | base_addr: 0x0 12 | file: ./basic_exercises.bin 13 | permissions: r-x 14 | size: 0x800000 15 | is_entry: True 16 | 17 | use_systick: false 18 | use_nvic: false 19 | use_timers: false 20 | -------------------------------------------------------------------------------- /examples/pw-recovery/MOTE_L152RC/basic_exercises.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware/28ce2dc3f888ecf1bf8d8da314a88b755d0ecc88/examples/pw-recovery/MOTE_L152RC/basic_exercises.bin -------------------------------------------------------------------------------- /examples/pw-recovery/MOTE_L152RC/basic_exercises.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware/28ce2dc3f888ecf1bf8d8da314a88b755d0ecc88/examples/pw-recovery/MOTE_L152RC/basic_exercises.elf -------------------------------------------------------------------------------- /examples/pw-recovery/MOTE_L152RC/config.yml: -------------------------------------------------------------------------------- 1 | include: 2 | - ./../../configs/hw/cortexm_memory.yml 3 | - ./syms.yml 4 | 5 | memory_map: 6 | text: 7 | base_addr: 0x8000000 8 | file: ./basic_exercises.bin 9 | permissions: r-x 10 | size: 0x800000 11 | is_entry: True 12 | 13 | use_nvic: false 14 | use_timers: false 15 | use_systick: false 16 | -------------------------------------------------------------------------------- /examples/pw-recovery/MOTE_L152RC/syms.yml: -------------------------------------------------------------------------------- 1 | symbols: 2 | 0x8000000: 'g_pfnVectors' 3 | 0x800013c: '__do_global_dtors_aux' 4 | 0x8000160: 'frame_dummy' 5 | 0x80001a8: '_start' 6 | 0x800021c: 'LL_GPIO_SetPinMode' 7 | 0x8000248: 'Set_GPIO_Clock' 8 | 0x8000252: 'jpt_800024E' 9 | 0x80002ee: 'def_800024E' 10 | 0x8000318: 'gpio_set' 11 | 0x8000344: 'gpio_init' 12 | 0x8000384: 'gpio_mode' 13 | 0x800038c: 'gpio_dir' 14 | 0x800039c: 'HAL_InitTick' 15 | 0x80003a8: 'HAL_GetTick' 16 | 0x80003d8: 'mbed_die' 17 | 0x8000430: 'mbed_error_vfprintf' 18 | 0x8000484: 'mbed_error_printf' 19 | 0x80004a0: 'mbed_sdk_init' 20 | 0x80004c0: '_ZN4mbed10FileHandle4syncEv' 21 | 0x80004c4: '_ZN4mbed10FileHandle4tellEv' 22 | 0x80004ce: '_ZN4mbed10FileHandle6rewindEv' 23 | 0x80004d8: '_ZN4mbed10FileHandle5lseekEli' 24 | 0x80004de: '_ZN4mbed10FileHandle5fsyncEv' 25 | 0x80004e4: '_ZN4mbed10FileHandle4flenEv' 26 | 0x80004ea: '_ZN4mbed10FileHandle12set_blockingEb' 27 | 0x80004f6: '_ZNK4mbed10FileHandle11is_blockingEv' 28 | 0x80004fa: '_ZN4mbed10FileHandle5sigioENS_8CallbackIFvvEEE' 29 | 0x80004fc: '_ZN12DirectSerial4seekEli' 30 | 0x8000502: '_ZN12DirectSerial4sizeEv' 31 | 0x8000508: '_ZN12DirectSerial6isattyEv' 32 | 0x800050c: '_ZN12DirectSerial5closeEv' 33 | 0x8000510: '_ZN12DirectSerialD2Ev' 34 | 0x8000514: '_ZN12DirectSerial5writeEPKvj' 35 | 0x8000538: '_ZNK12DirectSerial4pollEs' 36 | 0x8000568: '_ZN12DirectSerialD0Ev' 37 | 0x8000574: '_ZN12DirectSerial4readEPvj' 38 | 0x8000590: '_ZN12DirectSerialC2E7PinNameS0_i' 39 | 0x80005c0: '_ZN4mbed28mbed_target_override_consoleEi' 40 | 0x80005c4: '_ZN4mbed21mbed_override_consoleEi' 41 | 0x80005c8: '_sbrk' 42 | 0x800060c: '_exit' 43 | 0x8000630: '__aeabi_atexit' 44 | 0x8000634: '__wrap_exit' 45 | 0x800063a: '__wrap_atexit' 46 | 0x800063e: '__rtos_malloc_lock' 47 | 0x8000640: '__rtos_malloc_unlock' 48 | 0x8000642: '__malloc_lock' 49 | 0x800064a: '__malloc_unlock' 50 | 0x8000654: '__cxa_guard_acquire' 51 | 0x8000688: '__cxa_guard_release' 52 | 0x80006b8: '_ZL7get_fhci' 53 | 0x8000738: 'close' 54 | 0x8000774: '_close' 55 | 0x8000778: 'write' 56 | 0x80007ac: '_write' 57 | 0x80007d0: 'read' 58 | 0x8000804: '_read' 59 | 0x8000820: 'isatty' 60 | 0x800084c: '_isatty' 61 | 0x8000850: 'lseek' 62 | 0x8000884: '_lseek' 63 | 0x8000888: 'fstat' 64 | 0x80008c4: '_fstat' 65 | 0x80008c8: 'mbed_main' 66 | 0x80008ca: 'software_init_hook_rtos' 67 | 0x80008cc: 'mbed_copy_nvic' 68 | 0x80008f8: 'software_init_hook' 69 | 0x8000908: '__wrap_main' 70 | 0x8000916: 'LL_GPIO_SetPinPull' 71 | 0x8000942: 'stm_pin_PullConfig' 72 | 0x8000950: 'pin_function' 73 | 0x80009b0: 'jpt_80009AC' 74 | 0x8000a1a: 'def_80009AC' 75 | 0x8000a80: 'pin_mode' 76 | 0x8000b14: 'debug' 77 | 0x8000b3c: 'serial_readable' 78 | 0x8000b64: 'serial_writable' 79 | 0x8000b78: 'init_uart' 80 | 0x8000bcc: 'serial_baud' 81 | 0x8000bec: 'get_uart_index' 82 | 0x8000c18: 'serial_init' 83 | 0x8000d5c: 'serial_getc' 84 | 0x8000d88: 'serial_putc' 85 | 0x8000db4: 'Reset_Handler' 86 | 0x8000db8: 'CopyDataInit' 87 | 0x8000dc0: 'LoopCopyDataInit' 88 | 0x8000de0: 'WWDG_IRQHandler' 89 | 0x8000de2: 'HAL_MspInit' 90 | 0x8000de4: 'HAL_Init' 91 | 0x8000e10: 'HAL_NVIC_SetPriorityGrouping' 92 | 0x8000e34: 'RCC_SetFlashLatencyFromMSIRange' 93 | 0x8000eb4: 'HAL_RCC_OscConfig' 94 | 0x8001584: 'HAL_RCC_GetSysClockFreq' 95 | 0x8001610: 'HAL_RCC_ClockConfig' 96 | 0x80017cc: 'HAL_RCC_GetPCLK1Freq' 97 | 0x80017fc: 'HAL_RCC_GetPCLK2Freq' 98 | 0x800182c: 'HAL_RCC_GetClockConfig' 99 | 0x8001868: 'TIM_Base_SetConfig' 100 | 0x80018ec: 'TIM_CCxChannelCmd' 101 | 0x8001904: 'HAL_TIM_OC_MspInit' 102 | 0x8001906: 'HAL_TIM_OC_Init' 103 | 0x800193a: 'HAL_TIM_IC_Start' 104 | 0x8001954: 'HAL_TIM_OC_Start' 105 | 0x8001958: 'UART_SetConfig' 106 | 0x8001b9c: 'HAL_UART_MspInit' 107 | 0x8001b9e: 'HAL_UART_Init' 108 | 0x8001bf8: 'SystemInit' 109 | 0x8001c40: 'SetSysClock_PLL_HSE' 110 | 0x8001cec: 'SetSysClock_PLL_HSI' 111 | 0x8001d6c: 'SetSysClock' 112 | 0x8001d80: 'SystemCoreClockUpdate' 113 | 0x8001d94: 'jpt_8001D90' 114 | 0x8001de4: 'def_8001D90' 115 | 0x8001e10: 'timer_irq_handler' 116 | 0x8001e38: 'us_ticker_get_info' 117 | 0x8001e40: 'init_32bit_timer' 118 | 0x8001ee4: 'us_ticker_read' 119 | 0x8001ef0: 'us_ticker_set_interrupt' 120 | 0x8001f0c: 'us_ticker_fire_interrupt' 121 | 0x8001f2c: 'us_ticker_disable_interrupt' 122 | 0x8001f40: 'us_ticker_init' 123 | 0x8001f44: 'us_ticker_clear_interrupt' 124 | 0x8001f54: '_Z9evil_readv' 125 | 0x8001f94: 'main' 126 | 0x8002034: '_GLOBAL__sub_I_led1' 127 | 0x8002054: '_gpio_init_out' 128 | 0x800207c: 'gpio_init_out_ex' 129 | 0x800209c: 'gpio_init_out' 130 | 0x80020a4: 'pinmap_pinout' 131 | 0x80020ec: 'pinmap_merge' 132 | 0x8002120: 'pinmap_find_peripheral' 133 | 0x8002138: 'pinmap_peripheral' 134 | 0x8002168: 'get_us_ticker_data' 135 | 0x8002170: 'us_ticker_irq_handler' 136 | 0x8002184: 'update_present_time' 137 | 0x8002278: '_ticker_match_interval_passed' 138 | 0x80022a0: 'schedule_interrupt' 139 | 0x8002370: 'initialize' 140 | 0x8002454: 'ticker_irq_handler' 141 | 0x80024b0: 'ticker_read_us' 142 | 0x80024d6: 'ticker_read' 143 | 0x80024de: 'core_util_are_interrupts_enabled' 144 | 0x80024ea: 'core_util_is_isr_active' 145 | 0x80024f8: 'core_util_critical_section_enter' 146 | 0x8002524: 'core_util_critical_section_exit' 147 | 0x8002540: 'mbed_assert_internal' 148 | 0x8002564: 'wait_us' 149 | 0x8002582: 'wait_ms' 150 | 0x800258c: 'handle_error' 151 | 0x8002618: 'print_error_report' 152 | 0x8002646: 'jpt_8002642' 153 | 0x8002656: 'def_8002642' 154 | 0x80026f0: 'error' 155 | 0x8002734: 'mbed_error' 156 | 0x8002768: 'hal_critical_section_enter' 157 | 0x800278c: 'hal_critical_section_exit' 158 | 0x80027c0: '__errno' 159 | 0x80027cc: '__sflush_r' 160 | 0x80028dc: '_fflush_r' 161 | 0x8002930: 'fflush' 162 | 0x8002954: '_cleanup_r' 163 | 0x8002960: 'std.isra.0' 164 | 0x80029a8: '__sfmoreglue' 165 | 0x80029d4: '__sinit' 166 | 0x8002a34: '__sfp' 167 | 0x8002aac: '_fwalk' 168 | 0x8002ae4: '_fwalk_reent' 169 | 0x8002b20: 'getc' 170 | 0x8002b80: '__libc_init_array' 171 | 0x8002bc8: '__swhatbuf_r' 172 | 0x8002c10: '__smakebuf_r' 173 | 0x8002c90: 'free' 174 | 0x8002ca0: 'memchr' 175 | 0x8002cbc: 'memcpy' 176 | 0x8002cd2: 'memset' 177 | 0x8002ce2: '__sfputc_r' 178 | 0x8002d0e: '__sfputs_r' 179 | 0x8002d34: '_vfprintf_r' 180 | 0x8002f60: 'vfprintf' 181 | 0x8002f74: '_printf_common' 182 | 0x8003064: '_printf_i' 183 | 0x80032a4: '_putc_r' 184 | 0x8003310: 'putc' 185 | 0x8003320: '_puts_r' 186 | 0x80033d8: 'puts' 187 | 0x80033e8: 'lflush' 188 | 0x80033fc: '__srefill_r' 189 | 0x8003514: '__srget_r' 190 | 0x800356c: '__sread' 191 | 0x800358e: '__swrite' 192 | 0x80035c6: '__sseek' 193 | 0x80035ea: '__sclose' 194 | 0x80035f2: '_vsnprintf_r' 195 | 0x800364c: 'vsnprintf' 196 | 0x8003668: '__swbuf_r' 197 | 0x800370c: '_write_r' 198 | 0x8003730: '__swsetup_r' 199 | 0x800380c: '_close_r' 200 | 0x800382c: '_fstat_r' 201 | 0x8003850: '_isatty_r' 202 | 0x8003870: '_lseek_r' 203 | 0x8003894: 'memmove' 204 | 0x80038c8: '__ssputs_r' 205 | 0x8003980: '_svfprintf_r' 206 | 0x8003b68: '_read_r' 207 | 0x8003b8c: '__lshrdi3' 208 | 0x8003ba4: '__ashldi3' 209 | 0x8003bbc: '__aeabi_uldivmod' 210 | 0x8003bec: '__udivmoddi4' 211 | 0x8003ec8: '__aeabi_ldiv0' 212 | 0x8003ecc: '__wrap__malloc_r' 213 | 0x8003ed0: '__wrap__realloc_r' 214 | 0x8003ed4: '__wrap__free_r' 215 | 0x8003ed8: '_free_r' 216 | 0x8003f70: '_malloc_r' 217 | 0x800402c: '_realloc_r' 218 | 0x8004078: '_sbrk_r' 219 | 0x8004098: '_malloc_usable_size_r' 220 | 0x80040ac: '_init' 221 | 0x80040b8: '_fini' 222 | 0x80040c4: 'PinMap_UART_RX' 223 | 0x8004100: 'PinMap_UART_TX' 224 | 0x800413c: 'aPinmapErrorWro' 225 | 0x800415d: 'aHomeJenkinsBui' 226 | 0x80041b7: 'aPinPinnameNc' 227 | 0x80041cc: '_ZTV12DirectSerial' 228 | 0x800429e: 'aUardInitInProg' 229 | 0x80042d8: 'll_pin_defines' 230 | 0x8004360: 'aEtStmPinmapC' 231 | 0x8004370: 'aCannotInitiali' 232 | 0x80043e4: 'aStmSerialApiC' 233 | 0x8004428: 'aCtIsUsingSameU' 234 | 0x8004447: 'aObjSIndex0' 235 | 0x8004459: 'AHBPrescTable' 236 | 0x8004469: 'APBPrescTable' 237 | 0x8004471: 'PLLMulTable' 238 | 0x800447c: 'info.9646' 239 | 0x8004484: 'aPleaseEnterThe' 240 | 0x80044a2: 'aCodeAccepted' 241 | 0x80044bc: 'aMapMisMatch' 242 | 0x80044ca: 'aPinmapNotFound' 243 | 0x80044ea: 'aCouldNotPinout' 244 | 0x80044fc: 'us_data' 245 | 0x8004504: 'us_interface' 246 | 0x8004574: 'aOmeJenkinsBuil' 247 | 0x80045c7: 'aCriticalSectio' 248 | 0x80045f8: 'aMbedAssertatio' 249 | 0x8004629: 'aFatalRunTimeEr' 250 | 0x800463e: 'aMbedosErrorInf' 251 | 0x8004694: 'aLError0xX' 252 | 0x80046a4: 'aThread0xX' 253 | 0x80046b8: 'a0xX' 254 | 0x80046c8: 'aRe0xX' 255 | 0x80046d8: 'aYpool0xX' 256 | 0x80046e6: 'aEventflags0xX' 257 | 0x80046f9: 'aTimer0xX' 258 | 0x800472c: 'aErrorValue0xX' 259 | 0x800474c: 'aAdId0xXEntry0x' 260 | 0x800478e: 'aMbedosErrorInf_0' 261 | 0x80047dc: 'aMbedOsHalMbedC' 262 | 0x8004804: 'aAreInterruptsE' 263 | 0x8004820: '__sf_fake_stderr' 264 | 0x8004840: '__sf_fake_stdin' 265 | 0x8004860: '__sf_fake_stdout' 266 | 0x8004880: '_global_impure_ptr' 267 | 0x8004884: 'a0' 268 | 0x8004896: 'a123456789abcde' 269 | 0x80048a7: 'a123456789abcde_0' 270 | 0x80048b8: '__FRAME_END__' 271 | 0x80048bc: '__exidx_start' 272 | 0x2000013c: '_sdata' 273 | 0x20000140: '_ZL11filehandles' 274 | 0x20000240: '_ZZ5_sbrkE4heap' 275 | 0x20000244: 'SystemCoreClock' 276 | 0x20000248: 'irq_handler' 277 | 0x2000024c: '_impure_ptr' 278 | 0x20000250: 'impure_data' 279 | 0x200002b0: '__frame_dummy_init_array_entry' 280 | 0x200002b8: '__do_global_dtors_aux_fini_array_entry' 281 | 0x200002bc: '__JCR_LIST__' 282 | 0x200002c0: '_edata' 283 | 0x200002c4: 'object.8672' 284 | 0x200002dc: 'mbed_sdk_inited' 285 | 0x200002e0: '_ZGVZL15default_consolevE7console' 286 | 0x200002e4: '_ZZL15default_consolevE7console' 287 | 0x200002e8: 'mbed_heap_size' 288 | 0x200002ec: 'mbed_heap_start' 289 | 0x200002f0: 'stdio_uart_inited' 290 | 0x200002f4: 'led1' 291 | 0x20000310: 'events' 292 | 0x20000350: 'critical_section_reentrancy_counter' 293 | 0x20000354: 'error_count' 294 | 0x20000358: 'error_hook' 295 | 0x2000035c: 'error_in_progress' 296 | 0x20000360: 'first_error_ctx' 297 | 0x20000394: 'last_error_ctx' 298 | 0x200003c8: 'critical_interrupts_enabled' 299 | 0x200003c9: 'state_saved' 300 | 0x200003cc: '__malloc_free_list' 301 | 0x200003d0: '__malloc_sbrk_start' 302 | 0x200003d4: 'stdio_uart' 303 | 0x200003f0: 'uart_handlers' 304 | 0x20000530: 'timer_dier_reg' 305 | 0x20000534: 'TimMasterHandle' 306 | 0x2000056c: 'timer_ccr1_reg' 307 | 0x20000570: 'timer_cnt_reg' 308 | 0x20000574: 'errno' 309 | 0x20000578: '_end' 310 | 0x2000057c: 'BootRAM' 311 | 0x20000580: '_estack' 312 | 0x20000584: '__stack' 313 | 0x20000588: '__StackLimit' 314 | -------------------------------------------------------------------------------- /examples/pw-recovery/NUCLEO_F103RB/basic_exercises.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware/28ce2dc3f888ecf1bf8d8da314a88b755d0ecc88/examples/pw-recovery/NUCLEO_F103RB/basic_exercises.bin -------------------------------------------------------------------------------- /examples/pw-recovery/NUCLEO_F103RB/basic_exercises.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware/28ce2dc3f888ecf1bf8d8da314a88b755d0ecc88/examples/pw-recovery/NUCLEO_F103RB/basic_exercises.elf -------------------------------------------------------------------------------- /examples/pw-recovery/NUCLEO_F103RB/config.yml: -------------------------------------------------------------------------------- 1 | include: 2 | - ./../../configs/hw/cortexm_memory.yml 3 | - ./syms.yml 4 | 5 | memory_map: 6 | text: 7 | base_addr: 0x8000000 8 | file: ./basic_exercises.bin 9 | permissions: r-x 10 | size: 0x800000 11 | is_entry: True 12 | 13 | use_nvic: false 14 | use_timers: false 15 | use_systick: false 16 | -------------------------------------------------------------------------------- /examples/pw-recovery/NUCLEO_F207ZG/basic_exercises.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware/28ce2dc3f888ecf1bf8d8da314a88b755d0ecc88/examples/pw-recovery/NUCLEO_F207ZG/basic_exercises.bin -------------------------------------------------------------------------------- /examples/pw-recovery/NUCLEO_F207ZG/basic_exercises.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware/28ce2dc3f888ecf1bf8d8da314a88b755d0ecc88/examples/pw-recovery/NUCLEO_F207ZG/basic_exercises.elf -------------------------------------------------------------------------------- /examples/pw-recovery/NUCLEO_F207ZG/config.yml: -------------------------------------------------------------------------------- 1 | include: 2 | - ./../../configs/hw/cortexm_memory.yml 3 | - ./syms.yml 4 | 5 | memory_map: 6 | text: 7 | base_addr: 0x8000000 8 | file: ./basic_exercises.bin 9 | permissions: r-x 10 | size: 0x800000 11 | is_entry: True 12 | 13 | use_nvic: false 14 | use_timers: false 15 | use_systick: false 16 | -------------------------------------------------------------------------------- /examples/pw-recovery/NUCLEO_L152RE/basic_exercises.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware/28ce2dc3f888ecf1bf8d8da314a88b755d0ecc88/examples/pw-recovery/NUCLEO_L152RE/basic_exercises.bin -------------------------------------------------------------------------------- /examples/pw-recovery/NUCLEO_L152RE/basic_exercises.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware/28ce2dc3f888ecf1bf8d8da314a88b755d0ecc88/examples/pw-recovery/NUCLEO_L152RE/basic_exercises.elf -------------------------------------------------------------------------------- /examples/pw-recovery/NUCLEO_L152RE/config.yml: -------------------------------------------------------------------------------- 1 | include: 2 | - ./../../configs/hw/cortexm_memory.yml 3 | - ./syms.yml 4 | 5 | memory_map: 6 | text: 7 | base_addr: 0x8000000 8 | file: ./basic_exercises.bin 9 | permissions: r-x 10 | size: 0x800000 11 | is_entry: True 12 | 13 | use_timers: false 14 | use_nvic: false 15 | use_systick: false 16 | -------------------------------------------------------------------------------- /examples/pw-recovery/UBLOX_C027/basic_exercises.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware/28ce2dc3f888ecf1bf8d8da314a88b755d0ecc88/examples/pw-recovery/UBLOX_C027/basic_exercises.bin -------------------------------------------------------------------------------- /examples/pw-recovery/UBLOX_C027/basic_exercises.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware/28ce2dc3f888ecf1bf8d8da314a88b755d0ecc88/examples/pw-recovery/UBLOX_C027/basic_exercises.elf -------------------------------------------------------------------------------- /examples/pw-recovery/UBLOX_C027/config.yml: -------------------------------------------------------------------------------- 1 | include: 2 | - ./../../configs/hw/cortexm_memory.yml 3 | - ./syms.yml 4 | 5 | memory_map: 6 | sram: 7 | base_addr: 0x10000000 8 | permissions: rwx 9 | size: 0x8000 10 | text: 11 | base_addr: 0x0 12 | file: ./basic_exercises.bin 13 | permissions: r-x 14 | size: 0x800000 15 | is_entry: True 16 | 17 | use_timers: false 18 | use_nvic: false 19 | use_systick: false 20 | -------------------------------------------------------------------------------- /install_local.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | VENV_NAME=fuzzware 3 | 4 | for i in python3 automake redis-server tmux virtualenvwrapper.sh cmake clang clang++ git unzip arm-none-eabi-objcopy; do 5 | 6 | T=$(which "$i" 2>/dev/null) 7 | 8 | if [ "$T" = "" ]; then 9 | 10 | echo "[-] Error: '$i' not found. It requires an install." 11 | exit 1 12 | 13 | fi 14 | 15 | done 16 | 17 | if [[ ! -e emulator/setup.sh || ! -e pipeline/setup.sh ]]; then 18 | ./update.sh 19 | fi 20 | 21 | if [[ ! -e emulator/setup.sh || ! -e pipeline/setup.sh ]]; then 22 | echo "[ERROR] Could not pull emulator and pipeline repos, exiting."; exit 1 23 | fi 24 | 25 | VIRTUALENVWRAPPER_PYTHON="${VIRTUALENVWRAPPER_PYTHON:=$(which python3)}" 26 | export VIRTUALENVWRAPPER_PYTHON 27 | source "$(which virtualenvwrapper.sh)" 28 | "$VIRTUALENVWRAPPER_PYTHON" -c "import virtualenvwrapper" &> /dev/null || { 29 | echo "Module virtualenvwrapper not installed, installing now" 30 | "$VIRTUALENVWRAPPER_PYTHON" -m pip install virtualenvwrapper || { 31 | echo "Could not install virtualenvwrapper, exiting"; exit 1 32 | } 33 | } 34 | 35 | # First run modeling install as this may cause python compatibility issues 36 | pushd modeling; ./setup.sh || { echo "Could not install modeling, exiting."; popd; exit 4; }; popd 37 | 38 | workon $VENV_NAME 2>/dev/null || echo "Creating virtualenv '$VENV_NAME'"; mkvirtualenv -p /usr/bin/python3 $VENV_NAME 1>/dev/null 2>&1 && workon $VENV_NAME 39 | pushd emulator; ./setup.sh || { echo "Could not install emulator, exiting. In case python / setuptools seems problematic, consider nuking the '$VENV_NAME' and '$VENV_NAME-modeling' virtualenvs and try again."; popd; exit 2; }; popd 40 | pushd pipeline; ./setup.sh || { echo "Could not install pipeline, exiting."; popd; exit 3; }; popd 41 | -------------------------------------------------------------------------------- /modeling/fuzzware_model.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import fuzzware_modeling 4 | 5 | if __name__ == '__main__': 6 | fuzzware_modeling.main() -------------------------------------------------------------------------------- /modeling/fuzzware_modeling/__init__.py: -------------------------------------------------------------------------------- 1 | import argparse 2 | import yaml 3 | 4 | from .fuzzware_utils.config import load_config_deep, update_config_file 5 | 6 | # Hard timeout 7 | DEFAULT_TIMEOUT = 600 8 | # Part of time set aside for stepping 9 | EXPLORATION_TIMEOUT_FACTOR = 0.75 10 | 11 | def main(): 12 | # Do the parsing up front as importing angr takes time 13 | parser = argparse.ArgumentParser(description="State restauration and MMIO access model identification") 14 | parser.add_argument('statefiles', type=str, help="Path to the file containing the base state to start symbolic execution from", nargs='+') 15 | parser.add_argument('-r', '--result_file_path', default=None, help="Path to text file to append the analysis results to") 16 | parser.add_argument('-c', '--model_config_path', default=None, help="Path to yml config file to update") 17 | parser.add_argument('-C', '--fuzzware-config', default=None, help="Path to fuzzware yml config file to extract mmio region(s)") 18 | parser.add_argument('-t', '--timeout', type=int, default=DEFAULT_TIMEOUT, help=f"Timeout (in seconds)") 19 | 20 | # Debugging and logging 21 | parser.add_argument('-i', '--interactive', default=False, action='store_true', help="Drop into interactive shell in specific spots") 22 | parser.add_argument('-m', '--manual-stepping', default=False, action='store_true', help="Step interactively") 23 | parser.add_argument('-d', '--debug', default=False, action='store_true', help="Enable debug level output") 24 | 25 | args = parser.parse_args() 26 | 27 | if args.fuzzware_config: 28 | args.fuzzware_config = load_config_deep(args.fuzzware_config) 29 | 30 | # Delay import to delay 31 | from .analyze_mmio import perform_analyses 32 | result_lines, model_entries = perform_analyses(args.statefiles, args.fuzzware_config, is_debug=args.debug, timeout=args.timeout) 33 | 34 | if args.model_config_path is not None: 35 | update_config_file(args.model_config_path, model_entries) 36 | 37 | if args.result_file_path is not None: 38 | with open(args.result_file_path, "w") as f: 39 | f.write("\n".join(result_lines)) 40 | else: 41 | print("\n".join(result_lines)) 42 | 43 | if __name__ == '__main__': 44 | main() 45 | -------------------------------------------------------------------------------- /modeling/fuzzware_modeling/angr_utils.py: -------------------------------------------------------------------------------- 1 | import itertools 2 | import pyvex 3 | import angr 4 | 5 | import logging 6 | l = logging.getLogger("utils") 7 | 8 | from .arch_specific.arm_thumb_regs import SCOPE_REG_NAMES, return_reg 9 | 10 | MAX_ACTIVE_STATES = 100 11 | 12 | MAX_DEAD_VARS = 3 13 | MAX_STATES = 20 14 | MAX_CALL_DEPTH = 2 15 | MAX_BB_VISITS = 5 16 | NON_FORKING_STATE_MAX_BB_VISITS = 50 17 | # In order to detect constant models we need to have enough dead variables to reason about 18 | assert(MAX_DEAD_VARS+2 <= MAX_BB_VISITS) 19 | NVIC_RET_START = 0xfffff000 20 | CUSTOM_STASH_NAMES = ['returning_val', 'deep_calls', 'loops', 'vars_dead_but_path_constrained', 'too_many_out_of_scope'] 21 | mmio_addr = None 22 | 23 | def all_states(simulation): 24 | return itertools.chain(*simulation.stashes.values()) 25 | 26 | def has_conditional_statements(state, unconditionals_cache=None): 27 | for bbl_addr in state.history.bbl_addrs: 28 | if unconditionals_cache is not None and bbl_addr in unconditionals_cache: 29 | continue 30 | 31 | block = state.project.factory.block(bbl_addr | 1).vex 32 | if list(block.exit_statements): 33 | return True 34 | 35 | for statement in block.statements: 36 | #statement.pp() 37 | for expr in statement.expressions: 38 | if isinstance(expr, pyvex.expr.ITE): 39 | return True 40 | 41 | unconditionals_cache.add(bbl_addr) 42 | return False 43 | 44 | def contains_var(ast, var): 45 | return var._encoded_name.decode() in ast.variables 46 | 47 | def in_scope_register_values(state): 48 | if state.liveness.returned: 49 | return [return_reg(state)] 50 | else: 51 | return [getattr(state.regs, name) for name in SCOPE_REG_NAMES] 52 | 53 | def is_mmio_address(state, addr): 54 | return state.liveness.base_snapshot.is_mmio_addr(addr) 55 | 56 | def is_ast_mmio_address(state, ast): 57 | try: 58 | addr = state.solver.eval_one(ast) 59 | except Exception as e: 60 | l.info(f"[is_ast_mmio_address] exception for ast={ast}: {e}") 61 | return False 62 | 63 | return is_mmio_address(state, addr) 64 | 65 | def state_returns_val(state): 66 | return (not state.globals['dead_write_to_env']) and any([contains_var(return_reg(state), var) for var in state.liveness.tracked_vars]) 67 | 68 | def state_vars_out_of_scope(state): 69 | # We wrote an mmio value to the environment. Definitely not dead 70 | if state.globals['dead_write_to_env']: 71 | return False 72 | 73 | # Straight up no alive variables are present 74 | if state.liveness.all_vars_dead or not state.liveness.alive_varname_counts: 75 | return True 76 | 77 | # We had a lot of variables go out of scope and only one is left 78 | if state.globals['dead_too_many_out_of_scope'] and len(state.liveness.alive_varname_counts) <= 1: 79 | return True 80 | 81 | # Unless shown otherwise, we assume vars exist in scope 82 | return False 83 | 84 | def state_contains_tracked_mmio_path_constraints(state): 85 | constraint_actions = [action for action in state.history.actions if isinstance(action, angr.state_plugins.sim_action.SimActionConstraint)] 86 | for var in state.liveness.tracked_vars: 87 | for action in constraint_actions: 88 | constraint = action.constraint 89 | if contains_var(constraint, var): 90 | # If the variable is in the constraints, make sure it is not an instruction signal handler 91 | block = state.project.factory.block(action.ins_addr, num_inst=1, thumb=True) 92 | if [ jk for jk in block.vex.constant_jump_targets_and_jumpkinds.values() if jk.startswith("Ijk_Sig") ]: 93 | l.info("Skipping signal related path constraint on mmio access") 94 | else: 95 | return True 96 | return False 97 | 98 | def state_variables_involved_in_loop(state): 99 | constraint_actions = [action for action in state.history.actions if isinstance(action, angr.state_plugins.sim_action.SimActionConstraint)] 100 | for var in state.liveness.tracked_vars: 101 | seen_pcs = set() 102 | for action in constraint_actions: 103 | constraint = action.constraint 104 | if contains_var(constraint, var): 105 | pc = action.ins_addr 106 | if (pc, constraint) in seen_pcs: 107 | return True 108 | seen_pcs.add((pc, constraint)) 109 | return False 110 | 111 | def insn_addr_from_SimIRSBNoDecodeError(e): 112 | # IR decoding error at 0x10006533. 113 | TOK = "IR decoding error at " 114 | msg = str(e) 115 | addr_str_start = msg.index(TOK) + len(TOK) 116 | addr_str_end = msg.index(".", addr_str_start) 117 | addr = int(msg[addr_str_start: addr_str_end], 16) 118 | return addr -------------------------------------------------------------------------------- /modeling/fuzzware_modeling/arch_specific/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware/28ce2dc3f888ecf1bf8d8da314a88b755d0ecc88/modeling/fuzzware_modeling/arch_specific/__init__.py -------------------------------------------------------------------------------- /modeling/fuzzware_modeling/arch_specific/arm_cortexm_mmio_ranges.py: -------------------------------------------------------------------------------- 1 | ARM_CORTEXM_MMIO_START = 0x40000000 2 | ARM_CORTEXM_MMIO_END = 0x60000000 3 | 4 | """ MMIO Ranges """ 5 | DEFAULT_MMIO_RANGES = ( 6 | # CortexM System register ranges 7 | (0xE000E000, 0xE000F004), 8 | ) 9 | -------------------------------------------------------------------------------- /modeling/fuzzware_modeling/arch_specific/arm_thumb_quirks.py: -------------------------------------------------------------------------------- 1 | import logging 2 | import angr 3 | import archinfo 4 | from typing import Tuple 5 | 6 | l = logging.getLogger("QUIRKS") 7 | from fuzzware_modeling.angr_utils import all_states 8 | 9 | OPCODE_BYTE_BKPT = 0xbe 10 | OPCODE_INF_LOOP = 0xe7fe 11 | OPCODE_WFI = 0xbf30 12 | 13 | def try_handling_decode_error(simulation, stash_name, addr): 14 | sample_state = simulation.stashes[stash_name][0] 15 | if addr & 1 == 1 and sample_state.mem_concrete(addr, 1) == OPCODE_BYTE_BKPT: 16 | # Clear block translation cache 17 | sample_state.project.factory.default_engine._block_cache.clear() 18 | for state in all_states(simulation): 19 | assert(state.mem_concrete(addr, 1) == OPCODE_BYTE_BKPT) 20 | state.memory.store(addr-1, OPCODE_WFI, 2, disable_actions=True, inspect=False, endness=state.project.arch.memory_endness) 21 | return True 22 | else: 23 | return False 24 | 25 | def find_itstate_value(initial_state, regs): 26 | """ 27 | Derives the value of the ITSTATE register from a given memory dump and register assignments. 28 | 29 | This works by disassembling backwards from PC and looking for an IT instruction and then deriving 30 | the value from the current PC's offset to the IT instruction. 31 | """ 32 | 33 | # ITSTATE hacks 34 | # We try to recover the IT state in the vex-expected format 35 | # The format is described here: https://github.com/angr/vex/blob/master/pub/libvex_guest_arm.h#L161 36 | # From the current PC, we try to step backwards, each time looking for an IT instruction 37 | # If such an instruction is found, we recover the IT-state, knowing that our current instruction 38 | # is the one to be executed (the required condition is the one which was met in the emulator) 39 | # We can just find our position in the IT block, parse the IT mnemonic to find our condition and 40 | # apply the state based on the rest of the mnemonic 41 | 42 | # Constants derived from their documentation (lower nibble 1: is itblock instr, upper nibble: 0 for always, 1 for never) 43 | ITSTATE_BYTE_EXEC_NEVER = 0xf1 44 | ITSTATE_BYTE_EXEC_ALWAYS = 0x01 45 | 46 | it_state = 0 # normally: no state, just execute 47 | try: 48 | l.info("Looking for IT instruction before us") 49 | start_addr = regs['pc'] # XXX TODO: testing 50 | cs = archinfo.ArchARMCortexM().capstone 51 | look_back = 6 + 2 # 3*2 for 3 previous instructions plus the IT instruction 52 | size = look_back + 4 * 4 53 | 54 | mem = initial_state.solver.eval(initial_state.memory.load(start_addr - look_back, size), cast_to=bytes) 55 | 56 | cs_address, own_size, own_mnemonic, own_opstr = list(cs.disasm_lite(bytes(mem[look_back:]), 8))[0] 57 | # l.info("Own Instr (size: {}): {:#08x}:\t{}\t{}".format(own_size, start_addr, own_mnemonic, own_opstr)) 58 | if own_size == 2: 59 | # We might be in an IT block 60 | # Now look back for a maximum of 4 times, until 61 | # a) we find a 4-byte instruction -> cannot be in it block 62 | # b) we find an IT instruction 63 | for i in range(4): 64 | insns = list(cs.disasm_lite(bytes(mem[look_back - 2 * i - 2:]), 0x1000)) 65 | if not insns: 66 | # disassembling did not make sense at that offset, no need to look further 67 | break 68 | cs_address, cs_size, it_mnemonic, cs_opstr = insns[0] 69 | if cs_size != 2: 70 | break 71 | if it_mnemonic.lower().startswith("it"): 72 | it_block_len = len(it_mnemonic) - 1 73 | if i >= it_block_len: 74 | l.info("Outside it block") 75 | # we are already outside the block 76 | break 77 | 78 | it_state = ITSTATE_BYTE_EXEC_ALWAYS 79 | if it_block_len == 1: 80 | l.info("Single instruction IT block") 81 | # simple conditional execution, exit 82 | break 83 | 84 | l.info("Found ITSTATE instruction!") 85 | 86 | # the current instruction is instruction number 87 | own_position = i 88 | num_following_members = it_block_len - own_position - 1 89 | # l.info("num_following_members: {}".format(num_following_members)) 90 | own_modifier = it_mnemonic[1+own_position] 91 | for offset in range(1, num_following_members+1): 92 | if own_modifier == it_mnemonic[1 + offset]: 93 | # l.info("equal modifier, activate!") 94 | it_state |= (ITSTATE_BYTE_EXEC_ALWAYS << (8 * offset)) 95 | else: 96 | # l.info("other modifier, deactivate...") 97 | it_state |= (ITSTATE_BYTE_EXEC_NEVER << (8 * offset)) 98 | 99 | #it_block_insns = list(cs.disasm_lite(bytes(mem[look_back - 2 * i - 2:look_back - 2 * i - 2 + (it_block_len + 1) * 2]), (it_block_len + 1) * 2)) 100 | ## we need to skip the IT instruction and our own instruction 101 | #following_insns = it_block_insns[own_position+2:] 102 | #for (cs_address, cs_size, cs_mnemonic, cs_opstr) in following_insns: 103 | # l.info(" Instr: {:#08x}:\t{}\t{}".format(regs['pc'], cs_mnemonic, cs_opstr)) 104 | l.info("Generated itstate: 0x{:08x}".format(it_state)) 105 | break 106 | except: 107 | l.info("ERROR during ITSTATE recovery, resetting to 0") 108 | it_state = 0 109 | 110 | return it_state 111 | 112 | ARMG_CC_OP_COPY = 0 113 | def add_special_initstate_reg_vals(initial_state, regs): 114 | # In state restoration, restore condition flags. Execution may rely on condition flags set before. 115 | regs['cc_op'] = ARMG_CC_OP_COPY 116 | 117 | # Also try figuring out the current itstate value 118 | regs['itstate'] = find_itstate_value(initial_state, regs) 119 | 120 | def model_special_strex(initial_state, insn): 121 | """ 122 | STREX Instructions 123 | https://developer.arm.com/documentation/dht0008/a/ch01s02s01 124 | 125 | Model accesses performed by strex specifically. 126 | 127 | This is necessary as Unicorn performs an MMIO read access while angr just moves 128 | the value 0 into the destination register 129 | 130 | For example, the instruction STREX R2, R1, [R0] in 131 | - angr: just stores the value 0 in R2 132 | - unicorn/qemu: reads from address [R0] during the instruction 133 | 134 | The way we handle this is by assigning a passthrough model returning the last written 135 | value to let unicorn figure out whether the value has stayed the same and thus whether 136 | the store operation has succeeded. 137 | 138 | NOTE: This may be a failure case in nieche cases where the firmware requires the operation 139 | to fail (in something like a low-level hardware funtionality debug case). However, this 140 | should never really occur and can still be handled manually. 141 | 142 | To perform the modeling, extract the memory location from the instruction, evaluate it, 143 | and assign a model for the address. 144 | """ 145 | addr_operand = insn.operands[-1].mem 146 | 147 | reg_id = addr_operand.base 148 | offset = addr_operand.disp 149 | reg_name = insn.reg_name(reg_id) 150 | 151 | mmio_addr = initial_state.solver.eval(getattr(initial_state.regs, reg_name.lower()) + offset) 152 | access_pc = initial_state.liveness.base_snapshot.initial_pc 153 | 154 | # Handle sizes of strexb/h/d 155 | # TODO: how is strexd handled? it performs two MMIO accesses at the same time 156 | mmio_access_size = { 157 | 'b': 1, 158 | 'h': 2 159 | }.get(insn.mnemonic[-1:].lower(), 4) 160 | 161 | config_snippet = { 162 | "passthrough": { 163 | f"pc_{access_pc:08x}_mmio_{mmio_addr:08x}": { 164 | 'addr': mmio_addr, 165 | 'pc': access_pc, 166 | 'access_size': mmio_access_size, 167 | 'init_val': 0 168 | } 169 | } 170 | } 171 | descr_string = f"pc: 0x{access_pc:08x}, mmio: 0x{mmio_addr:08x}, special handling: STREX, passthrough model" 172 | 173 | return descr_string, config_snippet 174 | 175 | def model_arch_specific(project, initial_state, base_snapshot, simulation) -> Tuple[str, dict]: 176 | try: 177 | block = project.factory.block(initial_state.addr) 178 | insn = block.capstone.insns[0].insn 179 | 180 | if insn.mnemonic.lower().startswith("strex"): 181 | l.info(f"Got arm/thumb-specific instruction {insn.mnemonic} {insn.op_str}") 182 | insn = block.capstone.insns[0] 183 | return model_special_strex(initial_state, insn.insn) 184 | 185 | except Exception as e: 186 | l.info(f"Got error: {e}") 187 | return None, None 188 | 189 | return None, None -------------------------------------------------------------------------------- /modeling/fuzzware_modeling/arch_specific/arm_thumb_regs.py: -------------------------------------------------------------------------------- 1 | """ WIP place for ARM Thumb specific constants. 2 | This is the result from scraping architecture-specific register name lists from the code. 3 | 4 | TODO: Unify and replace this with archinfo 5 | """ 6 | STATE_SNAPSHOT_REG_LIST = ['r0', 'r1', 'r2', 'r3', 'r4', 7 | 'r5', 'r6', 'r7', 'r8', 'r9', 8 | 'r10', 'r11', 'r12', 'lr', 'pc', 9 | 'sp', 'xpsr'] 10 | 11 | SCOPE_REG_NAMES = ('r0', 'r1', 'r2', 'r3', 'r4', 'r5', 'r6', 'r7', 'r10', 'r11', 'r12', 'lr', 'sp', 'pc') 12 | 13 | REGULAR_REGISTER_NAMES = ('r0', 'r1', 'r2', 'r3', 'r4', 'r5', 'r6', 'r7', 'r8', 'r9', 'r10', 'r11', 'r12', 'lr', 'sp') 14 | 15 | NEWLY_ADDED_CONSTRAINTS_REG_NAMES = ('r0', 'r1', 'r2', 'r3', 'r4', 'r5', 'r6', 'r7', 'r10', 'r11', 'r12', 'lr') 16 | 17 | REG_NAME_PC = 'pc' 18 | REG_NAME_SP = 'sp' 19 | 20 | def return_reg(state): 21 | return state.regs.r0 22 | 23 | def translate_reg_name_to_vex_internal_name(name): 24 | name = name.lower() 25 | 26 | if name == 'xpsr': 27 | name = 'cc_dep1' 28 | 29 | return name 30 | 31 | def leave_reg_untainted(name): 32 | return name in ['itstate', 'cc_op'] -------------------------------------------------------------------------------- /modeling/fuzzware_modeling/base_state_snapshot.py: -------------------------------------------------------------------------------- 1 | from io import BytesIO 2 | import logging 3 | import re 4 | 5 | import angr, claripy 6 | 7 | from .arch_specific import arm_thumb_quirks 8 | from .arch_specific.arm_thumb_regs import STATE_SNAPSHOT_REG_LIST, translate_reg_name_to_vex_internal_name, leave_reg_untainted, REG_NAME_PC, REG_NAME_SP 9 | from .arch_specific.arm_cortexm_mmio_ranges import DEFAULT_MMIO_RANGES, ARM_CORTEXM_MMIO_START, ARM_CORTEXM_MMIO_END 10 | from .angr_utils import contains_var 11 | from .fuzzware_utils.config import load_traces_for_state, get_mmio_ranges 12 | 13 | l = logging.getLogger("BASESTATE") 14 | 15 | reg_regex = re.compile(r"^[^=]{2,4}=0x([0-9a-f]+)$") 16 | 17 | class BaseStateSnapshot: 18 | """ 19 | Information about the concrete restored initial state from which we start 20 | symbolically executing. 21 | """ 22 | 23 | def __init__(self, cfg): 24 | self.init_reg_constraints = [] 25 | self.init_reg_bitvecs = [] 26 | self.init_reg_bitvecvals = [] 27 | self.init_reg_bitvecs_unconstrained = [] 28 | self.init_mem_constraints = [] 29 | self.init_mem_bitvecs = [] 30 | self.init_mem_bitvecvals = [] 31 | self.init_mem_bitvecs_unconstrained = [] 32 | self.regvars_by_name = {} 33 | 34 | self.bb_trace = None 35 | self.ram_trace = None 36 | self.mmio_trace = None 37 | 38 | self.access_pc = None 39 | self.mmio_addr = None 40 | self.mmio_access_size = None 41 | 42 | self.mmio_ranges = list(DEFAULT_MMIO_RANGES) 43 | 44 | self.initial_pc = None 45 | 46 | configured_mmio_ranges = [] 47 | if cfg: 48 | configured_mmio_ranges = get_mmio_ranges(cfg) 49 | for start, end in configured_mmio_ranges: 50 | self.mmio_ranges.append((start, end)) 51 | 52 | if not configured_mmio_ranges: 53 | self.mmio_ranges.append((ARM_CORTEXM_MMIO_START, ARM_CORTEXM_MMIO_END)) 54 | 55 | @property 56 | def all_initial_bitvecs(self): 57 | return self.init_reg_bitvecs + self.init_mem_bitvecs 58 | 59 | @property 60 | def all_unconstrained_bitvecs(self): 61 | return self.init_reg_bitvecs_unconstrained + self.init_mem_bitvecs_unconstrained 62 | 63 | @property 64 | def all_initial_bitvecvals(self): 65 | return self.init_reg_bitvecvals + self.init_mem_bitvecvals 66 | 67 | def unconstrain(self, ast): 68 | """ 69 | In AST, replace variables from initial state with their unconstrained versions 70 | """ 71 | for reg_ast, reg_ast_unconstrained in zip(self.all_initial_bitvecs, self.all_unconstrained_bitvecs): 72 | if contains_var(ast, reg_ast): 73 | l.debug(f"ast to unconstrain contains initial register variable: '{ast}' -> {reg_ast}") 74 | ast = ast.replace(reg_ast, reg_ast_unconstrained) 75 | 76 | return ast 77 | 78 | def concretize(self, target_ast): 79 | """ 80 | In AST, replace variables with their actual value 81 | """ 82 | for ast, bvv in zip(self.all_initial_bitvecs, self.all_initial_bitvecvals): 83 | target_ast = target_ast.replace(ast, bvv) 84 | return target_ast 85 | 86 | def contained_base_vars(self, ast): 87 | """ 88 | Collect all base variables involved in ast 89 | """ 90 | res = [] 91 | 92 | for base_state_ast, base_state_bvv in zip(self.all_initial_bitvecs, self.all_initial_bitvecvals): 93 | if contains_var(ast, base_state_ast): 94 | res.append((base_state_ast, base_state_bvv)) 95 | 96 | return res 97 | 98 | def is_mmio_addr(self, addr): 99 | for start, end in self.mmio_ranges: 100 | if start <= addr <= end: 101 | return True 102 | return False 103 | 104 | def add_custom_mmio_range(self, start, end): 105 | assert not (self.is_mmio_addr(start) or self.is_mmio_addr(end)) 106 | self.mmio_ranges.append((start, end)) 107 | 108 | @classmethod 109 | def from_state_file(cls, statefile, cfg): 110 | base_snapshot = cls(cfg) 111 | base_snapshot.bb_trace, base_snapshot.ram_trace, base_snapshot.mmio_trace = load_traces_for_state(statefile) 112 | 113 | l.info("Loading state file: {}".format(statefile)) 114 | with open(statefile, "r") as state_file: 115 | regs = {} 116 | 117 | for name in STATE_SNAPSHOT_REG_LIST: 118 | line = state_file.readline() 119 | l.debug("Looking at line: '{}'".format(line.rstrip())) 120 | val = int(reg_regex.match(line).group(1), 16) 121 | l.info("Restoring reg val: 0x{:x}".format(val)) 122 | name = translate_reg_name_to_vex_internal_name(name) 123 | regs[name] = val 124 | 125 | line = "" 126 | while line == "": 127 | line = state_file.readline() 128 | 129 | sio = BytesIO(line.encode()+state_file.read().encode()) 130 | 131 | project = angr.Project(sio, arch="ARMCortexM", main_opts={'backend': 'hex', 'entry_point': regs[REG_NAME_PC]|1}) 132 | 133 | # We need the following option in order for CBZ to not screw us over 134 | project.factory.default_engine.default_strict_block_end = True 135 | 136 | initial_state = project.factory.blank_state(addr=regs[REG_NAME_PC]|1) 137 | 138 | arm_thumb_quirks.add_special_initstate_reg_vals(initial_state, regs) 139 | 140 | # apply registers to state 141 | initial_sp = None 142 | for name, val in regs.items(): 143 | if name == REG_NAME_PC: 144 | base_snapshot.initial_pc = val 145 | val |= 1 146 | continue 147 | 148 | if leave_reg_untainted(name): 149 | ast = claripy.BVV(val, 32) 150 | else: 151 | # For initial registers, we taint them by applying an AST with a fixed value via constraints 152 | ast, ast_unconstrained = claripy.BVS(f"initstate_{name}", 32), claripy.BVS("{name}_unconstrained", 32) 153 | bitvecval = claripy.BVV(val, 32) 154 | constraint = ast == bitvecval 155 | 156 | initial_state.add_constraints(constraint) 157 | base_snapshot.regvars_by_name['{}'.format(name)] = ast 158 | base_snapshot.init_reg_bitvecs.append(ast) 159 | base_snapshot.init_reg_bitvecvals.append(bitvecval) 160 | base_snapshot.init_reg_bitvecs_unconstrained.append(ast_unconstrained) 161 | base_snapshot.init_reg_constraints.append(constraint) 162 | 163 | if name == REG_NAME_SP: 164 | initial_sp = val 165 | 166 | setattr(initial_state.regs, name, ast) 167 | 168 | # Taint stack memory by setting constraints on it, as we do for initial registers 169 | stack_readsize = min(256, (2**32)-initial_sp) 170 | stack_mem = initial_state.memory.load(initial_sp, stack_readsize) 171 | stack_mem_ast, stack_mem_ast_unconstrained = ast = claripy.BVS(f"init_mem_sp", 8*stack_readsize), claripy.BVS(f"init_mem_sp_unconstrained", 8*stack_readsize) 172 | constraint = stack_mem_ast == stack_mem 173 | initial_state.add_constraints(constraint) 174 | initial_state.memory.store(initial_sp, stack_mem_ast) 175 | base_snapshot.init_mem_bitvecs.append(stack_mem_ast) 176 | base_snapshot.init_mem_bitvecvals.append(stack_mem) 177 | base_snapshot.init_mem_constraints.append(constraint) 178 | base_snapshot.init_mem_bitvecs_unconstrained.append(stack_mem_ast_unconstrained) 179 | 180 | return project, initial_state, base_snapshot 181 | -------------------------------------------------------------------------------- /modeling/fuzzware_modeling/exploration_techniques.py: -------------------------------------------------------------------------------- 1 | import time 2 | import logging 3 | 4 | import angr, claripy 5 | 6 | from .angr_utils import contains_var, state_returns_val, MAX_CALL_DEPTH, MAX_BB_VISITS, NON_FORKING_STATE_MAX_BB_VISITS, MAX_ACTIVE_STATES 7 | from .arch_specific.arm_thumb_regs import return_reg 8 | 9 | l = logging.getLogger("EXPLORE") 10 | 11 | class MMIOVarScoper(angr.exploration_techniques.ExplorationTechnique): 12 | """ 13 | Exploration technique reacting to dynamic liveness tracking. 14 | """ 15 | def __init__(self): 16 | super(MMIOVarScoper, self).__init__() 17 | 18 | def filter(self, simgr, state, **kwargs): 19 | found = False 20 | if state.liveness.all_vars_dead: 21 | try: 22 | block = state.block(state.addr) 23 | except angr.errors.SimEngineError: 24 | # We can run in here in case we are returning from interrupt handlers 25 | block = None 26 | 27 | if block is not None and state.liveness.base_snapshot.access_pc in block.instruction_addrs: 28 | # We are back to the first block of our MMIO access instruction. Keep on stepping 29 | # The loop detector will prevent us from going overboard with executions 30 | state.liveness.all_vars_dead = False 31 | state.globals['path_constrained'] = False 32 | elif not state.globals['path_constrained']: 33 | found = True 34 | l.warning("State (pc={:x}) MMIO variables all went out of scope and no path constraint: {}".format(state.addr, state)) 35 | else: 36 | l.warning("State (pc={:x}) MMIO variables all went out of scope but path is constrained: {}".format(state.addr, state)) 37 | return 'vars_dead_but_path_constrained' 38 | 39 | if found: 40 | return 'found' 41 | return simgr.filter(state, **kwargs) 42 | 43 | class FunctionReturner(angr.exploration_techniques.ExplorationTechnique): 44 | """ 45 | Exploration technique catching returned states and too deep call stacks. 46 | """ 47 | def __init__(self): 48 | super(FunctionReturner, self).__init__() 49 | self.has_deep_call = False 50 | 51 | def filter(self, simgr, state, **kwargs): 52 | if state.liveness.returned: 53 | l.critical("State (pc={:x}) returned from initial function: {}. retval: {}".format(state.addr, state, return_reg(state))) 54 | if state_returns_val(state): 55 | l.warning("Function returns val, putting into 'returning_val' stash") 56 | return 'returning_val' 57 | else: 58 | return 'found' 59 | 60 | elif state.liveness.call_depth > MAX_CALL_DEPTH: 61 | l.warning("State {} got deep call stack ({}), shifting to alternative stash".format(state, state.liveness.call_depth)) 62 | self.has_deep_call = True 63 | return 'deep_calls' 64 | else: 65 | return simgr.filter(state, **kwargs) 66 | 67 | def successors(self, simgr, state, **kwargs): 68 | successors = simgr.successors(state, **kwargs) 69 | 70 | for successor_state in successors.successors: 71 | if (not successor_state.globals['path_constrained']): 72 | for var in successor_state.liveness.tracked_vars: 73 | # TODO: Convert this to successor_state.history.jump_guards instead as soon as a jump guard shows up for all (including CBZ) instructions 74 | if any([contains_var(guard, var) for guard in successor_state.solver.constraints]): 75 | l.warning("State is now constrained: {}".format(successor_state)) 76 | successor_state.globals['path_constrained'] = True 77 | break 78 | 79 | return successors 80 | 81 | def complete(self, simgr): 82 | if self.has_deep_call: 83 | self.has_deep_call = False 84 | l.warning("State is deep in call stack, completing simulation") 85 | return True 86 | return False 87 | 88 | class FirstStateSplitDetector(angr.exploration_techniques.ExplorationTechnique): 89 | """ 90 | Exploration technique collecting the state prior to the first split. 91 | This state can be used as backup in case we run into errors or explode. 92 | """ 93 | def __init__(self): 94 | super(FirstStateSplitDetector, self).__init__() 95 | self.pre_fork_state = None 96 | self.has_forked_state = False 97 | 98 | def step_state(self, simgr, state, **kwargs): 99 | self.pre_fork_state = state 100 | return simgr.step_state(state, **kwargs) 101 | 102 | def successors(self, simgr, state, **kwargs): 103 | successors = simgr.successors(state, **kwargs) 104 | 105 | if (not self.has_forked_state) and (len(successors.successors) > 1): 106 | self.has_forked_state = True 107 | 108 | msg = "\n=========== FirstStateSplitDetector ================\n" 109 | msg += str(successors) + "\n" 110 | for successor_state in successors.successors: 111 | msg += str(successor_state) + "\n" 112 | msg += "Parent state: {}\n".format(self.pre_fork_state) 113 | msg += "====================================================" 114 | l.warning(msg) 115 | 116 | return successors 117 | 118 | class TimeoutDetector(angr.exploration_techniques.ExplorationTechnique): 119 | """ 120 | Exploration technique stopping execution upon timeout. 121 | """ 122 | def __init__(self, timeout): 123 | self.start = time.time() 124 | self.end = self.start + timeout 125 | self.timeout = timeout 126 | self.timed_out = False 127 | 128 | super(TimeoutDetector, self).__init__() 129 | 130 | def complete(self, simgr): 131 | if time.time() > self.end: 132 | l.warning("[TimeoutDetector] time is up! Timeout of {} seconds expired".format(self.timeout)) 133 | self.timed_out = True 134 | return True 135 | return False 136 | 137 | class StateExplosionDetector(angr.exploration_techniques.ExplorationTechnique): 138 | """ 139 | Exploration technique stopping execution in case too many parallel states are encountered. 140 | """ 141 | def __init__(self): 142 | self.is_exploded = False 143 | super(StateExplosionDetector, self).__init__() 144 | 145 | def complete(self, simgr): 146 | if len(simgr.deferred) > MAX_ACTIVE_STATES: 147 | l.warn("[StateExplosionDetector] Too many parallel states in 'deferred'. Stop stepping") 148 | self.is_exploded = True 149 | return True 150 | return False 151 | 152 | class LoopEscaper(angr.exploration_techniques.ExplorationTechnique): 153 | """ 154 | Exploration technique to avoid taking loops too many times. 155 | """ 156 | def __init__(self, max_visits=MAX_BB_VISITS, debug=False): 157 | super(LoopEscaper, self).__init__() 158 | self.max_visits = max_visits 159 | self.debug = debug 160 | 161 | def filter(self, simgr, state, **kwargs): 162 | 163 | # TODO: maybe we want to keep a count manually if this is impeding performance 164 | num_visits = state.history.bbl_addrs.count(state.addr) 165 | if num_visits >= self.max_visits: 166 | # While we are at too many iterations, see whether there is no state explosion happening, then go on for longer 167 | # For states that exhibit meaningful behavior while being constrained, we cut down on the extended number of loop times 168 | if state.history.jump_guard is claripy.true and (num_visits < (NON_FORKING_STATE_MAX_BB_VISITS if (not state.globals['meaningful_actions_while_constrained']) and state.liveness.call_depth == 0 else NON_FORKING_STATE_MAX_BB_VISITS//5)): 169 | l.info("Stepping through loop at 0x{:08x} an additional time ({}) because no additional states are created".format(state.addr, num_visits)) 170 | else: 171 | l.critical("State (pc={:x}) exceeded max back edge visits: {}".format(state.addr, state)) 172 | 173 | # Put at least one state into the stash to let the analysis know about it 174 | if (not simgr.loops) or self.debug: 175 | return 'loops' 176 | else: 177 | return '_DROP' 178 | elif state.globals['dead_too_many_out_of_scope']: 179 | l.critical("State (pc={:x}) too many MMIO variables went out of scope: {}".format(state.addr, state)) 180 | 181 | # Put at least one state into the stash to let the analysis know about it 182 | if (not simgr.too_many_out_of_scope) or self.debug: 183 | return 'too_many_out_of_scope' 184 | else: 185 | return '_DROP' 186 | else: 187 | return simgr.filter(state, **kwargs) 188 | -------------------------------------------------------------------------------- /modeling/fuzzware_modeling/fuzzware_utils/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware/28ce2dc3f888ecf1bf8d8da314a88b755d0ecc88/modeling/fuzzware_modeling/fuzzware_utils/__init__.py -------------------------------------------------------------------------------- /modeling/fuzzware_modeling/fuzzware_utils/config.py: -------------------------------------------------------------------------------- 1 | import copy 2 | import logging 3 | import os 4 | import yaml 5 | from os.path import isfile, split, join 6 | 7 | """ Utils to deal with fuzzware config parsing and updating 8 | 9 | This duplicates some of the code which can be found in the 10 | emulator repo. 11 | """ 12 | 13 | from .trace_serialization import parse_bbl_trace, parse_mem_trace, parse_mmio_trace 14 | 15 | l = logging.getLogger("UTIL") 16 | 17 | STATE_NAME_TOKEN = "state" 18 | TRACE_NAME_TOKENS = [ 19 | "bbtrace", 20 | "ramtrace", 21 | "mmiotrace" 22 | ] 23 | def load_traces_for_state(statefile_path): 24 | # mmio_access_bbtrace_pc_ mmio_access_mmiotrace_pc_ mmio_access_ramtrace_pc_ mmio_access_state_pc_ 25 | statefile_dir, statefile_name = split(statefile_path) 26 | 27 | # Check whether we have names which 28 | if STATE_NAME_TOKEN not in statefile_name: 29 | l.warning(f"Non-standard naming convention for state file '{statefile_name}'. Not looking for traces.") 30 | return None, None, None 31 | 32 | bb_trace_path = join(statefile_dir, statefile_name.replace(STATE_NAME_TOKEN, TRACE_NAME_TOKENS[0])) 33 | ram_trace_path = join(statefile_dir, statefile_name.replace(STATE_NAME_TOKEN, TRACE_NAME_TOKENS[1])) 34 | mmio_trace_path = join(statefile_dir, statefile_name.replace(STATE_NAME_TOKEN, TRACE_NAME_TOKENS[2])) 35 | 36 | bb_trace = None if not os.path.exists(bb_trace_path) else parse_bbl_trace(bb_trace_path) 37 | ram_trace = None if not os.path.exists(ram_trace_path) else parse_mem_trace(ram_trace_path) 38 | mmio_trace = None if not os.path.exists(mmio_trace_path) else parse_mmio_trace(mmio_trace_path) 39 | 40 | return bb_trace, ram_trace, mmio_trace 41 | 42 | def get_mmio_ranges(cfg): 43 | res = [] 44 | if cfg['memory_map']: 45 | for key in cfg['memory_map']: 46 | if key.startswith('mmio'): 47 | try: 48 | start = cfg['memory_map'][key]['base_addr'] 49 | end = start + cfg['memory_map'][key]['size'] 50 | res.append((start, end)) 51 | except Exception as e: 52 | l.error(f"[-] Failed to parse {cfg['memory_map'][key]} as memory region") 53 | raise e 54 | else: 55 | raise Exception('[!] Memory map not found in fuzzware config') 56 | 57 | return res 58 | 59 | l = logging.getLogger("persist_results") 60 | 61 | def merge_model_conflict(model_type, existing_entry, new_entry): 62 | if model_type == "set": 63 | for val in new_entry['vals']: 64 | if val not in existing_entry['vals']: 65 | l.info("[Set Model Merging] Adding value {:x} to entry".format(val)) 66 | existing_entry['vals'].append(val) 67 | existing_entry['vals'].sort() 68 | return True 69 | elif model_type == "bitextract": 70 | existing_entry['mask'] |= new_entry['mask'] 71 | return True 72 | else: 73 | return False 74 | 75 | def add_config_entries(existing_models, new_models): 76 | """ 77 | Takes a list of newly created model entry maps and adds them to the existing modeling map 78 | new_models would look something like this: 79 | [ 80 | { 81 | 'passthrough': { 82 | pc_deadbeef_mmio_1234: 83 | addr: 0x40012345 84 | pc: 0x123 85 | val: 0x20 86 | }, 87 | 'linear' : { 88 | ... 89 | } 90 | }, 91 | { 92 | 'passthrough': { 93 | ... 94 | }, 95 | 'constant': { 96 | ... 97 | } 98 | } 99 | ] 100 | 101 | @return True, if all merges were completed successfully 102 | """ 103 | all_good = True 104 | for entry in new_models: 105 | for model_type, models in entry.items(): 106 | for model_name, param_map in models.items(): 107 | all_good = all_good and add_config_entry(existing_models, model_type, model_name, param_map) 108 | return all_good 109 | 110 | def add_config_entry(existing_models, model_type, entry_name, param_map): 111 | if model_type not in existing_models: 112 | existing_models[model_type] = {} 113 | 114 | # Check for conflicting model assignments 115 | if entry_name in existing_models[model_type] and existing_models[model_type][entry_name] != param_map: 116 | l.waring("[WARNING] got conflicting model assignments from different states") 117 | if 'conflicts' not in existing_models: 118 | existing_models['conflicts'] = {} 119 | if entry_name not in existing_models['conflicts']: 120 | existing_models['conflicts'][entry_name] = [] 121 | if param_map not in existing_models['conflicts'][entry_name]: 122 | existing_models['conflicts'][entry_name].append(param_map) 123 | 124 | existing_entry = existing_models[model_type][entry_name] 125 | if existing_entry not in existing_models['conflicts'][entry_name]: 126 | existing_models['conflicts'][entry_name].append(copy.deepcopy(existing_entry)) 127 | 128 | l.warning("Merging configs:\nExisting: {}\nConflicting: {}".format(existing_entry, param_map)) 129 | if merge_model_conflict(model_type, existing_entry, param_map): 130 | l.warning("Successfully merged into {}".format(existing_entry)) 131 | # existing_models[model_type][entry_name] = merged_model_entry 132 | else: 133 | l.warning("Merging failed, existing config kept.") 134 | return False 135 | else: 136 | existing_models[model_type][entry_name] = param_map 137 | 138 | return True 139 | 140 | def load_config_shallow(config_filename): 141 | if isfile(config_filename): 142 | with open(config_filename, "r") as config_file: 143 | config_dict = yaml.safe_load(config_file.read()) 144 | # print("loaded config: {}".format(config_dict)) 145 | else: 146 | config_dict = {} 147 | if config_dict is None: 148 | config_dict = {} 149 | 150 | if 'mmio_models' not in config_dict: 151 | config_dict['mmio_models'] = {} 152 | 153 | return config_dict 154 | 155 | def adjust_config_relative_paths(config, base_path): 156 | # "./"-prefixed paths to properly resolve relative to config snippet 157 | if 'memory_map' not in config: 158 | return 159 | 160 | for rname, region in config['memory_map'].items(): 161 | if 'file' in region and region['file'].startswith("./"): 162 | region['file'] = os.path.join(os.path.dirname(base_path), region['file']) 163 | l.debug("Fixed up file path to '{}'".format(region['file'])) 164 | 165 | def resolve_config_includes(config, base_path): 166 | """ 167 | Recursively resolves a config file, adjusting paths along 168 | the way 169 | """ 170 | if 'include' in config: 171 | # Merge config files listed in 'include' in listed order 172 | # Root file gets priority 173 | newconfig = {} 174 | for f in config['include']: 175 | if not f.startswith("/"): 176 | # Make configs relative to the including config file 177 | cur_dir = os.path.dirname(base_path) 178 | f = os.path.abspath(os.path.join(cur_dir, f)) 179 | 180 | l.info(f"\tIncluding configuration from {f}") 181 | with open(f, 'rb') as infile: 182 | other_config_snippet = yaml.load(infile, Loader=yaml.FullLoader) 183 | adjust_config_relative_paths(other_config_snippet, f) 184 | other_config_snippet = resolve_config_includes(other_config_snippet, f) 185 | _merge_dict(newconfig, other_config_snippet) 186 | _merge_dict(newconfig, config) 187 | config = newconfig 188 | return config 189 | 190 | def resolve_config_file_pattern(config_dir_path, f): 191 | """ 192 | Resolve the path pattern in a config to the actual file path 193 | """ 194 | if not f.startswith("/"): 195 | f = os.path.join(config_dir_path, f) 196 | 197 | if '*' in f: 198 | candidates = directory_glob(f) 199 | if len(candidates) != 1: 200 | raise ValueError("Could not unambiguously find pattern '{}' matching paths: {}".format(f, candidates)) 201 | 202 | f = candidates[0] 203 | 204 | return os.path.abspath(f) 205 | 206 | def resolve_region_file_paths(config_file_path, config): 207 | """ 208 | Updates the config map's 'memory_map' entry, resolving patterns 209 | and relative paths. 210 | """ 211 | 212 | for rname, region in config['memory_map'].items(): 213 | path = region.get('file') 214 | if path: 215 | region['file'] = resolve_config_file_pattern(os.path.dirname(config_file_path), path) 216 | l.info("Found path '{}' for pattern '{}'".format(region['file'], path)) 217 | 218 | def load_config_deep(path): 219 | if not os.path.isfile(path): 220 | return {} 221 | with open(path, 'rb') as infile: 222 | config = yaml.load(infile, Loader=yaml.FullLoader) 223 | if config is None: 224 | return {} 225 | return resolve_config_includes(config, path) 226 | 227 | def merge_config_file_into(target_config_path, other_config_path): 228 | additional_config = load_config_shallow(other_config_path) 229 | update_config_file(target_config_path, [additional_config['mmio_models']]) 230 | 231 | def update_config_file(config_filename, model_entries): 232 | """ 233 | Updates a config file in-place with a list of model config trees 234 | """ 235 | 236 | l.debug("Adding config entries: {}".format(model_entries)) 237 | 238 | config_dict = load_config_shallow(config_filename) 239 | 240 | success = add_config_entries(config_dict['mmio_models'], model_entries) 241 | 242 | write_yaml(config_filename, config_dict) 243 | 244 | return success 245 | 246 | def write_yaml(path, config_map): 247 | # Use hex representation of numbers in generated yml file 248 | def hexint_presenter(dumper, data): 249 | return dumper.represent_int(hex(data)) 250 | 251 | yaml.add_representer(int, hexint_presenter) 252 | with open(path, "w") as f: 253 | f.write(yaml.dump(config_map)) 254 | -------------------------------------------------------------------------------- /modeling/fuzzware_modeling/fuzzware_utils/persist_results.py: -------------------------------------------------------------------------------- 1 | import copy 2 | import logging 3 | import os 4 | import yaml 5 | from os.path import isfile 6 | 7 | l = logging.getLogger("persist_results") 8 | 9 | def merge_model_conflict(model_type, existing_entry, new_entry): 10 | if model_type == "set": 11 | for val in new_entry['vals']: 12 | if val not in existing_entry['vals']: 13 | l.info("[Set Model Merging] Adding value {:x} to entry".format(val)) 14 | existing_entry['vals'].append(val) 15 | existing_entry['vals'].sort() 16 | return True 17 | elif model_type == "bitextract": 18 | existing_entry['mask'] |= new_entry['mask'] 19 | return True 20 | else: 21 | return False 22 | 23 | def add_config_entries(existing_models, new_models): 24 | """ 25 | Takes a list of newly created model entry maps and adds them to the existing modeling map 26 | new_models would look something like this: 27 | [ 28 | { 29 | 'passthrough': { 30 | pc_deadbeef_mmio_1234: 31 | addr: 0x40012345 32 | pc: 0x123 33 | val: 0x20 34 | }, 35 | 'linear' : { 36 | ... 37 | } 38 | }, 39 | { 40 | 'passthrough': { 41 | ... 42 | }, 43 | 'constant': { 44 | ... 45 | } 46 | } 47 | ] 48 | 49 | @return True, if all merges were completed successfully 50 | """ 51 | all_good = True 52 | for entry in new_models: 53 | for model_type, models in entry.items(): 54 | for model_name, param_map in models.items(): 55 | all_good = all_good and add_config_entry(existing_models, model_type, model_name, param_map) 56 | return all_good 57 | 58 | def add_config_entry(existing_models, model_type, entry_name, param_map): 59 | if model_type not in existing_models: 60 | existing_models[model_type] = {} 61 | 62 | # entry_name, param_map = list(model_entry.items())[0] 63 | # Check for conflicting model assignments 64 | if entry_name in existing_models[model_type] and existing_models[model_type][entry_name] != param_map: 65 | l.warning("[WARNING] got conflicting model assignments from different states") 66 | if 'conflicts' not in existing_models: 67 | existing_models['conflicts'] = {} 68 | if entry_name not in existing_models['conflicts']: 69 | existing_models['conflicts'][entry_name] = [] 70 | if param_map not in existing_models['conflicts'][entry_name]: 71 | existing_models['conflicts'][entry_name].append(param_map) 72 | 73 | existing_entry = existing_models[model_type][entry_name] 74 | if existing_entry not in existing_models['conflicts'][entry_name]: 75 | existing_models['conflicts'][entry_name].append(copy.deepcopy(existing_entry)) 76 | 77 | l.warning("Merging configs:\nExisting: {}\nConflicting: {}".format(existing_entry, param_map)) 78 | if merge_model_conflict(model_type, existing_entry, param_map): 79 | l.warning("Successfully merged into {}".format(existing_entry)) 80 | # existing_models[model_type][entry_name] = merged_model_entry 81 | else: 82 | l.warning("Merging failed, existing config kept.") 83 | return False 84 | else: 85 | existing_models[model_type][entry_name] = param_map 86 | 87 | return True 88 | 89 | def load_config_shallow(config_filename): 90 | if isfile(config_filename): 91 | with open(config_filename, "r") as config_file: 92 | config_dict = yaml.safe_load(config_file.read()) 93 | # print("loaded config: {}".format(config_dict)) 94 | else: 95 | config_dict = {} 96 | if config_dict is None: 97 | config_dict = {} 98 | 99 | if 'mmio_models' not in config_dict: 100 | config_dict['mmio_models'] = {} 101 | 102 | return config_dict 103 | 104 | def adjust_config_relative_paths(config, base_path): 105 | # "./"-prefixed paths to properly resolve relative to config snippet 106 | if 'memory_map' not in config: 107 | return 108 | 109 | for rname, region in config['memory_map'].items(): 110 | if 'file' in region and region['file'].startswith("./"): 111 | region['file'] = os.path.join(os.path.dirname(base_path), region['file']) 112 | l.debug("Fixed up file path to '{}'".format(region['file'])) 113 | 114 | def resolve_config_includes(config, base_path): 115 | """ 116 | Recursively resolves a config file, adjusting paths along 117 | the way 118 | """ 119 | if 'include' in config: 120 | # Merge config files listed in 'include' in listed order 121 | # Root file gets priority 122 | newconfig = {} 123 | for f in config['include']: 124 | if not f.startswith("/"): 125 | # Make configs relative to the including config file 126 | cur_dir = os.path.dirname(base_path) 127 | f = os.path.abspath(os.path.join(cur_dir, f)) 128 | 129 | l.info(f"\tIncluding configuration from {f}") 130 | with open(f, 'rb') as infile: 131 | other_config_snippet = yaml.load(infile, Loader=yaml.FullLoader) 132 | adjust_config_relative_paths(other_config_snippet, f) 133 | other_config_snippet = resolve_config_includes(other_config_snippet, f) 134 | _merge_dict(newconfig, other_config_snippet) 135 | _merge_dict(newconfig, config) 136 | config = newconfig 137 | return config 138 | 139 | def resolve_config_file_pattern(config_dir_path, f): 140 | """ 141 | Resolve the path pattern in a config to the actual file path 142 | """ 143 | if not f.startswith("/"): 144 | f = os.path.join(config_dir_path, f) 145 | 146 | if '*' in f: 147 | candidates = directory_glob(f) 148 | if len(candidates) != 1: 149 | raise ValueError("Could not unambiguously find pattern '{}' matching paths: {}".format(f, candidates)) 150 | 151 | f = candidates[0] 152 | 153 | return os.path.abspath(f) 154 | 155 | def resolve_region_file_paths(config_file_path, config): 156 | """ 157 | Updates the config map's 'memory_map' entry, resolving patterns 158 | and relative paths. 159 | """ 160 | 161 | for rname, region in config['memory_map'].items(): 162 | path = region.get('file') 163 | if path: 164 | region['file'] = resolve_config_file_pattern(os.path.dirname(config_file_path), path) 165 | l.info("Found path '{}' for pattern '{}'".format(region['file'], path)) 166 | 167 | def load_config_deep(path): 168 | if not os.path.isfile(path): 169 | return {} 170 | with open(path, 'rb') as infile: 171 | config = yaml.load(infile, Loader=yaml.FullLoader) 172 | if config is None: 173 | return {} 174 | return resolve_config_includes(config, path) 175 | 176 | def merge_config_file_into(target_config_path, other_config_path): 177 | additional_config = load_config_shallow(other_config_path) 178 | update_config_file(target_config_path, [additional_config['mmio_models']]) 179 | 180 | def update_config_file(config_filename, model_entries): 181 | """ 182 | Updates a config file in-place with a list of model config trees 183 | """ 184 | 185 | l.debug("Adding config entries: {}".format(model_entries)) 186 | 187 | config_dict = load_config_shallow(config_filename) 188 | 189 | success = add_config_entries(config_dict['mmio_models'], model_entries) 190 | 191 | write_yaml(config_filename, config_dict) 192 | 193 | return success 194 | 195 | def write_yaml(path, config_map): 196 | # Use hex representation of numbers in generated yml file 197 | def hexint_presenter(dumper, data): 198 | return dumper.represent_int(hex(data)) 199 | 200 | yaml.add_representer(int, hexint_presenter) 201 | with open(path, "w") as f: 202 | f.write(yaml.dump(config_map)) 203 | -------------------------------------------------------------------------------- /modeling/fuzzware_modeling/fuzzware_utils/trace_serialization.py: -------------------------------------------------------------------------------- 1 | import re 2 | 3 | def parse_mem_value_text(val_text): 4 | return list(map(lambda x: int(x, 16), val_text.split(" "))) 5 | 6 | # 112f: 12b6 1617 r 4 0x40094008:7c6e5ef4 7c7c7c7c f45e5e7c 5e7f5e5e 5e115f 5e000400 687f7f5e 5e5e405e 5e5e5e5e 1002a2a ff2a2a2a 2a2a2a7f 2a2a2a2a 2a2a2a2a 2a2a2a2a 2b1b2a2a 20050e00 ffff1900 5e5f78ff 97979797 2a2a2a2a 2a2a2a2a 2a3a2a2a 7 | ram_regex = re.compile(r"([0-9a-f]+): ([0-9a-f]+) ([0-9a-f]+) ([rw]) ([\d]) (0x[0-9a-f]+)\:(.*)") 8 | def parse_ram_line(line): 9 | event_id, pc, lr, mode, size, address, val_text = ram_regex.match(line).groups() 10 | 11 | address = int(address, 16) 12 | event_id = int(event_id, 16) 13 | size = int(size) 14 | pc = int(pc, 16) 15 | lr = int(lr, 16) 16 | 17 | return event_id, pc, lr, mode, size, address, val_text 18 | 19 | # 112f: 12b6 1617 r 4 64 4 0x40094008:7c6e5ef4 7c7c7c7c f45e5e7c 5e7f5e5e 5e115f 5e000400 687f7f5e 5e5e405e 5e5e5e5e 1002a2a ff2a2a2a 2a2a2a7f 2a2a2a2a 2a2a2a2a 2a2a2a2a 2b1b2a2a 20050e00 ffff1900 5e5f78ff 97979797 2a2a2a2a 2a2a2a2a 2a3a2a2a 20 | mmio_regex = re.compile(r"([0-9a-f]+): ([0-9a-f]+) ([0-9a-f]+) ([rw]) ([\d]) (\d+) (\d+) (0x[0-9a-f]+)\:(.*)") 21 | def parse_mmio_line(line): 22 | event_id, pc, lr, mode, orig_access_size, access_fuzz_ind, num_consumed_fuzz_bytes, address, val_text = mmio_regex.match(line).groups() 23 | 24 | address = int(address, 16) 25 | event_id = int(event_id, 16) 26 | orig_access_size = int(orig_access_size) 27 | access_fuzz_ind = int(access_fuzz_ind) 28 | num_consumed_fuzz_bytes = int(num_consumed_fuzz_bytes) 29 | pc = int(pc, 16) 30 | lr = int(lr, 16) 31 | 32 | return event_id, pc, lr, mode, orig_access_size, access_fuzz_ind, num_consumed_fuzz_bytes, address, val_text 33 | 34 | # 0000 11c4 0 35 | bb_regex = re.compile(r"([0-9a-f]+) ([0-9a-f]+) ([0-9]+)") 36 | def parse_bb_line(line): 37 | event_id, pc, cnt = bb_regex.match(line).groups() 38 | 39 | event_id = int(event_id, 16) 40 | pc = int(pc, 16) 41 | cnt = int(cnt) 42 | 43 | return event_id, pc, cnt 44 | 45 | def parse_bbl_set_line(line): 46 | return int(line, 16) 47 | 48 | def parse_mmio_set_line(line): 49 | pc, addr, mode = line.split(" ") 50 | return (int(pc, 16), int(addr, 16), mode[0]) 51 | 52 | def _parse_file(filename, line_parser): 53 | try: 54 | with open(filename, "r") as f: 55 | return [line_parser(line) for line in f.readlines() if line] 56 | except FileNotFoundError: 57 | return [] 58 | 59 | def parse_mmio_trace(filename): 60 | return _parse_file(filename, parse_mmio_line) 61 | 62 | def parse_mem_trace(filename): 63 | return _parse_file(filename, parse_ram_line) 64 | 65 | def parse_bbl_trace(filename): 66 | return _parse_file(filename, parse_bb_line) 67 | 68 | def parse_bbl_set(filename): 69 | return _parse_file(filename, parse_bbl_set_line) 70 | 71 | def parse_mmio_set(filename): 72 | return _parse_file(filename, parse_mmio_set_line) 73 | 74 | def _dump_file(entries, filename, line_dumper): 75 | with open(filename, "w") as f: 76 | f.write("\n".join(map(lambda entries: line_dumper(*entries), entries))) 77 | f.flush() 78 | 79 | def dump_mmio_line(event_id, pc, lr, mode, orig_access_size, fuzz_offset, consumed_fuzz_size, address, value): 80 | pl = "{:04x}: {:x} {:x} {} {:d} {:d} {:d} 0x{:08x}:{:x}".format(event_id, pc, lr, mode, orig_access_size, fuzz_offset, consumed_fuzz_size, address, value) 81 | return pl 82 | 83 | def dump_mmio_access_context_set_line(pc, address, access_type): 84 | return "{:x} {:x} {}".format(pc, address, access_type) 85 | 86 | def dump_ram_line(event_id, pc, lr, mode, size, address, values): 87 | pl = "{:04x}: {:x} {:x} {} {:d} 0x{:08x}:{:x}".format(event_id, pc, lr, mode, size, address, values[0]) 88 | 89 | for value in values[1:]: 90 | pl += " {:x}".format(value) 91 | 92 | return pl 93 | 94 | def dump_bbl_set_line(bb_addr): 95 | return "{:x}".format(bb_addr) 96 | 97 | def dump_bbl_line(event_id, bb_addr, count): 98 | return "{:04x} {:x} {:d}".format(event_id, bb_addr, count) 99 | 100 | def dump_bbl_set_file(entries, filename): 101 | _dump_file(entries, filename, dump_bbl_set_line) 102 | 103 | def dump_bbl_trace_file(entries, filename): 104 | _dump_file(entries, filename, dump_bbl_line) 105 | 106 | def dump_ram_trace_file(entries, filename): 107 | _dump_file(entries, filename, dump_ram_line) 108 | 109 | def dump_mmio_trace_file(entries, filename): 110 | _dump_file(entries, filename, dump_mmio_line) 111 | 112 | def dump_mmio_set_file(entries, filename): 113 | _dump_file(entries, filename, dump_mmio_access_context_set_line) -------------------------------------------------------------------------------- /modeling/fuzzware_modeling/inspect_breakpoints.py: -------------------------------------------------------------------------------- 1 | import angr, claripy 2 | 3 | from .angr_utils import contains_var, is_mmio_address, is_ast_mmio_address 4 | from .arch_specific.arm_thumb_regs import NEWLY_ADDED_CONSTRAINTS_REG_NAMES, REG_NAME_SP 5 | 6 | import logging 7 | l = logging.getLogger("MMIO") 8 | 9 | #def inspect_bp_intercept_newly_added_constraints(state): 10 | # for i in range(len(state.inspect.added_constraints)): 11 | # # l.warning(f"before added constraints: {state.inspect.added_constraints[i]}") 12 | # # state.inspect.added_constraints[i] = None 13 | # return 1 14 | 15 | #def inspect_bp_before_(state): 16 | # for i in range(len(state.inspect.added_constraints)): 17 | # l.warning(f"before added constraints: {state.inspect.added_constraints[i]}") 18 | # # state.inspect.added_constraints[i] = None 19 | # return 1 20 | 21 | def inspect_after_address_concretization(state): 22 | if state.inspect.address_concretization_result is None: 23 | try: 24 | concretized_expr = state.liveness.base_snapshot.concretize(state.inspect.address_concretization_expr) 25 | l.warn(f"[inspect_address_concretization AFTER] address expression '{state.inspect.address_concretization_expr}' concretized to None at pc: {state.addr:08x}, trying to intervene.\n Concretized to '{concretized_expr}'") 26 | state.inspect.address_concretization_result = [state.solver.eval_one(concretized_expr)] 27 | l.warn(f"[inspect_address_concretization AFTER] Successfully overwrote to {state.inspect.address_concretization_result[0]:08x}") 28 | except Exception as e: 29 | l.warn(f"[inspect_address_concretization AFTER] Failed to concretize address. Error: {e}.\n bailing out") 30 | state.inspect.address_concretization_result = None 31 | 32 | def inspect_bp_track_newly_added_constraints(state): 33 | """ 34 | Whenever a constraint is added, check whether this fixes a variable to a specific value. 35 | If a variable now has a specific value, replace the register contents with the value. 36 | This allows killing references as early as possible. 37 | """ 38 | symbolic_regs = [reg_name for reg_name in NEWLY_ADDED_CONSTRAINTS_REG_NAMES if getattr(state.regs, reg_name).symbolic] 39 | if not symbolic_regs: 40 | return 41 | 42 | for constraint in state.inspect.added_constraints: 43 | for var in state.liveness.tracked_vars: 44 | if contains_var(constraint, var): 45 | for reg_name, reg_contents in map(lambda name: (name, getattr(state.regs, name)), symbolic_regs): 46 | if contains_var(reg_contents, var): 47 | unconstrained_reg_contents = state.liveness.base_snapshot.unconstrain(reg_contents) 48 | simplified_reg_contents = state.solver.simplify(unconstrained_reg_contents) 49 | try: 50 | if state.solver.unique(simplified_reg_contents, extra_constraints=state.solver.constraints): 51 | concrete_val = state.solver.eval_one(simplified_reg_contents, extra_constraints=state.solver.constraints) 52 | 53 | l.info("Newly added constraint found in register {}: {}, constraint: {}. Only one value left: 0x{:x}. Overriding...".format(reg_name, reg_contents, constraint, concrete_val)) 54 | # Override register value with concrete value. This will trigger liveness counter updates via inspect bps 55 | setattr(state.regs, reg_name, claripy.BVV(concrete_val, 32)) 56 | except angr.errors.SimUnsatError: 57 | # If the solver can not handle one thing, do not bother anymore 58 | return 59 | 60 | def inspect_bp_trace_ret(state): 61 | # l.warning("At exit inspect breakpoint from {:x} to {}, jumpkind: {}, guard: {}".format(state.addr, state.inspect.exit_target, state.inspect.exit_jumpkind, state.inspect.exit_guard)) 62 | 63 | # ret: decrement call depths 64 | if state.inspect.exit_jumpkind == "Ijk_Ret": 65 | # We cannot seem to use a "return" bp here as these are not hit 66 | # when the returns errors (which happens for us for interrupt returns) 67 | state.liveness.leave_function(state) 68 | 69 | def inspect_bp_trace_call(state): 70 | # if state.inspect.exit_jumpkind == "Ijk_Call": 71 | l.debug("Calling into 0x{:08x}".format(state.addr)) 72 | if state.globals['path_constrained']: 73 | state.globals['meaningful_actions_while_constrained'] = True 74 | state.liveness.enter_function(state) 75 | 76 | def inspect_bp_trace_liveness_reg(state): 77 | # Resolve reg_write_offset because it might be a BV32 value 78 | reg_write_offset = state.solver.eval(state.inspect.reg_write_offset) 79 | if reg_write_offset not in state.globals['regular_reg_offsets']: 80 | return 81 | 82 | # If reg_write_length is not set use the expr length instead. 83 | # This has to be done because size MUST NOT be None if passed to load. 84 | reg_write_length = state.inspect.reg_write_length if state.inspect.reg_write_length else state.inspect.reg_write_expr.length // state.arch.byte_width 85 | 86 | state.liveness.on_before_reg_write(state.inspect.reg_write_expr, reg_write_offset, reg_write_length) 87 | 88 | def inspect_bp_trace_liveness_mem(state): 89 | addr = state.solver.eval(state.inspect.mem_write_address) 90 | if addr == state.liveness.base_snapshot.mmio_addr and len(state.liveness.tracked_vars) == 1 and contains_var(state.inspect.mem_write_expr, state.liveness.tracked_vars[0]): 91 | l.warning(f"config_write_performed set for state: {state}, written expression: {state.inspect.mem_write_expr}, first tracked variable: {state.liveness.tracked_vars[0]}") 92 | # We have a write to the mmio address which we originally read from: keep this as a note for config model detection 93 | state.globals['config_write_performed'] = True 94 | # The tracked address also is an MMIO address, not relevant for liveness tracking 95 | return 96 | elif is_mmio_address(state, addr): 97 | return 98 | elif state.globals['path_constrained']: 99 | state.globals['meaningful_actions_while_constrained'] = True 100 | 101 | if state.inspect.mem_write_address.symbolic and contains_var(state.inspect.mem_write_address, state.liveness.base_snapshot.regvars_by_name[REG_NAME_SP]): 102 | # Write to local variable 103 | l.debug("[{:x}] Write to local variable!".format(state.addr)) 104 | l.debug("Target: {}, val: {}".format(state.inspect.mem_write_address, state.inspect.mem_write_expr)) 105 | 106 | # If mem_write_length is not set use the expr length instead. 107 | # This has to be done because size MUST NOT be None if passed to load. 108 | mem_write_length = state.inspect.mem_write_length if state.inspect.mem_write_length else state.inspect.mem_write_expr.length // state.arch.byte_width 109 | 110 | state.liveness.on_before_stack_mem_write(addr, state.inspect.mem_write_expr, mem_write_length) 111 | else: 112 | value_variable_names = [e._encoded_name for e in state.inspect.mem_write_expr.leaf_asts() if e.symbolic] 113 | # We got a write to memory outside of stack/MMIO. Check whether we are writing something that depends on tracked MMIO inputs 114 | for ast in state.liveness.tracked_vars: 115 | if ast._encoded_name in value_variable_names: 116 | # We are writing an MMIO input to the environment. Bail out 117 | l.warning("[{:x}] MMIO value {} written out to the environment ([{:x}]={})".format(state.addr, ast, addr, state.inspect.mem_write_expr)) 118 | state.globals['dead_write_to_env'] = True 119 | 120 | def inspect_cond_is_mmio_read(state): 121 | return is_ast_mmio_address(state, state.inspect.mem_read_address) 122 | 123 | def inspect_bp_mmio_intercept_read_after(state): 124 | # Ignore symbolic MMIO addresses 125 | try: 126 | state.solver.eval_one(state.inspect.mem_read_address) 127 | except Exception as e: 128 | l.info(f"inspect_bp_mmio_intercept_read_after error for addr {state.inspect.mem_read_address}: {e}") 129 | return 130 | 131 | state.liveness.on_after_mmio_mem_read(state.inspect.mem_read_address, state.inspect.mem_read_expr, state.inspect.mem_read_length) 132 | 133 | def inspect_bp_singleton_ensure_mmio(state): 134 | read_addr = state.solver.eval(state.inspect.mem_read_address) 135 | read_pc = state.addr 136 | 137 | if read_pc | 1 != state.liveness.base_snapshot.initial_pc | 1: 138 | raise Exception("First MMIO access not performed on first instruction. This is likely due to an unsupported instruction.") 139 | 140 | if not is_mmio_address(state, read_addr): 141 | start = read_addr & (~0xfff) 142 | l.warning("Adding non-configured MMIO page at: 0x{:08x}".format(start)) 143 | state.liveness.base_snapshot.add_custom_mmio_range(start, start + 0x1000) 144 | 145 | state.liveness.base_snapshot.access_pc = state.addr 146 | state.liveness.base_snapshot.mmio_addr = read_addr 147 | state.liveness.base_snapshot.mmio_access_size = state.inspect.mem_read_length 148 | l.warning(f"Found first MMIO access from {state.liveness.base_snapshot.access_pc:08x} to address: {read_addr:08x}") 149 | 150 | state.inspect.remove_breakpoint("mem_read", state.globals['tmp_mmio_bp']) 151 | 152 | def inspect_bp_trace_reads(state): 153 | is_mmio_access = is_ast_mmio_address(state, state.inspect.mem_read_address) 154 | l.info(f'Read {state.inspect.mem_read_expr} at {state.inspect.mem_read_address} with condition {state.inspect.mem_read_condition} from {hex(state.addr)} is mmio read? -> {is_mmio_access}') 155 | 156 | def inspect_bp_trace_writes(state): 157 | is_mmio_access = is_ast_mmio_address(state, state.inspect.mem_write_address) 158 | l.info(f'Write {state.inspect.mem_write_expr} to {state.inspect.mem_write_address} with condition {state.inspect.mem_write_condition} from {hex(state.addr)} is mmio write? -> {is_mmio_access}') 159 | 160 | # concretize addresses before access 161 | def inspect_bp_mem_read(state): 162 | if state.satisfiable() and state.solver.unique(state.inspect.mem_read_address): 163 | l.debug("concretizeing memory read address: %s", state.inspect.mem_read_address) 164 | state.inspect.mem_read_address = state.solver.eval(state.inspect.mem_read_address) 165 | l.debug("concretized read address: %s", state.inspect.mem_read_address) 166 | 167 | def inspect_bp_mem_write(state): 168 | if state.satisfiable() and state.solver.unique(state.inspect.mem_write_address): 169 | l.debug("concretizeing memory write address: %s", state.inspect.mem_write_address) 170 | state.inspect.mem_write_address = state.solver.eval(state.inspect.mem_write_address) 171 | l.debug("concretized write address: %s", state.inspect.mem_write_address) 172 | -------------------------------------------------------------------------------- /modeling/fuzzware_modeling/liveness_plugin.py: -------------------------------------------------------------------------------- 1 | import angr 2 | import claripy 3 | import archinfo 4 | import copy 5 | import logging 6 | from .base_state_snapshot import BaseStateSnapshot 7 | 8 | from .angr_utils import MAX_DEAD_VARS, NVIC_RET_START 9 | l = logging.getLogger("LIVENESS") 10 | 11 | class StackFrame: 12 | def __init__(self, base_sp=None, tracked_addrs=None): 13 | # We use a None base_sp as the catchall base_sp for the first frame as we do not know the real stack start 14 | self.base_sp = base_sp 15 | self.tracked_addrs = {} if tracked_addrs is None else tracked_addrs 16 | 17 | def holds_local_var(self, addr): 18 | return addr in self.tracked_addrs 19 | 20 | def add_local_var_addr(self, addr, size): 21 | self.tracked_addrs[addr] = size 22 | 23 | def remove_local_var_addr(self, addr): 24 | return self.tracked_addrs.pop(addr) 25 | 26 | def possibly_in_frame(self, addr): 27 | return self.base_sp is None or self.base_sp >= addr 28 | 29 | def copy(self): 30 | return StackFrame(self.base_sp, copy.deepcopy(self.tracked_addrs)) 31 | 32 | class LivenessPlugin(angr.SimStatePlugin): 33 | base_snapshot: BaseStateSnapshot 34 | 35 | alive_varname_counts: dict 36 | tracked_vars: list 37 | stackframes: list 38 | returned: bool 39 | all_vars_dead: bool 40 | 41 | def __init__(self, base_snapshot, alive_vars=None, tracked_vars=None, returned=False, stackframes=None, all_vars_dead=False): 42 | super(LivenessPlugin, self).__init__() 43 | # Type: {: [, ], : [, ]} 44 | self.alive_varname_counts = alive_vars if alive_vars is not None else {} 45 | self.tracked_vars = tracked_vars if tracked_vars is not None else [] 46 | 47 | # The base snapshot is a singleton for each restored state 48 | self.base_snapshot = base_snapshot 49 | self.returned = returned 50 | self.all_vars_dead = all_vars_dead 51 | 52 | if stackframes is None: 53 | # Create initial stackframe 54 | self.stackframes = [StackFrame()] 55 | else: 56 | self.stackframes = stackframes 57 | 58 | @angr.SimStatePlugin.memo 59 | def copy(self, memo): 60 | return LivenessPlugin(self.base_snapshot, copy.deepcopy(self.alive_varname_counts), copy.deepcopy(self.tracked_vars), returned=self.returned, stackframes=[f.copy() for f in self.stackframes], all_vars_dead=self.all_vars_dead) 61 | 62 | @property 63 | def call_depth(self): 64 | return len(self.stackframes) - 1 65 | 66 | def _remove_ref(self, varname): 67 | self.alive_varname_counts[varname] -= 1 68 | l.warning("[%x] Decreasing alive var ref: %r, #refs now: %d", self.state.addr, varname, self.alive_varname_counts[varname]) 69 | if self.alive_varname_counts[varname] == 0: 70 | l.warning("Removing %r from mmio alive list", varname) 71 | self.alive_varname_counts.pop(varname) 72 | 73 | if not self.alive_varname_counts: 74 | self.all_vars_dead = True 75 | elif len(self.tracked_vars) >= MAX_DEAD_VARS and not self.state.globals['dead_too_many_out_of_scope']: 76 | l.warning("################# GOT more than maximum number of tracked vars") 77 | kill = True 78 | for var in self.tracked_vars[:MAX_DEAD_VARS]: 79 | if var._encoded_name.decode() in self.alive_varname_counts: 80 | kill = False 81 | if kill: 82 | l.warning("Too many first variables went out of scope, setting flag") 83 | self.state.globals['dead_too_many_out_of_scope'] = True 84 | 85 | def _add_ref(self, varname): 86 | self.alive_varname_counts[varname] += 1 87 | l.warning("[%x] Increasing alive var ref: %r, #refs now: %d", self.state.addr, varname, self.alive_varname_counts[varname]) 88 | 89 | def _remove_scratch_reg_refs(self): 90 | for reg in [self.state.regs.r1, self.state.regs.r2, self.state.regs.r3, self.state.regs.lr]: 91 | for varname in reg.variables: 92 | if varname in self.alive_varname_counts: 93 | l.debug("Function return liveness updates; decreasing count for variable: %r", varname) 94 | self._remove_ref(varname) 95 | 96 | def enter_function(self, state): 97 | """ 98 | Called upon function calls. 99 | 100 | This sets up a stack frame to track local variable writes. 101 | """ 102 | # Do not add any frames after we already 103 | if not self.stackframes: 104 | return 105 | if not state.satisfiable(): 106 | l.warning("SimState not satisfiable during enter_function") 107 | return 108 | 109 | self.stackframes.append(StackFrame(state.solver.eval(state.regs.sp))) 110 | 111 | def leave_function(self, state): 112 | """ 113 | Called upon function return. 114 | 115 | This deals with the cleanup of stack frames and their references. 116 | """ 117 | if not state.satisfiable(): 118 | l.warning("SimState not satisfiable during leave_function") 119 | return 120 | 121 | l.warning("[%x] Returning from function", state.addr) 122 | 123 | # In case we already returned from the top level function, don't deal with stack writes anymore 124 | if not self.stackframes: 125 | return 126 | 127 | # Pop stack frame and remove all remaining references to 128 | curr_frame = self.stackframes.pop() 129 | for addr, size in curr_frame.tracked_addrs.items(): 130 | contents = state.memory.load(addr, size, disable_actions=True, inspect=False) 131 | for varname in contents.variables: 132 | if varname in self.alive_varname_counts: 133 | self._remove_ref(varname) 134 | 135 | # For top level function return, also remove scratch registers from scope 136 | if not self.stackframes: 137 | l.warning("[{:x}] Returned from top level function".format(state.addr)) 138 | self.returned = True 139 | self._remove_scratch_reg_refs() 140 | if NVIC_RET_START <= state.addr <= NVIC_RET_START | 0xfff: 141 | l.critical("returning from ISR") 142 | 143 | def on_before_reg_write(self, write_expr, reg_write_offset, write_len): 144 | """ 145 | Called before register is written to. 146 | 147 | This tracks variable references in registers. 148 | """ 149 | # Tick up written references 150 | if write_expr.symbolic: 151 | # angr may keep an ast expression around which contains a var which is meaningless 152 | write_expr = self.state.solver.simplify(write_expr) 153 | for varname in write_expr.variables: 154 | if varname in self.alive_varname_counts: 155 | self._add_ref(varname) 156 | 157 | # Kill overwritten references 158 | old_val = self.state.registers.load(reg_write_offset, write_len, disable_actions=True, inspect=False, endness=archinfo.Endness.LE) 159 | if old_val.symbolic: 160 | for varname in self.state.solver.simplify(old_val).variables: 161 | if varname in self.alive_varname_counts: 162 | self._remove_ref(varname) 163 | 164 | def on_before_stack_mem_write(self, write_addr, write_expr, write_len): 165 | """ 166 | Called before memory is written to the stack. 167 | 168 | This tracks variable references in stack frames. 169 | """ 170 | l.debug("Stack write. write_addr: %x, write_expr: %r, write_len: %r", write_addr, write_expr, write_len) 171 | 172 | # 0. We might write to the stack after we left the toplevel function 173 | if not self.stackframes: 174 | # Just track normally in this case 175 | for varname in write_expr.variables: 176 | if varname in self.alive_varname_counts: 177 | self._add_ref(varname) 178 | 179 | old_val = self.state.memory.load(write_addr, write_len, disable_actions=True, inspect=False, endness=archinfo.Endness.LE) 180 | for varname in old_val.variables: 181 | if varname in self.alive_varname_counts: 182 | self._remove_ref(varname) 183 | 184 | return 185 | 186 | # 1. First find the stack frame the value is written to 187 | frame = self.stackframes[0] 188 | for i in range(len(self.stackframes)-1, 0, -1): 189 | if self.stackframes[i].base_sp != self.stackframes[i - 1].base_sp and self.stackframes[i].possibly_in_frame(write_addr): 190 | frame = self.stackframes[i] 191 | l.debug("Using deep stack frame at index %d, base_sp: %x", i, frame.base_sp) 192 | break 193 | 194 | # 2. Tick the reference count up 195 | for varname in write_expr.variables: 196 | if varname in self.alive_varname_counts: 197 | self._add_ref(varname) 198 | 199 | l.debug("Stack variable write to %x [tracked addresses: %r]", write_addr, list(map(hex, frame.tracked_addrs))) 200 | 201 | # 3. Now do bookkeeping about the address. If the address is not yet tracked, don't look at old_val 202 | if write_addr in frame.tracked_addrs: 203 | old_val = self.state.memory.load(write_addr, write_len, disable_actions=True, inspect=False, endness=archinfo.Endness.LE) 204 | l.debug("Address already tracked, checking previous contents for override: %r", old_val) 205 | for varname in old_val.variables: 206 | if varname in self.alive_varname_counts: 207 | self._remove_ref(varname) 208 | else: 209 | l.debug("Not yet tracking stack variable, adding %x", write_addr) 210 | frame.tracked_addrs[write_addr] = write_len 211 | 212 | def on_after_mmio_mem_read(self, read_addr, read_expr, read_len): 213 | """ 214 | Called after memory is read. 215 | 216 | This adds MMIO variables and possibly tracks them 217 | """ 218 | addr = self.state.solver.eval(read_addr) 219 | 220 | new_var = claripy.BVS('mmio_{:08x}'.format(addr), 8* read_len) 221 | 222 | if not self.returned and addr == self.base_snapshot.mmio_addr and self.state.addr == self.base_snapshot.access_pc: 223 | l.warning(f"Adding mmio variable {new_var} {new_var._encoded_name}") 224 | self.alive_varname_counts[new_var._encoded_name.decode()] = 0 225 | self.tracked_vars.append(new_var) 226 | 227 | self.state.inspect.mem_read_expr = new_var 228 | -------------------------------------------------------------------------------- /modeling/fuzzware_modeling/logging_utils.py: -------------------------------------------------------------------------------- 1 | import logging 2 | 3 | LOGGER_NAMES = ( 4 | "ANA", 5 | "utils", 6 | "BASESTATE", 7 | "DETECTION", 8 | "EXPLORE", 9 | "MMIO", 10 | "LIVENESS", 11 | "QUIRKS", 12 | "UTIL", 13 | "persist_results", 14 | ) 15 | 16 | def set_log_levels(level): 17 | for name in LOGGER_NAMES: 18 | logger = logging.getLogger(name) 19 | logger.setLevel(level) 20 | -------------------------------------------------------------------------------- /modeling/fuzzware_modeling/rq_worker.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | from rq import Connection, Worker 3 | import redis 4 | import argparse 5 | 6 | # Import the libraries which we know the worker will need every time after its fork 7 | import angr 8 | import claripy 9 | import archinfo 10 | 11 | parser = argparse.ArgumentParser(description="Fuzzware modeling worker") 12 | parser.add_argument('queues', nargs="+") 13 | parser.add_argument('--burst', default=False, action='store_true', help="Run in burst mode?") 14 | parser.add_argument('--port', default=6379, help="Connect to redis on the specified port.") 15 | args = parser.parse_args() 16 | 17 | with Connection(redis.Redis(port=args.port)): 18 | qs = args.queues 19 | 20 | w = Worker(qs) 21 | 22 | w.work(burst=args.burst) 23 | -------------------------------------------------------------------------------- /modeling/requirements.txt: -------------------------------------------------------------------------------- 1 | click==7.1.2 2 | rq~=1.16 3 | PyYAML>=5.3 4 | intelhex 5 | capstone==5.0.3 6 | angr==9.2.61 7 | IPython 8 | -------------------------------------------------------------------------------- /modeling/setup.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | """ 3 | Python package for the fuzzware pipeline. 4 | """ 5 | import os 6 | from setuptools import setup 7 | 8 | def get_packages(rel_dir): 9 | packages = [rel_dir] 10 | for x in os.walk(rel_dir): 11 | # break into parts 12 | base = list(os.path.split(x[0])) 13 | if base[0] == "": 14 | del base[0] 15 | 16 | for mod_name in x[1]: 17 | packages.append(".".join(base + [mod_name])) 18 | 19 | return packages 20 | 21 | setup(name='fuzzware_modeling', 22 | version='1.0', 23 | description='Python package for the fuzzware modeling component.', 24 | author='Tobias Scharnowski', 25 | author_email='tobias.scharnowski@rub.de', 26 | url='https://www.syssec.ruhr-uni-bochum.de/chair', 27 | packages=get_packages('fuzzware_modeling'), 28 | entry_points = { 29 | 'console_scripts': [ 30 | 'fuzzware_model = fuzzware_modeling:main' 31 | ] 32 | } 33 | ) 34 | -------------------------------------------------------------------------------- /modeling/setup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | [[ ! -z $WORKON_HOME ]] || { echo "[ERROR] WORKON_HOME not set..."; exit 1; } 4 | 5 | # install fuzzware with angr instead 6 | modeling_venv_name="fuzzware-modeling" 7 | echo "[*] Installing modeling component in venv '$modeling_venv_name'" 8 | 9 | MODELING_VENV_PYTHON3=${MODELING_VENV_PYTHON3:-/usr/bin/python3} 10 | 11 | # check whether installation is supported on local system due to python3 / angr compatibility 12 | $MODELING_VENV_PYTHON3 -c 'import sys; assert sys.version_info >= (3,8)' &>/dev/null || { 13 | echo "[ERROR] Your python3 version is too low for an installation on your local system." 14 | echo 15 | echo "The version of angr which is used requires Python 3.8+." 16 | echo "As a workaround, you may install a newer version of python3 (>=3.8 should work) and set the MODELING_VENV_PYTHON3 environment variable to its path (currently, '$MODELING_VENV_PYTHON3' is used)." 17 | exit 1 18 | } 19 | 20 | /usr/bin/python3 -m virtualenv --python=$MODELING_VENV_PYTHON3 "$WORKON_HOME/$modeling_venv_name" 21 | venv_pip="$WORKON_HOME/$modeling_venv_name/bin/pip" 22 | if [ ! -e "$venv_pip" ]; then 23 | echo "Creating virtualenv $modeling_venv_name" 24 | mkvirtualenv -p $MODELING_VENV_PYTHON3 $modeling_venv_name || exit 1 25 | fi 26 | 27 | $venv_pip install -U -r requirements.txt || exit 1 28 | $venv_pip install -U . || exit 1 29 | 30 | exit 0 31 | -------------------------------------------------------------------------------- /run_docker.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | IMAGE="" 4 | targets_dir="" 5 | cmd="" 6 | while [[ $# -gt 0 ]]; do 7 | case $1 in 8 | -d) 9 | shift 10 | targets_dir="$1" 11 | shift 12 | ;; 13 | -h) 14 | echo "Usage: []" 15 | echo "Alternative Usage if you want to specify a docker-image: -r -d -c []" 16 | exit;; 17 | -c) 18 | shift 19 | while [ "$1" ]; do 20 | if [ "$1" = "-d" ] || [ "$1" = "-r" ]; then 21 | break 22 | fi 23 | cmd="$cmd $1" 24 | shift 25 | done 26 | ;; 27 | -r) 28 | shift 29 | if [ "$1" = "-d" ] || [ "$1" = "-c" ]; then 30 | echo "Provide image-name when using -r!" 31 | exit 32 | fi 33 | IMAGE="$1" 34 | shift 35 | ;; 36 | *) 37 | targets_dir="$1" 38 | shift 39 | while [ "$1" ]; do 40 | cmd="$cmd $1" 41 | shift 42 | done 43 | ;; 44 | esac 45 | done 46 | 47 | if [ -z "$targets_dir" ]; then 48 | targets_dir="$DIR/examples" 49 | echo "[*] defaulting to targets_dir '$targets_dir'"; 50 | fi 51 | 52 | [[ -d "$targets_dir" ]] || { echo "directory $targets_dir does not exist" && exit 1; } 53 | 54 | if [ -z "$cmd" ]; then 55 | cmd="/bin/bash" 56 | echo "[*] defaulting to cmd '$cmd'" 57 | fi 58 | 59 | echo "[+] Mapping local dir '$targets_dir' into container" 60 | echo "[+] Executing command: '$cmd'" 61 | # Map targets directory into container 62 | if [ ! -t 0 ]; then 63 | docker_options="-i" 64 | echo "[+] Running with -i" 65 | else 66 | docker_options="-it" 67 | echo "[+] Running with -it" 68 | fi 69 | 70 | if [[ -z "$IMAGE" ]]; then 71 | docker run \ 72 | "$docker_options" \ 73 | --mount type=bind,source="$(realpath $targets_dir)",target=/home/user/fuzzware/targets \ 74 | "fuzzware:latest" $cmd 75 | else 76 | echo "Runing docker with image $IMAGE" 77 | docker run \ 78 | "$docker_options" \ 79 | --mount type=bind,source="$(realpath $targets_dir)",target=/home/user/fuzzware/targets \ 80 | "fuzzware:$IMAGE" $cmd 81 | fi 82 | -------------------------------------------------------------------------------- /scripts/cartographer_cov_conversion.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | import sys 3 | if len(sys.argv) < 3: 4 | print("Usage: cartographer_cov_conversion.py ") 5 | exit(0) 6 | 7 | with open(sys.argv[1], "r") as f: 8 | addrs = [int(l, 16) for l in f.readlines()] 9 | 10 | out = "EZCOV VERSION: 1\n" 11 | for addr in addrs: 12 | out += f"{hex(addr)}, 1, [ MAIN ]\n" 13 | 14 | with open(sys.argv[2], "w") as f: 15 | f.write(out) 16 | -------------------------------------------------------------------------------- /scripts/idapython/idapy_detect_exitats.py: -------------------------------------------------------------------------------- 1 | import idaapi 2 | from idaapi import * 3 | 4 | inifinite_loops = [ 5 | b"\x00\xbf\xfd\xe7", # loop: nop; b loop 6 | b"\xfe\xe7", # loop: b loop 7 | ] 8 | 9 | whitelist = [ 10 | "Reset_Handler", 11 | "main" 12 | ] 13 | 14 | def detect_noret_funcs(): 15 | exit_locs_name_pairs = [] 16 | for func_addr in Functions(): 17 | if get_func_flags(func_addr) & idaapi.FUNC_NORET: 18 | name = get_func_name(func_addr) 19 | 20 | if name not in whitelist: 21 | print("noret function: '{}' at 0x{:x}".format(name, func_addr)) 22 | exit_locs_name_pairs.append((func_addr, name)) 23 | return exit_locs_name_pairs 24 | 25 | def detect_exit_ats(add_noret_functions=False): 26 | # 0. find BKPTs 27 | exit_locs = [] 28 | 29 | # 1. find noret functions if requested 30 | if add_noret_functions: 31 | exit_locs += detect_noret_funcs() 32 | 33 | cnt = 0 34 | # 2. find infinite loops and BKPT instructions 35 | for segea in Segments(): 36 | for funcea in Functions(segea, get_segm_end(segea)): 37 | functionName = get_func_name(funcea) 38 | for (startea, endea) in Chunks(funcea): 39 | for head in Heads(startea, endea): 40 | # print(functionName, ":", "0x%08x"%(head), ":", GetDisasm(head)) 41 | for loop_code in inifinite_loops: 42 | if get_bytes(head, len(loop_code)) == loop_code: 43 | print("Found endless loop: 0x{:x} (function {})".format(head, functionName)) 44 | exit_locs.append((head, "endless_loop_{:02d}_{}".format(cnt, functionName))) 45 | cnt += 1 46 | if print_insn_mnem(head) == 'BKPT': 47 | print("Found bkpt: 0x{:x} (function {})".format(head, functionName)) 48 | exit_locs.append((head, "bkpt_{:02d}_{}".format(cnt, functionName))) 49 | cnt += 1 50 | 51 | return exit_locs 52 | 53 | def print_exit_ats(add_noret_functions=False): 54 | exit_locs = detect_exit_ats(add_noret_functions=add_noret_functions) 55 | print("exit_at:") 56 | for addr, name in exit_locs: 57 | print(" {}: 0x{:08x}".format(name, addr)) 58 | 59 | def dump_exit_ats(filename="exit_ats.yml"): 60 | exit_locs = detect_exit_ats() 61 | with open(filename, "w") as f: 62 | f.write("exit_at:\n") 63 | for addr, name in exit_locs: 64 | f.write(" {}: 0x{:08x}\n".format(name, addr)) 65 | 66 | dump_exit_ats() 67 | -------------------------------------------------------------------------------- /scripts/idapython/idapy_dump_symbols_yml.py: -------------------------------------------------------------------------------- 1 | from idaapi import * 2 | 3 | def dump_syms(outfile_path="syms.yml"): 4 | with open(outfile_path, "w") as f: 5 | f.write("symbols:\n") 6 | for addr, name in Names(): 7 | f.write(" 0x{:x}: '{}'\n".format(addr, name)) 8 | 9 | dump_syms() 10 | -------------------------------------------------------------------------------- /scripts/idapython/idapy_dump_valid_basic_block_list.py: -------------------------------------------------------------------------------- 1 | import idaapi 2 | from idaapi import * 3 | 4 | # While opening in IDA, set processor options to ARMv7-M for P2IM / uEmu targets 5 | # Otherwise, some instructions will be interpreted as data rather than instructions 6 | 7 | SegEnd = get_segm_end 8 | GetFunctionName = get_func_name 9 | def collect_post_call_instruction_starts(): 10 | res = set() 11 | 12 | # collect all heads following calls within functions 13 | for segea in Segments(): 14 | for funcea in Functions(segea, SegEnd(segea)): 15 | functionName = GetFunctionName(funcea) 16 | for (startea, endea) in Chunks(funcea): 17 | for head in Heads(startea, endea): 18 | mnem = print_insn_mnem(prev_head(head, head-4)) 19 | if mnem and "bl" in mnem.lower(): 20 | res.add(head) 21 | 22 | return res 23 | 24 | def collect_bbs_from_flowchart(): 25 | result = set() 26 | 27 | for fn_addr in Functions(): 28 | f = idaapi.FlowChart(idaapi.get_func(fn_addr)) 29 | for block in f: 30 | result.add(block.start_ea) 31 | for succ_block in block.succs(): 32 | result.add(succ_block.start_ea) 33 | for pred_block in block.preds(): 34 | result.add(pred_block.start_ea) 35 | 36 | return result 37 | 38 | def dump_bbl_starts_txt(out_file_path="valid_basic_blocks.txt"): 39 | instruction_starts = collect_bbs_from_flowchart() | collect_post_call_instruction_starts() 40 | with open(out_file_path, "wb") as f: 41 | for instr in sorted(instruction_starts): 42 | f.write("{:x}\n".format(instr).encode()) 43 | 44 | dump_bbl_starts_txt() 45 | -------------------------------------------------------------------------------- /scripts/set_inotify_limits.sh: -------------------------------------------------------------------------------- 1 | [[ $(id -u) -ne 0 ]] || { echo "Please run as root"; exit 1; } 2 | 3 | echo 524288 > /proc/sys/fs/inotify/max_user_watches 4 | echo 512 > /proc/sys/fs/inotify/max_user_instances 5 | 6 | cat /proc/sys/fs/inotify/max_user_watches 7 | cat /proc/sys/fs/inotify/max_user_instances -------------------------------------------------------------------------------- /ubuntu_install_docker.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Install a recent version of Docker. 3 | # Convenience script following to https://docs.docker.com/engine/install/ubuntu/ 4 | 5 | OS_NAME="$(awk -F= '/^NAME/{print $2}' /etc/os-release)" 6 | if [ "$OS_NAME" == '"Ubuntu"' ]; then 7 | if [ "$(which docker 2>/dev/null)" = "" ]; then 8 | sudo apt-get update 9 | sudo apt-get -y install \ 10 | apt-transport-https \ 11 | ca-certificates \ 12 | curl \ 13 | gnupg-agent \ 14 | software-properties-common 15 | 16 | curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add - 17 | 18 | sudo add-apt-repository \ 19 | "deb [arch=amd64] https://download.docker.com/linux/ubuntu \ 20 | $(lsb_release -cs) \ 21 | stable" 22 | 23 | sudo apt-get install -y docker-ce docker-ce-cli containerd.io 24 | else 25 | echo "Docker already installed. Exiting..." 26 | exit 0 27 | fi 28 | else 29 | echo "Not running on Ubuntu. Exiting..." 30 | exit 1 31 | fi 32 | -------------------------------------------------------------------------------- /update.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | git submodule update --init --recursive 3 | git pull --recurse-submodules 4 | --------------------------------------------------------------------------------