├── 01-access-modeling-for-fuzzing ├── p2im-unittests │ ├── F103 │ │ ├── ARDUINO-F103-ADC │ │ │ ├── ARDUINO-F103-ADC.bin │ │ │ ├── ARDUINO-F103-ADC.elf │ │ │ └── config.yml │ │ ├── ARDUINO-F103-GPIO │ │ │ ├── ARDUINO-F103-GPIO.bin │ │ │ ├── ARDUINO-F103-GPIO.elf │ │ │ └── config.yml │ │ ├── ARDUINO-F103-GPIO_INT │ │ │ ├── ARDUINO-F103-GPIO_INT.bin │ │ │ ├── ARDUINO-F103-GPIO_INT.elf │ │ │ └── config.yml │ │ ├── ARDUINO-F103-I2C │ │ │ ├── ARDUINO-F103-I2C.bin │ │ │ ├── ARDUINO-F103-I2C.elf │ │ │ └── config.yml │ │ ├── ARDUINO-F103-PWM │ │ │ ├── ARDUINO-F103-PWM.bin │ │ │ ├── ARDUINO-F103-PWM.elf │ │ │ └── config.yml │ │ ├── ARDUINO-F103-SPI │ │ │ ├── ARDUINO-F103-SPI.bin │ │ │ ├── ARDUINO-F103-SPI.elf │ │ │ └── config.yml │ │ ├── ARDUINO-F103-Serial │ │ │ ├── ARDUINO-F103-Serial.bin │ │ │ ├── ARDUINO-F103-Serial.elf │ │ │ └── config.yml │ │ ├── F103-RIOT-GPIO │ │ │ ├── F103-RIOT-GPIO.bin │ │ │ ├── F103-RIOT-GPIO.elf │ │ │ └── config.yml │ │ ├── F103-RIOT-GPIO_INT │ │ │ ├── F103-RIOT-GPIO_INT.bin │ │ │ ├── F103-RIOT-GPIO_INT.elf │ │ │ └── config.yml │ │ ├── F103-RIOT-I2C │ │ │ ├── F103-RIOT-I2C.bin │ │ │ ├── F103-RIOT-I2C.elf │ │ │ └── config.yml │ │ ├── F103-RIOT-SPI │ │ │ ├── F103-RIOT-SPI.bin │ │ │ ├── F103-RIOT-SPI.elf │ │ │ └── config.yml │ │ ├── F103-RIOT-TIMER │ │ │ ├── F103-RIOT-TIMER.bin │ │ │ ├── F103-RIOT-TIMER.elf │ │ │ └── config.yml │ │ ├── F103-RIOT-USART-Read │ │ │ ├── F103-RIOT-USART-Read.bin │ │ │ ├── F103-RIOT-USART-Read.elf │ │ │ └── config.yml │ │ ├── F103-RIOT-USART │ │ │ ├── F103-RIOT-USART.bin │ │ │ ├── F103-RIOT-USART.elf │ │ │ └── config.yml │ │ ├── NUTTX-F103-ADC │ │ │ ├── NUTTX-F103-ADC.bin │ │ │ ├── NUTTX-F103-ADC.elf │ │ │ └── config.yml │ │ ├── NUTTX-F103-GPIO │ │ │ ├── NUTTX-F103-GPIO.bin │ │ │ ├── NUTTX-F103-GPIO.elf │ │ │ └── config.yml │ │ ├── NUTTX-F103-GPIO_INT │ │ │ ├── NUTTX-F103-GPIO_INT.bin │ │ │ ├── NUTTX-F103-GPIO_INT.elf │ │ │ └── config.yml │ │ ├── NUTTX-F103-I2C │ │ │ ├── NUTTX-F103-I2C.bin │ │ │ ├── NUTTX-F103-I2C.elf │ 
│ │ └── config.yml │ │ ├── NUTTX-PWM │ │ │ ├── NUTTX-PWM.bin │ │ │ ├── NUTTX-PWM.elf │ │ │ └── config.yml │ │ ├── NUTTX-SPI │ │ │ ├── NUTTX-SPI.bin │ │ │ ├── NUTTX-SPI.elf │ │ │ └── config.yml │ │ └── NUTTX-USART │ │ │ ├── NUTTX-USART.bin │ │ │ ├── NUTTX-USART.elf │ │ │ └── config.yml │ ├── K64F │ │ ├── K64F-RIOT-ADC │ │ │ ├── K64F-RIOT-ADC.bin │ │ │ ├── K64F-RIOT-ADC.elf │ │ │ └── config.yml │ │ ├── K64F-RIOT-GPIO │ │ │ ├── K64F-RIOT-GPIO.bin │ │ │ ├── K64F-RIOT-GPIO.elf │ │ │ └── config.yml │ │ ├── K64F-RIOT-GPIO_INT │ │ │ ├── K64F-RIOT-GPIO_INT.bin │ │ │ ├── K64F-RIOT-GPIO_INT.elf │ │ │ └── config.yml │ │ ├── K64F-RIOT-I2C │ │ │ ├── K64F-RIOT-I2C.bin │ │ │ ├── K64F-RIOT-I2C.elf │ │ │ └── config.yml │ │ ├── K64F-RIOT-PWM │ │ │ ├── K64F-RIOT-PWM.bin │ │ │ ├── K64F-RIOT-PWM.elf │ │ │ └── config.yml │ │ ├── K64F-RIOT-SPI │ │ │ ├── K64F-RIOT-SPI.bin │ │ │ ├── K64F-RIOT-SPI.elf │ │ │ └── config.yml │ │ ├── K64F-RIOT-TIMER │ │ │ ├── K64F-RIOT-TIMER.bin │ │ │ ├── K64F-RIOT-TIMER.elf │ │ │ └── config.yml │ │ ├── K64F-RIOT-USART-Read │ │ │ ├── K64F-RIOT-USART-Read.bin │ │ │ ├── K64F-RIOT-USART-Read.elf │ │ │ └── config.yml │ │ └── K64F-RIOT-USART │ │ │ ├── K64F-RIOT-USART.bin │ │ │ ├── K64F-RIOT-USART.elf │ │ │ └── config.yml │ ├── README.md │ ├── SAM3X │ │ ├── ARDUINO-SAM3-ADC │ │ │ ├── ARDUINO-SAM3-ADC.bin │ │ │ ├── ARDUINO-SAM3-ADC.elf │ │ │ └── config.yml │ │ ├── ARDUINO-SAM3-DAC │ │ │ ├── ARDUINO-SAM3-DAC.bin │ │ │ ├── ARDUINO-SAM3-DAC.elf │ │ │ └── config.yml │ │ ├── ARDUINO-SAM3-GPIO │ │ │ ├── ARDUINO-SAM3-GPIO.bin │ │ │ ├── ARDUINO-SAM3-GPIO.elf │ │ │ └── config.yml │ │ ├── ARDUINO-SAM3-GPIO_INT │ │ │ ├── ARDUINO-SAM3-GPIO_INT.bin │ │ │ ├── ARDUINO-SAM3-GPIO_INT.elf │ │ │ └── config.yml │ │ ├── ARDUINO-SAM3-I2C │ │ │ ├── ARDUINO-SAM3-I2C.bin │ │ │ ├── ARDUINO-SAM3-I2C.elf │ │ │ └── config.yml │ │ ├── ARDUINO-SAM3-PWM │ │ │ ├── ARDUINO-SAM3-PWM.bin │ │ │ ├── ARDUINO-SAM3-PWM.elf │ │ │ └── config.yml │ │ ├── ARDUINO-SAM3-SPI │ │ │ ├── ARDUINO-SAM3-SPI.bin │ │ │ ├── 
ARDUINO-SAM3-SPI.elf │ │ │ └── config.yml │ │ ├── ARDUINO-SAM3-Serial │ │ │ ├── ARDUINO-SAM3-Serial.bin │ │ │ ├── ARDUINO-SAM3-Serial.elf │ │ │ └── config.yml │ │ ├── SAM3-RIOT-ADC │ │ │ ├── SAM3-RIOT-ADC.bin │ │ │ ├── SAM3-RIOT-ADC.elf │ │ │ └── config.yml │ │ ├── SAM3-RIOT-DAC │ │ │ ├── SAM3-RIOT-DAC.bin │ │ │ ├── SAM3-RIOT-DAC.elf │ │ │ └── config.yml │ │ ├── SAM3-RIOT-GPIO │ │ │ ├── SAM3-RIOT-GPIO.bin │ │ │ ├── SAM3-RIOT-GPIO.elf │ │ │ └── config.yml │ │ ├── SAM3-RIOT-GPIO_INT │ │ │ ├── SAM3-RIOT-GPIO_INT.bin │ │ │ ├── SAM3-RIOT-GPIO_INT.elf │ │ │ └── config.yml │ │ ├── SAM3-RIOT-PWM │ │ │ ├── SAM3-RIOT-PWM.bin │ │ │ ├── SAM3-RIOT-PWM.elf │ │ │ └── config.yml │ │ ├── SAM3-RIOT-SPI │ │ │ ├── SAM3-RIOT-SPI.bin │ │ │ ├── SAM3-RIOT-SPI.elf │ │ │ └── config.yml │ │ ├── SAM3-RIOT-TIMER │ │ │ ├── SAM3-RIOT-TIMER.bin │ │ │ ├── SAM3-RIOT-TIMER.elf │ │ │ └── config.yml │ │ ├── SAM3-RIOT-USART-Read │ │ │ ├── SAM3-RIOT-USART-Read.bin │ │ │ ├── SAM3-RIOT-USART-Read.elf │ │ │ └── config.yml │ │ └── SAM3-RIOT-USART │ │ │ ├── SAM3-RIOT-USART.bin │ │ │ ├── SAM3-RIOT-USART.elf │ │ │ └── config.yml │ ├── check_results.py │ ├── groundtruth.csv │ ├── run_experiment.sh │ └── run_fuzzers.sh └── pw-discovery │ ├── ARCH_PRO │ ├── basic_exercises.bin │ ├── basic_exercises.elf │ ├── config.yml │ ├── milestone_bbs.txt │ └── valid_basic_blocks.txt │ ├── EFM32GG_STK3700 │ ├── basic_exercises.bin │ ├── basic_exercises.elf │ ├── config.yml │ ├── milestone_bbs.txt │ └── valid_basic_blocks.txt │ ├── EFM32LG_STK3600 │ ├── basic_exercises.bin │ ├── basic_exercises.elf │ ├── config.yml │ ├── milestone_bbs.txt │ └── valid_basic_blocks.txt │ ├── LPC1549 │ ├── basic_exercises.bin │ ├── basic_exercises.elf │ ├── config.yml │ ├── milestone_bbs.txt │ └── valid_basic_blocks.txt │ ├── LPC1768 │ ├── basic_exercises.bin │ ├── basic_exercises.elf │ ├── config.yml │ ├── milestone_bbs.txt │ └── valid_basic_blocks.txt │ ├── MOTE_L152RC │ ├── basic_exercises.bin │ ├── basic_exercises.elf │ ├── config.yml │ ├── 
milestone_bbs.txt │ └── valid_basic_blocks.txt │ ├── NUCLEO_F103RB │ ├── basic_exercises.bin │ ├── basic_exercises.elf │ ├── config.yml │ ├── milestone_bbs.txt │ └── valid_basic_blocks.txt │ ├── NUCLEO_F207ZG │ ├── basic_exercises.bin │ ├── basic_exercises.elf │ ├── config.yml │ ├── milestone_bbs.txt │ └── valid_basic_blocks.txt │ ├── NUCLEO_L152RE │ ├── basic_exercises.bin │ ├── basic_exercises.elf │ ├── config.yml │ ├── milestone_bbs.txt │ └── valid_basic_blocks.txt │ ├── README.md │ ├── UBLOX_C027 │ ├── basic_exercises.bin │ ├── basic_exercises.elf │ ├── config.yml │ ├── milestone_bbs.txt │ └── valid_basic_blocks.txt │ ├── run_experiment.sh │ ├── run_metric_aggregation.py │ ├── run_targets.sh │ ├── ssh_based_collect_results.sh │ └── ssh_based_kickoff_experiments.sh ├── 02-comparison-with-state-of-the-art ├── P2IM │ ├── CNC │ │ ├── CNC.bin │ │ ├── CNC.elf │ │ ├── base_inputs │ │ │ └── random │ │ ├── config.yml │ │ ├── syms.yml │ │ └── valid_basic_blocks.txt │ ├── Console │ │ ├── Console.bin │ │ ├── Console.elf │ │ ├── base_inputs │ │ │ └── random │ │ ├── config.yml │ │ ├── syms.yml │ │ └── valid_basic_blocks.txt │ ├── Drone │ │ ├── Drone.bin │ │ ├── Drone.elf │ │ ├── base_inputs │ │ │ └── ex1 │ │ ├── config.yml │ │ ├── syms.yml │ │ └── valid_basic_blocks.txt │ ├── Gateway │ │ ├── Gateway.bin │ │ ├── Gateway.elf │ │ ├── base_inputs │ │ │ └── ex7_new │ │ ├── config.yml │ │ ├── syms.yml │ │ └── valid_basic_blocks.txt │ ├── Heat_Press │ │ ├── Heat_Press.bin │ │ ├── Heat_Press.elf │ │ ├── base_inputs │ │ │ └── random │ │ ├── config.yml │ │ ├── syms.yml │ │ └── valid_basic_blocks.txt │ ├── PLC │ │ ├── PLC.bin │ │ ├── PLC.elf │ │ ├── base_inputs │ │ │ └── modbus_cmd3 │ │ ├── config.yml │ │ ├── syms.yml │ │ └── valid_basic_blocks.txt │ ├── Reflow_Oven │ │ ├── Reflow_Oven.bin │ │ ├── Reflow_Oven.elf │ │ ├── base_inputs │ │ │ └── random │ │ ├── config.yml │ │ ├── syms.yml │ │ └── valid_basic_blocks.txt │ ├── Robot │ │ ├── Robot.bin │ │ ├── Robot.elf │ │ ├── base_inputs │ │ 
│ └── ex7_new │ │ ├── config.yml │ │ ├── syms.yml │ │ └── valid_basic_blocks.txt │ ├── Soldering_Iron │ │ ├── Soldering_Iron.bin │ │ ├── Soldering_Iron.elf │ │ ├── base_inputs │ │ │ └── random │ │ ├── config.yml │ │ ├── syms.yml │ │ └── valid_basic_blocks.txt │ └── Steering_Control │ │ ├── Steering_Control.bin │ │ ├── Steering_Control.elf │ │ ├── base_inputs │ │ └── random │ │ ├── config.yml │ │ ├── syms.yml │ │ └── valid_basic_blocks.txt ├── README.md ├── run_experiment.sh ├── run_metric_aggregation.py ├── run_targets.sh ├── ssh_based_collect_results.sh ├── ssh_based_kickoff_experiments.sh └── uEmu │ ├── 6LoWPAN_Receiver │ ├── HAL.atmel_6lowpan_udp_rx.bin │ ├── HAL.atmel_6lowpan_udp_rx.elf │ ├── config.yml │ ├── syms.yml │ └── valid_basic_blocks.txt │ ├── 6LoWPAN_Sender │ ├── HAL.atmel_6lowpan_udp_tx.bin │ ├── HAL.atmel_6lowpan_udp_tx.elf │ ├── config.yml │ ├── syms.yml │ └── valid_basic_blocks.txt │ ├── LiteOS_IoT │ ├── config.yml │ ├── syms.yml │ ├── uEmu.LiteOS_IoT.bin │ ├── uEmu.LiteOS_IoT.elf │ └── valid_basic_blocks.txt │ ├── RF_Door_Lock │ ├── Pretender.max32_rf_door_lock.bin │ ├── Pretender.max32_rf_door_lock.elf │ ├── config.yml │ ├── syms.yml │ └── valid_basic_blocks.txt │ ├── Thermostat │ ├── Pretender.max32_thermostat.bin │ ├── Pretender.max32_thermostat.elf │ ├── config.yml │ ├── syms.yml │ └── valid_basic_blocks.txt │ ├── XML_Parser │ ├── XML_Parser.bin │ ├── XML_Parser.elf │ ├── config.yml │ ├── syms.yml │ └── valid_basic_blocks.txt │ ├── Zepyhr_SocketCan │ ├── config.yml │ ├── syms.yml │ ├── uEmu.zephyrsocketcan.bin │ ├── uEmu.zephyrsocketcan.elf │ └── valid_basic_blocks.txt │ ├── uEmu.3Dprinter │ ├── config.yml │ ├── syms.yml │ ├── uEmu.3Dprinter.bin │ ├── uEmu.3Dprinter.elf │ └── valid_basic_blocks.txt │ ├── uEmu.GPSTracker │ ├── config.yml │ ├── syms.yml │ ├── uEmu.GPSTracker.bin │ ├── uEmu.GPSTracker.elf │ └── valid_basic_blocks.txt │ ├── utasker_MODBUS │ ├── config.yml │ ├── syms.yml │ ├── uEmu.uTasker_MODBUS.bin │ ├── uEmu.uTasker_MODBUS.elf 
│ └── valid_basic_blocks.txt │ └── utasker_USB │ ├── config.yml │ ├── syms.yml │ ├── uEmu.uTaskerV1.4_USB_STM32429ZI.bin │ ├── uEmu.uTaskerV1.4_USB_STM32429ZI.elf │ └── valid_basic_blocks.txt ├── 03-fuzzing-new-targets ├── README.md ├── bug-details │ ├── CVE-2020-10064-Zephyr-802154-frame-size-underflow.md │ ├── CVE-2020-10065-Zephyr-bt-hci_over_spi-oflow.md │ ├── CVE-2020-10066-Zephyr-bt-hci_core-error-handling.md │ ├── CVE-2020-12140-Contiki-NG-l2cap-frame-size.md │ ├── CVE-2020-12141-Contiki-NG-SNMP-string-decode.md │ ├── CVE-2021-3319_Zephyr_802154_address_validation_DATA_frame.md │ ├── CVE-2021-3320_Zephyr_802154_ACK_frame_type_confusion.md │ ├── CVE-2021-3321_Zephyr_802154_header_size_integer_underflow.md │ ├── CVE-2021-3322_Zephyr_802154_fragment_reassembly_single_frag_crash.md │ ├── CVE-2021-3323_Zephyr_802154_uncompress_IPHC_header_integer_uflow_new_frag_decomp.md │ ├── CVE-2021-3329_Zephyr_BT_hostlayer_HCI_buflen_handshake.md │ ├── CVE-2021-3330_Zephyr_802154_fragment_reassembly_sorting.md │ └── README.md ├── contiki-ng │ ├── building │ │ ├── base_configs │ │ │ └── contiki_common.yml │ │ ├── build_sample_CVE-2020-12140.sh │ │ ├── build_sample_CVE-2020-12141.sh │ │ ├── build_sample_HALucinator_CVE-2019-9183.sh │ │ ├── gen_target_configs.sh │ │ ├── patches │ │ │ ├── 6lowpan_sample.patch │ │ │ ├── cc2538_norom.patch │ │ │ ├── cc2538_read.patch │ │ │ ├── fix-l2cap-issues.patch │ │ │ ├── l2cap_sample.patch │ │ │ ├── snmp_sample.patch │ │ │ └── transparent_mac.patch │ │ └── run_in_contiki_docker.sh │ ├── prebuilt_samples │ │ ├── CVE-2020-12140 │ │ │ ├── POC │ │ │ │ ├── README.md │ │ │ │ ├── config.yml │ │ │ │ ├── crashing_input │ │ │ │ └── run.sh │ │ │ ├── config.yml │ │ │ ├── hello-world.bin │ │ │ ├── hello-world.elf │ │ │ └── valid_basic_blocks.txt │ │ ├── CVE-2020-12141 │ │ │ ├── POC │ │ │ │ ├── README.md │ │ │ │ ├── config.yml │ │ │ │ ├── crashing_input │ │ │ │ └── run.sh │ │ │ ├── config.yml │ │ │ ├── snmp-server.bin │ │ │ ├── snmp-server.elf │ │ │ └── 
valid_basic_blocks.txt │ │ └── CVE-HALucinator-CVE-2019-9183 │ │ │ ├── POC-max-size-check │ │ │ ├── README.md │ │ │ ├── config.yml │ │ │ ├── crashing_input │ │ │ └── run.sh │ │ │ ├── POC-min-size-check │ │ │ ├── README.md │ │ │ ├── config.yml │ │ │ ├── crashing_input │ │ │ └── run.sh │ │ │ ├── config.yml │ │ │ ├── hello-world.bin │ │ │ ├── hello-world.elf │ │ │ └── valid_basic_blocks.txt │ └── rebuild_targets.sh ├── run_experiment.sh ├── run_targets.sh └── zephyr-os │ ├── building │ ├── base_configs │ │ ├── CVE-2021-3330.yml │ │ ├── zephyr_debug_snippets.yml │ │ ├── zephyr_default.yml │ │ ├── zephyr_exits.yml │ │ └── zephyr_skips.yml │ ├── build_sample_CVE-2020-10064.sh │ ├── build_sample_CVE-2020-10065.sh │ ├── build_sample_CVE-2020-10066.sh │ ├── build_sample_CVE-2021-3319.sh │ ├── build_sample_CVE-2021-3320.sh │ ├── build_sample_CVE-2021-3321.sh │ ├── build_sample_CVE-2021-3322.sh │ ├── build_sample_CVE-2021-3323.sh │ ├── build_sample_CVE-2021-3329.sh │ ├── build_sample_CVE-2021-3330.sh │ ├── build_sample_missing_rf_size_check_fix.sh │ ├── build_sample_missing_watchdog_fix.sh │ ├── docker_build_802154_sample.sh │ ├── docker_build_bt_sample.sh │ ├── docker_build_sample.sh │ ├── gen_target_configs.sh │ ├── patches │ │ ├── backport-CVE-2021-3321.patch │ │ ├── bt_hci_cmd_timeout.patch │ │ ├── bt_hostonly_build.patch │ │ ├── fix-CVE-2020-10065.patch │ │ ├── fix-CVE-2021-3323.patch │ │ ├── ieee802154_reass_timeout.patch │ │ ├── ieee802154_rf2xx_size_check.patch │ │ ├── spi_sam_flat_read.patch │ │ └── wdt_sam_watchdog_callback_check.patch │ └── run_in_zephyr_docker.sh │ ├── prebuilt_samples │ ├── CVE-2020-10064 │ │ ├── POC │ │ │ ├── README.md │ │ │ ├── config.yml │ │ │ ├── crashing_input │ │ │ └── run.sh │ │ ├── config.yml │ │ ├── valid_basic_blocks.txt │ │ ├── zephyr-CVE-2020-10064.bin │ │ └── zephyr-CVE-2020-10064.elf │ ├── CVE-2020-10065 │ │ ├── POC │ │ │ ├── README.md │ │ │ ├── config.yml │ │ │ ├── crashing_input │ │ │ └── run.sh │ │ ├── config.yml │ │ ├── 
valid_basic_blocks.txt │ │ ├── zephyr-CVE-2020-10065.bin │ │ └── zephyr-CVE-2020-10065.elf │ ├── CVE-2020-10066 │ │ ├── POC │ │ │ ├── README.md │ │ │ ├── config.yml │ │ │ ├── crashing_input │ │ │ └── run.sh │ │ ├── config.yml │ │ ├── valid_basic_blocks.txt │ │ ├── zephyr-CVE-2020-10066.bin │ │ └── zephyr-CVE-2020-10066.elf │ ├── CVE-2021-3319 │ │ ├── POC │ │ │ ├── README.md │ │ │ ├── config.yml │ │ │ ├── crashing_input │ │ │ └── run.sh │ │ ├── config.yml │ │ ├── valid_basic_blocks.txt │ │ ├── zephyr-CVE-2021-3319.bin │ │ └── zephyr-CVE-2021-3319.elf │ ├── CVE-2021-3320 │ │ ├── POC │ │ │ ├── README.md │ │ │ ├── config.yml │ │ │ ├── crashing_input │ │ │ └── run.sh │ │ ├── config.yml │ │ ├── valid_basic_blocks.txt │ │ ├── zephyr-CVE-2021-3320.bin │ │ └── zephyr-CVE-2021-3320.elf │ ├── CVE-2021-3321 │ │ ├── POC │ │ │ ├── README.md │ │ │ ├── config.yml │ │ │ ├── crashing_input │ │ │ └── run.sh │ │ ├── config.yml │ │ ├── valid_basic_blocks.txt │ │ ├── zephyr-CVE-2021-3321.bin │ │ └── zephyr-CVE-2021-3321.elf │ ├── CVE-2021-3322 │ │ ├── POC │ │ │ ├── README.md │ │ │ ├── config.yml │ │ │ ├── crashing_input │ │ │ └── run.sh │ │ ├── config.yml │ │ ├── valid_basic_blocks.txt │ │ ├── zephyr-CVE-2021-3322.bin │ │ └── zephyr-CVE-2021-3322.elf │ ├── CVE-2021-3323 │ │ ├── POC │ │ │ ├── README.md │ │ │ ├── config.yml │ │ │ ├── crashing_input │ │ │ └── run.sh │ │ ├── config.yml │ │ ├── valid_basic_blocks.txt │ │ ├── zephyr-CVE-2021-3323.bin │ │ └── zephyr-CVE-2021-3323.elf │ ├── CVE-2021-3329 │ │ ├── POC │ │ │ ├── README.md │ │ │ ├── config.yml │ │ │ ├── crashing_input │ │ │ └── run.sh │ │ ├── config.yml │ │ ├── valid_basic_blocks.txt │ │ ├── zephyr-CVE-2021-3329.bin │ │ └── zephyr-CVE-2021-3329.elf │ ├── CVE-2021-3330 │ │ ├── POC │ │ │ ├── README.md │ │ │ ├── config.yml │ │ │ ├── crashing_input │ │ │ └── run.sh │ │ ├── config.yml │ │ ├── valid_basic_blocks.txt │ │ ├── zephyr-CVE-2021-3330.bin │ │ └── zephyr-CVE-2021-3330.elf │ ├── CVE-no-CVE-false-positive-rf-size-check │ │ ├── POC 
│ │ │ ├── README.md │ │ │ ├── config.yml │ │ │ ├── crashing_input │ │ │ └── run.sh │ │ ├── config.yml │ │ ├── valid_basic_blocks.txt │ │ ├── zephyr-CVE-no-CVE-false-positive-rf-size-check.bin │ │ └── zephyr-CVE-no-CVE-false-positive-rf-size-check.elf │ └── CVE-no-CVE-false-positive-watchdog-callback │ │ ├── POC │ │ ├── README.md │ │ ├── config.yml │ │ ├── crashing_input │ │ └── run.sh │ │ ├── config.yml │ │ ├── valid_basic_blocks.txt │ │ ├── zephyr-CVE-no-CVE-false-positive-watchdog-callback.bin │ │ └── zephyr-CVE-no-CVE-false-positive-watchdog-callback.elf │ └── rebuild_targets.sh ├── 04-crash-analysis ├── 10 │ ├── config.yml │ ├── crashing_input │ └── run.sh ├── 11 │ ├── README.md │ ├── config.yml │ ├── crashing_input │ └── run.sh ├── 12 │ ├── README.md │ ├── config.yml │ ├── crashing_input │ └── run.sh ├── 13 │ ├── README.md │ ├── config.yml │ ├── crashing_input │ └── run.sh ├── 14 │ ├── README.md │ ├── config.yml │ ├── crashing_input │ └── run.sh ├── 15 │ ├── README.md │ ├── config.yml │ ├── crashing_input │ └── run.sh ├── 16 │ ├── README.md │ ├── config.yml │ ├── crashing_input │ └── run.sh ├── 17 │ ├── README.md │ ├── config.yml │ ├── crashing_input │ ├── crashing_input_buggy_emu │ └── run.sh ├── 18 │ ├── README.md │ ├── config.yml │ ├── crashing_input │ └── run.sh ├── 19 │ ├── README.md │ ├── config.yml │ ├── crashing_input │ └── run.sh ├── 20 │ ├── README.md │ ├── config.yml │ ├── crashing_input │ └── run.sh ├── 21 │ ├── README.md │ ├── config.yml │ ├── crashing_input │ └── run.sh ├── 22 │ ├── README.md │ ├── config.yml │ ├── crashing_input │ └── run.sh ├── 23 │ ├── README.md │ ├── config.yml │ ├── crashing_input │ └── run.sh ├── 24 │ ├── README.md │ ├── config.yml │ ├── crashing_input │ └── run.sh ├── 25 │ ├── README.md │ ├── config.yml │ ├── crashing_input │ └── run.sh ├── 26 │ ├── README.md │ ├── config.yml │ ├── crashing_input │ └── run.sh ├── 27 │ ├── README.md │ ├── config.yml │ ├── crashing_input │ └── run.sh ├── 28 │ ├── README.md │ ├── config.yml │ 
├── crashing_input │ └── run.sh ├── 29 │ ├── README.md │ ├── config.yml │ ├── crashing_input │ └── run.sh ├── 30 │ ├── README.md │ ├── config.yml │ ├── crashing_input │ └── run.sh ├── 31 │ ├── README.md │ ├── config.yml │ ├── crashing_input │ └── run.sh ├── 32 │ ├── README.md │ ├── config.yml │ ├── crashing_input │ └── run.sh ├── 33 │ ├── README.md │ ├── config.yml │ ├── crashing_input │ └── run.sh ├── 34 │ ├── README.md │ ├── config.yml │ ├── crashing_input │ └── run.sh ├── 35 │ ├── README.md │ ├── config.yml │ ├── crashing_input │ └── run.sh ├── 36 │ ├── README.md │ ├── config.yml │ ├── crashing_input │ └── run.sh ├── 37 │ ├── README.md │ ├── config.yml │ ├── crashing_input │ └── run.sh ├── 38 │ ├── README.md │ ├── config.yml │ ├── crashing_input │ └── run.sh ├── 39 │ ├── README.md │ ├── config.yml │ ├── crashing_input │ └── run.sh ├── 40 │ ├── README.md │ ├── config.yml │ ├── crashing_input │ └── run.sh ├── 41 │ ├── README.md │ ├── config.yml │ ├── crashing_input │ └── run.sh ├── 42 │ ├── README.md │ ├── config.yml │ ├── crashing_input │ └── run.sh ├── 43 │ ├── README.md │ ├── config.yml │ ├── crashing_input │ └── run.sh ├── 44 │ ├── README.md │ ├── config.yml │ ├── crashing_input │ └── run.sh ├── 45 │ ├── README.md │ ├── config.yml │ ├── crashing_input │ └── run.sh ├── 46 │ └── run.sh ├── 47 │ └── run.sh ├── 48 │ └── run.sh ├── 49 │ └── run.sh ├── 50 │ └── run.sh ├── 51 │ └── run.sh ├── 52 │ └── run.sh ├── 53 │ └── run.sh ├── 54 │ └── run.sh ├── 55 │ └── run.sh ├── 56 │ └── run.sh ├── 57 │ └── run.sh ├── 58 │ └── run.sh ├── 59 │ └── run.sh ├── 60 │ └── run.sh ├── 61 │ └── run.sh ├── 01 │ ├── config.yml │ ├── crashing_input │ └── run.sh ├── 02 │ ├── config.yml │ ├── crashing_input │ └── run.sh ├── 03 │ ├── config.yml │ ├── crashing_input │ └── run.sh ├── 04 │ ├── config.yml │ ├── crashing_input │ └── run.sh ├── 05 │ ├── config.yml │ ├── crashing_input │ └── run.sh ├── 06 │ ├── config.yml │ ├── crashing_input │ └── run.sh ├── 07 │ ├── config.yml │ ├── 
crashing_input │ └── run.sh ├── 08 │ ├── config.yml │ ├── crashing_input │ └── run.sh ├── 09 │ ├── config.yml │ ├── crashing_input │ └── run.sh └── README.md ├── LICENSE ├── README.md ├── helper_scripts ├── set_limits_and_prepare_afl.sh ├── ssh_wrapper_collect_experiment_results.sh ├── ssh_wrapper_install_fuzzware.sh └── ssh_wrapper_run_experiment.sh ├── ssh_based_collect_results.sh ├── ssh_based_kickoff_experiments.sh └── ssh_hosts_install.py /01-access-modeling-for-fuzzing/p2im-unittests/F103/ARDUINO-F103-ADC/ARDUINO-F103-ADC.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/F103/ARDUINO-F103-ADC/ARDUINO-F103-ADC.bin -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/F103/ARDUINO-F103-ADC/ARDUINO-F103-ADC.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/F103/ARDUINO-F103-ADC/ARDUINO-F103-ADC.elf -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/F103/ARDUINO-F103-GPIO/ARDUINO-F103-GPIO.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/F103/ARDUINO-F103-GPIO/ARDUINO-F103-GPIO.bin -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/F103/ARDUINO-F103-GPIO/ARDUINO-F103-GPIO.elf: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/F103/ARDUINO-F103-GPIO/ARDUINO-F103-GPIO.elf -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/F103/ARDUINO-F103-GPIO_INT/ARDUINO-F103-GPIO_INT.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/F103/ARDUINO-F103-GPIO_INT/ARDUINO-F103-GPIO_INT.bin -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/F103/ARDUINO-F103-GPIO_INT/ARDUINO-F103-GPIO_INT.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/F103/ARDUINO-F103-GPIO_INT/ARDUINO-F103-GPIO_INT.elf -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/F103/ARDUINO-F103-I2C/ARDUINO-F103-I2C.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/F103/ARDUINO-F103-I2C/ARDUINO-F103-I2C.bin -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/F103/ARDUINO-F103-I2C/ARDUINO-F103-I2C.elf: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/F103/ARDUINO-F103-I2C/ARDUINO-F103-I2C.elf -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/F103/ARDUINO-F103-PWM/ARDUINO-F103-PWM.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/F103/ARDUINO-F103-PWM/ARDUINO-F103-PWM.bin -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/F103/ARDUINO-F103-PWM/ARDUINO-F103-PWM.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/F103/ARDUINO-F103-PWM/ARDUINO-F103-PWM.elf -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/F103/ARDUINO-F103-SPI/ARDUINO-F103-SPI.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/F103/ARDUINO-F103-SPI/ARDUINO-F103-SPI.bin -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/F103/ARDUINO-F103-SPI/ARDUINO-F103-SPI.elf: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/F103/ARDUINO-F103-SPI/ARDUINO-F103-SPI.elf -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/F103/ARDUINO-F103-Serial/ARDUINO-F103-Serial.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/F103/ARDUINO-F103-Serial/ARDUINO-F103-Serial.bin -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/F103/ARDUINO-F103-Serial/ARDUINO-F103-Serial.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/F103/ARDUINO-F103-Serial/ARDUINO-F103-Serial.elf -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/F103/F103-RIOT-GPIO/F103-RIOT-GPIO.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/F103/F103-RIOT-GPIO/F103-RIOT-GPIO.bin -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/F103/F103-RIOT-GPIO/F103-RIOT-GPIO.elf: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/F103/F103-RIOT-GPIO/F103-RIOT-GPIO.elf -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/F103/F103-RIOT-GPIO_INT/F103-RIOT-GPIO_INT.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/F103/F103-RIOT-GPIO_INT/F103-RIOT-GPIO_INT.bin -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/F103/F103-RIOT-GPIO_INT/F103-RIOT-GPIO_INT.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/F103/F103-RIOT-GPIO_INT/F103-RIOT-GPIO_INT.elf -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/F103/F103-RIOT-I2C/F103-RIOT-I2C.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/F103/F103-RIOT-I2C/F103-RIOT-I2C.bin -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/F103/F103-RIOT-I2C/F103-RIOT-I2C.elf: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/F103/F103-RIOT-I2C/F103-RIOT-I2C.elf -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/F103/F103-RIOT-SPI/F103-RIOT-SPI.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/F103/F103-RIOT-SPI/F103-RIOT-SPI.bin -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/F103/F103-RIOT-SPI/F103-RIOT-SPI.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/F103/F103-RIOT-SPI/F103-RIOT-SPI.elf -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/F103/F103-RIOT-TIMER/F103-RIOT-TIMER.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/F103/F103-RIOT-TIMER/F103-RIOT-TIMER.bin -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/F103/F103-RIOT-TIMER/F103-RIOT-TIMER.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/F103/F103-RIOT-TIMER/F103-RIOT-TIMER.elf 
-------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/F103/F103-RIOT-USART-Read/F103-RIOT-USART-Read.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/F103/F103-RIOT-USART-Read/F103-RIOT-USART-Read.bin -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/F103/F103-RIOT-USART-Read/F103-RIOT-USART-Read.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/F103/F103-RIOT-USART-Read/F103-RIOT-USART-Read.elf -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/F103/F103-RIOT-USART/F103-RIOT-USART.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/F103/F103-RIOT-USART/F103-RIOT-USART.bin -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/F103/F103-RIOT-USART/F103-RIOT-USART.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/F103/F103-RIOT-USART/F103-RIOT-USART.elf -------------------------------------------------------------------------------- 
/01-access-modeling-for-fuzzing/p2im-unittests/F103/NUTTX-F103-ADC/NUTTX-F103-ADC.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/F103/NUTTX-F103-ADC/NUTTX-F103-ADC.bin -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/F103/NUTTX-F103-ADC/NUTTX-F103-ADC.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/F103/NUTTX-F103-ADC/NUTTX-F103-ADC.elf -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/F103/NUTTX-F103-GPIO/NUTTX-F103-GPIO.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/F103/NUTTX-F103-GPIO/NUTTX-F103-GPIO.bin -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/F103/NUTTX-F103-GPIO/NUTTX-F103-GPIO.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/F103/NUTTX-F103-GPIO/NUTTX-F103-GPIO.elf -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/F103/NUTTX-F103-GPIO_INT/NUTTX-F103-GPIO_INT.bin: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/F103/NUTTX-F103-GPIO_INT/NUTTX-F103-GPIO_INT.bin -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/F103/NUTTX-F103-GPIO_INT/NUTTX-F103-GPIO_INT.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/F103/NUTTX-F103-GPIO_INT/NUTTX-F103-GPIO_INT.elf -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/F103/NUTTX-F103-I2C/NUTTX-F103-I2C.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/F103/NUTTX-F103-I2C/NUTTX-F103-I2C.bin -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/F103/NUTTX-F103-I2C/NUTTX-F103-I2C.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/F103/NUTTX-F103-I2C/NUTTX-F103-I2C.elf -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/F103/NUTTX-PWM/NUTTX-PWM.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/F103/NUTTX-PWM/NUTTX-PWM.bin 
-------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/F103/NUTTX-PWM/NUTTX-PWM.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/F103/NUTTX-PWM/NUTTX-PWM.elf -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/F103/NUTTX-SPI/NUTTX-SPI.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/F103/NUTTX-SPI/NUTTX-SPI.bin -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/F103/NUTTX-SPI/NUTTX-SPI.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/F103/NUTTX-SPI/NUTTX-SPI.elf -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/F103/NUTTX-USART/NUTTX-USART.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/F103/NUTTX-USART/NUTTX-USART.bin -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/F103/NUTTX-USART/NUTTX-USART.elf: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/F103/NUTTX-USART/NUTTX-USART.elf -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/K64F/K64F-RIOT-ADC/K64F-RIOT-ADC.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/K64F/K64F-RIOT-ADC/K64F-RIOT-ADC.bin -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/K64F/K64F-RIOT-ADC/K64F-RIOT-ADC.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/K64F/K64F-RIOT-ADC/K64F-RIOT-ADC.elf -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/K64F/K64F-RIOT-GPIO/K64F-RIOT-GPIO.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/K64F/K64F-RIOT-GPIO/K64F-RIOT-GPIO.bin -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/K64F/K64F-RIOT-GPIO/K64F-RIOT-GPIO.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/K64F/K64F-RIOT-GPIO/K64F-RIOT-GPIO.elf 
-------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/K64F/K64F-RIOT-GPIO_INT/K64F-RIOT-GPIO_INT.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/K64F/K64F-RIOT-GPIO_INT/K64F-RIOT-GPIO_INT.bin -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/K64F/K64F-RIOT-GPIO_INT/K64F-RIOT-GPIO_INT.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/K64F/K64F-RIOT-GPIO_INT/K64F-RIOT-GPIO_INT.elf -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/K64F/K64F-RIOT-I2C/K64F-RIOT-I2C.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/K64F/K64F-RIOT-I2C/K64F-RIOT-I2C.bin -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/K64F/K64F-RIOT-I2C/K64F-RIOT-I2C.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/K64F/K64F-RIOT-I2C/K64F-RIOT-I2C.elf -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/K64F/K64F-RIOT-PWM/K64F-RIOT-PWM.bin: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/K64F/K64F-RIOT-PWM/K64F-RIOT-PWM.bin -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/K64F/K64F-RIOT-PWM/K64F-RIOT-PWM.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/K64F/K64F-RIOT-PWM/K64F-RIOT-PWM.elf -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/K64F/K64F-RIOT-SPI/K64F-RIOT-SPI.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/K64F/K64F-RIOT-SPI/K64F-RIOT-SPI.bin -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/K64F/K64F-RIOT-SPI/K64F-RIOT-SPI.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/K64F/K64F-RIOT-SPI/K64F-RIOT-SPI.elf -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/K64F/K64F-RIOT-TIMER/K64F-RIOT-TIMER.bin: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/K64F/K64F-RIOT-TIMER/K64F-RIOT-TIMER.bin -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/K64F/K64F-RIOT-TIMER/K64F-RIOT-TIMER.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/K64F/K64F-RIOT-TIMER/K64F-RIOT-TIMER.elf -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/K64F/K64F-RIOT-USART-Read/K64F-RIOT-USART-Read.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/K64F/K64F-RIOT-USART-Read/K64F-RIOT-USART-Read.bin -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/K64F/K64F-RIOT-USART-Read/K64F-RIOT-USART-Read.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/K64F/K64F-RIOT-USART-Read/K64F-RIOT-USART-Read.elf -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/K64F/K64F-RIOT-USART/K64F-RIOT-USART.bin: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/K64F/K64F-RIOT-USART/K64F-RIOT-USART.bin -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/K64F/K64F-RIOT-USART/K64F-RIOT-USART.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/K64F/K64F-RIOT-USART/K64F-RIOT-USART.elf -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/SAM3X/ARDUINO-SAM3-ADC/ARDUINO-SAM3-ADC.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/SAM3X/ARDUINO-SAM3-ADC/ARDUINO-SAM3-ADC.bin -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/SAM3X/ARDUINO-SAM3-ADC/ARDUINO-SAM3-ADC.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/SAM3X/ARDUINO-SAM3-ADC/ARDUINO-SAM3-ADC.elf -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/SAM3X/ARDUINO-SAM3-DAC/ARDUINO-SAM3-DAC.bin: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/SAM3X/ARDUINO-SAM3-DAC/ARDUINO-SAM3-DAC.bin -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/SAM3X/ARDUINO-SAM3-DAC/ARDUINO-SAM3-DAC.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/SAM3X/ARDUINO-SAM3-DAC/ARDUINO-SAM3-DAC.elf -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/SAM3X/ARDUINO-SAM3-GPIO/ARDUINO-SAM3-GPIO.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/SAM3X/ARDUINO-SAM3-GPIO/ARDUINO-SAM3-GPIO.bin -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/SAM3X/ARDUINO-SAM3-GPIO/ARDUINO-SAM3-GPIO.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/SAM3X/ARDUINO-SAM3-GPIO/ARDUINO-SAM3-GPIO.elf -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/SAM3X/ARDUINO-SAM3-GPIO_INT/ARDUINO-SAM3-GPIO_INT.bin: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/SAM3X/ARDUINO-SAM3-GPIO_INT/ARDUINO-SAM3-GPIO_INT.bin -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/SAM3X/ARDUINO-SAM3-GPIO_INT/ARDUINO-SAM3-GPIO_INT.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/SAM3X/ARDUINO-SAM3-GPIO_INT/ARDUINO-SAM3-GPIO_INT.elf -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/SAM3X/ARDUINO-SAM3-I2C/ARDUINO-SAM3-I2C.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/SAM3X/ARDUINO-SAM3-I2C/ARDUINO-SAM3-I2C.bin -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/SAM3X/ARDUINO-SAM3-I2C/ARDUINO-SAM3-I2C.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/SAM3X/ARDUINO-SAM3-I2C/ARDUINO-SAM3-I2C.elf -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/SAM3X/ARDUINO-SAM3-PWM/ARDUINO-SAM3-PWM.bin: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/SAM3X/ARDUINO-SAM3-PWM/ARDUINO-SAM3-PWM.bin -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/SAM3X/ARDUINO-SAM3-PWM/ARDUINO-SAM3-PWM.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/SAM3X/ARDUINO-SAM3-PWM/ARDUINO-SAM3-PWM.elf -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/SAM3X/ARDUINO-SAM3-SPI/ARDUINO-SAM3-SPI.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/SAM3X/ARDUINO-SAM3-SPI/ARDUINO-SAM3-SPI.bin -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/SAM3X/ARDUINO-SAM3-SPI/ARDUINO-SAM3-SPI.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/SAM3X/ARDUINO-SAM3-SPI/ARDUINO-SAM3-SPI.elf -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/SAM3X/ARDUINO-SAM3-Serial/ARDUINO-SAM3-Serial.bin: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/SAM3X/ARDUINO-SAM3-Serial/ARDUINO-SAM3-Serial.bin -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/SAM3X/ARDUINO-SAM3-Serial/ARDUINO-SAM3-Serial.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/SAM3X/ARDUINO-SAM3-Serial/ARDUINO-SAM3-Serial.elf -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/SAM3X/SAM3-RIOT-ADC/SAM3-RIOT-ADC.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/SAM3X/SAM3-RIOT-ADC/SAM3-RIOT-ADC.bin -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/SAM3X/SAM3-RIOT-ADC/SAM3-RIOT-ADC.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/SAM3X/SAM3-RIOT-ADC/SAM3-RIOT-ADC.elf -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/SAM3X/SAM3-RIOT-DAC/SAM3-RIOT-DAC.bin: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/SAM3X/SAM3-RIOT-DAC/SAM3-RIOT-DAC.bin -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/SAM3X/SAM3-RIOT-DAC/SAM3-RIOT-DAC.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/SAM3X/SAM3-RIOT-DAC/SAM3-RIOT-DAC.elf -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/SAM3X/SAM3-RIOT-GPIO/SAM3-RIOT-GPIO.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/SAM3X/SAM3-RIOT-GPIO/SAM3-RIOT-GPIO.bin -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/SAM3X/SAM3-RIOT-GPIO/SAM3-RIOT-GPIO.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/SAM3X/SAM3-RIOT-GPIO/SAM3-RIOT-GPIO.elf -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/SAM3X/SAM3-RIOT-GPIO_INT/SAM3-RIOT-GPIO_INT.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/SAM3X/SAM3-RIOT-GPIO_INT/SAM3-RIOT-GPIO_INT.bin 
-------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/SAM3X/SAM3-RIOT-GPIO_INT/SAM3-RIOT-GPIO_INT.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/SAM3X/SAM3-RIOT-GPIO_INT/SAM3-RIOT-GPIO_INT.elf -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/SAM3X/SAM3-RIOT-PWM/SAM3-RIOT-PWM.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/SAM3X/SAM3-RIOT-PWM/SAM3-RIOT-PWM.bin -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/SAM3X/SAM3-RIOT-PWM/SAM3-RIOT-PWM.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/SAM3X/SAM3-RIOT-PWM/SAM3-RIOT-PWM.elf -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/SAM3X/SAM3-RIOT-SPI/SAM3-RIOT-SPI.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/SAM3X/SAM3-RIOT-SPI/SAM3-RIOT-SPI.bin -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/SAM3X/SAM3-RIOT-SPI/SAM3-RIOT-SPI.elf: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/SAM3X/SAM3-RIOT-SPI/SAM3-RIOT-SPI.elf -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/SAM3X/SAM3-RIOT-TIMER/SAM3-RIOT-TIMER.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/SAM3X/SAM3-RIOT-TIMER/SAM3-RIOT-TIMER.bin -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/SAM3X/SAM3-RIOT-TIMER/SAM3-RIOT-TIMER.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/SAM3X/SAM3-RIOT-TIMER/SAM3-RIOT-TIMER.elf -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/SAM3X/SAM3-RIOT-USART-Read/SAM3-RIOT-USART-Read.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/SAM3X/SAM3-RIOT-USART-Read/SAM3-RIOT-USART-Read.bin -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/SAM3X/SAM3-RIOT-USART-Read/SAM3-RIOT-USART-Read.elf: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/SAM3X/SAM3-RIOT-USART-Read/SAM3-RIOT-USART-Read.elf -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/SAM3X/SAM3-RIOT-USART/SAM3-RIOT-USART.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/SAM3X/SAM3-RIOT-USART/SAM3-RIOT-USART.bin -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/SAM3X/SAM3-RIOT-USART/SAM3-RIOT-USART.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/p2im-unittests/SAM3X/SAM3-RIOT-USART/SAM3-RIOT-USART.elf -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/run_experiment.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | NUM_INSTANCES=1 5 | 6 | set -e 7 | fuzzware checkenv -n $NUM_INSTANCES || { echo "Error during initial sanity checks. 
Please fix according to debug output."; exit 1; } 8 | 9 | "$DIR"/run_fuzzers.sh $NUM_INSTANCES || { echo "[ERROR] run_fuzzers failed"; exit 1; } 10 | "$DIR"/check_results.py "$DIR/groundtruth.csv" || { echo "[ERROR] run_fuzzers failed"; exit 1; } 11 | -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/p2im-unittests/run_fuzzers.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | if [ -z $(which fuzzware 2>/dev/null) ]; then 5 | echo "[-] fuzzware not available -> \$workon fuzzware" 6 | exit 1 7 | fi 8 | 9 | if [ $# -gt 0 ]; then 10 | num_procs=$1 11 | echo "[*] Running $num_procs instance(s) in parallel" 12 | else 13 | num_procs=1 14 | echo "[*] Default: Running on a single instance" 15 | fi 16 | 17 | num_available_cores=$(getconf _NPROCESSORS_ONLN) 18 | if [ $num_available_cores -gt 1 ] && [ $num_procs -gt $(( $num_available_cores / 2 )) ]; then 19 | echo "too many parallel instances chosen (got $num_available_cores virtual cores)"; 20 | exit 1; 21 | fi 22 | 23 | if [ $(( 4 * $num_procs )) -gt $(cat /proc/sys/fs/inotify/max_user_instances) ]; then 24 | echo "[ERROR] inotify limits too low for requested number of fuzzing instances (did you set limits?)" 25 | exit 1 26 | fi 27 | 28 | FUZZING_RUNTIME="00:15:00" 29 | 30 | export AFL_SKIP_CPUFREQ=1 31 | ( for f in `find $DIR -iname '*.elf'`; do 32 | # Skip possible copies within already-existing project directories 33 | if [ "$(basename $(dirname $f))" != "data" ]; then 34 | echo "fuzzware pipeline --run-for=$FUZZING_RUNTIME $(dirname $f)"; 35 | fi 36 | done ) | xargs -I{} --max-procs $num_procs -- bash -c "{}" 37 | 38 | exit 0 -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/pw-discovery/ARCH_PRO/basic_exercises.bin: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/pw-discovery/ARCH_PRO/basic_exercises.bin -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/pw-discovery/ARCH_PRO/basic_exercises.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/pw-discovery/ARCH_PRO/basic_exercises.elf -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/pw-discovery/ARCH_PRO/config.yml: -------------------------------------------------------------------------------- 1 | memory_map: 2 | nvic: {base_addr: 0xe0000000, size: 0x10000000, permissions: rw-} 3 | irq_ret: {base_addr: 0xfffff000, size: 0x1000, permissions: --x} 4 | mmio: {base_addr: 0x40000000, size: 0x20000000, permissions: rw-} 5 | ram: {base_addr: 0x20000000, size: 0x00100000, permissions: rw-} 6 | 7 | sram: 8 | base_addr: 0x10000000 9 | permissions: rwx 10 | size: 0x8000 11 | text: 12 | base_addr: 0x0 13 | file: ./basic_exercises.bin 14 | permissions: r-x 15 | size: 0x800000 16 | is_entry: True 17 | 18 | use_timers: false 19 | use_nvic: false 20 | use_systick: false 21 | -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/pw-discovery/ARCH_PRO/milestone_bbs.txt: -------------------------------------------------------------------------------- 1 | 00001402 2 | 0000140E 3 | 0000141A 4 | 00001426 5 | 00001432 6 | 0000143E 7 | 0000144A 8 | 00001456 -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/pw-discovery/EFM32GG_STK3700/basic_exercises.bin: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/pw-discovery/EFM32GG_STK3700/basic_exercises.bin -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/pw-discovery/EFM32GG_STK3700/basic_exercises.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/pw-discovery/EFM32GG_STK3700/basic_exercises.elf -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/pw-discovery/EFM32GG_STK3700/config.yml: -------------------------------------------------------------------------------- 1 | memory_map: 2 | nvic: {base_addr: 0xe0000000, size: 0x10000000, permissions: rw-} 3 | irq_ret: {base_addr: 0xfffff000, size: 0x1000, permissions: --x} 4 | mmio: {base_addr: 0x40000000, size: 0x20000000, permissions: rw-} 5 | ram: {base_addr: 0x20000000, size: 0x00100000, permissions: rw-} 6 | 7 | mmio_information: 8 | base_addr: 0xfe00000 9 | permissions: rw- 10 | size: 0x9000 11 | text: 12 | base_addr: 0x0 13 | file: ./basic_exercises.bin 14 | permissions: r-x 15 | size: 0x800000 16 | is_entry: True 17 | 18 | use_nvic: false 19 | use_timers: false 20 | use_systick: false 21 | -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/pw-discovery/EFM32GG_STK3700/milestone_bbs.txt: -------------------------------------------------------------------------------- 1 | 000020D6 2 | 000020E2 3 | 000020EE 4 | 000020FA 5 | 00002106 6 | 00002112 7 | 0000211E 8 | 0000212A -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/pw-discovery/EFM32LG_STK3600/basic_exercises.bin: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/pw-discovery/EFM32LG_STK3600/basic_exercises.bin -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/pw-discovery/EFM32LG_STK3600/basic_exercises.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/pw-discovery/EFM32LG_STK3600/basic_exercises.elf -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/pw-discovery/EFM32LG_STK3600/config.yml: -------------------------------------------------------------------------------- 1 | memory_map: 2 | nvic: {base_addr: 0xe0000000, size: 0x10000000, permissions: rw-} 3 | irq_ret: {base_addr: 0xfffff000, size: 0x1000, permissions: --x} 4 | mmio: {base_addr: 0x40000000, size: 0x20000000, permissions: rw-} 5 | ram: {base_addr: 0x20000000, size: 0x00100000, permissions: rw-} 6 | 7 | mmio_information: 8 | base_addr: 0xfe00000 9 | permissions: rw- 10 | size: 0x9000 11 | text: 12 | base_addr: 0x0 13 | file: ./basic_exercises.bin 14 | permissions: r-x 15 | size: 0x800000 16 | is_entry: True 17 | 18 | use_nvic: false 19 | use_timers: false 20 | use_systick: false 21 | -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/pw-discovery/EFM32LG_STK3600/milestone_bbs.txt: -------------------------------------------------------------------------------- 1 | 000020B6 2 | 000020C2 3 | 000020CE 4 | 000020DA 5 | 000020E6 6 | 000020F2 7 | 000020FE 8 | 0000210A -------------------------------------------------------------------------------- 
/01-access-modeling-for-fuzzing/pw-discovery/LPC1549/basic_exercises.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/pw-discovery/LPC1549/basic_exercises.bin -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/pw-discovery/LPC1549/basic_exercises.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/pw-discovery/LPC1549/basic_exercises.elf -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/pw-discovery/LPC1549/config.yml: -------------------------------------------------------------------------------- 1 | memory_map: 2 | nvic: {base_addr: 0xe0000000, size: 0x10000000, permissions: rw-} 3 | irq_ret: {base_addr: 0xfffff000, size: 0x1000, permissions: --x} 4 | mmio: {base_addr: 0x40000000, size: 0x20000000, permissions: rw-} 5 | ram: {base_addr: 0x20000000, size: 0x00100000, permissions: rw-} 6 | 7 | mmio_GPIO_USB_CRC_SCTIMER_PWM: 8 | base_addr: 0x1c000000 9 | permissions: rw 10 | size: 0x28000 11 | sram: 12 | base_addr: 0x2000000 13 | permissions: rwx 14 | size: 0x8000 15 | text: 16 | base_addr: 0x0 17 | file: ./basic_exercises.bin 18 | permissions: r-x 19 | size: 0x800000 20 | is_entry: True 21 | 22 | use_nvic: false 23 | use_timers: false 24 | use_systick: false 25 | -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/pw-discovery/LPC1549/milestone_bbs.txt: -------------------------------------------------------------------------------- 1 | 00000DA2 2 | 00000DAE 3 | 00000DBA 4 | 00000DC6 5 | 00000DD2 6 | 00000DDE 7 | 00000DEA 8 | 
00000DF6 -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/pw-discovery/LPC1768/basic_exercises.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/pw-discovery/LPC1768/basic_exercises.bin -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/pw-discovery/LPC1768/basic_exercises.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/pw-discovery/LPC1768/basic_exercises.elf -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/pw-discovery/LPC1768/config.yml: -------------------------------------------------------------------------------- 1 | memory_map: 2 | nvic: {base_addr: 0xe0000000, size: 0x10000000, permissions: rw-} 3 | irq_ret: {base_addr: 0xfffff000, size: 0x1000, permissions: --x} 4 | mmio: {base_addr: 0x40000000, size: 0x20000000, permissions: rw-} 5 | ram: {base_addr: 0x20000000, size: 0x00100000, permissions: rw-} 6 | 7 | sram: 8 | base_addr: 0x10000000 9 | permissions: rwx 10 | size: 0x8000 11 | text: 12 | base_addr: 0x0 13 | file: ./basic_exercises.bin 14 | permissions: r-x 15 | size: 0x800000 16 | is_entry: True 17 | 18 | use_systick: false 19 | use_nvic: false 20 | use_timers: false 21 | -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/pw-discovery/LPC1768/milestone_bbs.txt: -------------------------------------------------------------------------------- 1 | 0000140A 2 | 00001416 3 | 00001422 4 | 0000142E 5 | 0000143A 6 | 00001446 7 | 00001452 8 | 0000145E 
-------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/pw-discovery/MOTE_L152RC/basic_exercises.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/pw-discovery/MOTE_L152RC/basic_exercises.bin -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/pw-discovery/MOTE_L152RC/basic_exercises.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/pw-discovery/MOTE_L152RC/basic_exercises.elf -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/pw-discovery/MOTE_L152RC/config.yml: -------------------------------------------------------------------------------- 1 | memory_map: 2 | nvic: {base_addr: 0xe0000000, size: 0x10000000, permissions: rw-} 3 | irq_ret: {base_addr: 0xfffff000, size: 0x1000, permissions: --x} 4 | mmio: {base_addr: 0x40000000, size: 0x20000000, permissions: rw-} 5 | ram: {base_addr: 0x20000000, size: 0x00100000, permissions: rw-} 6 | 7 | text: 8 | base_addr: 0x8000000 9 | file: ./basic_exercises.bin 10 | permissions: r-x 11 | size: 0x800000 12 | is_entry: True 13 | 14 | use_nvic: false 15 | use_timers: false 16 | use_systick: false 17 | -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/pw-discovery/MOTE_L152RC/milestone_bbs.txt: -------------------------------------------------------------------------------- 1 | 08001FCA 2 | 08001FD6 3 | 08001FE2 4 | 08001FEE 5 | 08001FFA 6 | 08002006 7 | 08002012 8 | 0800201E 
-------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/pw-discovery/NUCLEO_F103RB/basic_exercises.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/pw-discovery/NUCLEO_F103RB/basic_exercises.bin -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/pw-discovery/NUCLEO_F103RB/basic_exercises.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/pw-discovery/NUCLEO_F103RB/basic_exercises.elf -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/pw-discovery/NUCLEO_F103RB/config.yml: -------------------------------------------------------------------------------- 1 | memory_map: 2 | nvic: {base_addr: 0xe0000000, size: 0x10000000, permissions: rw-} 3 | irq_ret: {base_addr: 0xfffff000, size: 0x1000, permissions: --x} 4 | mmio: {base_addr: 0x40000000, size: 0x20000000, permissions: rw-} 5 | ram: {base_addr: 0x20000000, size: 0x00100000, permissions: rw-} 6 | 7 | text: 8 | base_addr: 0x8000000 9 | file: ./basic_exercises.bin 10 | permissions: r-x 11 | size: 0x800000 12 | is_entry: True 13 | 14 | use_nvic: false 15 | use_timers: false 16 | use_systick: false 17 | -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/pw-discovery/NUCLEO_F103RB/milestone_bbs.txt: -------------------------------------------------------------------------------- 1 | 08001B70 2 | 08001B7C 3 | 08001B88 4 | 08001B94 5 | 08001BA0 6 | 08001BAC 7 | 08001BB8 8 | 08001BC4 
-------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/pw-discovery/NUCLEO_F207ZG/basic_exercises.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/pw-discovery/NUCLEO_F207ZG/basic_exercises.bin -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/pw-discovery/NUCLEO_F207ZG/basic_exercises.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/pw-discovery/NUCLEO_F207ZG/basic_exercises.elf -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/pw-discovery/NUCLEO_F207ZG/config.yml: -------------------------------------------------------------------------------- 1 | memory_map: 2 | nvic: {base_addr: 0xe0000000, size: 0x10000000, permissions: rw-} 3 | irq_ret: {base_addr: 0xfffff000, size: 0x1000, permissions: --x} 4 | mmio: {base_addr: 0x40000000, size: 0x20000000, permissions: rw-} 5 | ram: {base_addr: 0x20000000, size: 0x00100000, permissions: rw-} 6 | 7 | text: 8 | base_addr: 0x8000000 9 | file: ./basic_exercises.bin 10 | permissions: r-x 11 | size: 0x800000 12 | is_entry: True 13 | 14 | use_nvic: false 15 | use_timers: false 16 | use_systick: false 17 | -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/pw-discovery/NUCLEO_F207ZG/milestone_bbs.txt: -------------------------------------------------------------------------------- 1 | 08001D36 2 | 08001D42 3 | 08001D4E 4 | 08001D5A 5 | 08001D66 6 | 08001D72 7 | 08001D7E 8 | 08001D8A 
-------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/pw-discovery/NUCLEO_L152RE/basic_exercises.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/pw-discovery/NUCLEO_L152RE/basic_exercises.bin -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/pw-discovery/NUCLEO_L152RE/basic_exercises.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/pw-discovery/NUCLEO_L152RE/basic_exercises.elf -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/pw-discovery/NUCLEO_L152RE/config.yml: -------------------------------------------------------------------------------- 1 | memory_map: 2 | nvic: {base_addr: 0xe0000000, size: 0x10000000, permissions: rw-} 3 | irq_ret: {base_addr: 0xfffff000, size: 0x1000, permissions: --x} 4 | mmio: {base_addr: 0x40000000, size: 0x20000000, permissions: rw-} 5 | ram: {base_addr: 0x20000000, size: 0x00100000, permissions: rw-} 6 | 7 | text: 8 | base_addr: 0x8000000 9 | file: ./basic_exercises.bin 10 | permissions: r-x 11 | size: 0x800000 12 | is_entry: True 13 | 14 | use_timers: false 15 | use_nvic: false 16 | use_systick: false 17 | -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/pw-discovery/NUCLEO_L152RE/milestone_bbs.txt: -------------------------------------------------------------------------------- 1 | 0800206C 2 | 08002078 3 | 08002084 4 | 08002090 5 | 0800209C 6 | 080020A8 7 | 080020B4 8 | 080020C0 
-------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/pw-discovery/UBLOX_C027/basic_exercises.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/pw-discovery/UBLOX_C027/basic_exercises.bin -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/pw-discovery/UBLOX_C027/basic_exercises.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/01-access-modeling-for-fuzzing/pw-discovery/UBLOX_C027/basic_exercises.elf -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/pw-discovery/UBLOX_C027/config.yml: -------------------------------------------------------------------------------- 1 | memory_map: 2 | nvic: {base_addr: 0xe0000000, size: 0x10000000, permissions: rw-} 3 | irq_ret: {base_addr: 0xfffff000, size: 0x1000, permissions: --x} 4 | mmio: {base_addr: 0x40000000, size: 0x20000000, permissions: rw-} 5 | ram: {base_addr: 0x20000000, size: 0x00100000, permissions: rw-} 6 | 7 | sram: 8 | base_addr: 0x10000000 9 | permissions: rwx 10 | size: 0x8000 11 | text: 12 | base_addr: 0x0 13 | file: ./basic_exercises.bin 14 | permissions: r-x 15 | size: 0x800000 16 | is_entry: True 17 | 18 | use_timers: false 19 | use_nvic: false 20 | use_systick: false 21 | -------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/pw-discovery/UBLOX_C027/milestone_bbs.txt: -------------------------------------------------------------------------------- 1 | 000014AE 2 | 000014BA 3 | 000014C6 4 | 000014D2 5 | 000014DE 6 | 000014EA 7 | 000014F6 8 | 00001502 
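-------------------------------------------------------------------------------- /01-access-modeling-for-fuzzing/pw-discovery/ssh_based_collect_results.sh: --------------------------------------------------------------------------------
#!/bin/bash
DIR="$(dirname "$(readlink -f "$0")")"
# This sample script collects the results of the pw-discovery fuzzing
# experiments from ssh-reachable machines: one pass for the hosts that ran
# with access modeling and one pass for the hosts that ran without it.
# Requirements:
# - 20 separate ssh-reachable hosts
# - host naming convention: 00, 01, 02, ... (example: fuzzware-duo-00, fuzzware-duo-01)
# - working ssh configuration with pre-set username
# - password-less sudo set up for user
# - if password-less sudo (or any sudo) is not available, set_limits_and_prepare_afl.sh can be run with root privileges manually on the targets
# - pre-installed fuzzware

# Hosts. Example assumes: fuzzware-duo-01 fuzzware-duo-02 ...
export HOST_BASE_NAME=fuzzware-duo-

export EXPERIMENT_NAME="01-access-modeling-for-fuzzing/pw-discovery"
# P2IM and uEmu targets
TARGETS="ARCH_PRO EFM32LG_STK3600 LPC1768 NUCLEO_F103RB NUCLEO_L152RE EFM32GG_STK3700 LPC1549 MOTE_L152RC NUCLEO_F207ZG UBLOX_C027"
export TARGETS

COLLECT_SCRIPT="$DIR/../../helper_scripts/ssh_wrapper_collect_experiment_results.sh"
# Overall exit status: non-zero if either collection pass failed. Previously
# only the second pass's status was visible to the caller.
status=0

# First collect the experiments with modeling (default host index start: 22, as 01-21 run P2IM / uEmu samples)
export HOST_START_INDEX=${HOST_START_INDEX:-22}
"$COLLECT_SCRIPT" || status=$?

# Then collect the experiments without modeling, which occupy the next 10 hosts.
# The second pass still runs when the first one failed so that its results are
# not lost; the failure is reported through the exit status instead.
export HOST_START_INDEX=$(( HOST_START_INDEX + 10 ))
"$COLLECT_SCRIPT" || status=$?

exit "$status"
-------------------------------------------------------------------------------- /02-comparison-with-state-of-the-art/P2IM/CNC/CNC.bin: --------------------------------------------------------------------------------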
https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/02-comparison-with-state-of-the-art/P2IM/CNC/CNC.bin -------------------------------------------------------------------------------- /02-comparison-with-state-of-the-art/P2IM/CNC/CNC.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/02-comparison-with-state-of-the-art/P2IM/CNC/CNC.elf -------------------------------------------------------------------------------- /02-comparison-with-state-of-the-art/P2IM/CNC/config.yml: -------------------------------------------------------------------------------- 1 | #include: 2 | # - ./syms.yml 3 | 4 | interrupt_triggers: 5 | trigger: 6 | every_nth_tick: 0x3e8 7 | fuzz_mode: round_robin 8 | 9 | memory_map: 10 | mmio: {base_addr: 0x40000000, size: 0x20000000, permissions: rw-} 11 | nvic: {base_addr: 0xe0000000, size: 0x10000000, permissions: rw-} 12 | irq_ret: {base_addr: 0xfffff000, size: 0x1000, permissions: --x} 13 | 14 | ram: 15 | base_addr: 0x20000000 16 | permissions: rw- 17 | size: 0x40000 18 | text: 19 | base_addr: 0x8000000 20 | file: CNC.bin 21 | permissions: r-x 22 | size: 0x0d000 23 | -------------------------------------------------------------------------------- /02-comparison-with-state-of-the-art/P2IM/Console/Console.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/02-comparison-with-state-of-the-art/P2IM/Console/Console.bin -------------------------------------------------------------------------------- /02-comparison-with-state-of-the-art/P2IM/Console/Console.elf: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/02-comparison-with-state-of-the-art/P2IM/Console/Console.elf -------------------------------------------------------------------------------- /02-comparison-with-state-of-the-art/P2IM/Console/config.yml: -------------------------------------------------------------------------------- 1 | #include: 2 | # - ./syms.yml 3 | 4 | interrupt_triggers: 5 | trigger: 6 | every_nth_tick: 0x3e8 7 | fuzz_mode: round_robin 8 | 9 | memory_map: 10 | mmio: {base_addr: 0x40000000, size: 0x20000000, permissions: rw-} 11 | nvic: {base_addr: 0xe0000000, size: 0x10000000, permissions: rw-} 12 | irq_ret: {base_addr: 0xfffff000, size: 0x1000, permissions: --x} 13 | 14 | ram: 15 | base_addr: 0x1fff0000 16 | permissions: rw- 17 | size: 0x10000 18 | text: 19 | base_addr: 0x0 20 | file: Console.bin 21 | permissions: r-x 22 | size: 0x8000 23 | -------------------------------------------------------------------------------- /02-comparison-with-state-of-the-art/P2IM/Drone/Drone.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/02-comparison-with-state-of-the-art/P2IM/Drone/Drone.bin -------------------------------------------------------------------------------- /02-comparison-with-state-of-the-art/P2IM/Drone/Drone.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/02-comparison-with-state-of-the-art/P2IM/Drone/Drone.elf -------------------------------------------------------------------------------- /02-comparison-with-state-of-the-art/P2IM/Drone/base_inputs/ex1: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/02-comparison-with-state-of-the-art/P2IM/Drone/base_inputs/ex1 -------------------------------------------------------------------------------- /02-comparison-with-state-of-the-art/P2IM/Drone/config.yml: -------------------------------------------------------------------------------- 1 | #include: 2 | # - ./syms.yml 3 | 4 | interrupt_triggers: 5 | trigger: 6 | every_nth_tick: 0x3e8 7 | fuzz_mode: round_robin 8 | 9 | memory_map: 10 | mmio: {base_addr: 0x40000000, size: 0x20000000, permissions: rw-} 11 | nvic: {base_addr: 0xe0000000, size: 0x10000000, permissions: rw-} 12 | irq_ret: {base_addr: 0xfffff000, size: 0x1000, permissions: --x} 13 | 14 | flash: 15 | base_addr: 0x00000000 16 | permissions: rw- 17 | size: 0x1000 18 | ram: 19 | base_addr: 0x20000000 20 | permissions: rw- 21 | size: 0x100000 22 | text: 23 | base_addr: 0x8000000 24 | file: Drone.bin 25 | permissions: r-x 26 | size: 0xd000 27 | -------------------------------------------------------------------------------- /02-comparison-with-state-of-the-art/P2IM/Gateway/Gateway.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/02-comparison-with-state-of-the-art/P2IM/Gateway/Gateway.bin -------------------------------------------------------------------------------- /02-comparison-with-state-of-the-art/P2IM/Gateway/Gateway.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/02-comparison-with-state-of-the-art/P2IM/Gateway/Gateway.elf -------------------------------------------------------------------------------- /02-comparison-with-state-of-the-art/P2IM/Gateway/base_inputs/ex7_new: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/02-comparison-with-state-of-the-art/P2IM/Gateway/base_inputs/ex7_new -------------------------------------------------------------------------------- /02-comparison-with-state-of-the-art/P2IM/Gateway/config.yml: -------------------------------------------------------------------------------- 1 | #include: 2 | # - ./syms.yml 3 | 4 | interrupt_triggers: 5 | trigger: 6 | every_nth_tick: 0x3e8 7 | fuzz_mode: round_robin 8 | 9 | memory_map: 10 | mmio: {base_addr: 0x40000000, size: 0x20000000, permissions: rw-} 11 | nvic: {base_addr: 0xe0000000, size: 0x10000000, permissions: rw-} 12 | irq_ret: {base_addr: 0xfffff000, size: 0x1000, permissions: --x} 13 | 14 | ram: 15 | base_addr: 0x20000000 16 | permissions: rw- 17 | size: 0x40000 18 | text: 19 | base_addr: 0x8000000 20 | file: Gateway.bin 21 | permissions: r-x 22 | size: 0xB000 23 | -------------------------------------------------------------------------------- /02-comparison-with-state-of-the-art/P2IM/Heat_Press/Heat_Press.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/02-comparison-with-state-of-the-art/P2IM/Heat_Press/Heat_Press.bin -------------------------------------------------------------------------------- /02-comparison-with-state-of-the-art/P2IM/Heat_Press/Heat_Press.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/02-comparison-with-state-of-the-art/P2IM/Heat_Press/Heat_Press.elf -------------------------------------------------------------------------------- /02-comparison-with-state-of-the-art/P2IM/Heat_Press/config.yml: 
-------------------------------------------------------------------------------- 1 | #include: 2 | # - ./syms.yml 3 | 4 | interrupt_triggers: 5 | trigger: 6 | every_nth_tick: 0x3e8 7 | fuzz_mode: round_robin 8 | 9 | memory_map: 10 | mmio: {base_addr: 0x40000000, size: 0x20000000, permissions: rw-} 11 | nvic: {base_addr: 0xe0000000, size: 0x10000000, permissions: rw-} 12 | irq_ret: {base_addr: 0xfffff000, size: 0x1000, permissions: --x} 13 | 14 | ram: 15 | base_addr: 0x20070000 16 | permissions: rw- 17 | size: 0x40000 18 | text: 19 | base_addr: 0x00080000 20 | file: Heat_Press.bin 21 | permissions: r-x 22 | size: 0x7000 23 | -------------------------------------------------------------------------------- /02-comparison-with-state-of-the-art/P2IM/PLC/PLC.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/02-comparison-with-state-of-the-art/P2IM/PLC/PLC.bin -------------------------------------------------------------------------------- /02-comparison-with-state-of-the-art/P2IM/PLC/PLC.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/02-comparison-with-state-of-the-art/P2IM/PLC/PLC.elf -------------------------------------------------------------------------------- /02-comparison-with-state-of-the-art/P2IM/PLC/base_inputs/modbus_cmd3: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/02-comparison-with-state-of-the-art/P2IM/PLC/base_inputs/modbus_cmd3 -------------------------------------------------------------------------------- /02-comparison-with-state-of-the-art/P2IM/PLC/config.yml: 
-------------------------------------------------------------------------------- 1 | #include: 2 | # - ./syms.yml 3 | 4 | interrupt_triggers: 5 | trigger: 6 | every_nth_tick: 0x3e8 7 | fuzz_mode: round_robin 8 | 9 | memory_map: 10 | mmio: {base_addr: 0x40000000, size: 0x20000000, permissions: rw-} 11 | nvic: {base_addr: 0xe0000000, size: 0x10000000, permissions: rw-} 12 | irq_ret: {base_addr: 0xfffff000, size: 0x1000, permissions: --x} 13 | 14 | zero: 15 | base_addr: 0x00000000 16 | permissions: rw- 17 | size: 0x1000 18 | ram: 19 | base_addr: 0x20000000 20 | permissions: rw- 21 | size: 0x40000 22 | text: 23 | base_addr: 0x08000000 24 | file: PLC.bin 25 | permissions: r-x 26 | size: 0x7000 27 | -------------------------------------------------------------------------------- /02-comparison-with-state-of-the-art/P2IM/Reflow_Oven/Reflow_Oven.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/02-comparison-with-state-of-the-art/P2IM/Reflow_Oven/Reflow_Oven.bin -------------------------------------------------------------------------------- /02-comparison-with-state-of-the-art/P2IM/Reflow_Oven/Reflow_Oven.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/02-comparison-with-state-of-the-art/P2IM/Reflow_Oven/Reflow_Oven.elf -------------------------------------------------------------------------------- /02-comparison-with-state-of-the-art/P2IM/Reflow_Oven/config.yml: -------------------------------------------------------------------------------- 1 | #include: 2 | # - ./syms.yml 3 | 4 | interrupt_triggers: 5 | trigger: 6 | every_nth_tick: 0x3e8 7 | fuzz_mode: round_robin 8 | 9 | memory_map: 10 | mmio: {base_addr: 0x40000000, size: 0x20000000, permissions: rw-} 11 | nvic: {base_addr: 
0xe0000000, size: 0x10000000, permissions: rw-} 12 | irq_ret: {base_addr: 0xfffff000, size: 0x1000, permissions: --x} 13 | 14 | zero: 15 | base_addr: 0x00000000 16 | permissions: rw- 17 | size: 0x1000 18 | ram: 19 | base_addr: 0x20000000 20 | permissions: rw- 21 | size: 0x40000 22 | text: 23 | base_addr: 0x8000000 24 | file: Reflow_Oven.bin 25 | permissions: r-x 26 | size: 0xc000 27 | -------------------------------------------------------------------------------- /02-comparison-with-state-of-the-art/P2IM/Robot/Robot.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/02-comparison-with-state-of-the-art/P2IM/Robot/Robot.bin -------------------------------------------------------------------------------- /02-comparison-with-state-of-the-art/P2IM/Robot/Robot.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/02-comparison-with-state-of-the-art/P2IM/Robot/Robot.elf -------------------------------------------------------------------------------- /02-comparison-with-state-of-the-art/P2IM/Robot/base_inputs/ex7_new: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/02-comparison-with-state-of-the-art/P2IM/Robot/base_inputs/ex7_new -------------------------------------------------------------------------------- /02-comparison-with-state-of-the-art/P2IM/Robot/config.yml: -------------------------------------------------------------------------------- 1 | #include: 2 | # - ./syms.yml 3 | 4 | interrupt_triggers: 5 | trigger: 6 | every_nth_tick: 0x3e8 7 | fuzz_mode: round_robin 8 | 9 | memory_map: 10 | mmio: {base_addr: 0x40000000, size: 0x20000000, 
permissions: rw-} 11 | nvic: {base_addr: 0xe0000000, size: 0x10000000, permissions: rw-} 12 | irq_ret: {base_addr: 0xfffff000, size: 0x1000, permissions: --x} 13 | 14 | zero: 15 | base_addr: 0x00000000 16 | permissions: rw- 17 | size: 0x1000 18 | ram: 19 | base_addr: 0x20000000 20 | permissions: rw- 21 | size: 0x40000 22 | text: 23 | base_addr: 0x08000000 24 | file: Robot.bin 25 | permissions: r-x 26 | size: 0xb000 27 | -------------------------------------------------------------------------------- /02-comparison-with-state-of-the-art/P2IM/Soldering_Iron/Soldering_Iron.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/02-comparison-with-state-of-the-art/P2IM/Soldering_Iron/Soldering_Iron.bin -------------------------------------------------------------------------------- /02-comparison-with-state-of-the-art/P2IM/Soldering_Iron/Soldering_Iron.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/02-comparison-with-state-of-the-art/P2IM/Soldering_Iron/Soldering_Iron.elf -------------------------------------------------------------------------------- /02-comparison-with-state-of-the-art/P2IM/Soldering_Iron/config.yml: -------------------------------------------------------------------------------- 1 | #include: 2 | # - ./syms.yml 3 | 4 | interrupt_triggers: 5 | trigger: 6 | every_nth_tick: 0x3e8 7 | fuzz_mode: round_robin 8 | 9 | memory_map: 10 | mmio: {base_addr: 0x40000000, size: 0x20000000, permissions: rw-} 11 | nvic: {base_addr: 0xe0000000, size: 0x10000000, permissions: rw-} 12 | irq_ret: {base_addr: 0xfffff000, size: 0x1000, permissions: --x} 13 | 14 | zero: 15 | base_addr: 0x00000000 16 | permissions: rw- 17 | size: 0x1000 18 | ram: 19 | base_addr: 0x20000000 20 | 
permissions: rw- 21 | size: 0x40000 22 | text: 23 | base_addr: 0x8000000 24 | file: Soldering_Iron.bin 25 | permissions: r-x 26 | size: 0x11000 27 | -------------------------------------------------------------------------------- /02-comparison-with-state-of-the-art/P2IM/Steering_Control/Steering_Control.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/02-comparison-with-state-of-the-art/P2IM/Steering_Control/Steering_Control.bin -------------------------------------------------------------------------------- /02-comparison-with-state-of-the-art/P2IM/Steering_Control/Steering_Control.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/02-comparison-with-state-of-the-art/P2IM/Steering_Control/Steering_Control.elf -------------------------------------------------------------------------------- /02-comparison-with-state-of-the-art/P2IM/Steering_Control/config.yml: -------------------------------------------------------------------------------- 1 | #include: 2 | # - ./syms.yml 3 | 4 | interrupt_triggers: 5 | trigger: 6 | every_nth_tick: 0x3e8 7 | fuzz_mode: round_robin 8 | 9 | memory_map: 10 | mmio: {base_addr: 0x40000000, size: 0x20000000, permissions: rw-} 11 | nvic: {base_addr: 0xe0000000, size: 0x10000000, permissions: rw-} 12 | irq_ret: {base_addr: 0xfffff000, size: 0x1000, permissions: --x} 13 | 14 | ram: 15 | base_addr: 0x20070000 16 | permissions: rw- 17 | size: 0x40000 18 | text: 19 | base_addr: 0x00080000 20 | file: Steering_Control.bin 21 | permissions: r-x 22 | size: 0x7000 23 | -------------------------------------------------------------------------------- /02-comparison-with-state-of-the-art/uEmu/6LoWPAN_Receiver/HAL.atmel_6lowpan_udp_rx.bin: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/02-comparison-with-state-of-the-art/uEmu/6LoWPAN_Receiver/HAL.atmel_6lowpan_udp_rx.bin -------------------------------------------------------------------------------- /02-comparison-with-state-of-the-art/uEmu/6LoWPAN_Receiver/HAL.atmel_6lowpan_udp_rx.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/02-comparison-with-state-of-the-art/uEmu/6LoWPAN_Receiver/HAL.atmel_6lowpan_udp_rx.elf -------------------------------------------------------------------------------- /02-comparison-with-state-of-the-art/uEmu/6LoWPAN_Receiver/config.yml: -------------------------------------------------------------------------------- 1 | #include: 2 | # - ./syms.yml 3 | 4 | interrupt_triggers: 5 | trigger: 6 | every_nth_tick: 0x3e8 7 | fuzz_mode: round_robin 8 | 9 | memory_map: 10 | mmio: {base_addr: 0x40000000, size: 0x20000000, permissions: rw-} 11 | nvic: {base_addr: 0xe0000000, size: 0x10000000, permissions: rw-} 12 | irq_ret: {base_addr: 0xfffff000, size: 0x1000, permissions: --x} 13 | 14 | mmio_MAC: 15 | base_addr: 0x805000 16 | permissions: rw- 17 | size: 0xa000 18 | ram: 19 | base_addr: 0x20000000 20 | permissions: rw- 21 | size: 0x40000 22 | text: 23 | base_addr: 0x0 24 | file: HAL.atmel_6lowpan_udp_rx.bin 25 | permissions: r-x 26 | size: 0x12000 27 | -------------------------------------------------------------------------------- /02-comparison-with-state-of-the-art/uEmu/6LoWPAN_Sender/HAL.atmel_6lowpan_udp_tx.bin: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/02-comparison-with-state-of-the-art/uEmu/6LoWPAN_Sender/HAL.atmel_6lowpan_udp_tx.bin -------------------------------------------------------------------------------- /02-comparison-with-state-of-the-art/uEmu/6LoWPAN_Sender/HAL.atmel_6lowpan_udp_tx.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/02-comparison-with-state-of-the-art/uEmu/6LoWPAN_Sender/HAL.atmel_6lowpan_udp_tx.elf -------------------------------------------------------------------------------- /02-comparison-with-state-of-the-art/uEmu/6LoWPAN_Sender/config.yml: -------------------------------------------------------------------------------- 1 | #include: 2 | # - ./syms.yml 3 | 4 | interrupt_triggers: 5 | trigger: 6 | every_nth_tick: 0x3e8 7 | fuzz_mode: round_robin 8 | 9 | memory_map: 10 | mmio: {base_addr: 0x40000000, size: 0x20000000, permissions: rw-} 11 | nvic: {base_addr: 0xe0000000, size: 0x10000000, permissions: rw-} 12 | irq_ret: {base_addr: 0xfffff000, size: 0x1000, permissions: --x} 13 | 14 | mmio_MAC: 15 | base_addr: 0x805000 16 | permissions: rw- 17 | size: 0xa000 18 | ram: 19 | base_addr: 0x20000000 20 | permissions: rw- 21 | size: 0x40000 22 | text: 23 | base_addr: 0x0 24 | file: HAL.atmel_6lowpan_udp_tx.bin 25 | permissions: r-x 26 | size: 0x12000 27 | -------------------------------------------------------------------------------- /02-comparison-with-state-of-the-art/uEmu/LiteOS_IoT/config.yml: -------------------------------------------------------------------------------- 1 | #include: 2 | # - ./syms.yml 3 | 4 | interrupt_triggers: 5 | trigger: 6 | every_nth_tick: 0x3e8 7 | fuzz_mode: round_robin 8 | 9 | memory_map: 10 | mmio: {base_addr: 0x40000000, size: 0x20000000, permissions: rw-} 11 | nvic: {base_addr: 0xe0000000, size: 
0x10000000, permissions: rw-} 12 | irq_ret: {base_addr: 0xfffff000, size: 0x1000, permissions: --x} 13 | 14 | ram: 15 | base_addr: 0x20000000 16 | permissions: rw- 17 | size: 0x100000 18 | text: 19 | base_addr: 0x8000000 20 | file: uEmu.LiteOS_IoT.bin 21 | permissions: r-x 22 | size: 0x6000 23 | rodata: 24 | base_addr: 0x8006000 25 | file: uEmu.LiteOS_IoT.bin 26 | file_offset: 0x6000 27 | permissions: r-- 28 | size: 0x4000 29 | -------------------------------------------------------------------------------- /02-comparison-with-state-of-the-art/uEmu/LiteOS_IoT/uEmu.LiteOS_IoT.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/02-comparison-with-state-of-the-art/uEmu/LiteOS_IoT/uEmu.LiteOS_IoT.bin -------------------------------------------------------------------------------- /02-comparison-with-state-of-the-art/uEmu/LiteOS_IoT/uEmu.LiteOS_IoT.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/02-comparison-with-state-of-the-art/uEmu/LiteOS_IoT/uEmu.LiteOS_IoT.elf -------------------------------------------------------------------------------- /02-comparison-with-state-of-the-art/uEmu/RF_Door_Lock/Pretender.max32_rf_door_lock.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/02-comparison-with-state-of-the-art/uEmu/RF_Door_Lock/Pretender.max32_rf_door_lock.bin -------------------------------------------------------------------------------- /02-comparison-with-state-of-the-art/uEmu/RF_Door_Lock/Pretender.max32_rf_door_lock.elf: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/02-comparison-with-state-of-the-art/uEmu/RF_Door_Lock/Pretender.max32_rf_door_lock.elf -------------------------------------------------------------------------------- /02-comparison-with-state-of-the-art/uEmu/RF_Door_Lock/config.yml: -------------------------------------------------------------------------------- 1 | #include: 2 | # - ./syms.yml 3 | 4 | interrupt_triggers: 5 | trigger: 6 | every_nth_tick: 0x3e8 7 | fuzz_mode: round_robin 8 | 9 | memory_map: 10 | mmio: {base_addr: 0x40000000, size: 0x20000000, permissions: rw-} 11 | nvic: {base_addr: 0xe0000000, size: 0x10000000, permissions: rw-} 12 | irq_ret: {base_addr: 0xfffff000, size: 0x1000, permissions: --x} 13 | 14 | ram: 15 | base_addr: 0x20000000 16 | permissions: rw- 17 | size: 0x10000 18 | text: 19 | base_addr: 0x0 20 | file: Pretender.max32_rf_door_lock.bin 21 | permissions: r-x 22 | size: 0x9000 23 | rodata: 24 | base_addr: 0x9000 25 | file: Pretender.max32_rf_door_lock.bin 26 | file_offset: 0x9000 27 | permissions: r-- 28 | size: 0x2000 29 | 30 | # Disable irq 12 (see uEmu original config) 31 | nvic: 32 | disabled_irqs: 33 | - 12 -------------------------------------------------------------------------------- /02-comparison-with-state-of-the-art/uEmu/Thermostat/Pretender.max32_thermostat.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/02-comparison-with-state-of-the-art/uEmu/Thermostat/Pretender.max32_thermostat.bin -------------------------------------------------------------------------------- /02-comparison-with-state-of-the-art/uEmu/Thermostat/Pretender.max32_thermostat.elf: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/02-comparison-with-state-of-the-art/uEmu/Thermostat/Pretender.max32_thermostat.elf -------------------------------------------------------------------------------- /02-comparison-with-state-of-the-art/uEmu/Thermostat/config.yml: -------------------------------------------------------------------------------- 1 | #include: 2 | # - ./syms.yml 3 | 4 | interrupt_triggers: 5 | trigger: 6 | every_nth_tick: 0x3e8 7 | fuzz_mode: round_robin 8 | 9 | memory_map: 10 | mmio: {base_addr: 0x40000000, size: 0x20000000, permissions: rw-} 11 | nvic: {base_addr: 0xe0000000, size: 0x10000000, permissions: rw-} 12 | irq_ret: {base_addr: 0xfffff000, size: 0x1000, permissions: --x} 13 | 14 | ram: 15 | base_addr: 0x20000000 16 | permissions: rw- 17 | size: 0x10000 18 | text: 19 | base_addr: 0x0 20 | file: Pretender.max32_thermostat.bin 21 | permissions: r-x 22 | size: 0xc000 23 | rodata: 24 | base_addr: 0xc000 25 | file: Pretender.max32_thermostat.bin 26 | file_offset: 0xc000 27 | permissions: r-- 28 | size: 0x2000 29 | 30 | # Disable irq 12 (see uEmu original config) 31 | nvic: 32 | disabled_irqs: 33 | - 12 -------------------------------------------------------------------------------- /02-comparison-with-state-of-the-art/uEmu/XML_Parser/XML_Parser.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/02-comparison-with-state-of-the-art/uEmu/XML_Parser/XML_Parser.bin -------------------------------------------------------------------------------- /02-comparison-with-state-of-the-art/uEmu/XML_Parser/XML_Parser.elf: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/02-comparison-with-state-of-the-art/uEmu/XML_Parser/XML_Parser.elf -------------------------------------------------------------------------------- /02-comparison-with-state-of-the-art/uEmu/XML_Parser/config.yml: -------------------------------------------------------------------------------- 1 | #include: 2 | # - ./syms.yml 3 | 4 | memory_map: 5 | mmio: {base_addr: 0x40000000, size: 0x20000000, permissions: rw-} 6 | nvic: {base_addr: 0xe0000000, size: 0x10000000, permissions: rw-} 7 | irq_ret: {base_addr: 0xfffff000, size: 0x1000, permissions: --x} 8 | 9 | ram: 10 | base_addr: 0x20000000 11 | permissions: rw- 12 | size: 0x60000 13 | text: 14 | base_addr: 0x8000000 15 | file: XML_Parser.bin 16 | permissions: r-x 17 | size: 0x15000 18 | rodata: 19 | base_addr: 0x8015000 20 | file: XML_Parser.bin 21 | file_offset: 0x15000 22 | permissions: r-- 23 | size: 0x10000 24 | 25 | # No interrupts used (in uEmu, interrupt is disabled explicitly) 26 | use_nvic: false 27 | use_systick: false 28 | -------------------------------------------------------------------------------- /02-comparison-with-state-of-the-art/uEmu/Zepyhr_SocketCan/config.yml: -------------------------------------------------------------------------------- 1 | #include: 2 | # - ./syms.yml 3 | 4 | interrupt_triggers: 5 | trigger: 6 | every_nth_tick: 0x3e8 7 | fuzz_mode: round_robin 8 | 9 | memory_map: 10 | mmio: {base_addr: 0x40000000, size: 0x20000000, permissions: rw-} 11 | nvic: {base_addr: 0xe0000000, size: 0x10000000, permissions: rw-} 12 | irq_ret: {base_addr: 0xfffff000, size: 0x1000, permissions: --x} 13 | 14 | ram: 15 | base_addr: 0x20000000 16 | permissions: rw- 17 | size: 0x10000 18 | text: 19 | base_addr: 0x8000000 20 | file: uEmu.zephyrsocketcan.bin 21 | permissions: r-x 22 | size: 0xf000 23 | rodata: 24 | base_addr: 0x800f000 25 | file: uEmu.zephyrsocketcan.bin 26 | file_offset: 0xf000 
27 | permissions: r-- 28 | size: 0x13000 29 | -------------------------------------------------------------------------------- /02-comparison-with-state-of-the-art/uEmu/Zepyhr_SocketCan/uEmu.zephyrsocketcan.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/02-comparison-with-state-of-the-art/uEmu/Zepyhr_SocketCan/uEmu.zephyrsocketcan.bin -------------------------------------------------------------------------------- /02-comparison-with-state-of-the-art/uEmu/Zepyhr_SocketCan/uEmu.zephyrsocketcan.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/02-comparison-with-state-of-the-art/uEmu/Zepyhr_SocketCan/uEmu.zephyrsocketcan.elf -------------------------------------------------------------------------------- /02-comparison-with-state-of-the-art/uEmu/uEmu.3Dprinter/config.yml: -------------------------------------------------------------------------------- 1 | #include: 2 | # - ./syms.yml 3 | 4 | interrupt_triggers: 5 | trigger: 6 | every_nth_tick: 0x3e8 7 | fuzz_mode: round_robin 8 | 9 | memory_map: 10 | mmio: {base_addr: 0x40000000, size: 0x20000000, permissions: rw-} 11 | nvic: {base_addr: 0xe0000000, size: 0x10000000, permissions: rw-} 12 | irq_ret: {base_addr: 0xfffff000, size: 0x1000, permissions: --x} 13 | 14 | zero: 15 | base_addr: 0 16 | permissions: rw- 17 | size: 0x1000 18 | ram: 19 | base_addr: 0x20000000 20 | permissions: rw- 21 | size: 0x20000 22 | text: 23 | base_addr: 0x8000000 24 | file: uEmu.3Dprinter.bin 25 | permissions: r-x 26 | size: 0x14000 27 | rodata: 28 | base_addr: 0x8014000 29 | file: uEmu.3Dprinter.bin 30 | file_offset: 0x14000 31 | permissions: r-- 32 | size: 0x3000 33 | 34 | # Disable irq 19 (see uEmu original config) 35 | nvic: 36 | disabled_irqs: 
37 | - 19 38 | -------------------------------------------------------------------------------- /02-comparison-with-state-of-the-art/uEmu/uEmu.3Dprinter/uEmu.3Dprinter.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/02-comparison-with-state-of-the-art/uEmu/uEmu.3Dprinter/uEmu.3Dprinter.bin -------------------------------------------------------------------------------- /02-comparison-with-state-of-the-art/uEmu/uEmu.3Dprinter/uEmu.3Dprinter.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/02-comparison-with-state-of-the-art/uEmu/uEmu.3Dprinter/uEmu.3Dprinter.elf -------------------------------------------------------------------------------- /02-comparison-with-state-of-the-art/uEmu/uEmu.GPSTracker/config.yml: -------------------------------------------------------------------------------- 1 | #include: 2 | # - ./syms.yml 3 | 4 | interrupt_triggers: 5 | trigger: 6 | every_nth_tick: 0x3e8 7 | fuzz_mode: round_robin 8 | 9 | memory_map: 10 | mmio: {base_addr: 0x40000000, size: 0x20000000, permissions: rw-} 11 | nvic: {base_addr: 0xe0000000, size: 0x10000000, permissions: rw-} 12 | irq_ret: {base_addr: 0xfffff000, size: 0x1000, permissions: --x} 13 | 14 | mmio_UDD: 15 | base_addr: 0x20180000 16 | permissions: rw- 17 | size: 0x20000 18 | flash: 19 | base_addr: 0xa0000 20 | permissions: rw- 21 | size: 0x1000 22 | ram: 23 | base_addr: 0x20070000 24 | permissions: rw- 25 | size: 0x90000 26 | text: 27 | base_addr: 0x80000 28 | file: uEmu.GPSTracker.bin 29 | permissions: r-x 30 | size: 0xc000 31 | -------------------------------------------------------------------------------- /02-comparison-with-state-of-the-art/uEmu/uEmu.GPSTracker/uEmu.GPSTracker.bin: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/02-comparison-with-state-of-the-art/uEmu/uEmu.GPSTracker/uEmu.GPSTracker.bin -------------------------------------------------------------------------------- /02-comparison-with-state-of-the-art/uEmu/uEmu.GPSTracker/uEmu.GPSTracker.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/02-comparison-with-state-of-the-art/uEmu/uEmu.GPSTracker/uEmu.GPSTracker.elf -------------------------------------------------------------------------------- /02-comparison-with-state-of-the-art/uEmu/utasker_MODBUS/config.yml: -------------------------------------------------------------------------------- 1 | #include: 2 | # - ./syms.yml 3 | 4 | interrupt_triggers: 5 | trigger: 6 | every_nth_tick: 0x3e8 7 | fuzz_mode: round_robin 8 | 9 | memory_map: 10 | mmio: {base_addr: 0x40000000, size: 0x20000000, permissions: rw-} 11 | nvic: {base_addr: 0xe0000000, size: 0x10000000, permissions: rw-} 12 | irq_ret: {base_addr: 0xfffff000, size: 0x1000, permissions: --x} 13 | 14 | zero: 15 | base_addr: 0x00000000 16 | permissions: rw- 17 | size: 0x1000 18 | ram: 19 | base_addr: 0x20000000 20 | permissions: rw- 21 | size: 0x30000 22 | flash: 23 | base_addr: 0x8000000 24 | permissions: rw- 25 | size: 0xc000 26 | text: 27 | base_addr: 0x800c080 28 | file: uEmu.uTasker_MODBUS.bin 29 | permissions: r-x 30 | size: 0xB000 31 | 32 | # DMA Support Configs 33 | mmio_models: 34 | passthrough: 35 | # DMA pointer holder locations (in uEmu, this is encoded as a custom data register region) 36 | eth_dmabuf_1: 37 | addr: 0x4002900C 38 | pc: 0xffffffff 39 | eth_dmabuf_2: 40 | addr: 0x4002904C 41 | pc: 0xffffffff 
-------------------------------------------------------------------------------- /02-comparison-with-state-of-the-art/uEmu/utasker_MODBUS/uEmu.uTasker_MODBUS.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/02-comparison-with-state-of-the-art/uEmu/utasker_MODBUS/uEmu.uTasker_MODBUS.bin -------------------------------------------------------------------------------- /02-comparison-with-state-of-the-art/uEmu/utasker_MODBUS/uEmu.uTasker_MODBUS.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/02-comparison-with-state-of-the-art/uEmu/utasker_MODBUS/uEmu.uTasker_MODBUS.elf -------------------------------------------------------------------------------- /02-comparison-with-state-of-the-art/uEmu/utasker_USB/config.yml: -------------------------------------------------------------------------------- 1 | #include: 2 | # - ./syms.yml 3 | 4 | interrupt_triggers: 5 | trigger: 6 | every_nth_tick: 0x3e8 7 | fuzz_mode: round_robin 8 | 9 | memory_map: 10 | mmio: {base_addr: 0x40000000, size: 0x20000000, permissions: rw-} 11 | nvic: {base_addr: 0xe0000000, size: 0x10000000, permissions: rw-} 12 | irq_ret: {base_addr: 0xfffff000, size: 0x1000, permissions: --x} 13 | 14 | zero: 15 | base_addr: 0 16 | permissions: rw- 17 | size: 0x1000 18 | ram: 19 | base_addr: 0x20000000 20 | permissions: rw- 21 | size: 0x40000 22 | rom: 23 | base_addr: 0x08000000 24 | permissions: rw- 25 | size: 0xc000 26 | text: 27 | base_addr: 0x0800C080 28 | file: uEmu.uTaskerV1.4_USB_STM32429ZI.bin 29 | permissions: r-x 30 | size: 0xA000 31 | -------------------------------------------------------------------------------- /02-comparison-with-state-of-the-art/uEmu/utasker_USB/uEmu.uTaskerV1.4_USB_STM32429ZI.bin: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/02-comparison-with-state-of-the-art/uEmu/utasker_USB/uEmu.uTaskerV1.4_USB_STM32429ZI.bin -------------------------------------------------------------------------------- /02-comparison-with-state-of-the-art/uEmu/utasker_USB/uEmu.uTaskerV1.4_USB_STM32429ZI.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/02-comparison-with-state-of-the-art/uEmu/utasker_USB/uEmu.uTaskerV1.4_USB_STM32429ZI.elf -------------------------------------------------------------------------------- /03-fuzzing-new-targets/contiki-ng/building/base_configs/contiki_common.yml: -------------------------------------------------------------------------------- 1 | # Performance increase: Make noisy and typical "anti-fuzzing" functions return 2 | # immediately to avoid consuming unnecessary computation resources. 
3 | handlers: 4 | # fade actually takes of time (executed basic blocks) 5 | fade: 6 | lpm_enter: 7 | printf: 8 | 9 | # We let the fuzzer choose an interrupt to trigger whenever the firmware is idle 10 | # The default behavior would be to trigger an interrupt every 1000 basic blocks 11 | interrupt_triggers: 12 | idle_interrupt: 13 | # Radio interrupt 14 | irq: 157 15 | addr: platform_idle 16 | -------------------------------------------------------------------------------- /03-fuzzing-new-targets/contiki-ng/building/build_sample_CVE-2020-12140.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | # This script is to be run within the contiki docker container 5 | 6 | CVENUM=2020-12140 7 | SAMPLE_DIR=/workdir/contiki-ng/examples/hello-world 8 | 9 | cd /workdir/contiki-ng 10 | # Restore git state 11 | git reset --hard 12 | git clean -df 13 | git checkout release/v4.4 14 | 15 | git apply $DIR/patches/cc2538_norom.patch 16 | 17 | # Replace DMA-based read 18 | git apply $DIR/patches/cc2538_read.patch 19 | 20 | # configure l2cap in hello-world sample 21 | git apply $DIR/patches/l2cap_sample.patch 22 | 23 | # bugs in target identified after paper release, patch 24 | git apply $DIR/patches/fix-l2cap-issues.patch 25 | 26 | make -C $SAMPLE_DIR TARGET=cc2538dk distclean all 27 | 28 | # Copy sample to outside-visible directory 29 | OUT_DIR=/workdir/rebuilt/CVE-$CVENUM 30 | rm -rf $OUT_DIR 31 | mkdir -p $OUT_DIR 32 | cp $SAMPLE_DIR/build/cc2538dk/hello-world.bin $SAMPLE_DIR/build/cc2538dk/hello-world.elf $OUT_DIR 33 | -------------------------------------------------------------------------------- /03-fuzzing-new-targets/contiki-ng/building/build_sample_CVE-2020-12141.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | # This script is to be run within the contiki docker container 5 | 
6 | CVENUM=2020-12141 7 | SAMPLE_DIR=/workdir/contiki-ng/examples/snmp-server 8 | 9 | cd /workdir/contiki-ng 10 | # Restore git state 11 | git reset --hard 12 | git clean -df 13 | git checkout release/v4.4 14 | 15 | git apply $DIR/patches/cc2538_norom.patch 16 | # Replace DMA-based read 17 | git apply $DIR/patches/cc2538_read.patch 18 | 19 | # Configure radio packet -> SNMP 20 | git apply $DIR/patches/transparent_mac.patch 21 | git apply $DIR/patches/snmp_sample.patch 22 | 23 | rm -rf $SAMPLE_DIR/build 24 | make -C $SAMPLE_DIR TARGET=cc2538dk clean all 25 | 26 | # Copy sample to outside-visible directory 27 | OUT_DIR=/workdir/rebuilt/CVE-$CVENUM 28 | rm -rf $OUT_DIR 29 | mkdir -p $OUT_DIR 30 | cp $SAMPLE_DIR/build/cc2538dk/snmp-server.bin $SAMPLE_DIR/build/cc2538dk/snmp-server.elf $OUT_DIR 31 | -------------------------------------------------------------------------------- /03-fuzzing-new-targets/contiki-ng/building/build_sample_HALucinator_CVE-2019-9183.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | # This script is to be run within the contiki docker container 5 | 6 | CVENUM=HALucinator-CVE-2019-9183 7 | SAMPLE_DIR=/workdir/contiki-ng/examples/hello-world 8 | 9 | cd /workdir/contiki-ng 10 | # Restore git state 11 | git reset --hard 12 | git clean -df 13 | git checkout release/v4.4 14 | 15 | # Revert security fixes 16 | git revert 5884a12d7d71c5bce0d97b1a387aeb7928189b04 -n -m 1 17 | 18 | git apply $DIR/patches/cc2538_norom.patch 19 | # Replace DMA-based read 20 | git apply $DIR/patches/cc2538_read.patch 21 | 22 | # radio -> 6LoWPAN 23 | git apply $DIR/patches/transparent_mac.patch 24 | git apply $DIR/patches/6lowpan_sample.patch 25 | 26 | rm -rf $SAMPLE_DIR/build 27 | make -C $SAMPLE_DIR TARGET=cc2538dk clean all 28 | 29 | # Copy sample to outside-visible directory 30 | OUT_DIR=/workdir/rebuilt/CVE-$CVENUM 31 | rm -rf $OUT_DIR 32 | mkdir -p $OUT_DIR 33 | cp 
$SAMPLE_DIR/build/cc2538dk/hello-world.bin $SAMPLE_DIR/build/cc2538dk/hello-world.elf $OUT_DIR 34 | -------------------------------------------------------------------------------- /03-fuzzing-new-targets/contiki-ng/building/gen_target_configs.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | fuzzware -h > /dev/null || { 5 | echo "Could not find fuzzware. Please re-execute $0 within a fuzzware virtual env (after installation: $ workon fuzzware; $0) to generate configs." 6 | exit 1 7 | } 8 | 9 | # Configure samples 10 | NEWLY_BUILT_DIR="$DIR/../rebuilt" 11 | for t in $NEWLY_BUILT_DIR/CVE*/*.elf; do 12 | fuzzware genconfig --base-config $DIR/base_configs/contiki_common.yml $t 13 | done 14 | -------------------------------------------------------------------------------- /03-fuzzing-new-targets/contiki-ng/building/patches/6lowpan_sample.patch: -------------------------------------------------------------------------------- 1 | diff --git a/examples/hello-world/Makefile b/examples/hello-world/Makefile 2 | index 0a79167ae..4a1d39a25 100644 3 | --- a/examples/hello-world/Makefile 4 | +++ b/examples/hello-world/Makefile 5 | @@ -1,5 +1,9 @@ 6 | CONTIKI_PROJECT = hello-world 7 | all: $(CONTIKI_PROJECT) 8 | 9 | +MAKE_MAC = MAKE_MAC_NULLMAC 10 | +MAKE_ROUTING = MAKE_ROUTING_NULLROUTING 11 | + 12 | +CFLAGS += -g 13 | CONTIKI = ../.. 14 | include $(CONTIKI)/Makefile.include 15 | -------------------------------------------------------------------------------- /03-fuzzing-new-targets/contiki-ng/building/patches/cc2538_norom.patch: -------------------------------------------------------------------------------- 1 | diff --git a/arch/cpu/cc2538/startup-gcc.c b/arch/cpu/cc2538/startup-gcc.c 2 | index bde8d1488..36eedad21 100644 3 | --- a/arch/cpu/cc2538/startup-gcc.c 4 | +++ b/arch/cpu/cc2538/startup-gcc.c 5 | 
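Review bot: The added `MAKE_MAC = MAKE_MAC_NULLMAC` and `MAKE_ROUTING = MAKE_ROUTING_NULLROUTING` lines in the hello-world Makefile hunk carry no explanation, so the sample reads as if it were meant to run without MAC or routing for its own sake. The build script that applies this patch labels the step "radio -> 6LoWPAN", so a comment above those lines, `# Fuzzing harness: null MAC/routing so received radio frames are handed straight to 6LoWPAN`, would keep that intent where the setting lives. `CFLAGS += -g` only adds debug information to the image; presumably it is there so the .elf carries symbols for `fuzzware genconfig` (gen_target_configs.sh consumes the .elf), and a one-line comment saying so would help the next reader.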
@@ -312,10 +312,10 @@ reset_handler(void) 6 | REG(SYS_CTRL_EMUOVR) = 0xFF; 7 | 8 | /* Copy the data segment initializers from flash to SRAM. */ 9 | - rom_util_memcpy(&_data, &_ldata, &_edata - &_data); 10 | + memcpy(&_data, &_ldata, &_edata - &_data); 11 | 12 | /* Zero-fill the bss segment. */ 13 | - rom_util_memset(&_bss, 0, &_ebss - &_bss); 14 | + memset(&_bss, 0, &_ebss - &_bss); 15 | 16 | /* call the application's entry point. */ 17 | main(); 18 | -------------------------------------------------------------------------------- /03-fuzzing-new-targets/contiki-ng/building/patches/fix-l2cap-issues.patch: -------------------------------------------------------------------------------- 1 | diff --git a/os/net/mac/ble/ble-l2cap.c b/os/net/mac/ble/ble-l2cap.c 2 | index fb755cc85..36d8443bc 100644 3 | --- a/os/net/mac/ble/ble-l2cap.c 4 | +++ b/os/net/mac/ble/ble-l2cap.c 5 | @@ -107,7 +107,7 @@ get_channel_for_cid(uint16_t own_cid) 6 | { 7 | uint8_t i = own_cid - L2CAP_FLOW_CHANNEL; 8 | if(i >= 0 && i < l2cap_channel_count) { 9 | - return &l2cap_channels[own_cid - L2CAP_FLOW_CHANNEL]; 10 | + return &l2cap_channels[i]; 11 | } else { 12 | return NULL; 13 | } 14 | @@ -378,6 +378,11 @@ input_l2cap_credit(uint8_t *data) 15 | uint16_t credits; 16 | l2cap_channel_t *channel = get_channel_for_addr(packetbuf_addr(PACKETBUF_ADDR_SENDER)); 17 | 18 | + if(channel == NULL) { 19 | + LOG_WARN("process_l2cap_credit: no channel found for sender address\n"); 20 | + return; 21 | + } 22 | + 23 | /* uint8_t identifier = data[0]; */ 24 | memcpy(&len, &data[1], 2); 25 | 26 | -------------------------------------------------------------------------------- /03-fuzzing-new-targets/contiki-ng/building/patches/l2cap_sample.patch: -------------------------------------------------------------------------------- 1 | diff --git a/examples/hello-world/Makefile b/examples/hello-world/Makefile 2 | index 0a79167ae..bfca2fb4d 100644 3 | --- a/examples/hello-world/Makefile 4 | 
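Review bot: In get_channel_for_cid the guard `i >= 0` is always true because `i` is `uint8_t`, and `own_cid - L2CAP_FLOW_CHANNEL` wraps to a small value when `own_cid` is below `L2CAP_FLOW_CHANNEL`, so the range test still admits such CIDs; the new `&l2cap_channels[i]` at least indexes with the value that was checked, but the bound belongs on the CID before the subtraction: `if(own_cid >= L2CAP_FLOW_CHANNEL && own_cid - L2CAP_FLOW_CHANNEL < l2cap_channel_count) {`. Whether `l2cap_channel_count` can exceed 255 is not visible here; if it can, `i` should also become `uint16_t`. The second hunk's NULL check on `channel` looks right, though its log prefix says `process_l2cap_credit` while the enclosing function is `input_l2cap_credit`.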
+++ b/examples/hello-world/Makefile 5 | 
@@ -1,5 +1,9 @@ 6 | CONTIKI_PROJECT = hello-world 7 | all: $(CONTIKI_PROJECT) 8 | 9 | +# Fuzzware: use BLE / BLE's l2cap as MAC layer 10 | +MAKE_MAC = MAKE_MAC_BLE 11 | + 12 | +CFLAGS += -g 13 | CONTIKI = ../.. 14 | include $(CONTIKI)/Makefile.include 15 | -------------------------------------------------------------------------------- /03-fuzzing-new-targets/contiki-ng/building/run_in_contiki_docker.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | # This build env is known to allow builds of contiki-ng version 4.4 samples 5 | CONTIKI_DOCKER_VERSION=f823e6a1 6 | 7 | base_dir="$(realpath $DIR/..)" 8 | 9 | # See if we have already cloned contiki-ng sources 10 | if [ ! -e "$base_dir/contiki-ng" ]; then 11 | git clone https://github.com/contiki-ng/contiki-ng "$base_dir/contiki-ng" 12 | git -C "$base_dir/contiki-ng" checkout release/v4.4 13 | fi 14 | 15 | # Map our base dir and run the actual command (which will be one of the build scripts normally) 16 | docker run -ti --user="$(id -u)" -v $base_dir:/workdir --workdir=/workdir contiker/contiki-ng:$CONTIKI_DOCKER_VERSION $@ -------------------------------------------------------------------------------- /03-fuzzing-new-targets/contiki-ng/prebuilt_samples/CVE-2020-12140/POC/crashing_input: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/03-fuzzing-new-targets/contiki-ng/prebuilt_samples/CVE-2020-12140/POC/crashing_input -------------------------------------------------------------------------------- /03-fuzzing-new-targets/contiki-ng/prebuilt_samples/CVE-2020-12140/POC/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | fuzzware -h > /dev/null || { 5 | echo "fuzzware not found 
(workon fuzzware?)" 6 | exit 1 7 | } 8 | 9 | fuzzware emu -c $DIR/config.yml -v -t -M $DIR/crashing_input $@ -------------------------------------------------------------------------------- /03-fuzzing-new-targets/contiki-ng/prebuilt_samples/CVE-2020-12140/hello-world.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/03-fuzzing-new-targets/contiki-ng/prebuilt_samples/CVE-2020-12140/hello-world.bin -------------------------------------------------------------------------------- /03-fuzzing-new-targets/contiki-ng/prebuilt_samples/CVE-2020-12140/hello-world.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/03-fuzzing-new-targets/contiki-ng/prebuilt_samples/CVE-2020-12140/hello-world.elf -------------------------------------------------------------------------------- /03-fuzzing-new-targets/contiki-ng/prebuilt_samples/CVE-2020-12141/POC/crashing_input: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/03-fuzzing-new-targets/contiki-ng/prebuilt_samples/CVE-2020-12141/POC/crashing_input -------------------------------------------------------------------------------- /03-fuzzing-new-targets/contiki-ng/prebuilt_samples/CVE-2020-12141/POC/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | fuzzware -h > /dev/null || { 5 | echo "fuzzware not found (workon fuzzware?)" 6 | exit 1 7 | } 8 | 9 | fuzzware emu -c $DIR/config.yml -v -t -M $DIR/crashing_input $@ -------------------------------------------------------------------------------- 
/03-fuzzing-new-targets/contiki-ng/prebuilt_samples/CVE-2020-12141/snmp-server.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/03-fuzzing-new-targets/contiki-ng/prebuilt_samples/CVE-2020-12141/snmp-server.bin -------------------------------------------------------------------------------- /03-fuzzing-new-targets/contiki-ng/prebuilt_samples/CVE-2020-12141/snmp-server.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/03-fuzzing-new-targets/contiki-ng/prebuilt_samples/CVE-2020-12141/snmp-server.elf -------------------------------------------------------------------------------- /03-fuzzing-new-targets/contiki-ng/prebuilt_samples/CVE-HALucinator-CVE-2019-9183/POC-max-size-check/crashing_input: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/03-fuzzing-new-targets/contiki-ng/prebuilt_samples/CVE-HALucinator-CVE-2019-9183/POC-max-size-check/crashing_input -------------------------------------------------------------------------------- /03-fuzzing-new-targets/contiki-ng/prebuilt_samples/CVE-HALucinator-CVE-2019-9183/POC-max-size-check/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | fuzzware -h > /dev/null || { 5 | echo "fuzzware not found (workon fuzzware?)" 6 | exit 1 7 | } 8 | 9 | fuzzware emu -c $DIR/config.yml -v -t -M $DIR/crashing_input $@ -------------------------------------------------------------------------------- 
/03-fuzzing-new-targets/contiki-ng/prebuilt_samples/CVE-HALucinator-CVE-2019-9183/POC-min-size-check/crashing_input: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/03-fuzzing-new-targets/contiki-ng/prebuilt_samples/CVE-HALucinator-CVE-2019-9183/POC-min-size-check/crashing_input -------------------------------------------------------------------------------- /03-fuzzing-new-targets/contiki-ng/prebuilt_samples/CVE-HALucinator-CVE-2019-9183/POC-min-size-check/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | fuzzware -h > /dev/null || { 5 | echo "fuzzware not found (workon fuzzware?)" 6 | exit 1 7 | } 8 | 9 | fuzzware emu -c $DIR/config.yml -v -t -M $DIR/crashing_input $@ -------------------------------------------------------------------------------- /03-fuzzing-new-targets/contiki-ng/prebuilt_samples/CVE-HALucinator-CVE-2019-9183/hello-world.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/03-fuzzing-new-targets/contiki-ng/prebuilt_samples/CVE-HALucinator-CVE-2019-9183/hello-world.bin -------------------------------------------------------------------------------- /03-fuzzing-new-targets/contiki-ng/prebuilt_samples/CVE-HALucinator-CVE-2019-9183/hello-world.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/03-fuzzing-new-targets/contiki-ng/prebuilt_samples/CVE-HALucinator-CVE-2019-9183/hello-world.elf -------------------------------------------------------------------------------- 
/03-fuzzing-new-targets/contiki-ng/rebuild_targets.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | set -e 5 | 6 | # Compile targets in docker environment 7 | for build_file in "$DIR/building"/build_sample_*.sh; do 8 | $DIR/building/run_in_contiki_docker.sh /workdir/building/$(basename $build_file) 9 | done 10 | 11 | echo "Trying to configure targets in current environment" 12 | echo "In case you have no local fuzzware installation, run" 13 | echo "$DIR/building/gen_target_configs.sh manually." 14 | $DIR/building/gen_target_configs.sh 15 | 16 | NEWLY_BUILT_DIR=$DIR/rebuilt 17 | echo "rebuilt targets are located at $NEWLY_BUILT_DIR" -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/building/base_configs/CVE-2021-3330.yml: -------------------------------------------------------------------------------- 1 | include: 2 | - ./zephyr_exits.yml 3 | - ./zephyr_skips.yml 4 | 5 | # We make the emulator trigger the radio interrupt whenever the firmware is idle 6 | interrupt_triggers: 7 | idle_interrupt: 8 | addr: arch_cpu_idle 9 | irq: 28 10 | -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/building/base_configs/zephyr_default.yml: -------------------------------------------------------------------------------- 1 | include: 2 | - ./zephyr_exits.yml 3 | - ./zephyr_skips.yml 4 | # Disabled: Additional tracing (edit as needed) 5 | # - ./zephyr_debug.yml 6 | 7 | # We let the fuzzer choose an interrupt to trigger whenever the firmware is idle 8 | # The default behavior would be to trigger an interrupt every 1000 basic blocks 9 | interrupt_triggers: 10 | idle_interrupt: 11 | fuzz_mode: fuzzed 12 | addr: arch_cpu_idle 13 | 14 | ## More commented-out configuration parameters to play around with and focus fuzzing further 15 | 16 | # Performance increase: 
Deactivate watchdog timer to decrease noise (and make one of the patches unnecessary) 17 | #disabled_irqs: 18 | # # Watchdog timer interrupt (if this is disabled, the wdt patch is also no longer required) 19 | # - 20 20 | # # SAM GPIO interrupts 21 | # - 26 22 | # - 27 23 | # - 28 -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/building/base_configs/zephyr_exits.yml: -------------------------------------------------------------------------------- 1 | # Optional config: We exit immediately on shutdown functions to reduce 2 | # the amount of time the fuzzer will spend idling in panic loops. 3 | exit_at: 4 | z_fatal_error: 5 | arch_system_halt: 6 | z_do_kernel_oops: 7 | quit: 8 | -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/building/base_configs/zephyr_skips.yml: -------------------------------------------------------------------------------- 1 | # Optional config: Make noisy and typical "anti-fuzzing" functions return 2 | # immediately to avoid consuming unnecessary computation resources. 
3 | handlers: 4 | z_tick_sleep: 5 | printk: 6 | shell_fprintf_fmt: 7 | z_vprintk: 8 | z_impl_k_busy_wait: 9 | z_impl_k_sleep: 10 | arch_system_halt: 11 | log_0: 12 | log_1: 13 | log_2: 14 | log_3: 15 | log_n: 16 | -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/building/build_sample_CVE-2020-10064.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | export CVENUM=2020-10064 5 | export BASE_COMMIT=38970c07abfcddcfc6a5958189f096a55c49594a 6 | export FIX_COMMITS=38970c07abfcddcfc6a5958189f096a55c49594a 7 | 8 | # export EXTRA_DEFINES=" -DCONFIG_NET_L2_IEEE802154_SHELL=n -DCONFIG_SHELL=n -DCONFIG_NET_STATISTICS=n -DCONFIG_PRINTK=n -DCONFIG_LOG=n" 9 | # export BOARD=atsamr21_xpro 10 | export BOARD=sam4e_xpro 11 | export ZEPHYR_VERSION=2.2.0 12 | 13 | "$DIR/docker_build_802154_sample.sh" -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/building/build_sample_CVE-2020-10065.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | export CVENUM=2020-10065 5 | export BASE_COMMIT=e1dddf7befa7309bd2afc567b2e00d2e7362f7c4 6 | export FIX_COMMITS= 7 | 8 | # SPI BT Host-only build 9 | # https://docs.zephyrproject.org/2.2.0/guides/bluetooth/bluetooth-arch.html#bluetooth-configs 10 | EXTRA_DEFINES="-DCONFIG_BT=y -DCONFIG_BT_HCI=y -DCONFIG_BT_CTLR=n -DCONFIG_BT_SPI=y " 11 | 12 | "$DIR/docker_build_bt_sample.sh" -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/building/build_sample_CVE-2020-10066.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | export CVENUM=2020-10066 5 | export 
BASE_COMMIT=e1dddf7befa7309bd2afc567b2e00d2e7362f7c4 6 | export FIX_COMMITS=e1dddf7befa7309bd2afc567b2e00d2e7362f7c4 7 | 8 | export ZEPHYR_VERSION=2.2.0 9 | 10 | # Fix the buffer OOB issue 11 | export PATCHES=fix-CVE-2020-10065.patch 12 | 13 | "$DIR/docker_build_bt_sample.sh" -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/building/build_sample_CVE-2021-3319.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | export CVENUM=2021-3319 5 | export BASE_COMMIT=a980762f70d7048825e6ce9e42ceb6b5f87a5e44 6 | export FIX_COMMITS=6f1ab93c66c59cf267bb2b974cf76a3b9b306e32 7 | 8 | export PATCHES="fix-CVE-2021-3323.patch" 9 | 10 | export BOARD=sam4s_xplained 11 | export SHIELD=atmel_rf2xx_xplained 12 | export ZEPHYR_VERSION=2.4.0 13 | 14 | "$DIR/docker_build_802154_sample.sh" 15 | -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/building/build_sample_CVE-2021-3320.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | export CVENUM=2021-3320 5 | export BASE_COMMIT=a980762f70d7048825e6ce9e42ceb6b5f87a5e44 6 | export FIX_COMMITS=0ebd30000113f87a1f6090dd050974c1e540b42a 7 | 8 | export PATCHES="fix-CVE-2021-3323.patch" 9 | 10 | export BOARD=sam4s_xplained 11 | export SHIELD=atmel_rf2xx_xplained 12 | export ZEPHYR_VERSION=2.4.0 13 | 14 | "$DIR/docker_build_802154_sample.sh" -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/building/build_sample_CVE-2021-3321.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | export CVENUM=2021-3321 5 | 6 | # We cannot revert the fix commit as it introduces 
"get_datagram_type" 7 | # Thus, we manually back port the bug via a patch 8 | #export BASE_COMMIT=a980762f70d7048825e6ce9e42ceb6b5f87a5e44 9 | #export FIX_COMMITS=606807940c7e71bae7f4e8a43e5171dbb2a7501e 10 | export BASE_COMMIT=a980762f70d7048825e6ce9e42ceb6b5f87a5e44 11 | 12 | export PATCHES="fix-CVE-2021-3323.patch backport-CVE-2021-3321.patch" 13 | 14 | export BOARD=sam4s_xplained 15 | export SHIELD=atmel_rf2xx_xplained 16 | export ZEPHYR_VERSION=2.4.0 17 | 18 | "$DIR/docker_build_802154_sample.sh" 19 | -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/building/build_sample_CVE-2021-3322.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | export CVENUM=2021-3322 5 | export BASE_COMMIT=2a423bc6d37f916771bce65672efadf30e6ea74c 6 | export FIX_COMMITS="2a423bc6d37f916771bce65672efadf30e6ea74c 6917d268482afc2da617a57456e1cdf4dd9c75d4" 7 | 8 | export PATCHES="fix-CVE-2021-3323.patch" 9 | 10 | export BOARD=sam4s_xplained 11 | export SHIELD=atmel_rf2xx_xplained 12 | export ZEPHYR_VERSION=2.4.0 13 | 14 | "$DIR/docker_build_802154_sample.sh" 15 | -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/building/build_sample_CVE-2021-3323.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | export CVENUM=2021-3323 5 | export BASE_COMMIT=a980762f70d7048825e6ce9e42ceb6b5f87a5e44 6 | export FIX_COMMITS= 7 | 8 | export BOARD=sam4s_xplained 9 | export SHIELD=atmel_rf2xx_xplained 10 | export ZEPHYR_VERSION=2.4.0 11 | 12 | "$DIR/docker_build_802154_sample.sh" 13 | -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/building/build_sample_CVE-2021-3329.sh: 
-------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | export CVENUM=2021-3329 5 | export BASE_COMMIT=e1dddf7befa7309bd2afc567b2e00d2e7362f7c4 6 | export FIX_COMMITS= 7 | 8 | export ZEPHYR_VERSION=2.2.0 9 | 10 | export BOARD="nrf52840dk_nrf52840" 11 | 12 | # Fix the buffer OOB issue and prepare bt hostonly build 13 | export PATCHES="fix-CVE-2020-10065.patch bt_hci_cmd_timeout.patch bt_hostonly_build.patch" 14 | 15 | "$DIR/docker_build_bt_sample.sh" -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/building/build_sample_CVE-2021-3330.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | export CVENUM=2021-3330 5 | export BASE_COMMIT=a980762f70d7048825e6ce9e42ceb6b5f87a5e44 6 | export FIX_COMMITS=a980762f70d7048825e6ce9e42ceb6b5f87a5e44 7 | 8 | export PATCHES="fix-CVE-2021-3323.patch ieee802154_reass_timeout.patch spi_sam_flat_read.patch" 9 | 10 | export BOARD=sam4s_xplained 11 | export SHIELD=atmel_rf2xx_xplained 12 | export ZEPHYR_VERSION=2.4.0 13 | 14 | "$DIR/docker_build_802154_sample.sh" -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/building/build_sample_missing_rf_size_check_fix.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | export CVENUM=no-CVE-false-positive-rf-size-check 5 | export BASE_COMMIT=a980762f70d7048825e6ce9e42ceb6b5f87a5e44 6 | export FIX_COMMITS= 7 | 8 | # Fully patched ieee802154 sample with missing rf size check to trigger false positive crash 9 | export PATCHES="fix-CVE-2021-3323.patch wdt_sam_watchdog_callback_check.patch" 10 | 11 | export BOARD=sam4s_xplained 12 | export SHIELD=atmel_rf2xx_xplained 13 | export 
ZEPHYR_VERSION=2.4.0 14 | 15 | # Set common options for our 16 | export SAMPLE_DIR=samples/net/sockets/echo_server 17 | 18 | export OVERLAYS=overlay-802154.conf 19 | 20 | export EXTRA_DEFINES="-DCONFIG_SHELL=n -DCONFIG_NET_SHELL=n -DCONFIG_NET_L2_IEEE802154_SHELL=n -DCONFIG_NET_SHELL_DYN_CMD_COMPLETION=n " 21 | 22 | $DIR/docker_build_sample.sh 23 | -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/building/build_sample_missing_watchdog_fix.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | export CVENUM=no-CVE-false-positive-watchdog-callback 5 | export BASE_COMMIT=a980762f70d7048825e6ce9e42ceb6b5f87a5e44 6 | export FIX_COMMITS= 7 | 8 | # Fully patched ieee802154 sample with missing watchdog NULL check to trigger false positive crash 9 | export PATCHES="fix-CVE-2021-3323.patch ieee802154_rf2xx_size_check.patch" 10 | 11 | export BOARD=sam4s_xplained 12 | export SHIELD=atmel_rf2xx_xplained 13 | export ZEPHYR_VERSION=2.4.0 14 | 15 | # Set common options for our 16 | export SAMPLE_DIR=samples/net/sockets/echo_server 17 | export OVERLAYS=overlay-802154.conf 18 | 19 | export EXTRA_DEFINES="-DCONFIG_SHELL=n -DCONFIG_NET_SHELL=n -DCONFIG_NET_L2_IEEE802154_SHELL=n -DCONFIG_NET_SHELL_DYN_CMD_COMPLETION=n " 20 | 21 | $DIR/docker_build_sample.sh 22 | -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/building/docker_build_802154_sample.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | # Set common options for our 5 | export SAMPLE_DIR=samples/net/sockets/echo_server 6 | export PATCHES="${PATCHES:-} ieee802154_rf2xx_size_check.patch wdt_sam_watchdog_callback_check.patch" 7 | export OVERLAYS=overlay-802154.conf 8 | 9 | export 
EXTRA_DEFINES="-DCONFIG_SHELL=n -DCONFIG_NET_SHELL=n -DCONFIG_NET_L2_IEEE802154_SHELL=n -DCONFIG_NET_SHELL_DYN_CMD_COMPLETION=n " 10 | 11 | $DIR/docker_build_sample.sh -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/building/docker_build_bt_sample.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | export BOARD=${BOARD:-disco_l475_iot1} 5 | export SAMPLE_DIR=samples/bluetooth/peripheral_dis 6 | 7 | export ZEPHYR_VERSION=2.2.0 8 | 9 | $DIR/docker_build_sample.sh -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/building/gen_target_configs.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | fuzzware -h > /dev/null || { 5 | echo "Could not find fuzzware. Please re-execute $0 within a fuzzware virtual env (after installation: $ workon fuzzware; $0) to generate configs." 6 | exit 1 7 | } 8 | 9 | # Configure samples 10 | NEWLY_BUILT_DIR="$DIR/../rebuilt" 11 | for t in $NEWLY_BUILT_DIR/CVE*/*.elf; do 12 | echo "== Generating config for $t" 13 | elf_name=$(basename $t .elf) 14 | cve=${elf_name#zephyr-} 15 | 16 | base_config="$DIR/base_configs/$cve.yml" 17 | if [ -e "$base_config" ]; then 18 | echo "Using CVE-specific base config: $base_config" 19 | else 20 | base_config="$DIR/base_configs/zephyr_default.yml" 21 | echo "Using fallback base config $base_config" 22 | fi 23 | 24 | fuzzware genconfig --base-config "$base_config" $t 25 | echo 26 | done 27 | -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/building/patches/backport-CVE-2021-3321.patch: -------------------------------------------------------------------------------- 1 | 
diff --git a/subsys/net/l2/ieee802154/ieee802154_fragment.c b/subsys/net/l2/ieee802154/ieee802154_fragment.c 2 | index 8d691bfede..60bbe3ad6b 100644 3 | --- a/subsys/net/l2/ieee802154/ieee802154_fragment.c 4 | +++ b/subsys/net/l2/ieee802154/ieee802154_fragment.c 5 | @@ -497,13 +497,6 @@ static inline enum net_verdict fragment_add_to_cache(struct net_pkt *pkt) 6 | frag = pkt->buffer; 7 | type = get_datagram_type(frag->data); 8 | 9 | - if ((type == NET_6LO_DISPATCH_FRAG1 && 10 | - frag->len < NET_6LO_FRAG1_HDR_LEN) || 11 | - (type == NET_6LO_DISPATCH_FRAGN && 12 | - frag->len < NET_6LO_FRAGN_HDR_LEN)) { 13 | - return NET_DROP; 14 | - } 15 | - 16 | /* Parse total size of packet */ 17 | size = get_datagram_size(frag->data); 18 | 19 | -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/building/patches/bt_hci_cmd_timeout.patch: -------------------------------------------------------------------------------- 1 | diff --git a/subsys/bluetooth/host/hci_core.c b/subsys/bluetooth/host/hci_core.c 2 | index b173de8e5b..63fb9a9641 100644 3 | --- a/subsys/bluetooth/host/hci_core.c 4 | +++ b/subsys/bluetooth/host/hci_core.c 5 | @@ -56,7 +56,7 @@ 6 | #define RPA_TIMEOUT_MS (CONFIG_BT_RPA_TIMEOUT * MSEC_PER_SEC) 7 | #define RPA_TIMEOUT K_MSEC(RPA_TIMEOUT_MS) 8 | 9 | -#define HCI_CMD_TIMEOUT K_SECONDS(10) 10 | +#define HCI_CMD_TIMEOUT K_FOREVER 11 | 12 | /* Stacks for the threads */ 13 | #if !defined(CONFIG_BT_RECV_IS_RX_THREAD) 14 | -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/building/patches/bt_hostonly_build.patch: -------------------------------------------------------------------------------- 1 | diff --git a/samples/bluetooth/peripheral_dis/prj.conf b/samples/bluetooth/peripheral_dis/prj.conf 2 | index 3b88987ce0..3093ab5e79 100644 3 | --- a/samples/bluetooth/peripheral_dis/prj.conf 4 | +++ b/samples/bluetooth/peripheral_dis/prj.conf 5 | 
@@ -24,3 +24,10 @@ CONFIG_SETTINGS_NONE=y 6 | 7 | CONFIG_BT_GATT_DIS_SETTINGS=y 8 | CONFIG_BT_GATT_DIS_STR_MAX=21 9 | + 10 | +# Fuzzware: Host-only build 11 | +CONFIG_BT_CTLR=n 12 | +CONFIG_BT_HCI=y 13 | +CONFIG_NET_CONFIG_INIT_TIMEOUT=-1 14 | + 15 | +CONFIG_BT_UART_ON_DEV_NAME="UART_0" 16 | \ No newline at end of file 17 | -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/building/patches/fix-CVE-2020-10065.patch: -------------------------------------------------------------------------------- 1 | diff --git a/drivers/bluetooth/hci/spi.c b/drivers/bluetooth/hci/spi.c 2 | index 600961462b..9d0614117e 100644 3 | --- a/drivers/bluetooth/hci/spi.c 4 | +++ b/drivers/bluetooth/hci/spi.c 5 | @@ -310,6 +310,8 @@ static void bt_spi_rx_thread(void) 6 | u8_t header_slave[5]; 7 | struct bt_hci_acl_hdr acl_hdr; 8 | u8_t size = 0U; 9 | + int size_available; 10 | + int size_requested; 11 | int ret; 12 | 13 | (void)memset(&txmsg, 0xFF, SPI_MAX_MSG_LEN); 14 | 
@@ -370,15 +372,20 @@ static void bt_spi_rx_thread(void) 15 | break; 16 | } 17 | 18 | + size_available = net_buf_tailroom(buf); 19 | + size_requested = rxmsg[EVT_HEADER_SIZE] + 2; 20 | net_buf_add_mem(buf, &rxmsg[1], 21 | - rxmsg[EVT_HEADER_SIZE] + 2); 22 | + MIN(size_available, size_requested)); 23 | break; 24 | case HCI_ACL: 25 | buf = bt_buf_get_rx(BT_BUF_ACL_IN, K_FOREVER); 26 | memcpy(&acl_hdr, &rxmsg[1], sizeof(acl_hdr)); 27 | net_buf_add_mem(buf, &acl_hdr, sizeof(acl_hdr)); 28 | + 29 | + size_available = net_buf_tailroom(buf); 30 | + size_requested = sys_le16_to_cpu(acl_hdr.len); 31 | net_buf_add_mem(buf, &rxmsg[5], 32 | - sys_le16_to_cpu(acl_hdr.len)); 33 | + MIN(size_available, size_requested)); 34 | break; 35 | default: 36 | BT_ERR("Unknown BT buf type %d", rxmsg[0]); 37 | -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/building/patches/fix-CVE-2021-3323.patch: -------------------------------------------------------------------------------- 1 | diff --git a/subsys/net/ip/6lo.c b/subsys/net/ip/6lo.c 2 | index 736cf05839..f870abf4fc 100644 3 | --- a/subsys/net/ip/6lo.c 4 | +++ b/subsys/net/ip/6lo.c 5 | 
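Review bot: Clamping with `MIN(size_available, size_requested)` stops the write past the buffer but hands a truncated event or ACL buffer to the host stack while the header it just copied still announces the original length, so the inconsistency is moved downstream rather than removed. Dropping the message is the more conservative shape, `if (size_requested > size_available) { BT_ERR("Dropping oversized BT msg"); net_buf_unref(buf); break; }` before each `net_buf_add_mem`, and the same applies to the `HCI_ACL` case below. Whether truncation is acceptable for the fuzzing harness is a judgement call, but the choice deserves a comment either way. bt_spi_rx_thread begins outside the hunk.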
@@ -1348,6 +1348,13 @@ static bool uncompress_IPHC_header(struct net_pkt *pkt) 6 | nhc_inline_size; 7 | } 8 | 9 | + // Note that this has also been patched here: https://github.com/zephyrproject-rtos/zephyr/pull/31971 10 | + /* Proposed fix: Make sure the buffer holds the full compressed header */ 11 | + if (compressed_hdr_size > pkt->buffer->len) { 12 | + NET_ERR("Too small packet to hold compressed IPHC header"); 13 | + return false; 14 | + } 15 | + 16 | if (net_buf_tailroom(pkt->buffer) >= diff) { 17 | NET_DBG("Enough tailroom. Uncompress inplace"); 18 | frag = pkt->buffer; 19 | -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/building/patches/ieee802154_reass_timeout.patch: -------------------------------------------------------------------------------- 1 | diff --git a/subsys/net/l2/ieee802154/ieee802154_fragment.c b/subsys/net/l2/ieee802154/ieee802154_fragment.c 2 | index 5a16f9b185..d811396369 100644 3 | --- a/subsys/net/l2/ieee802154/ieee802154_fragment.c 4 | +++ b/subsys/net/l2/ieee802154/ieee802154_fragment.c 5 | @@ -319,8 +319,9 @@ static inline struct frag_cache *set_reass_cache(struct net_pkt *pkt, 6 | cache[i].tag = tag; 7 | cache[i].used = true; 8 | 9 | - k_delayed_work_init(&cache[i].timer, reass_timeout); 10 | - k_delayed_work_submit(&cache[i].timer, FRAG_REASSEMBLY_TIMEOUT); 11 | + // Fuzzware: make reass cache not expire 12 | + // k_delayed_work_init(&cache[i].timer, reass_timeout); 13 | + // k_delayed_work_submit(&cache[i].timer, FRAG_REASSEMBLY_TIMEOUT); 14 | return &cache[i]; 15 | } 16 | 17 | -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/building/patches/ieee802154_rf2xx_size_check.patch: -------------------------------------------------------------------------------- 1 | diff --git a/drivers/ieee802154/ieee802154_rf2xx.c b/drivers/ieee802154/ieee802154_rf2xx.c 2 | index b697a1024d..f8058d4a3d 100644 3 | 
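Review bot: The new check compares `compressed_hdr_size` against `pkt->buffer->len`, i.e. only the first net_buf fragment; if a compressed IPHC header can legitimately straddle fragments, which the hunk does not show either way, a valid packet would now be dropped, so the comparison target should be confirmed against how the header bytes are read further down. The `//` line carrying the upstream PR link sits in a file that otherwise uses `/* */` comments; folding it into the existing block comment keeps the style consistent, e.g. `/* Make sure the buffer holds the full compressed header (see zephyr PR 31971) */`. uncompress_IPHC_header begins outside the hunk.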
--- a/drivers/ieee802154/ieee802154_rf2xx.c 4 | +++ b/drivers/ieee802154/ieee802154_rf2xx.c 5 | @@ -203,6 +203,12 @@ static void rf2xx_trx_rx(const struct device *dev) 6 | return; 7 | } 8 | 9 | + // Fuzzware: introduce omitted length check to avoid BOF 10 | + if (pkt_len + RX2XX_FRAME_HEADER_SIZE + RX2XX_FRAME_FOOTER_SIZE > RX2XX_MAX_FRAME_SIZE) { 11 | + pkt_len = RX2XX_MAX_FRAME_SIZE - RX2XX_FRAME_HEADER_SIZE - 12 | + RX2XX_FRAME_FOOTER_SIZE; 13 | + } 14 | + 15 | frame_len = RX2XX_FRAME_HEADER_SIZE + pkt_len + 16 | RX2XX_FRAME_FOOTER_SIZE; 17 | 18 | -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/building/patches/spi_sam_flat_read.patch: -------------------------------------------------------------------------------- 1 | diff --git a/drivers/spi/spi_sam.c b/drivers/spi/spi_sam.c 2 | index 30c46ef77a..27ea8c2ff3 100644 3 | --- a/drivers/spi/spi_sam.c 4 | +++ b/drivers/spi/spi_sam.c 5 | 
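Review bot: The added check clamps `pkt_len` instead of rejecting the frame, so an over-long length byte from the transceiver now yields a frame whose payload is silently cut short rather than a dropped frame; the `return;` two lines above shows an early return is available here, and `return;` inside the new `if` (with the comment reworded to say the over-long frame is dropped) would be the more conservative choice. Either way, the comment `introduce omitted length check to avoid BOF` should state which bound is enforced, namely that header, payload and footer must fit in `RX2XX_MAX_FRAME_SIZE`. rf2xx_trx_rx begins outside the hunk.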
@@ -373,25 +373,20 @@ static int spi_sam_transceive(const struct device *dev, 6 | goto done; 7 | } 8 | 9 | - spi_context_cs_control(&data->ctx, true); 10 | + for(int i = 0; i < rx_bufs->count; ++i) { 11 | + struct spi_buf *rx_buf = &rx_bufs->buffers[i]; 12 | 13 | - /* This driver special cases the common send only, receive 14 | - * only, and transmit then receive operations. This special 15 | - * casing is 4x faster than the spi_context() routines 16 | - * and allows the transmit and receive to be interleaved. 17 | - */ 18 | - if (spi_sam_is_regular(tx_bufs, rx_bufs)) { 19 | - spi_sam_fast_transceive(dev, config, tx_bufs, rx_bufs); 20 | - } else { 21 | - spi_context_buffers_setup(&data->ctx, tx_bufs, rx_bufs, 1); 22 | + // Need to skip bytes if rx_buf is null, ignoring 23 | + if(rx_buf == NULL) { 24 | + continue; 25 | + } 26 | 27 | - do { 28 | - spi_sam_shift_master(regs, data); 29 | - } while (spi_sam_transfer_ongoing(data)); 30 | + // Read full buffer length 31 | + for (int j = 0; j < rx_buf->len; ++j) { 32 | + ((uint8_t *)rx_buf->buf)[j] = regs->SPI_RDR; 33 | + } 34 | } 35 | 36 | - spi_context_cs_control(&data->ctx, false); 37 | - 38 | done: 39 | spi_context_release(&data->ctx, err); 40 | return err; 41 | -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/building/patches/wdt_sam_watchdog_callback_check.patch: -------------------------------------------------------------------------------- 1 | diff --git a/drivers/watchdog/wdt_sam.c b/drivers/watchdog/wdt_sam.c 2 | index 44866ee3f2..bb469a0b53 100644 3 | --- a/drivers/watchdog/wdt_sam.c 4 | +++ b/drivers/watchdog/wdt_sam.c 5 | 
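Review bot: The skip test `if(rx_buf == NULL)` can never be true, because `rx_buf` is the address of `rx_bufs->buffers[i]`; the spi_buf convention marks a region to skip with a NULL `buf`, so the test should be `if(rx_buf->buf == NULL)` — as written, a skip entry dereferences NULL in the inner loop. The loop also assumes `rx_bufs` itself is non-NULL, whereas the removed `spi_sam_is_regular(tx_bufs, rx_bufs)` path handled transmit-only calls; a guard `if(rx_bufs == NULL) { goto done; }` before the loop covers that. The new path drops the `spi_context_cs_control` calls and reads `SPI_RDR` without waiting on any status flag, which is presumably intended for the emulator only and is worth saying in the comment, e.g. `// Fuzzware: flat read for emulation, no RDRF polling or CS handling`. spi_sam_transceive begins outside the hunk.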
@@ -55,7 +55,10 @@ static void wdt_sam_isr(const struct device *dev) 6 | /* Clear status bit to acknowledge interrupt by dummy read. */ 7 | wdt_sr = wdt->WDT_SR; 8 | 9 | - data->cb(dev, 0); 10 | + // Fuzzware: only invoke callback if it is set 11 | + if(data->cb) { 12 | + data->cb(dev, 0); 13 | + } 14 | } 15 | 16 | /** 17 | 18 | -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/building/run_in_zephyr_docker.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | # This build env is known to allow builds of zephyr version 2.2.0 and 2.4.0 samples 5 | ZEPHYR_DOCKER_VERSION=0.13.1 6 | 7 | docker run -ti --user="user" -v "$(realpath $DIR/..)":/workdir --workdir=/workdir docker.io/zephyrprojectrtos/zephyr-build:v$ZEPHYR_DOCKER_VERSION $@ -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2020-10064/POC/crashing_input: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2020-10064/POC/crashing_input -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2020-10064/POC/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | fuzzware -h > /dev/null || { 5 | echo "fuzzware not found (workon fuzzware?)" 6 | exit 1 7 | } 8 | 9 | fuzzware emu -c $DIR/config.yml -v -t -M $DIR/crashing_input $@ -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2020-10064/zephyr-CVE-2020-10064.bin: 
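Review bot: The new NULL check is the right guard, but the comment on the added lines uses `//` while the surrounding driver code (the `/* Clear status bit ... */` line just above) follows Zephyr's `/* */` comment style; `/* Fuzzware: only invoke callback if it is set */` keeps the file consistent. It would also help to say why the ISR can fire with no callback installed, since the README for the watchdog false positive on this page attributes it to the interrupt being enabled in the NVIC before the peripheral is configured. The same `//` comment style appears in the rf2xx and spi_sam patches above.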
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2020-10064/zephyr-CVE-2020-10064.bin -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2020-10064/zephyr-CVE-2020-10064.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2020-10064/zephyr-CVE-2020-10064.elf -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2020-10065/POC/crashing_input: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2020-10065/POC/crashing_input -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2020-10065/POC/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | fuzzware -h > /dev/null || { 5 | echo "fuzzware not found (workon fuzzware?)" 6 | exit 1 7 | } 8 | 9 | fuzzware emu -c $DIR/config.yml -v -t -M $DIR/crashing_input $@ -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2020-10065/zephyr-CVE-2020-10065.bin: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2020-10065/zephyr-CVE-2020-10065.bin -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2020-10065/zephyr-CVE-2020-10065.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2020-10065/zephyr-CVE-2020-10065.elf -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2020-10066/POC/README.md: -------------------------------------------------------------------------------- 1 | # Analyzing the Crash 2 | The crash occurs in hci_cmd_done at pc=0x080025b8, after an error case in `bt_send`, NULL is passed to `hci_cmd_done` within `hci_tx_thread`. 3 | 4 | > **Note** 5 | > To replay the inputs in this directory, you may need to use the initial version of `fuzzware-emulator` and rebuild fuzzware. For instructions, see [here](https://github.com/fuzzware-fuzzer/fuzzware-experiments/tree/main/04-crash-analysis). 6 | 7 | ## Interactive Bug Triaging with known Bug 8 | To interactively see this, set a breakpoint on function `hci_cmd_done` (address 0x80025B4) and observe the value of `buf`, which is passed to the function as the second argument (one argument is eliminated during inlining by the compiler), i.e., in register `r1`. 9 | 10 | ``` 11 | ./run.sh -b 0x80025B4 12 | ``` 13 | 14 | Here we are looking for a NULL value of `buf`. 
15 | 16 | 17 | 18 | When hitting the function for the first time, we see: 19 | ``` 20 | ipdb> uc.regs.r1 21 | 0x0 22 | ``` 23 | 24 | As indicated in the more detailed bug report, this stems from a wrongly handled error case in bluetooth HCI. 25 | -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2020-10066/POC/crashing_input: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2020-10066/POC/crashing_input -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2020-10066/POC/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | fuzzware -h > /dev/null || { 5 | echo "fuzzware not found (workon fuzzware?)" 6 | exit 1 7 | } 8 | 9 | fuzzware emu -c $DIR/config.yml -v -t -M $DIR/crashing_input $@ -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2020-10066/zephyr-CVE-2020-10066.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2020-10066/zephyr-CVE-2020-10066.bin -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2020-10066/zephyr-CVE-2020-10066.elf: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2020-10066/zephyr-CVE-2020-10066.elf -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2021-3319/POC/crashing_input: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2021-3319/POC/crashing_input -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2021-3319/POC/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | fuzzware -h > /dev/null || { 5 | echo "fuzzware not found (workon fuzzware?)" 6 | exit 1 7 | } 8 | 9 | fuzzware emu -c $DIR/config.yml -v -t -M $DIR/crashing_input $@ -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2021-3319/zephyr-CVE-2021-3319.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2021-3319/zephyr-CVE-2021-3319.bin -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2021-3319/zephyr-CVE-2021-3319.elf: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2021-3319/zephyr-CVE-2021-3319.elf -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2021-3320/POC/crashing_input: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2021-3320/POC/crashing_input -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2021-3320/POC/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | fuzzware -h > /dev/null || { 5 | echo "fuzzware not found (workon fuzzware?)" 6 | exit 1 7 | } 8 | 9 | fuzzware emu -c $DIR/config.yml -v -t -M $DIR/crashing_input $@ -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2021-3320/zephyr-CVE-2021-3320.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2021-3320/zephyr-CVE-2021-3320.bin -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2021-3320/zephyr-CVE-2021-3320.elf: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2021-3320/zephyr-CVE-2021-3320.elf -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2021-3321/POC/README.md: -------------------------------------------------------------------------------- 1 | # Analyzing the Crash 2 | The crash occurs in next_timeout at pc=0x0040aff4, while operating on a corrupted timer list in the global data section due to an out-of-bounds memmove that results from an integer underflow in header uncompression. 3 | 4 | > **Note** 5 | > To replay the inputs in this directory, you may need to use the initial version of `fuzzware-emulator` and rebuild fuzzware. For instructions, see [here](https://github.com/fuzzware-fuzzer/fuzzware-experiments/tree/main/04-crash-analysis). 6 | 7 | ## Interactive Bug Triaging with known Bug 8 | To interactively see this, set a breakpoint on `memmove` and observe the value of the size argument (third argument, `r2`). 9 | 10 | ``` 11 | ./run.sh -b memmove 12 | ``` 13 | 14 | Here we are looking for an underflowed, large value in `r2`: 15 | 16 | ``` 17 | 18 | ipdb> uc.regs.r2 19 | 0x1 20 | ipdb> c 21 | ... 22 | ipdb> uc.regs.r2 23 | 0xfffffffd 24 | ``` 25 | 26 | As described in more detail in the bug report, this out-of-bounds memmove operation is caused by an underflow of a packet size due to a source buffer that is too small. 
27 | -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2021-3321/POC/crashing_input: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2021-3321/POC/crashing_input -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2021-3321/POC/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | fuzzware -h > /dev/null || { 5 | echo "fuzzware not found (workon fuzzware?)" 6 | exit 1 7 | } 8 | 9 | fuzzware emu -c $DIR/config.yml -v -t -M $DIR/crashing_input $@ -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2021-3321/zephyr-CVE-2021-3321.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2021-3321/zephyr-CVE-2021-3321.bin -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2021-3321/zephyr-CVE-2021-3321.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2021-3321/zephyr-CVE-2021-3321.elf -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2021-3322/POC/crashing_input: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2021-3322/POC/crashing_input -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2021-3322/POC/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | fuzzware -h > /dev/null || { 5 | echo "fuzzware not found (workon fuzzware?)" 6 | exit 1 7 | } 8 | 9 | fuzzware emu -c $DIR/config.yml -v -t -M $DIR/crashing_input $@ -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2021-3322/zephyr-CVE-2021-3322.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2021-3322/zephyr-CVE-2021-3322.bin -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2021-3322/zephyr-CVE-2021-3322.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2021-3322/zephyr-CVE-2021-3322.elf -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2021-3323/POC/README.md: -------------------------------------------------------------------------------- 1 | # Analyzing the Crash 2 | The crash occurs in calc_chksum at pc=0x0040dabe, while calculating a 
checksum with an assumed large size due to an underflowed size field. 3 | 4 | > **Note** 5 | > To replay the inputs in this directory, you may need to use the initial version of `fuzzware-emulator` and rebuild fuzzware. For instructions, see [here](https://github.com/fuzzware-fuzzer/fuzzware-experiments/tree/main/04-crash-analysis). 6 | 7 | ## Interactive Bug Triaging with known Bug 8 | To interactively see this, set a breakpoint on function `calc_chksum` and observe the value of `len`, which is passed to the function as the third argument, i.e., in register `r2`. 9 | 10 | ``` 11 | fuzzware emu -b calc_chksum crashing_input 12 | ``` 13 | 14 | Here we are looking for a large `len` value > `0xff00`. 15 | 16 | After continuing 43 times (the function is hit a large number of times), we see: 17 | ``` 18 | ipdb> c 19 | ... 20 | ipdb> uc.regs.r2 21 | 0xfff8 22 | ``` 23 | 24 | As indicated in the more detailed bug report, this integer underflow occurs during IPHC header compression, as the source size of the compressed header is not properly validated. 
25 | -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2021-3323/POC/crashing_input: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2021-3323/POC/crashing_input -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2021-3323/POC/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | fuzzware -h > /dev/null || { 5 | echo "fuzzware not found (workon fuzzware?)" 6 | exit 1 7 | } 8 | 9 | fuzzware emu -c $DIR/config.yml -v -t -M $DIR/crashing_input $@ -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2021-3323/zephyr-CVE-2021-3323.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2021-3323/zephyr-CVE-2021-3323.bin -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2021-3323/zephyr-CVE-2021-3323.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2021-3323/zephyr-CVE-2021-3323.elf -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2021-3329/POC/crashing_input: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2021-3329/POC/crashing_input -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2021-3329/POC/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | fuzzware -h > /dev/null || { 5 | echo "fuzzware not found (workon fuzzware?)" 6 | exit 1 7 | } 8 | 9 | fuzzware emu -v $DIR/crashing_input $@ -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2021-3329/zephyr-CVE-2021-3329.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2021-3329/zephyr-CVE-2021-3329.bin -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2021-3329/zephyr-CVE-2021-3329.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2021-3329/zephyr-CVE-2021-3329.elf -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2021-3330/POC/crashing_input: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2021-3330/POC/crashing_input -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2021-3330/POC/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | fuzzware -h > /dev/null || { 5 | echo "fuzzware not found (workon fuzzware?)" 6 | exit 1 7 | } 8 | 9 | fuzzware emu -c $DIR/config.yml -v -t -M $DIR/crashing_input $@ -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2021-3330/zephyr-CVE-2021-3330.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2021-3330/zephyr-CVE-2021-3330.bin -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2021-3330/zephyr-CVE-2021-3330.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2021-3330/zephyr-CVE-2021-3330.elf -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-no-CVE-false-positive-rf-size-check/POC/README.md: -------------------------------------------------------------------------------- 1 | # Crash Analysis 2 | The crash occurs due to an omitted size check while receiving rf frames. 
3 | 4 | > **Note** 5 | > To replay the inputs in this directory, you may need to use the initial version of `fuzzware-emulator` and rebuild fuzzware. For instructions, see [here](https://github.com/fuzzware-fuzzer/fuzzware-experiments/tree/main/04-crash-analysis). 6 | 7 | This is a false positive, rather than a security issue. The reason for this is that firmware logic relies on the fact that the size of a radio frame which is received from hardware will never exceed a maximum of 127. Firmware will read a value from hardware input which it trusts to be in bounds. Thus, firmware omits checking the size itself. 8 | 9 | For fuzzing, we applied a [ieee802154_rf2xx_size_check.patch](../../../building/patches/ieee802154_rf2xx_size_check.patch) which introduces such a check and restricts the size of the received frame to the expected limit if necessary. 10 | -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-no-CVE-false-positive-rf-size-check/POC/crashing_input: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-no-CVE-false-positive-rf-size-check/POC/crashing_input -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-no-CVE-false-positive-rf-size-check/POC/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | fuzzware -h > /dev/null || { 5 | echo "fuzzware not found (workon fuzzware?)" 6 | exit 1 7 | } 8 | 9 | fuzzware emu -c $DIR/config.yml -v -t -M $DIR/crashing_input $@ -------------------------------------------------------------------------------- 
/03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-no-CVE-false-positive-rf-size-check/zephyr-CVE-no-CVE-false-positive-rf-size-check.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-no-CVE-false-positive-rf-size-check/zephyr-CVE-no-CVE-false-positive-rf-size-check.bin -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-no-CVE-false-positive-rf-size-check/zephyr-CVE-no-CVE-false-positive-rf-size-check.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-no-CVE-false-positive-rf-size-check/zephyr-CVE-no-CVE-false-positive-rf-size-check.elf -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-no-CVE-false-positive-watchdog-callback/POC/README.md: -------------------------------------------------------------------------------- 1 | # Crash Analysis 2 | The crash occurs due to a missing NULL pointer check on the watchdog callback. 3 | 4 | > **Note** 5 | > To replay the inputs in this directory, you may need to use the initial version of `fuzzware-emulator` and rebuild fuzzware. For instructions, see [here](https://github.com/fuzzware-fuzzer/fuzzware-experiments/tree/main/04-crash-analysis). 6 | 7 | This is a false positive, rather than a security issue. The reason for this is that firmware logic relies on the fact that a watchdog interrupt will never be raised if it is not configured via the peripheral itself, even though the interrupt is enabled in the NVIC. 
8 | 9 | For fuzzing, we have multiple options to address this: 10 | 1. Disable the watchdog interrupt via configuration in `config.yml` 11 | 2. Patch the firmware to perform a NULL pointer check. This check has been implemented in the patch [wdt_sam_watchdog_callback_check.patch](../../../building/patches/wdt_sam_watchdog_callback_check.patch). 12 | -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-no-CVE-false-positive-watchdog-callback/POC/crashing_input: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-no-CVE-false-positive-watchdog-callback/POC/crashing_input -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-no-CVE-false-positive-watchdog-callback/POC/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | fuzzware -h > /dev/null || { 5 | echo "fuzzware not found (workon fuzzware?)" 6 | exit 1 7 | } 8 | 9 | fuzzware emu -c $DIR/config.yml -v -t -M $DIR/crashing_input $@ -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-no-CVE-false-positive-watchdog-callback/zephyr-CVE-no-CVE-false-positive-watchdog-callback.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-no-CVE-false-positive-watchdog-callback/zephyr-CVE-no-CVE-false-positive-watchdog-callback.bin 
-------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-no-CVE-false-positive-watchdog-callback/zephyr-CVE-no-CVE-false-positive-watchdog-callback.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-no-CVE-false-positive-watchdog-callback/zephyr-CVE-no-CVE-false-positive-watchdog-callback.elf -------------------------------------------------------------------------------- /03-fuzzing-new-targets/zephyr-os/rebuild_targets.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | set -e 5 | 6 | # Compile targets in docker environment 7 | for build_file in "$DIR/building"/build_sample_*.sh; do 8 | $DIR/building/run_in_zephyr_docker.sh /workdir/building/$(basename $build_file) 9 | done 10 | 11 | echo "Trying to configure targets in current environment" 12 | echo "In case you have no local fuzzware installation, run" 13 | echo "$DIR/building/gen_target_configs.sh manually." 
14 | $DIR/building/gen_target_configs.sh 15 | 16 | echo "rebuilt targets are located at $NEWLY_BUILT_DIR" -------------------------------------------------------------------------------- /04-crash-analysis/01/crashing_input: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/04-crash-analysis/01/crashing_input -------------------------------------------------------------------------------- /04-crash-analysis/01/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | fuzzware -h > /dev/null || { 5 | echo "fuzzware not found (workon fuzzware?)" 6 | exit 1 7 | } 8 | 9 | fuzzware emu -v -t -M $DIR/crashing_input $@ -------------------------------------------------------------------------------- /04-crash-analysis/02/crashing_input: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/04-crash-analysis/02/crashing_input -------------------------------------------------------------------------------- /04-crash-analysis/02/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | fuzzware -h > /dev/null || { 5 | echo "fuzzware not found (workon fuzzware?)" 6 | exit 1 7 | } 8 | 9 | fuzzware emu -v -t -M $DIR/crashing_input $@ -------------------------------------------------------------------------------- /04-crash-analysis/03/crashing_input: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/04-crash-analysis/03/crashing_input 
-------------------------------------------------------------------------------- /04-crash-analysis/03/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | fuzzware -h > /dev/null || { 5 | echo "fuzzware not found (workon fuzzware?)" 6 | exit 1 7 | } 8 | 9 | fuzzware emu -v -t -M $DIR/crashing_input $@ -------------------------------------------------------------------------------- /04-crash-analysis/04/crashing_input: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/04-crash-analysis/04/crashing_input -------------------------------------------------------------------------------- /04-crash-analysis/04/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | fuzzware -h > /dev/null || { 5 | echo "fuzzware not found (workon fuzzware?)" 6 | exit 1 7 | } 8 | 9 | fuzzware emu -v -t -M $DIR/crashing_input $@ -------------------------------------------------------------------------------- /04-crash-analysis/05/crashing_input: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/04-crash-analysis/05/crashing_input -------------------------------------------------------------------------------- /04-crash-analysis/05/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | fuzzware -h > /dev/null || { 5 | echo "fuzzware not found (workon fuzzware?)" 6 | exit 1 7 | } 8 | 9 | fuzzware emu -v -t -M $DIR/crashing_input $@ -------------------------------------------------------------------------------- 
/04-crash-analysis/06/crashing_input: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/04-crash-analysis/06/crashing_input -------------------------------------------------------------------------------- /04-crash-analysis/06/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | fuzzware -h > /dev/null || { 5 | echo "fuzzware not found (workon fuzzware?)" 6 | exit 1 7 | } 8 | 9 | fuzzware emu -v -t -M $DIR/crashing_input $@ -------------------------------------------------------------------------------- /04-crash-analysis/07/crashing_input: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/04-crash-analysis/07/crashing_input -------------------------------------------------------------------------------- /04-crash-analysis/07/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | fuzzware -h > /dev/null || { 5 | echo "fuzzware not found (workon fuzzware?)" 6 | exit 1 7 | } 8 | 9 | fuzzware emu -v -t -M $DIR/crashing_input $@ -------------------------------------------------------------------------------- /04-crash-analysis/08/crashing_input: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/04-crash-analysis/08/crashing_input -------------------------------------------------------------------------------- /04-crash-analysis/08/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 
DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | fuzzware -h > /dev/null || { 5 | echo "fuzzware not found (workon fuzzware?)" 6 | exit 1 7 | } 8 | 9 | fuzzware emu -v -t -M $DIR/crashing_input $@ -------------------------------------------------------------------------------- /04-crash-analysis/09/crashing_input: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/04-crash-analysis/09/crashing_input -------------------------------------------------------------------------------- /04-crash-analysis/09/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | fuzzware -h > /dev/null || { 5 | echo "fuzzware not found (workon fuzzware?)" 6 | exit 1 7 | } 8 | 9 | fuzzware emu -v -t -M $DIR/crashing_input $@ -------------------------------------------------------------------------------- /04-crash-analysis/10/crashing_input: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/04-crash-analysis/10/crashing_input -------------------------------------------------------------------------------- /04-crash-analysis/10/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | fuzzware -h > /dev/null || { 5 | echo "fuzzware not found (workon fuzzware?)" 6 | exit 1 7 | } 8 | 9 | fuzzware emu -v -t -M $DIR/crashing_input $@ -------------------------------------------------------------------------------- /04-crash-analysis/11/README.md: -------------------------------------------------------------------------------- 1 | # CNC 2 | The crash occurs as `printFloat` considers, but does not bounds check the decimal 
precision (`settings.decimal_places`), leading to out-of-bounds writes on the stack. 3 | 4 | User input is used in function `settings_store_global_setting` (which is called from `protocol_execute_line`) to set `settings.decimal_places` without bounds checks. 5 | 6 | In the given POC, the following write causes `settings.decimal_places` to be set to a large value (`0x50 == 80`) 7 | ``` 8 | Basic Block: addr= 0x0000000008004f84 (lr=0x8004f85) 9 | >>> Read: addr= 0x0000000008005150 size=4 data=0x20000ebc (pc 0x08004f88) 10 | >>> Write: addr= 0x0000000020000ef9 size=1 data=0x00000050 (pc 0x08004f8a) 11 | ``` 12 | 13 | Later, the setting is used in `printFloat` and corrupts stack memory: 14 | ``` 15 | Basic Block: addr= 0x000000000800392c (lr=0x800392d) 16 | >>> Write: addr= 0x2001ff97[SP:-0018] size=4 data=0x00000000 (pc 0x0800392e) 17 | >>> Read: addr= 0x0000000008003a04 size=4 data=0x20000ebc (pc 0x08003930) 18 | >>> Read: addr= 0x0000000020000ef9 size=1 data=0x00000050 (pc 0x08003932) 19 | >>> Write: addr= 0x2001ffdb[SP:-005c] size=1 data=0x0000002e (pc 0x0800393e) 20 | ``` -------------------------------------------------------------------------------- /04-crash-analysis/11/crashing_input: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/04-crash-analysis/11/crashing_input -------------------------------------------------------------------------------- /04-crash-analysis/11/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | fuzzware -h > /dev/null || { 5 | echo "fuzzware not found (workon fuzzware?)" 6 | exit 1 7 | } 8 | 9 | fuzzware emu -v -t -M $DIR/crashing_input $@ -------------------------------------------------------------------------------- /04-crash-analysis/12/README.md: 
-------------------------------------------------------------------------------- 1 | # P2IM Gateway 2 | In the method `setPinState` of `FirmataClass`, the range for the `pin` argument is not checked. 3 | This can lead to an out of bounds write in the data section. 4 | In the given input one of the elements in `uart_handlers` is overwirtten. 5 | Later this value is passed to the function `HAL_UART_GetState`, resulting in a crash. 6 | -------------------------------------------------------------------------------- /04-crash-analysis/12/crashing_input: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/04-crash-analysis/12/crashing_input -------------------------------------------------------------------------------- /04-crash-analysis/12/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | fuzzware -h > /dev/null || { 5 | echo "fuzzware not found (workon fuzzware?)" 6 | exit 1 7 | } 8 | 9 | fuzzware emu -v -t -M $DIR/crashing_input $@ -------------------------------------------------------------------------------- /04-crash-analysis/13/README.md: -------------------------------------------------------------------------------- 1 | # P2IM Heat Press 2 | In the method `get_FC3` from `Modbus`, the bounds check is performed with user controlled data. 3 | This allows an attacker to overwrite data following the `au16regs`. 4 | ```C 5 | void Modbus::get_FC3() 6 | { 7 | uint8_t u8byte, i; 8 | u8byte = 3; 9 | 10 | for (i=0; i< au8Buffer[ 2 ] /2; i++) 11 | { 12 | au16regs[ i ] = word( 13 | au8Buffer[ u8byte ], 14 | au8Buffer[ u8byte +1 ]); 15 | u8byte += 2; 16 | } 17 | } 18 | ``` 19 | 20 | In the provided input the `port` field of the modbus struct is overwritten, resulting in a crash while loading the pointer. 
For an attacker it would be possible to set the pointer to a location with controlled data, thus gaining arbitrary control over the instruction pointer.
3 | This allows an attacker to overwrite data following the `au8Buffer`. 4 | ```C 5 | int8_t Modbus::process_FC3( uint16_t *regs, uint8_t u8size ) 6 | { 7 | 8 | uint8_t u8StartAdd = word( au8Buffer[ ADD_HI ], au8Buffer[ ADD_LO ] ); 9 | uint8_t u8regsno = word( au8Buffer[ NB_HI ], au8Buffer[ NB_LO ] ); 10 | uint8_t u8CopyBufferSize; 11 | uint8_t i; 12 | 13 | au8Buffer[ 2 ] = u8regsno * 2; 14 | u8BufferSize = 3; 15 | 16 | for (i = u8StartAdd; i < u8StartAdd + u8regsno; i++) 17 | { 18 | au8Buffer[ u8BufferSize ] = highByte(regs[i]); 19 | u8BufferSize++; 20 | au8Buffer[ u8BufferSize ] = lowByte(regs[i]); 21 | u8BufferSize++; 22 | } 23 | u8CopyBufferSize = u8BufferSize +2; 24 | sendTxBuffer(); 25 | 26 | return u8CopyBufferSize; 27 | } 28 | ``` 29 | 30 | In the provided input the `rx_callback` array from the UART subsystem is overwritten, resulting in a crash while branching to the corrupted address. 31 | For an attacker it would be possible to set the pointer to any value and thus allows arbitrary control over the instruction pointer. 
32 | -------------------------------------------------------------------------------- /04-crash-analysis/15/crashing_input: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/04-crash-analysis/15/crashing_input -------------------------------------------------------------------------------- /04-crash-analysis/15/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | fuzzware -h > /dev/null || { 5 | echo "fuzzware not found (workon fuzzware?)" 6 | exit 1 7 | } 8 | 9 | fuzzware emu -v -t -M $DIR/crashing_input $@ -------------------------------------------------------------------------------- /04-crash-analysis/16/crashing_input: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/04-crash-analysis/16/crashing_input -------------------------------------------------------------------------------- /04-crash-analysis/16/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | fuzzware -h > /dev/null || { 5 | echo "fuzzware not found (workon fuzzware?)" 6 | exit 1 7 | } 8 | 9 | fuzzware emu -v -t -M $DIR/crashing_input $@ -------------------------------------------------------------------------------- /04-crash-analysis/17/crashing_input: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/04-crash-analysis/17/crashing_input -------------------------------------------------------------------------------- /04-crash-analysis/17/crashing_input_buggy_emu: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/04-crash-analysis/17/crashing_input_buggy_emu -------------------------------------------------------------------------------- /04-crash-analysis/17/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | fuzzware -h > /dev/null || { 5 | echo "fuzzware not found (workon fuzzware?)" 6 | exit 1 7 | } 8 | 9 | fuzzware emu -v -t -M $DIR/crashing_input $@ -------------------------------------------------------------------------------- /04-crash-analysis/18/README.md: -------------------------------------------------------------------------------- 1 | While executing a CNC program, the firmware improperly validates the input program. 2 | 3 | In `planner_recalculate->planner_recalculate_trapezoids`, `calculate_trapezoid_for_block` is called multiple times in a loop, based on the input program. 4 | 5 | The situation is not checked where `block_buffer_tail == block_buffer_head`, where `block_buffer_head` is set in `mc_line->plan_buffer_line`. 6 | 7 | This leads to a NULL pointer deref while accessing `next->entry_speed`, causing a crash in the firmware. 
-------------------------------------------------------------------------------- /04-crash-analysis/18/crashing_input: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/04-crash-analysis/18/crashing_input -------------------------------------------------------------------------------- /04-crash-analysis/18/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | fuzzware -h > /dev/null || { 5 | echo "fuzzware not found (workon fuzzware?)" 6 | exit 1 7 | } 8 | 9 | fuzzware emu -v -t -M $DIR/crashing_input $@ -------------------------------------------------------------------------------- /04-crash-analysis/19/README.md: -------------------------------------------------------------------------------- 1 | # P2IM Soldering Iron 2 | This bug takes several steps to occur: 3 | 1. The function `HAL_I2C_Mem_Read` assigns a stack based buffer, from a function higher on the call stack, to the member `pBuffPtr` of the global I2C object. This reference is invalid once the function containing the buffer returns. 4 | 2. In another interrupt the function `MMA8652FC::getAxisReadings` calls, which then calls `FRToSI2C::Mem_Read`. It passes a stack based temporary buffer and the length of this buffer. Because in total six arguments are passed, the last two are stored on the stack, one of which is buffer length. 5 | 3. Inside of `FRToSI2C::Mem_Read` the hardware timer interrupt must be triggered before `HAL_I2C_Mem_Read` is called. 6 | 4. During handling of the interrupt the function `I2C_MasterReceive_BTF` is called. This function writes to `pBuffPtr` of the I2C object, which still points to the address set in step 1. But this address now contains the buffer length argument from step 2. 
The function will thus corrupt the argument and allows a buffer overflow of the stack buffer from `MMA8652FC::getAxisReadings`. 7 | 5. The return address from `MMA8652FC::getAxisReadings` is corrupted by the buffer overflow, giving an attacker arbitrary control over the instruction pointer. In the input, which was found by the fuzzer, the return address is invalid resulting in a crash. 8 | -------------------------------------------------------------------------------- /04-crash-analysis/19/crashing_input: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/04-crash-analysis/19/crashing_input -------------------------------------------------------------------------------- /04-crash-analysis/19/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | fuzzware -h > /dev/null || { 5 | echo "fuzzware not found (workon fuzzware?)" 6 | exit 1 7 | } 8 | 9 | fuzzware emu -v -t -M $DIR/crashing_input $@ -------------------------------------------------------------------------------- /04-crash-analysis/20/README.md: -------------------------------------------------------------------------------- 1 | # P2IM Robot 2 | The hardware time interrupt is enabled before the value of `I2C_Read_Reg` is initialized. 3 | If the interrupt is triggered before initialization the function `mpu6050_update` will branch to the function pointer. 4 | This results in a crash, as no memory is mapped at address zero. 
5 | -------------------------------------------------------------------------------- /04-crash-analysis/20/crashing_input: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/04-crash-analysis/20/crashing_input -------------------------------------------------------------------------------- /04-crash-analysis/20/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | fuzzware -h > /dev/null || { 5 | echo "fuzzware not found (workon fuzzware?)" 6 | exit 1 7 | } 8 | 9 | fuzzware emu -v -t -M $DIR/crashing_input $@ -------------------------------------------------------------------------------- /04-crash-analysis/21/README.md: -------------------------------------------------------------------------------- 1 | # P2IM Gateway 2 | The variable `tx_callback` can be uninitialized in the call to `HAL_UART_TxCpltCallback`. 3 | The vale is loaded and used as jump target without checking if it is null, resulting in a jump to address 0x0. 
4 | -------------------------------------------------------------------------------- /04-crash-analysis/21/config.yml: -------------------------------------------------------------------------------- 1 | interrupt_triggers: 2 | trigger: 3 | every_nth_tick: 0x3e8 4 | fuzz_mode: round_robin 5 | memory_map: 6 | irq_ret: 7 | base_addr: 0xfffff000 8 | permissions: --x 9 | size: 0x1000 10 | mmio: 11 | base_addr: 0x40000000 12 | permissions: rw- 13 | size: 0x20000000 14 | nvic: 15 | base_addr: 0xe0000000 16 | permissions: rw- 17 | size: 0x10000000 18 | ram: 19 | base_addr: 0x20000000 20 | permissions: rw- 21 | size: 0x40000 22 | text: 23 | base_addr: 0x8000000 24 | file: ../../02-comparison-with-state-of-the-art/P2IM/Gateway/Gateway.bin 25 | permissions: r-x 26 | size: 0xb000 27 | -------------------------------------------------------------------------------- /04-crash-analysis/21/crashing_input: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/04-crash-analysis/21/crashing_input -------------------------------------------------------------------------------- /04-crash-analysis/21/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | fuzzware -h > /dev/null || { 5 | echo "fuzzware not found (workon fuzzware?)" 6 | exit 1 7 | } 8 | 9 | fuzzware emu -v -t -M $DIR/crashing_input $@ -------------------------------------------------------------------------------- /04-crash-analysis/22/README.md: -------------------------------------------------------------------------------- 1 | # P2IM Gateway 2 | The variable `hi2c->pBuffPtrc` can be uninitialized in the call to `I2C_ITError`. 3 | This member is guarded by `hi2c->XferCount`, but the value is not checked before accessing the buffer pointer. 
4 | -------------------------------------------------------------------------------- /04-crash-analysis/22/crashing_input: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/04-crash-analysis/22/crashing_input -------------------------------------------------------------------------------- /04-crash-analysis/22/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | fuzzware -h > /dev/null || { 5 | echo "fuzzware not found (workon fuzzware?)" 6 | exit 1 7 | } 8 | 9 | fuzzware emu -v -t -M $DIR/crashing_input $@ -------------------------------------------------------------------------------- /04-crash-analysis/23/README.md: -------------------------------------------------------------------------------- 1 | # P2IM Gateway 2 | The function `pwm_start` uses stack-based timer object and registers it with `HAL_TIM_PWM_Init`, which saves it in the `timer_handles` array. 3 | Once `pwm_start` returns, the reference becomes invalid, but will still be called by the timer subsystem. 4 | For the given input, the value of `irqHandle` will be overwritten with 0x12. 5 | This results in a crash, once the corrupted address is called. 
6 | -------------------------------------------------------------------------------- /04-crash-analysis/23/crashing_input: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/04-crash-analysis/23/crashing_input -------------------------------------------------------------------------------- /04-crash-analysis/23/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | fuzzware -h > /dev/null || { 5 | echo "fuzzware not found (workon fuzzware?)" 6 | exit 1 7 | } 8 | 9 | fuzzware emu -v -t -M $DIR/crashing_input $@ -------------------------------------------------------------------------------- /04-crash-analysis/24/crashing_input: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/04-crash-analysis/24/crashing_input -------------------------------------------------------------------------------- /04-crash-analysis/24/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | fuzzware -h > /dev/null || { 5 | echo "fuzzware not found (workon fuzzware?)" 6 | exit 1 7 | } 8 | 9 | fuzzware emu -v -t -M $DIR/crashing_input $@ -------------------------------------------------------------------------------- /04-crash-analysis/25/README.md: -------------------------------------------------------------------------------- 1 | # P2IM PLC 2 | The cause of this crash is Uninitialized memory after `Reset_Handler` has been called. 3 | Function pointer `tx_callback` in `HAL_UART_TxCpltCallback` is 0 and will crash the device. 
4 | The callback will be set in `uart_attach_tx_callback` which is called by `HardwareSerial::write` if a check calling `serial_tx_active` returns false. 5 | Thus the _read_ callback is only set if the serial has already been written before. 6 | However an interrupt handler for receiving from UART can be triggered before the firmware had the chance to write to the uart, triggering the invalid callback. 7 | 8 | -------------------------------------------------------------------------------- /04-crash-analysis/25/config.yml: -------------------------------------------------------------------------------- 1 | interrupt_triggers: 2 | trigger: 3 | every_nth_tick: 0x3e8 4 | fuzz_mode: round_robin 5 | memory_map: 6 | irq_ret: 7 | base_addr: 0xfffff000 8 | permissions: --x 9 | size: 0x1000 10 | mmio: 11 | base_addr: 0x40000000 12 | permissions: rw- 13 | size: 0x20000000 14 | nvic: 15 | base_addr: 0xe0000000 16 | permissions: rw- 17 | size: 0x10000000 18 | ram: 19 | base_addr: 0x20000000 20 | permissions: rw- 21 | size: 0x40000 22 | text: 23 | base_addr: 0x8000000 24 | file: ../../02-comparison-with-state-of-the-art/P2IM/PLC/PLC.bin 25 | permissions: r-x 26 | size: 0x7000 27 | zero: 28 | base_addr: 0x0 29 | permissions: rw- 30 | size: 0x1000 31 | -------------------------------------------------------------------------------- /04-crash-analysis/25/crashing_input: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/04-crash-analysis/25/crashing_input -------------------------------------------------------------------------------- /04-crash-analysis/25/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | fuzzware -h > /dev/null || { 5 | echo "fuzzware not found (workon fuzzware?)" 6 | exit 1 7 | } 8 | 9 | fuzzware emu -v -t -M 
$DIR/crashing_input $@ -------------------------------------------------------------------------------- /04-crash-analysis/26/README.md: -------------------------------------------------------------------------------- 1 | # P2IM Reflow Oven 2 | In the function `HAL_UART_TxCpltCallback` the pointer `tx_callback` can be uninitialized, resulting in a branch to address 0. 3 | The callback will be set in `uart_attach_tx_callback` which is called by `HardwareSerial::write` if a check calling `serial_tx_active` returns false. 4 | Thus the _read_ callback is only set if the serial has already been written before. 5 | However an interrupt handler for receiving from UART can be triggered before the firmware had the chance to write to the UART, triggering the invalid callback. 6 | 7 | -------------------------------------------------------------------------------- /04-crash-analysis/26/config.yml: -------------------------------------------------------------------------------- 1 | interrupt_triggers: 2 | trigger: 3 | every_nth_tick: 0x3e8 4 | fuzz_mode: round_robin 5 | memory_map: 6 | irq_ret: 7 | base_addr: 0xfffff000 8 | permissions: --x 9 | size: 0x1000 10 | mmio: 11 | base_addr: 0x40000000 12 | permissions: rw- 13 | size: 0x20000000 14 | nvic: 15 | base_addr: 0xe0000000 16 | permissions: rw- 17 | size: 0x10000000 18 | ram: 19 | base_addr: 0x20000000 20 | permissions: rw- 21 | size: 0x40000 22 | text: 23 | base_addr: 0x8000000 24 | file: ../../02-comparison-with-state-of-the-art/P2IM/Reflow_Oven/Reflow_Oven.bin 25 | permissions: r-x 26 | size: 0xc000 27 | zero: 28 | base_addr: 0x0 29 | permissions: rw- 30 | size: 0x1000 31 | -------------------------------------------------------------------------------- /04-crash-analysis/26/crashing_input: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/04-crash-analysis/26/crashing_input 
-------------------------------------------------------------------------------- /04-crash-analysis/26/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | fuzzware -h > /dev/null || { 5 | echo "fuzzware not found (workon fuzzware?)" 6 | exit 1 7 | } 8 | 9 | fuzzware emu -v -t -M $DIR/crashing_input $@ -------------------------------------------------------------------------------- /04-crash-analysis/27/README.md: -------------------------------------------------------------------------------- 1 | # utasker_USB 2 | The crash occurs due to a buffer OOB write of USB-supplied data. 3 | 4 | Data read from the receive FIFO in `fnExtractFIFO` is written to a too small buffer. 5 | 6 | This leads to an out-of-bounds write in the data section, and a corruption of the `usb_endpoints` pointers. 7 | 8 | As a result, a crash occurs in `fnSendUSB_data` while accessing a corrupted endpoint pointer. 9 | -------------------------------------------------------------------------------- /04-crash-analysis/27/crashing_input: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/04-crash-analysis/27/crashing_input -------------------------------------------------------------------------------- /04-crash-analysis/27/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | fuzzware -h > /dev/null || { 5 | echo "fuzzware not found (workon fuzzware?)" 6 | exit 1 7 | } 8 | 9 | fuzzware emu -v -t -M $DIR/crashing_input $@ -------------------------------------------------------------------------------- /04-crash-analysis/28/README.md: -------------------------------------------------------------------------------- 1 | # Thermostat 2 | The crash occurs due to 
a stack-based buffer overflow in `get_new_temp`. 3 | 4 | The crash itself is triggered `get_new_temp` itself, which corrupts its own stack frame and crashes during function return in the function epilogue. -------------------------------------------------------------------------------- /04-crash-analysis/28/crashing_input: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/04-crash-analysis/28/crashing_input -------------------------------------------------------------------------------- /04-crash-analysis/28/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | fuzzware -h > /dev/null || { 5 | echo "fuzzware not found (workon fuzzware?)" 6 | exit 1 7 | } 8 | 9 | fuzzware emu -v -t -M $DIR/crashing_input $@ -------------------------------------------------------------------------------- /04-crash-analysis/29/crashing_input: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/04-crash-analysis/29/crashing_input -------------------------------------------------------------------------------- /04-crash-analysis/29/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | fuzzware -h > /dev/null || { 5 | echo "fuzzware not found (workon fuzzware?)" 6 | exit 1 7 | } 8 | 9 | fuzzware emu -v -t -M $DIR/crashing_input $@ -------------------------------------------------------------------------------- /04-crash-analysis/30/README.md: -------------------------------------------------------------------------------- 1 | # uEmu.GPSTracker 2 | `USB_SendStringDescriptor` (mangled symbol 
`_ZL24USB_SendStringDescriptorPKhi`) takes a string as well as a length. To prepare a buffer with metadata, the function allocates a buffer on the stack (via `SUB.W SP, SP, R3` at pc `0x8425E`). However, no check is performed on the size of the string to be copied. 3 | 4 | When `USB_SendStringDescriptor` is called from `USB_ISR`, USB-provided data is interpreted as a length without bounds checks. For a large size value, `USB_SendStringDescriptor` will allocate more stack space than available. On the embedded system, this means that the stack grows into the global data section, and then corrupts global variables. This leads to crashes of different variations. 5 | 6 | The given crash occurs in `UARTClass::read` due to corrupted rx buffer metadata. 7 | 8 | There are different known crash contexts that are manifestations of the same bug. While not exhaustive, previously seen lr values are: 9 | 1. 0x00084415 10 | 2. 0x00083e07 11 | 3. 0x00080a35 12 | 4. 0x00083d87 13 | 5. 0x00083c11 -------------------------------------------------------------------------------- /04-crash-analysis/30/crashing_input: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/04-crash-analysis/30/crashing_input -------------------------------------------------------------------------------- /04-crash-analysis/30/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | fuzzware -h > /dev/null || { 5 | echo "fuzzware not found (workon fuzzware?)" 6 | exit 1 7 | } 8 | 9 | fuzzware emu -v -t -M $DIR/crashing_input $@ -------------------------------------------------------------------------------- /04-crash-analysis/31/README.md: -------------------------------------------------------------------------------- 1 | # uEmu.GPSTracker 2 | The crash occurs while parsing 
the response to an AT command in `gsm_get_imei`. The parsing logic assumes the string `"AT+GSN\r\r\n"` to be present in the answer and locates it with `strstr`, but never checks whether `strstr` actually found it.
10 | This corresponds to basic block `0x0800B55A` being hit in firmware code. 11 | 12 | Running the following will confirm the hit: 13 | ``` 14 | ./run.sh -b 0x0800B55A 15 | ``` -------------------------------------------------------------------------------- /04-crash-analysis/32/crashing_input: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/04-crash-analysis/32/crashing_input -------------------------------------------------------------------------------- /04-crash-analysis/32/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | fuzzware -h > /dev/null || { 5 | echo "fuzzware not found (workon fuzzware?)" 6 | exit 1 7 | } 8 | 9 | fuzzware emu -v -t -M $DIR/crashing_input $@ -------------------------------------------------------------------------------- /04-crash-analysis/33/README.md: -------------------------------------------------------------------------------- 1 | # XML_Parser 2 | WYCINWYC injected stack-based BOF bug: 3 | ``` 4 | case 1222: 5 | memcpy(overflowable, s, 1222u); 6 | LOBYTE(v10) = puts(overflowable); 7 | return (char)v10; 8 | ``` 9 | This corresponds to basic block `0x0800B682` being hit in firmware code. 
10 | 11 | Running the following will confirm the hit: 12 | ``` 13 | ./run.sh -b 0x0800B682 14 | ``` -------------------------------------------------------------------------------- /04-crash-analysis/33/crashing_input: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/04-crash-analysis/33/crashing_input -------------------------------------------------------------------------------- /04-crash-analysis/33/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | fuzzware -h > /dev/null || { 5 | echo "fuzzware not found (workon fuzzware?)" 6 | exit 1 7 | } 8 | 9 | fuzzware emu -v -t -M $DIR/crashing_input $@ -------------------------------------------------------------------------------- /04-crash-analysis/34/README.md: -------------------------------------------------------------------------------- 1 | # XML_Parser 2 | WYCINWYC injected bug: 3 | ``` 4 | case 1223: 5 | buffer = 0; 6 | break; 7 | ``` 8 | This corresponds to basic block `0x0800B6BA` being hit in firmware code. 
9 | 10 | Running the following will confirm the hit: 11 | ``` 12 | ./run.sh -b 0x0800B6BA 13 | ``` -------------------------------------------------------------------------------- /04-crash-analysis/34/crashing_input: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/04-crash-analysis/34/crashing_input -------------------------------------------------------------------------------- /04-crash-analysis/34/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | fuzzware -h > /dev/null || { 5 | echo "fuzzware not found (workon fuzzware?)" 6 | exit 1 7 | } 8 | 9 | fuzzware emu -v -t -M $DIR/crashing_input $@ -------------------------------------------------------------------------------- /04-crash-analysis/35/crashing_input: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/04-crash-analysis/35/crashing_input -------------------------------------------------------------------------------- /04-crash-analysis/35/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | fuzzware -h > /dev/null || { 5 | echo "fuzzware not found (workon fuzzware?)" 6 | exit 1 7 | } 8 | 9 | fuzzware emu -v -t -M $DIR/crashing_input $@ -------------------------------------------------------------------------------- /04-crash-analysis/36/README.md: -------------------------------------------------------------------------------- 1 | # 6LoWPAN_Receiver 2 | The crash occurs due to an improper handling of initialization errors: The firmware logic does not check the return value of `spi_init` (which can set `module->hw = 
0`). 3 | 4 | This leads to a NULL pointer dereference, resulting in a crash. -------------------------------------------------------------------------------- /04-crash-analysis/36/crashing_input: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/04-crash-analysis/36/crashing_input -------------------------------------------------------------------------------- /04-crash-analysis/36/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | fuzzware -h > /dev/null || { 5 | echo "fuzzware not found (workon fuzzware?)" 6 | exit 1 7 | } 8 | 9 | fuzzware emu -v -t -M $DIR/crashing_input $@ -------------------------------------------------------------------------------- /04-crash-analysis/37/README.md: -------------------------------------------------------------------------------- 1 | # 6LoWPAN_Sender 2 | The crash occurs due to an improper handling of initialization errors: The firmware logic does not check the return value of `spi_init` (which can set `module->hw = 0`). 3 | 4 | This leads to a NULL pointer dereference, resulting in a crash. 
-------------------------------------------------------------------------------- /04-crash-analysis/37/crashing_input: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/04-crash-analysis/37/crashing_input -------------------------------------------------------------------------------- /04-crash-analysis/37/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | fuzzware -h > /dev/null || { 5 | echo "fuzzware not found (workon fuzzware?)" 6 | exit 1 7 | } 8 | 9 | fuzzware emu -v -t -M $DIR/crashing_input $@ -------------------------------------------------------------------------------- /04-crash-analysis/38/crashing_input: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/04-crash-analysis/38/crashing_input -------------------------------------------------------------------------------- /04-crash-analysis/38/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | fuzzware -h > /dev/null || { 5 | echo "fuzzware not found (workon fuzzware?)" 6 | exit 1 7 | } 8 | 9 | fuzzware emu -v -t -M $DIR/crashing_input $@ -------------------------------------------------------------------------------- /04-crash-analysis/39/README.md: -------------------------------------------------------------------------------- 1 | # uEmu.3Dprinter 2 | The crash occurs as a USBLIB entry at `0x2000057C` is not properly initialized (NULL) in the interrupt handler `_irq_usb_lp_can_rx0`. 3 | 4 | Upon revisiting this, the type of this bug could be argued in different directions. 
The index used in this operation is derived from an MMIO read and is only masked with `0xf` (i.e. limited to 0..15); it is not validated against the entries the firmware actually initialized. Depending on how we want to view this, the firmware does not initialize all possible entries, or relies on a specific hardware behavior, or exposes itself to risk via a misbehaving device.
-------------------------------------------------------------------------------- /04-crash-analysis/40/crashing_input: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/04-crash-analysis/40/crashing_input -------------------------------------------------------------------------------- /04-crash-analysis/40/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | fuzzware -h > /dev/null || { 5 | echo "fuzzware not found (workon fuzzware?)" 6 | exit 1 7 | } 8 | 9 | fuzzware emu -v -t -M $DIR/crashing_input $@ -------------------------------------------------------------------------------- /04-crash-analysis/41/README.md: -------------------------------------------------------------------------------- 1 | # utasker_MODBUS 2 | The crash occurs as it is not ensured that all `SerialHandle` entries are initialized before they are being used. 3 | 4 | The crash itself happens in `fnDriver`, where a NULL function pointer is dereferenced. 
-------------------------------------------------------------------------------- /04-crash-analysis/41/crashing_input: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/04-crash-analysis/41/crashing_input -------------------------------------------------------------------------------- /04-crash-analysis/41/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | fuzzware -h > /dev/null || { 5 | echo "fuzzware not found (workon fuzzware?)" 6 | exit 1 7 | } 8 | 9 | fuzzware emu -v -t -M $DIR/crashing_input $@ -------------------------------------------------------------------------------- /04-crash-analysis/42/README.md: -------------------------------------------------------------------------------- 1 | # utasker_MODBUS 2 | The crash occurs as it is not ensured that all `SerialHandle` entries are initialized before they are being used. 3 | 4 | The crash itself happens in `fnRead`, where a NULL function pointer is dereferenced. 
-------------------------------------------------------------------------------- /04-crash-analysis/42/crashing_input: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/04-crash-analysis/42/crashing_input -------------------------------------------------------------------------------- /04-crash-analysis/42/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | fuzzware -h > /dev/null || { 5 | echo "fuzzware not found (workon fuzzware?)" 6 | exit 1 7 | } 8 | 9 | fuzzware emu -v -t -M $DIR/crashing_input $@ -------------------------------------------------------------------------------- /04-crash-analysis/43/README.md: -------------------------------------------------------------------------------- 1 | # Zepyhr_SocketCan 2 | The crash occurs due to the fact that in case device initialization functions fail, the device's API pointer is set to NULL. At the same time, later code does not properly check the API pointer for being non-NULL. 3 | 4 | Here, the crash occurs in `z_impl_can_attach_msgq`, as `dev->driver_api` has not been initialized. 
5 | 6 | The underlying issue has since been fixed by Zephyr, for example in commit: https://github.com/zephyrproject-rtos/zephyr/commit/aac9e2c5e33d1b9d17ca9a7a392e890f91475c38#diff-64740803f7fd17de4e55e4bfec0aea28c71bfd71762a5188df5deb479003641aL250 -------------------------------------------------------------------------------- /04-crash-analysis/43/crashing_input: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/04-crash-analysis/43/crashing_input -------------------------------------------------------------------------------- /04-crash-analysis/43/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | fuzzware -h > /dev/null || { 5 | echo "fuzzware not found (workon fuzzware?)" 6 | exit 1 7 | } 8 | 9 | fuzzware emu -v -t -M $DIR/crashing_input $@ -------------------------------------------------------------------------------- /04-crash-analysis/44/README.md: -------------------------------------------------------------------------------- 1 | # Zepyhr_SocketCan 2 | The crash occurs as a lock is released in `log_backend_enable` before the global context variable is initialized in `shell_log_backend_enable`. This leads to small time period where global context is unitialized. 3 | 4 | The crash occurs in `shell_write` which is called from `shell_log_backend_output_func` (which in turn originates from `shell_uart_log_output` pointer table). 
-------------------------------------------------------------------------------- /04-crash-analysis/44/crashing_input: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/04-crash-analysis/44/crashing_input -------------------------------------------------------------------------------- /04-crash-analysis/44/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | fuzzware -h > /dev/null || { 5 | echo "fuzzware not found (workon fuzzware?)" 6 | exit 1 7 | } 8 | 9 | fuzzware emu -v -t -M $DIR/crashing_input $@ -------------------------------------------------------------------------------- /04-crash-analysis/45/README.md: -------------------------------------------------------------------------------- 1 | # utasker_USB 2 | The crash occurs due to an invalidated hardware assumption about the bounds of the number of USB channel indices. 3 | 4 | An out-of-bounds access into an array of USB structs. 5 | 6 | A mmio variable read at MMIO 0x50000020 constrained to [0, 0xf] at 0x0800dab8 is used in a call to the function `fnProcessInput` as the first parameter. 7 | 8 | In `fnProcessInput`, the index is used as the third argument in the call to `fnUSB_handle_frame` 9 | - call to `fnProcessInput` function @ 0x0800dbde 10 | - call to `fnUSB_handle_frame` @ 0x0800d8de 11 | 12 | In `fnUSB_handle_frame` the index is further passed to `fnEndpointData` as the first paramter @ 0x08010086. 13 | Subsequently the index is used without a bounds check on a static ram array. 
-------------------------------------------------------------------------------- /04-crash-analysis/45/config.yml: -------------------------------------------------------------------------------- 1 | interrupt_triggers: 2 | trigger: 3 | every_nth_tick: 0x3e8 4 | fuzz_mode: round_robin 5 | memory_map: 6 | irq_ret: 7 | base_addr: 0xfffff000 8 | permissions: --x 9 | size: 0x1000 10 | mmio: 11 | base_addr: 0x40000000 12 | permissions: rw- 13 | size: 0x20000000 14 | nvic: 15 | base_addr: 0xe0000000 16 | permissions: rw- 17 | size: 0x10000000 18 | ram: 19 | base_addr: 0x20000000 20 | permissions: rw- 21 | size: 0x40000 22 | rom: 23 | base_addr: 0x8000000 24 | permissions: rw- 25 | size: 0xc000 26 | text: 27 | base_addr: 0x800c080 28 | file: ../../02-comparison-with-state-of-the-art/uEmu/utasker_USB/uEmu.uTaskerV1.4_USB_STM32429ZI.bin 29 | permissions: r-x 30 | size: 0xa000 31 | zero: 32 | base_addr: 0x0 33 | permissions: rw- 34 | size: 0x1000 35 | -------------------------------------------------------------------------------- /04-crash-analysis/45/crashing_input: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fuzzware-fuzzer/fuzzware-experiments/1b03b728ea660b777571bf2a6c1ecfa9072f0bf5/04-crash-analysis/45/crashing_input -------------------------------------------------------------------------------- /04-crash-analysis/45/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | fuzzware -h > /dev/null || { 5 | echo "fuzzware not found (workon fuzzware?)" 6 | exit 1 7 | } 8 | 9 | fuzzware emu -v -t -M $DIR/crashing_input $@ -------------------------------------------------------------------------------- /04-crash-analysis/46/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | pushd 
$DIR/../../03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2020-10064/POC 5 | ./run.sh $@ 6 | popd -------------------------------------------------------------------------------- /04-crash-analysis/47/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | pushd $DIR/../../03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2020-10065/POC 5 | ./run.sh $@ 6 | popd -------------------------------------------------------------------------------- /04-crash-analysis/48/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | pushd $DIR/../../03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2020-10066/POC 5 | ./run.sh $@ 6 | popd -------------------------------------------------------------------------------- /04-crash-analysis/49/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | pushd $DIR/../../03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2021-3319/POC 5 | ./run.sh $@ 6 | popd -------------------------------------------------------------------------------- /04-crash-analysis/50/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | pushd $DIR/../../03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2021-3320/POC 5 | ./run.sh $@ 6 | popd -------------------------------------------------------------------------------- /04-crash-analysis/51/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | DIR="$(dirname "$(readlink -f "$0")")" 3 | 4 | pushd $DIR/../../03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2021-3321/POC 5 | ./run.sh $@ 6 | popd 
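--------------------------------------------------------------------------------
/04-crash-analysis/52/run.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Wrapper: run the prebuilt Zephyr CVE-2021-3322 POC from its own directory,
# forwarding all command-line arguments to that directory's run.sh.
DIR="$(dirname "$(readlink -f "$0")")"
POC_DIR="$DIR/../../03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2021-3322/POC"

# Abort if the POC directory is missing: an unguarded pushd would leave us in the
# caller's cwd, and "./run.sh" would then execute whatever script lives there.
pushd "$POC_DIR" || { echo "POC directory not found: $POC_DIR" >&2; exit 1; }
./run.sh "$@"
rc=$?
popd
# Propagate the POC's exit status instead of popd's.
exit "$rc"
--------------------------------------------------------------------------------
/04-crash-analysis/53/run.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Wrapper: run the prebuilt Zephyr CVE-2021-3323 POC from its own directory,
# forwarding all command-line arguments to that directory's run.sh.
DIR="$(dirname "$(readlink -f "$0")")"
POC_DIR="$DIR/../../03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2021-3323/POC"

# Abort if the POC directory is missing: an unguarded pushd would leave us in the
# caller's cwd, and "./run.sh" would then execute whatever script lives there.
pushd "$POC_DIR" || { echo "POC directory not found: $POC_DIR" >&2; exit 1; }
./run.sh "$@"
rc=$?
popd
# Propagate the POC's exit status instead of popd's.
exit "$rc"
--------------------------------------------------------------------------------
/04-crash-analysis/54/run.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Wrapper: run the prebuilt Zephyr CVE-2021-3329 POC from its own directory,
# forwarding all command-line arguments to that directory's run.sh.
DIR="$(dirname "$(readlink -f "$0")")"
POC_DIR="$DIR/../../03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2021-3329/POC"

# Abort if the POC directory is missing: an unguarded pushd would leave us in the
# caller's cwd, and "./run.sh" would then execute whatever script lives there.
pushd "$POC_DIR" || { echo "POC directory not found: $POC_DIR" >&2; exit 1; }
./run.sh "$@"
rc=$?
popd
# Propagate the POC's exit status instead of popd's.
exit "$rc"
--------------------------------------------------------------------------------
/04-crash-analysis/55/run.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Wrapper: run the prebuilt Zephyr CVE-2021-3330 POC from its own directory,
# forwarding all command-line arguments to that directory's run.sh.
DIR="$(dirname "$(readlink -f "$0")")"
POC_DIR="$DIR/../../03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-2021-3330/POC"

# Abort if the POC directory is missing: an unguarded pushd would leave us in the
# caller's cwd, and "./run.sh" would then execute whatever script lives there.
pushd "$POC_DIR" || { echo "POC directory not found: $POC_DIR" >&2; exit 1; }
./run.sh "$@"
rc=$?
popd
# Propagate the POC's exit status instead of popd's.
exit "$rc"
--------------------------------------------------------------------------------
/04-crash-analysis/56/run.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Wrapper: run the prebuilt Zephyr watchdog-callback (false positive, no CVE) POC
# from its own directory, forwarding all command-line arguments to its run.sh.
DIR="$(dirname "$(readlink -f "$0")")"
POC_DIR="$DIR/../../03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-no-CVE-false-positive-watchdog-callback/POC"

# Abort if the POC directory is missing: an unguarded pushd would leave us in the
# caller's cwd, and "./run.sh" would then execute whatever script lives there.
pushd "$POC_DIR" || { echo "POC directory not found: $POC_DIR" >&2; exit 1; }
./run.sh "$@"
rc=$?
popd
# Propagate the POC's exit status instead of popd's.
exit "$rc"
--------------------------------------------------------------------------------
/04-crash-analysis/57/run.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Wrapper: run the prebuilt Zephyr rf-size-check (false positive, no CVE) POC
# from its own directory, forwarding all command-line arguments to its run.sh.
DIR="$(dirname "$(readlink -f "$0")")"
POC_DIR="$DIR/../../03-fuzzing-new-targets/zephyr-os/prebuilt_samples/CVE-no-CVE-false-positive-rf-size-check/POC"

# Abort if the POC directory is missing: an unguarded pushd would leave us in the
# caller's cwd, and "./run.sh" would then execute whatever script lives there.
pushd "$POC_DIR" || { echo "POC directory not found: $POC_DIR" >&2; exit 1; }
./run.sh "$@"
rc=$?
popd
# Propagate the POC's exit status instead of popd's.
exit "$rc"
--------------------------------------------------------------------------------
/04-crash-analysis/58/run.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Wrapper: run the prebuilt Contiki-NG CVE-2020-12140 POC from its own directory,
# forwarding all command-line arguments to that directory's run.sh.
DIR="$(dirname "$(readlink -f "$0")")"
POC_DIR="$DIR/../../03-fuzzing-new-targets/contiki-ng/prebuilt_samples/CVE-2020-12140/POC"

# Abort if the POC directory is missing: an unguarded pushd would leave us in the
# caller's cwd, and "./run.sh" would then execute whatever script lives there.
pushd "$POC_DIR" || { echo "POC directory not found: $POC_DIR" >&2; exit 1; }
./run.sh "$@"
rc=$?
popd
# Propagate the POC's exit status instead of popd's.
exit "$rc"
--------------------------------------------------------------------------------
/04-crash-analysis/59/run.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Wrapper: run the prebuilt Contiki-NG CVE-2020-12141 POC from its own directory,
# forwarding all command-line arguments to that directory's run.sh.
DIR="$(dirname "$(readlink -f "$0")")"
POC_DIR="$DIR/../../03-fuzzing-new-targets/contiki-ng/prebuilt_samples/CVE-2020-12141/POC"

# Abort if the POC directory is missing: an unguarded pushd would leave us in the
# caller's cwd, and "./run.sh" would then execute whatever script lives there.
pushd "$POC_DIR" || { echo "POC directory not found: $POC_DIR" >&2; exit 1; }
./run.sh "$@"
rc=$?
popd
# Propagate the POC's exit status instead of popd's.
exit "$rc"
--------------------------------------------------------------------------------
/04-crash-analysis/60/run.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Wrapper: run the prebuilt Contiki-NG CVE-2019-9183 (HALucinator) min-size-check
# POC from its own directory, forwarding all command-line arguments to its run.sh.
DIR="$(dirname "$(readlink -f "$0")")"
POC_DIR="$DIR/../../03-fuzzing-new-targets/contiki-ng/prebuilt_samples/CVE-HALucinator-CVE-2019-9183/POC-min-size-check"

# Abort if the POC directory is missing: an unguarded pushd would leave us in the
# caller's cwd, and "./run.sh" would then execute whatever script lives there.
pushd "$POC_DIR" || { echo "POC directory not found: $POC_DIR" >&2; exit 1; }
./run.sh "$@"
rc=$?
popd
# Propagate the POC's exit status instead of popd's.
exit "$rc"
--------------------------------------------------------------------------------
/04-crash-analysis/61/run.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Wrapper: run the prebuilt Contiki-NG CVE-2019-9183 (HALucinator) max-size-check
# POC from its own directory, forwarding all command-line arguments to its run.sh.
DIR="$(dirname "$(readlink -f "$0")")"
POC_DIR="$DIR/../../03-fuzzing-new-targets/contiki-ng/prebuilt_samples/CVE-HALucinator-CVE-2019-9183/POC-max-size-check"

# Abort if the POC directory is missing: an unguarded pushd would leave us in the
# caller's cwd, and "./run.sh" would then execute whatever script lives there.
pushd "$POC_DIR" || { echo "POC directory not found: $POC_DIR" >&2; exit 1; }
./run.sh "$@"
rc=$?
popd
# Propagate the POC's exit status instead of popd's.
exit "$rc"
--------------------------------------------------------------------------------
/helper_scripts/set_limits_and_prepare_afl.sh: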
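--------------------------------------------------------------------------------
#!/bin/bash
# Prepare a host for (many parallel) AFL/fuzzware runs. Must run as root, since it
# writes kernel tunables under /proc and /sys.
if [ "$(id -u)" -ne 0 ]; then
    echo "Please run as root";
    exit 1;
fi

# We don't always need that many watches, but increase these limits in case we have a lot of parallelization on a single host
echo 524288 > /proc/sys/fs/inotify/max_user_watches
echo 512 > /proc/sys/fs/inotify/max_user_instances

# Echo the effective values back so the operator can confirm the writes took effect.
cat /proc/sys/fs/inotify/max_user_watches
cat /proc/sys/fs/inotify/max_user_instances

# Pin all cores to the performance governor (fuzzing throughput; the usual AFL advice).
echo performance | tee /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor
# AFL refuses to start when core_pattern begins with '|' (a crash-handler pipe such
# as apport); clearing the pattern satisfies that check.
# NOTE(review): the AFL docs suggest `echo core`; confirm that an empty pattern is intended here.
echo >/proc/sys/kernel/core_pattern
--------------------------------------------------------------------------------
/ssh_based_collect_results.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
# Collect the results of experiments 01 and 02 from the remote hosts.
# The per-experiment scripts are addressed relative to the repository root, so
# switch to this script's directory first; this makes the wrapper work from any cwd.
cd "$(dirname "$(readlink -f "$0")")" || exit 1

./01-access-modeling-for-fuzzing/pw-discovery/ssh_based_collect_results.sh || {
    echo "Could not collect results from experiment 01. Please refer to the error output"
    exit 1
}

./02-comparison-with-state-of-the-art/ssh_based_collect_results.sh || {
    echo "Could not collect results from experiment 02. Please refer to the error output"
    exit 1
}

echo "The results from both experiments have been collected successfully"
echo 'You may find experiment 01 data at ./01-access-modeling-for-fuzzing/pw-discovery///fuzzware-project-run-*'
echo 'You may find experiment 02 data at ./02-comparison-with-state-of-the-art///fuzzware-project-run-*'
echo 'Also, for both experiments, please refer to the run_metric_aggregation.py scripts in ./01-access-modeling-for-fuzzing/pw-discovery and ./02-comparison-with-state-of-the-art to generate summary data'
--------------------------------------------------------------------------------
/ssh_based_kickoff_experiments.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
# Kick off experiments 01 and 02 on the remote hosts.
# The per-experiment scripts are addressed relative to the repository root, so
# switch to this script's directory first; this makes the wrapper work from any cwd.
cd "$(dirname "$(readlink -f "$0")")" || exit 1

./01-access-modeling-for-fuzzing/pw-discovery/ssh_based_kickoff_experiments.sh || {
    echo "Kicking off experiment 01 failed. Please refer to the error output"
    exit 1
}

./02-comparison-with-state-of-the-art/ssh_based_kickoff_experiments.sh || {
    echo "Kicking off experiment 02 failed. Please refer to the error output"
    exit 1
}

echo "Both experiments have been kicked off successfully"
echo "Experiment 01 is repeated 10 times, so it will take ~10 days to complete"
echo "Experiment 02 is repeated 5 times, so it will take ~5 days to complete"
echo "Note that some more time is taken to generate traces, so account for one day extra"
--------------------------------------------------------------------------------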