FIRM-AFL is the first high-throughput greybox fuzzer for IoT firmware.

Overview

FIRM-AFL

FIRM-AFL is the first high-throughput greybox fuzzer for IoT firmware. It addresses two fundamental problems in IoT fuzzing. First, it addresses compatibility issues by enabling fuzzing for POSIX-compatible firmware that can be emulated in a system emulator. Second, it addresses the performance bottleneck caused by system-mode emulation with a novel technique called "augmented process emulation". By combining system-mode emulation and user-mode emulation in a novel way, augmented process emulation provides the high compatibility of system-mode emulation together with the high throughput of user-mode emulation.

Publication

Yaowen Zheng, Ali Davanian, Heng Yin, Chengyu Song, Hongsong Zhu, Limin Sun, “FIRM-AFL: High-throughput greybox fuzzing of IoT firmware via augmented process emulation,” in USENIX Security Symposium, 2019.

Introduction

Augmented process emulation is shown in Figure 1.

Figure 1. Overview of Augmented Process Emulation


We design and implement FIRM-AFL as an enhancement of AFL for fuzzing IoT firmware. We keep the workflow of AFL intact and replace its user-mode QEMU with augmented process emulation; the rest of the components remain unchanged. The new workflow is illustrated in Figure 2.

Figure 2. Overview of FIRM-AFL

Setup

Our system has two parts: system mode and user mode. We compile them separately for now.

User mode

cd user_mode/
./configure --target-list=mipsel-linux-user,mips-linux-user,arm-linux-user --static --disable-werror
make

System mode

cd qemu_mode/DECAF_qemu_2.10/
./configure --target-list=mipsel-softmmu,mips-softmmu,arm-softmmu --disable-werror
make

Usage

  1. Download the Firmadyne repo into the root directory of FirmAFL, then set up Firmadyne according to its instructions, including importing its dataset (https://cmu.app.boxcn.net/s/hnpvf1n72uccnhyfe307rc2nb9rfxmjp) into the database.

  2. Replace scripts/makeImage.sh with the modified one in the firmadyne_modify directory.

  3. Follow the Firmadyne guidance to generate the system running scripts.

Take the DIR-815 router firmware as an example:

cd firmadyne
./sources/extractor/extractor.py -b dlink -sql 127.0.0.1 -np -nk "../firmware/DIR-815_FIRMWARE_1.01.ZIP" images
./scripts/getArch.sh ./images/9050.tar.gz
./scripts/makeImage.sh 9050
./scripts/inferNetwork.sh 9050
cd ..
python FirmAFL_setup.py 9050 mipsel
  4. Modify run.sh in the image_9050 directory as follows, so that the firmware is emulated with our modified QEMU and kernel and runs on the RAM file.

For mipsel,

ARCH=mipsel
QEMU="./qemu-system-${ARCH}"
KERNEL="./vmlinux.${ARCH}_3.2.1"
IMAGE="./image.raw"
MEM_FILE="./mem_file"
${QEMU} -m 256 -mem-prealloc -mem-path ${MEM_FILE} -M ${QEMU_MACHINE} -kernel ${KERNEL} \

For mipseb,

ARCH=mips
QEMU="./qemu-system-${ARCH}"
KERNEL="./vmlinux.${ARCH}_3.2.1"
IMAGE="./image.raw"
MEM_FILE="./mem_file"
${QEMU} -m 256 -mem-prealloc -mem-path ${MEM_FILE} -M ${QEMU_MACHINE} -kernel ${KERNEL} \
  5. Run the fuzzing process.

After running the start.py script, FirmAFL starts the firmware emulation; once system initialization has completed (120 s), the fuzzing process starts. (You may need root privileges to run it.)

cd image_9050
python start.py 9050

Related Work

Our system is built on top of TriforceAFL, DECAF, AFL, and Firmadyne.

TriforceAFL: AFL/QEMU fuzzing with full-system emulation, https://github.com/nccgroup/TriforceAFL.

DECAF: "Make it work, make it right, make it fast: building a platform-neutral whole-system dynamic binary analysis platform", Andrew Henderson, Aravind Prakash, Lok Kwong Yan, Xunchao Hu, Xujiewen Wang, Rundong Zhou, and Heng Yin, to appear in the International Symposium on Software Testing and Analysis (ISSTA'14), San Jose, CA, July 2014. https://github.com/sycurelab/DECAF.

AFL: american fuzzy lop (2.52b), http://lcamtuf.coredump.cx/afl/.

Firmadyne: Daming D. Chen, Maverick Woo, David Brumley, and Manuel Egele. “Towards automated dynamic analysis for Linux-based embedded firmware,” in Network and Distributed System Security Symposium (NDSS’16), 2016. https://github.com/firmadyne.

Troubleshooting

(1) error: static declaration of ‘memfd_create’ follows non-static declaration

Please see https://blog.csdn.net/newnewman80/article/details/90175033.

(2) failed to find romfile "efi-e1000.rom" when running run.sh

Use the run.sh in FirmAFL_config/9050/ instead.

(3) Fork server crashed with signal 11

Run the scripts in start.py sequentially: first run "run.sh"; when the testing program starts, run "python test.py" and then "user.sh".

(4) The firmware with ids "12978" and "16116" have more than one test case, so we use different image directory names to distinguish the cases.

Before running FirmAFL_setup.py:
first, rename the image directory image_12978 to image_129780;
then rename firmadyne/scratch/12978 to firmadyne/scratch/129780.
After that, run python FirmAFL_setup.py 129780 mips
(To test another case of image_12978, use image_129781 instead of image_129780.)
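
A pre-flight script covering the run.sh configuration and start step in Usage and troubleshooting item (4); it is an added example, not code from the FirmAFL repository. It assumes the image_<id> layout described above (run.sh beside vmlinux.<ARCH>_3.2.1, image.raw and qemu-system-<ARCH>, with firmadyne/scratch/<id> next to image_<id>); the core_pattern check reflects afl-fuzz's own refusal to start when crash reports are piped to an external handler.

```shell
#!/bin/sh
# Pre-flight checks for a FirmAFL image directory; an added example, not code
# from the FirmAFL repository. Assumes the README layout: image_<id>/run.sh
# referencing ./vmlinux.<ARCH>_3.2.1, ./image.raw and ./qemu-system-<ARCH>,
# and firmadyne/scratch/<id> beside image_<id>.

# Map the architecture passed to FirmAFL_setup.py to the ARCH used in run.sh.
run_arch() {
    case "$1" in
        mipsel)      echo mipsel ;;
        mipseb|mips) echo mips ;;
        arm)         echo arm ;;
        *)           return 1 ;;
    esac
}

# afl-fuzz aborts when core_pattern starts with '|' (crashes piped to an
# external handler), so a run.sh that wraps QEMU in ${AFL} dies before the
# fork server comes up. $1 is the file to read (/proc/sys/kernel/core_pattern).
check_core_pattern() {
    pattern=$(cat "$1" 2>/dev/null) || return 1
    case "$pattern" in
        "|"*) return 1 ;;
        *)    return 0 ;;
    esac
}

# Verify image_<id> holds what the modified run.sh references. A missing
# kernel is what "could not load kernel './vmlinux.mips_3.2.1'" looks like.
# Prints each missing path; returns the number of missing files (0 = ready).
check_image_dir() {
    dir=$1
    arch=$(run_arch "$2") || { echo "unknown arch: $2"; return 1; }
    missing=0
    for f in run.sh "vmlinux.${arch}_3.2.1" image.raw "qemu-system-${arch}"; do
        if [ ! -e "$dir/$f" ]; then
            echo "missing: $dir/$f"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Troubleshooting item (4): a firmware with several test cases gets a
# suffixed id (12978 -> 129780, 129781, ...) in both image_<id> and
# firmadyne/scratch/<id> before FirmAFL_setup.py runs. Prints the new id.
rename_case() {
    root=$1; new="$2$3"
    [ -d "$root/image_$2" ] && [ -d "$root/firmadyne/scratch/$2" ] || return 1
    mv "$root/image_$2" "$root/image_$new" &&
        mv "$root/firmadyne/scratch/$2" "$root/firmadyne/scratch/$new" &&
        echo "$new"
}

# Run every check from the FirmAFL root before 'python start.py <id>'.
preflight() {
    [ "$(id -u)" -eq 0 ] || echo "note: start.py may need root privileges"
    check_core_pattern /proc/sys/kernel/core_pattern ||
        echo "core_pattern is piped to a crash handler; afl-fuzz will abort"
    check_image_dir "image_$1" "$2"
}
```

Source the file from the FirmAFL root and call preflight 9050 mipsel; a non-zero return is the number of files run.sh would fail to find.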
Comments
  • Error when I use "make" command in dir qemu_mode

    I tried to use the "make" command in dir qemu_mode but there was an error:

    GEN config-host.h make all-recursive Making all in pixman make[3]: Nothing to be done for 'all'. Making all in demos make[3]: Nothing to be done for 'all'. Making all in test make[3]: Nothing to be done for 'all'. CHK version_gen.h LEX convert-dtsv0-lexer.lex.c make[1]: flex: Command not found LEX dtc-lexer.lex.c make[1]: flex: Command not found make: *** No rule to make target 'trace/generated-tcg-tracers.h', needed by 'Makefile'. Stop.

    I searched on Google but still found nothing; what should I do?

    opened by pureGavin 6
  • Unable to make FirmAFL work

    Hello,

    I am trying to get FirmAFL running, but I am having a hard time with the issues below:

    1. I have firmadyne inside the FirmAFL directory, and I am able to execute all the guidance from firmadyne correctly, but the image when extracted is named 1.tar.gz, not 9050.tar.gz. Subsequently, the created image directory in the FirmAFL directory is named image_1.
    2. I mention the previous point because running python FirmAFL_setup.py 9050 mipsel does not work. Also, when I tried to execute the command with 1, like this: python FirmAFL_setup.py 1 mipsel, an error pops up saying directory /1/ does not exist.
    3. Ok, I tried a workaround and renamed 1 to 9050, and I even created /1/ similar to the /9050/ directory inside the FirmAFL_config directory and went into each file and replaced all 9050 values with 1.
    4. After doing this workaround it seems to be working, even though I do not find it correct to do it. Now, I go to /image_1/ and execute sudo python start.py 1; it displays sending buffer size 3158, then an error pops up saying socket.error: [Error 110] Connection timed out. The execution, however, continues running and at the end it is stuck on Spinning up the fork server...

    Can you please help me with the aforementioned concerns, or correct me in case I have a misunderstanding? Thank you.

    opened by josephKhoury95 6
  • FirmAFL can only Emulate 10 FW?

    Hello Sir, first of all, thank you for realizing this awesome tool.

    Would you mind if I ask a few questions?

    1. Does FirmAFL emulate only the 10 firmware images stored in the FIRMWARE folder? How can we emulate other firmware not included in the FIRMWARE folder?

    2. Is it possible to fuzz that emulated firmware binary outside of the FirmAFL folder if I install AFL QEMU mode?

    Thank you very much for sharing your time!

    opened by Fayozbek 2
  • Error compiling FirmAFL system mode code

    Makefile:226: recipe for target '/home/test/tools/FirmAFL/qemu_mode/DECAF_qemu_2.10/shared/sleuthkit/lib/libtsk.so' failed make: *** [/home/test/tools/FirmAFL/qemu_mode/DECAF_qemu_2.10/shared/sleuthkit/lib/libtsk.so] Error 2

    The command followed the README file. The detailed error is: (image)

    opened by newthis 2
  • Cannot start DIR-815 example

    I have followed the steps to set up the DIR-815 fuzzing environment. Eventually I executed python start.py. However, after the full system launched, afl-fuzz failed to handshake with the fork server. It seems that you chroot afl-fuzz into a folder and give it a /bin/busybox as the program? I'm confused by this part. I can neither chroot nor find busybox. Could you please explain a little bit about this?

    opened by BrieflyX 1
  • Error: Cannot find tarball of root filesystem for 9050!

    When I run the test case I hit this problem in step 3. This is the output: sudo ./scripts/makeImage.sh 9050 Querying database for architecture... Password for user firmadyne: mipsel ----Running---- ----Copying Filesystem Tarball---- Error: Cannot find tarball of root filesystem for 9050!

    Can you help me?

    opened by DerZc 1
  • I don't know which kind of fuzz data I should put in

    I tried to start fuzzing, but AFL needs an input file. I downloaded fuzz data from 'https://github.com/MozillaSecurity/fuzzdata', but there is a lot of fuzz data and I don't know which kind I should put in. Should I put all of it in?

    opened by pureGavin 0
  • miniupnpd is not working

    I've tried fuzzing miniupnpd for the 161160 image, but when the crash is triggered the process terminates; it doesn't isolate the crashing input. (image)

    FIRM-AFL is good at isolating the crashing input for other firmware, but only for the 16116 firmware does it not isolate the crashing input. In other words, the stability of the emulator is poor.

    When signal 11 occurs in the target program, we are constantly looking for a way to bring the emulator back to the fork point and isolate that crashing input.

    Any hints and help for me would be appreciated. Thank you.

    opened by jyaniii 0
  • qemu failed!!!

    root@ubuntu:/home/sv/Documents/FirmAFL/image_2540# ./run.sh Creating TAP device tap2540_0... Set 'tap2540_0' persistent and owned by uid 0 Bringing up TAP device... Adding route to 192.168.0.100... Starting firmware emulation... use Ctrl-a + x to exit qemu-system-mips: -net nic,vlan=0: 'vlan' is deprecated. Please use 'netdev' instead. ./vmlinux.mips_3.2.1: No such file or directory qemu-system-mips: qemu: could not load kernel './vmlinux.mips_3.2.1': Failed to load ELF Deleting route... Bringing down TAP device... Deleting TAP device tap2540_0... Set 'tap2540_0' nonpersistent

    I tried a lot of ways to fix this problem. Is this about the QEMU version?

    opened by skyvast404 0
  • I got a segment error when running sudo ./run.sh

    The following error occurred when I was running sudo ./run.sh:

    init started: BusyBox v1.14.1 (2011-05-10 18:37:43 CST) starting pid 54, tty '': '/etc/init.d/rcS' [/etc/init.d/S10init.sh] free(): double free detected in tcache 2 ./run.sh: line 75: 107492 Abandoned(core dumped) ${QEMU} -m 256 -mem-prealloc -mem-path ${MEM_FILE} -M ${QEMU_MACHINE} -kernel ${KERNEL} -drive if=ide,format=raw,file=${IMAGE} -append "root=${QEMU_ROOTFS} console=ttyS0 nandsim.parts=64,64,64,64,64,64,64,64,64,64 rdinit=/firmadyne/preInit.sh rw debug ignore_loglevel print-fatal-signals=1 user_debug=31 firmadyne.syscall=0" -nographic -net nic,vlan=0 -net socket,vlan=0,listen=:2000 -net nic,vlan=1 -net socket,vlan=1,listen=:2001 -net nic,vlan=0 -net tap,vlan=0,id=net0,ifname=${TAPDEV_0},script=no -net nic,vlan=3 -net socket,vlan=3,listen=:2003 Deleting route... Bringing down TAP device... Deleting TAP device tap9050_0... Set 'tap9050_0' nonpersistent

    My virtual machine environment is Ubuntu 18.04. Does anyone know what mistake that is? Thank you very much.

    opened by 1amfree 0
  • recipe for target '/home/algorithm/FirmAFL/qemu_mode/DECAF_qemu_2.10/shared/sleuthkit/lib/libtsk.so' failed

    Hello! There is an "Error 2" when I am making the System mode in the Setup step. The error messages are as follows:

    Building Sleuthkit, please wait... GEN Sleuthkit Makefile:226: recipe for target '/home/algorithm/FirmAFL/qemu_mode/DECAF_qemu_2.10/shared/sleuthkit/lib/libtsk.so' failed make: *** [/home/algorithm/FirmAFL/qemu_mode/DECAF_qemu_2.10/shared/sleuthkit/lib/libtsk.so] Error 2

    There is no 'lib' in the folder /sleuthkit. I tried to run the Makefile in /sleuthkit and another error occurred.

    Is it due to a problem with the sleuthkit version? Where do I look for the contents of the lib folder in this area?

    opened by tyj1998 2
  • Running into errors with run.sh

    I am trying to get the tplink 940 firmware working.

    When running run.sh I get the error:

    Creating TAP device tap105568_0...
    Set 'tap105568_0' persistent and owned by uid 1000
    Bringing up TAP device...
    Adding route to 192.168.0.1...
    Starting firmware emulation... use Ctrl-a + x to exit
    afl-fuzz 2.52b by <[email protected]>
    [+] Looks like we're not running on a tty, so I'll be a bit less verbose.
    [+] You have 1 CPU core and 3 runnable tasks (utilization: 300%).
    [*] Checking core_pattern...
    
    [-] Hmm, your system is configured to send core dump notifications to an
        external utility. This will cause issues: there will be an extended delay
        between stumbling upon a crash and having this information relayed to the
        fuzzer via the standard waitpid() API.
    
        To avoid having crashes misinterpreted as timeouts, please log in as root
        and temporarily modify /proc/sys/kernel/core_pattern, like so:
    
        echo core >/proc/sys/kernel/core_pattern
    
    [-] PROGRAM ABORT : Pipe at the beginning of 'core_pattern'
             Location : check_crash_handling(), afl-fuzz.c:7289
    
    Deleting route...
    Bringing down TAP device...
    Deleting TAP device tap105568_0...
    Set 'tap105568_0' nonpersistent
    

    If I take out the AFL line from

    ${AFL} \
     ${QEMU} -m 256  -M ${QEMU_MACHINE} -kernel ${KERNEL} \
    

    I get the output:

    Creating TAP device tap105568_0...
    Set 'tap105568_0' persistent and owned by uid 1000
    Bringing up TAP device...
    Adding route to 192.168.0.1...
    Starting firmware emulation... use Ctrl-a + x to exit
    Could not create fifo ../image_105600/user_cpu_state
    Deleting route...
    Bringing down TAP device...
    Deleting TAP device tap105568_0...
    Set 'tap105568_0' nonpersistent
    

    If I replace QEMU="./qemu-system-mips" with QEMU="get_qemu ${ARCHEND}", the VM starts up but it hangs on [*] Spinning up the fork server... when running the start.py script.

    Has anyone encountered this? I feel like I am at the last hurdle of getting this thing working.

    opened by majodu 0
  • QEMU Segmentation fault when I run the example

    When I run the example run.sh, I get a crash like this: ./run.sh: line 71: 53030 Segmentation fault (core dumped) ${QEMU} -m 256 -mem-prealloc -mem-path ${MEM_FILE} -M ${QEMU_MACHINE} -kernel ${KERNEL} -drive if=ide,format=raw,file=${IMAGE} -append "root=${QEMU_ROOTFS} console=ttyS0 nandsim.parts=64,64,64,64,64,64,64,64,64,64 rdinit=/firmadyne/preInit.sh rw debug ignore_loglevel print-fatal-signals=1 user_debug=31 firmadyne.syscall=0" -nographic -net nic,vlan=0 -net socket,vlan=0,listen=:2000 -net nic,vlan=1 -net socket,vlan=1,listen=:2001 -net nic,vlan=0 -net tap,vlan=0,id=net0,ifname=${TAPDEV_0},script=no -net nic,vlan=3 -net socket,vlan=3,listen=:2003 It seems to trigger a double free. Has anyone ever encountered this problem? Thanks.

    opened by b0m13 4