FIRM-AFL is the first high-throughput greybox fuzzer for IoT firmware.

Overview

FIRM-AFL

FIRM-AFL is the first high-throughput greybox fuzzer for IoT firmware. FIRM-AFL addresses two fundamental problems in IoT fuzzing. First, it addresses compatibility issues by enabling fuzzing for POSIX-compatible firmware that can be emulated in a system emulator. Second, it addresses the performance bottleneck caused by system-mode emulation with a novel technique called "augmented process emulation". By combining system-mode emulation and user-mode emulation in a novel way, augmented process emulation provides compatibility as high as system-mode emulation and throughput as high as user-mode emulation.

Publication

Yaowen Zheng, Ali Davanian, Heng Yin, Chengyu Song, Hongsong Zhu, Limin Sun, “FIRM-AFL: High-throughput greybox fuzzing of IoT firmware via augmented process emulation,” in USENIX Security Symposium, 2019.

Introduction

FIRM-AFL's core technique, augmented process emulation, combines system-mode and user-mode emulation so that the fuzzer keeps the compatibility of the former and the throughput of the latter. The overview is shown in Figure 1.

Figure 1. Overview of Augmented Process Emulation

 

We design and implement FIRM-AFL, an enhancement of AFL for fuzzing IoT firmware. We keep the workflow of AFL intact and replace the user-mode QEMU with augmented process emulation, and the rest of the components remain unchanged. The new workflow is illustrated in Figure 2.

Figure 2. Overview of FIRM-AFL

Setup

Our system has two parts: system mode and user mode. We compile them separately for now.

User mode

cd user_mode/
./configure --target-list=mipsel-linux-user,mips-linux-user,arm-linux-user --static --disable-werror
make

System mode

cd qemu_mode/DECAF_qemu_2.10/
./configure --target-list=mipsel-softmmu,mips-softmmu,arm-softmmu --disable-werror
make

Usage

  1. Download the Firmadyne repo to the root directory of FirmAFL, then set up Firmadyne according to its instructions, including importing its dataset (https://cmu.app.boxcn.net/s/hnpvf1n72uccnhyfe307rc2nb9rfxmjp) into the database.

  2. Replace scripts/makeImage.sh with the modified one in the firmadyne_modify directory.

  3. Follow Firmadyne's guidance to generate the scripts that run the system.

Take the DIR-815 router firmware as an example:

cd firmadyne
./sources/extractor/extractor.py -b dlink -sql 127.0.0.1 -np -nk "../firmware/DIR-815_FIRMWARE_1.01.ZIP" images
./scripts/getArch.sh ./images/9050.tar.gz
./scripts/makeImage.sh 9050
./scripts/inferNetwork.sh 9050
cd ..
python FirmAFL_setup.py 9050 mipsel
  4. Modify run.sh in the image_9050 directory as follows, so that the firmware is emulated with our modified QEMU and kernel and runs on the RAM file.

For mipsel,

ARCH=mipsel
QEMU="./qemu-system-${ARCH}"
KERNEL="./vmlinux.${ARCH}_3.2.1"
IMAGE="./image.raw"
MEM_FILE="./mem_file"
${QEMU} -m 256 -mem-prealloc -mem-path ${MEM_FILE} -M ${QEMU_MACHINE} -kernel ${KERNEL} \

For mipseb,

ARCH=mips
QEMU="./qemu-system-${ARCH}"
KERNEL="./vmlinux.${ARCH}_3.2.1"
IMAGE="./image.raw"
MEM_FILE="./mem_file"
${QEMU} -m 256 -mem-prealloc -mem-path ${MEM_FILE} -M ${QEMU_MACHINE} -kernel ${KERNEL} \
  5. Run the fuzzing process.

After running the start.py script, FirmAFL starts the firmware emulation; once system initialization completes (120 s), the fuzzing process starts. (You may need root privileges to run it.)

cd image_9050
python start.py 9050
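Step 4 above is a mechanical edit of the Firmadyne-generated run.sh. As an added example (not code from FirmAFL or Firmadyne), the following Python script performs that edit: it replaces the ARCH/QEMU/KERNEL/IMAGE/MEM_FILE variables with the template for the chosen architecture and adds the -mem-prealloc -mem-path ${MEM_FILE} flags to the QEMU line. The embedded sample run.sh is constructed, and the mipseb-to-mips mapping is taken from the two templates above.

```python
import re
import sys

# Added example (not FirmAFL's or Firmadyne's own code): applies step 4 of the
# Usage section mechanically. The variable block of a Firmadyne-generated run.sh
# is replaced by the README's template for the chosen architecture, and the QEMU
# invocation is made to back guest RAM with the file named in MEM_FILE.

QEMU_ARCH = {"mipsel": "mipsel", "mipseb": "mips"}  # getArch.sh name -> qemu suffix

# Firmadyne's own definitions of these names are dropped; the template replaces them.
TEMPLATE_VARS = ("ARCH", "QEMU", "KERNEL", "IMAGE", "MEM_FILE")
VAR_LINE = re.compile(r"^(%s)=" % "|".join(TEMPLATE_VARS))


def qemu_arch(firmadyne_arch):
    """Map Firmadyne's architecture name to the qemu-system-* suffix."""
    if firmadyne_arch not in QEMU_ARCH:
        raise ValueError("unsupported architecture: %s" % firmadyne_arch)
    return QEMU_ARCH[firmadyne_arch]


def template_block(arch):
    return [  # the README's step-4 variable block
        "ARCH=%s" % arch,
        'QEMU="./qemu-system-${ARCH}"',
        'KERNEL="./vmlinux.${ARCH}_3.2.1"',
        'IMAGE="./image.raw"',
        'MEM_FILE="./mem_file"',
    ]


def patch_run_sh(text, firmadyne_arch):
    """Return run.sh rewritten for FirmAFL; applying it twice changes nothing."""
    arch = qemu_arch(firmadyne_arch)
    out, inserted = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if VAR_LINE.match(stripped):
            if not inserted:  # first template variable seen: emit the whole block
                out.extend(template_block(arch))
                inserted = True
            continue
        if stripped.startswith("${QEMU} -m 256") and "-mem-path" not in stripped:
            line = line.replace("${QEMU} -m 256", "${QEMU} -m 256 -mem-prealloc -mem-path ${MEM_FILE}", 1)
        out.append(line)
    if not inserted:
        raise ValueError("run.sh has no QEMU/KERNEL/IMAGE variables to replace")
    return "\n".join(out) + "\n"


# Constructed sample modelled on a Firmadyne run.sh (not a real generated file).
SAMPLE_RUN_SH = """#!/bin/bash
ARCHEND=mipseb
QEMU=`get_qemu ${ARCHEND}`
KERNEL=`get_kernel ${ARCHEND}`
IMAGE=`get_fs 9050`
${QEMU} -m 256 -M ${QEMU_MACHINE} -kernel ${KERNEL} \\
    -drive if=ide,format=raw,file=${IMAGE} -nographic
"""

if __name__ == "__main__":  # usage: python patch_run_sh.py image_9050/run.sh mipsel
    path, arch_name = sys.argv[1], sys.argv[2]
    with open(path) as fh:
        patched = patch_run_sh(fh.read(), arch_name)
    with open(path, "w") as fh:
        fh.write(patched)
```

Lines that do not belong to the template (for example ARCHEND, QEMU_MACHINE or the -drive continuation) are left untouched, so the rest of the Firmadyne script keeps working.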

Related Work

Our system is built on top of TriforceAFL, DECAF, AFL, and Firmadyne.

TriforceAFL: AFL/QEMU fuzzing with full-system emulation, https://github.com/nccgroup/TriforceAFL.

DECAF: "Make it work, make it right, make it fast: building a platform-neutral whole-system dynamic binary analysis platform", Andrew Henderson, Aravind Prakash, Lok Kwong Yan, Xunchao Hu, Xujiewen Wang, Rundong Zhou, and Heng Yin, to appear in the International Symposium on Software Testing and Analysis (ISSTA'14), San Jose, CA, July 2014. https://github.com/sycurelab/DECAF.

AFL: american fuzzy lop (2.52b), http://lcamtuf.coredump.cx/afl/.

Firmadyne: Daming D. Chen, Maverick Woo, David Brumley, and Manuel Egele. “Towards automated dynamic analysis for Linux-based embedded firmware,” in Network and Distributed System Security Symposium (NDSS’16), 2016. https://github.com/firmadyne.

Troubleshooting

(1) error: static declaration of ‘memfd_create’ follows non-static declaration

Please see https://blog.csdn.net/newnewman80/article/details/90175033.

(2) failed to find romfile "efi-e1000.rom" when running run.sh

Use the run.sh in FirmAFL_config/9050/ instead.

(3) Fork server crashed with signal 11

Run the scripts invoked by start.py sequentially: first run.sh; once the tested program has started, run python test.py and then user.sh.

(4) For firmware ids 12978 and 16116, which have more than one test case, we use different image directory names to distinguish the cases.

Before running FirmAFL_setup, first rename the image directory image_12978 to image_129780, then rename firmadyne/scratch/12978 to firmadyne/scratch/129780. After that, run python FirmAFL_setup.py 129780 mips.
(To test another case for image_12978, use image_129781 instead of image_129780.)
Comments
  • error when i use "make" command in dir qemu_mode

    I try to use the "make" command in dir qemu_mode but there was an error:

    GEN config-host.h
    make all-recursive
    Making all in pixman
    make[3]: Nothing to be done for 'all'.
    Making all in demos
    make[3]: Nothing to be done for 'all'.
    Making all in test
    make[3]: Nothing to be done for 'all'.
    CHK version_gen.h
    LEX convert-dtsv0-lexer.lex.c
    make[1]: flex: Command not found
    LEX dtc-lexer.lex.c
    make[1]: flex: Command not found
    make: *** No rule to make target 'trace/generated-tcg-tracers.h', needed by 'Makefile'. Stop.

    I searched on Google but still found nothing; what should I do?

    opened by pureGavin 6
  • Unable to make FirmAFL work

    Hello,

    I am trying to get FirmAFL running, but I am having a hard time with the issues below:

    1. I have firmadyne inside the FirmAFL directory, and I am able to execute all the guidance from firmadyne correctly, but the image when extracted is named 1.tar.gz, not 9050.tar.gz. Subsequently, the created image directory in the FirmAFL directory is named image_1.
    2. I mention the previous point because running python FirmAFL_setup.py 9050 mipsel does not work. Also, when I tried to execute the command with 1, like python FirmAFL_setup.py 1 mipsel, an error pops up saying directory /1/ does not exist.
    3. OK, I tried a workaround and renamed 1 to 9050, and I even created /1/ similar to the /9050/ directory inside the FirmAFL_config directory and went into each file and replaced all 9050 values with 1.
    4. After this workaround it seems to work, even though I do not find it correct to do it. Now, I go to /image_1/ and execute sudo python start.py 1; it displays sending buffer size 3158, then an error pops up saying socket.error: [Error 110] Connection timed out. The execution, however, continues running, and at the end it is stuck on Spinning up the fork server...

    Can you please help me with the aforementioned concerns, or correct me in case I have a misunderstanding. Thank you.

    opened by josephKhoury95 6
  • FirmAFL can only Emulate 10 FW?

    Hello Sir. First of all, thank you for realizing this awesome tool.

    Would you mind if I ask a few questions?

    1. Does FirmAFL emulate only the 10 firmware images stored in the FIRMWARE folder? How can we emulate other firmware not included in the FIRMWARE folder?

    2. Is it possible to fuzz the emulated firmware binary outside the FirmAFL folder if I install AFL QEMU mode?

    Thank you very much for sharing your time!

    opened by Fayozbek 2
  • Error compiling FirmAFL system mode code

    Makefile:226: recipe for target '/home/test/tools/FirmAFL/qemu_mode/DECAF_qemu_2.10/shared/sleuthkit/lib/libtsk.so' failed
    make: *** [/home/test/tools/FirmAFL/qemu_mode/DECAF_qemu_2.10/shared/sleuthkit/lib/libtsk.so] Error 2

    The command followed the Readme file. The detailed error is: (image)

    opened by newthis 2
  • Cannot start DIR-815 example

    I have followed the steps to set up the DIR-815 fuzzing environment. Eventually I executed python start.py. However, after the full system launched, afl-fuzz failed to handshake with the fork server. It seems that you chroot afl-fuzz into a folder and give it /bin/busybox as the program? I'm confused by this part. I can neither chroot nor find busybox. Could you please explain a little bit about this?

    opened by BrieflyX 1
  • Error: Cannot find tarball of root filesystem for 9050!

    When I run the test case I run into this problem in step 3. This is the output:

    sudo ./scripts/makeImage.sh 9050
    Querying database for architecture...
    Password for user firmadyne:
    mipsel
    ----Running----
    ----Copying Filesystem Tarball----
    Error: Cannot find tarball of root filesystem for 9050!

    Can you help me?

    opened by DerZc 1
  • i don't know which kind of fuzz data should i put in

    I try to start fuzzing, but AFL needs an input file. I downloaded fuzz data from 'https://github.com/MozillaSecurity/fuzzdata', but there is a lot of fuzz data and I don't know which kind I should put in. Should I put all of it in?

    opened by pureGavin 0
  • miniupnpd is not working

    I've tried fuzzing my miniupnpd for the 161160 images, but when the crash is triggered the process terminates; it doesn't isolate the crashing input. (image)

    FIRM-AFL is good at isolating the crashing input for other firmware, but only for the 16116 firmware does it not isolate the crashing input. In other words, the stability of the emulator is poor.

    When signal 11 occurs in the target program, we are constantly looking for a way to bring the emulator back to the fork point and isolate that crashing input.

    Any hints and help for me would be appreciated. Thank you.

    opened by jyaniii 0
  • qemu failed!!!

    root@ubuntu:/home/sv/Documents/FirmAFL/image_2540# ./run.sh
    Creating TAP device tap2540_0...
    Set 'tap2540_0' persistent and owned by uid 0
    Bringing up TAP device...
    Adding route to 192.168.0.100...
    Starting firmware emulation... use Ctrl-a + x to exit
    qemu-system-mips: -net nic,vlan=0: 'vlan' is deprecated. Please use 'netdev' instead.
    ./vmlinux.mips_3.2.1: No such file or directory
    qemu-system-mips: qemu: could not load kernel './vmlinux.mips_3.2.1': Failed to load ELF
    Deleting route...
    Bringing down TAP device...
    Deleting TAP device tap2540_0...
    Set 'tap2540_0' nonpersistent

    I tried a lot of ways to fix this problem. Is this about the qemu version?

    opened by skyvast404 0
  • I got a segment error when running sudo ./run.sh

    The following error occurred when I was running sudo ./run.sh:

    init started: BusyBox v1.14.1 (2011-05-10 18:37:43 CST)
    starting pid 54, tty '': '/etc/init.d/rcS'
    [/etc/init.d/S10init.sh]
    free(): double free detected in tcache 2
    ./run.sh: line 75: 107492 Abandoned(core dumped) ${QEMU} -m 256 -mem-prealloc -mem-path ${MEM_FILE} -M ${QEMU_MACHINE} -kernel ${KERNEL} -drive if=ide,format=raw,file=${IMAGE} -append "root=${QEMU_ROOTFS} console=ttyS0 nandsim.parts=64,64,64,64,64,64,64,64,64,64 rdinit=/firmadyne/preInit.sh rw debug ignore_loglevel print-fatal-signals=1 user_debug=31 firmadyne.syscall=0" -nographic -net nic,vlan=0 -net socket,vlan=0,listen=:2000 -net nic,vlan=1 -net socket,vlan=1,listen=:2001 -net nic,vlan=0 -net tap,vlan=0,id=net0,ifname=${TAPDEV_0},script=no -net nic,vlan=3 -net socket,vlan=3,listen=:2003
    Deleting route...
    Bringing down TAP device...
    Deleting TAP device tap9050_0...
    Set 'tap9050_0' nonpersistent

    My virtual machine environment is Ubuntu 18.04. Does anyone know what mistake that is? Thank you very much.

    opened by 1amfree 0
  • recipe for target '/home/algorithm/FirmAFL/qemu_mode/DECAF_qemu_2.10/shared/sleuthkit/lib/libtsk.so' failed

    Hello! There is an Error 2 when I am making System mode in the Setup step. The error messages are as follows:

    Building Sleuthkit, please wait...
    GEN Sleuthkit
    Makefile:226: recipe for target '/home/algorithm/FirmAFL/qemu_mode/DECAF_qemu_2.10/shared/sleuthkit/lib/libtsk.so' failed
    make: *** [/home/algorithm/FirmAFL/qemu_mode/DECAF_qemu_2.10/shared/sleuthkit/lib/libtsk.so] Error 2

    There is no 'lib' in the folder /sleuthkit. I tried to run the makefile in /sleuthkit and another error occurred.

    Is it due to a problem with the sleuthkit version? Where do I look for the contents of the lib file in this area?

    opened by tyj1998 2
  • Running into errors with run.sh

    I am trying to get the tplink 940 firmware working.

    When running run.sh I get the error:

    Creating TAP device tap105568_0...
    Set 'tap105568_0' persistent and owned by uid 1000
    Bringing up TAP device...
    Adding route to 192.168.0.1...
    Starting firmware emulation... use Ctrl-a + x to exit
    afl-fuzz 2.52b by <[email protected]>
    [+] Looks like we're not running on a tty, so I'll be a bit less verbose.
    [+] You have 1 CPU core and 3 runnable tasks (utilization: 300%).
    [*] Checking core_pattern...
    
    [-] Hmm, your system is configured to send core dump notifications to an
        external utility. This will cause issues: there will be an extended delay
        between stumbling upon a crash and having this information relayed to the
        fuzzer via the standard waitpid() API.
    
        To avoid having crashes misinterpreted as timeouts, please log in as root
        and temporarily modify /proc/sys/kernel/core_pattern, like so:
    
        echo core >/proc/sys/kernel/core_pattern
    
    [-] PROGRAM ABORT : Pipe at the beginning of 'core_pattern'
             Location : check_crash_handling(), afl-fuzz.c:7289
    
    Deleting route...
    Bringing down TAP device...
    Deleting TAP device tap105568_0...
    Set 'tap105568_0' nonpersistent
    

    if I take out the AFL line from

    ${AFL} \
     ${QEMU} -m 256  -M ${QEMU_MACHINE} -kernel ${KERNEL} \
    

    I get the output

    Creating TAP device tap105568_0...
    Set 'tap105568_0' persistent and owned by uid 1000
    Bringing up TAP device...
    Adding route to 192.168.0.1...
    Starting firmware emulation... use Ctrl-a + x to exit
    Could not create fifo ../image_105600/user_cpu_state
    Deleting route...
    Bringing down TAP device...
    Deleting TAP device tap105568_0...
    Set 'tap105568_0' nonpersistent
    

    If I replace QEMU="./qemu-system-mips" with QEMU="get_qemu ${ARCHEND}", the VM starts up but it hangs on [*] Spinning up the fork server... when running the start.py script.

    Has anyone encountered this? I feel like I am at the last hurdle of getting this thing working.

    opened by majodu 0
  • QEMU Segmentation fault when I run the example

    When I run the example run.sh, I get a crash like this:

    ./run.sh: line 71: 53030 Segmentation fault (core dumped) ${QEMU} -m 256 -mem-prealloc -mem-path ${MEM_FILE} -M ${QEMU_MACHINE} -kernel ${KERNEL} -drive if=ide,format=raw,file=${IMAGE} -append "root=${QEMU_ROOTFS} console=ttyS0 nandsim.parts=64,64,64,64,64,64,64,64,64,64 rdinit=/firmadyne/preInit.sh rw debug ignore_loglevel print-fatal-signals=1 user_debug=31 firmadyne.syscall=0" -nographic -net nic,vlan=0 -net socket,vlan=0,listen=:2000 -net nic,vlan=1 -net socket,vlan=1,listen=:2001 -net nic,vlan=0 -net tap,vlan=0,id=net0,ifname=${TAPDEV_0},script=no -net nic,vlan=3 -net socket,vlan=3,listen=:2003

    It seems to trigger a double free. Has anyone ever encountered this problem? Thanks

    opened by b0m13 4