Table of contents

Preface

Part 1: Foundations

1 Who This Book is For
    Who is this book for?
    Prerequisites
    A custom journey
    Getting a primer
    The utility belt
    Ladies and gentlemen, start your engines
        QEMU basic instrumentation
        OpenWrt full system emulation
        Samsung Exynos baseband
        iOS and Android
    Summary

2 History of Emulation
    What is emulation?
    Why is emulation needed?
    Differences between emulation and virtualization
    Emulation besides QEMU
        MAME
        Bochs
        RetroPie
    The role of emulation and virtualization in cybersecurity through history
        Anubis
        TEMU
        Ether
        The Cuckoo sandbox
        Commercial solutions – VirusTotal and Joe Sandbox
    Summary

3 QEMU From the Ground
    Approaching IoT devices with emulation
    Code structure
    QEMU emulation
    QEMU IR
    A deep-dive into QEMU architecture
    QEMU extensions and mods
        A brief example of Avatar 2
        PANDA
    Summary

Part 2: Emulation and Fuzzing

4 QEMU Execution Modes and Fuzzing
    QEMU user mode
    QEMU full-system mode
    Fuzzing and analysis techniques
        The Rosetta Stone of program semantics
        Fuzzing techniques
    American Fuzzy Lop and American Fuzzy Lop++
        Advantages of AFL and AFL++ versus my own fuzzer
    Fuzzing with AFL and AFL++
        Fuzzing ARM binaries
    Summary

5 A Famous Refrain: AFL + QEMU = CVEs
    Is it so easy to find vulnerabilities?
    Downloading and installing AFL++
    Preparing a vulnerable VLC instance
    VLC exploit
    Full-system fuzzing – introducing TriforceAFL
        Passing inputs to the guest system
    Summary
    Further reading
    Appendix

6 Modifying QEMU for Basic Instrumentation
    Adding a new CPU
    Emulating an embedded firmware
    Reverse engineering DMA peripherals
    Emulating UART with Avatar 2 for firmware debugging – visualizing output
    Summary

Part 3: Advanced Concepts

7 Real-Life Case Study: Samsung Exynos Baseband
    A crash course on mobile phone architecture
        Baseband
        Baseband CPU family
        Application processor and baseband interface
    A talk with Shannon
    A note on GSM/3GPP/LTE protocol specifications
    Setting up FirmWire for vulnerability validation
    CVE-2020-25279 – emulator fuzzing
    CVE-2020-25279 – OTA exploitation
    Summary

8 Case Study: OpenWrt Full-System Fuzzing
    OpenWrt
    Building the firmware
    Testing the firmware in QEMU
    Extracting and preparing the kernel
    Fuzzing the kernel
    Post-crash core dump triaging
    Summary

9 Case Study: OpenWrt System Fuzzing for ARM
    Emulating the ARM architecture to run an OpenWrt system
    Installing TriforceAFL for ARM
    Running TriforceAFL in OpenWrt for ARM
    Obtaining a crash
    Summary

10 Finally Here: iOS Full System Fuzzing
    A brief history of iOS emulation
    iOS basics
        What it takes to boot iOS
        Code signatures
        Plist files and entitlements
        Binaries compilation
        IPSW formats and research kernels
    Setting up an iOS emulator
        Preparing the environment
        Building the emulator
        Boot prepping
        Booting iOS in QEMU
    Preparing your harness to start fuzzing
        Triforce's driver mod for iOS
    Summary

11 Deus Ex Machina: Fuzzing Android Libraries
    Introducing the Android OS and its architecture
        The Android architecture
    Fuzzing Android libraries with Sloth
        Introducing Sloth's mechanisms
        Introducing AFL coverage
        Running the ELF linker
        Running LibFuzzer
    Addressing issues with the Sloth fuzzing method
    Running Sloth
    Summary

12 Conclusion and Final Remarks

Index

Other Books You May Enjoy