Fuzzing Against the Machine [1 ed.] 9781804614976

Table of contents :
Preface
Part 1: Foundations
1
Who This Book is For
Who is this book for?
Prerequisites
A custom journey
Getting a primer
The utility belt
Ladies and gentlemen, start your engines
QEMU basic instrumentation
OpenWrt full system emulation
Samsung Exynos baseband
iOS and Android
Summary
2
History of Emulation
What is emulation?
Why is emulation needed?
Differences between emulation and virtualization
Emulation besides QEMU
MAME
Bochs
RetroPie
The role of emulation and virtualization in cybersecurity through history
Anubis
TEMU
Ether
The Cuckoo sandbox
Commercial solutions – VirusTotal and Joe Sandbox
Summary
3
QEMU From the Ground
Approaching IoT devices with emulation
Code structure
QEMU emulation
QEMU IR
A deep-dive into QEMU architecture
QEMU extensions and mods
A brief example of Avatar 2
PANDA
Summary
Part 2: Emulation and Fuzzing
4
QEMU Execution Modes and Fuzzing
QEMU user mode
QEMU full-system mode
Fuzzing and analysis techniques
The Rosetta Stone of program semantics
Fuzzing techniques
American Fuzzy Lop and American Fuzzy Lop++
Advantages of AFL and AFL++ versus my own fuzzer
Fuzzing with AFL and AFL++
Fuzzing ARM binaries
Summary
5
A Famous Refrain: AFL + QEMU = CVEs
Is it so easy to find vulnerabilities?
Downloading and installing AFL++
Preparing a vulnerable VLC instance
VLC exploit
Full-system fuzzing – introducing TriforceAFL
Passing inputs to the guest system
Summary
Further reading
Appendix
6
Modifying QEMU for Basic Instrumentation
Adding a new CPU
Emulating an embedded firmware
Reverse engineering DMA peripherals
Emulating UART with Avatar 2 for firmware debugging – visualizing output
Summary
Part 3: Advanced Concepts
7
Real-Life Case Study: Samsung Exynos Baseband
A crash course on mobile phone architecture
Baseband
Baseband CPU family
Application processor and baseband interface
A talk with Shannon
A note on GSM/3GPP/LTE protocol specifications
Setting up FirmWire for vulnerability validation
CVE-2020-25279 – emulator fuzzing
CVE-2020-25279 – OTA exploitation
Summary
8
Case Study: OpenWrt Full-System Fuzzing
OpenWrt
Building the firmware
Testing the firmware in QEMU
Extracting and preparing the kernel
Fuzzing the kernel
Post-crash core dump triaging
Summary
9
Case Study: OpenWrt System Fuzzing for ARM
Emulating the ARM architecture to run an OpenWrt system
Installing TriforceAFL for ARM
Running TriforceAFL in OpenWrt for ARM
Obtaining a crash
Summary
10
Finally Here: iOS Full System Fuzzing
A brief history of iOS emulation
iOS basics
What it takes to boot iOS
Code signatures
Plist files and entitlements
Binaries compilation
IPSW formats and research kernels
Setting up an iOS emulator
Preparing the environment
Building the emulator
Boot prepping
Booting iOS in QEMU
Preparing your harness to start fuzzing
Triforce’s driver mod for iOS
Summary
11
Deus Ex Machina: Fuzzing Android Libraries
Introducing the Android OS and its architecture
The Android architecture
Fuzzing Android libraries with Sloth
Introducing Sloth's mechanisms
Introducing AFL coverage
Running the ELF linker
Running LibFuzzer
Addressing issues with the Sloth fuzzing method
Running Sloth
Summary
12
Conclusion and Final Remarks
Index
Other Books You May Enjoy