Book Image

Fuzzing Against the Machine

By : Antonio Nappa, Eduardo Blázquez
Book Image

Fuzzing Against the Machine

By: Antonio Nappa, Eduardo Blázquez

Overview of this book

Emulation and fuzzing are among the many techniques that can be used to improve cybersecurity; however, utilizing these efficiently can be tricky. Fuzzing Against the Machine is your hands-on guide to understanding how these powerful tools and techniques work. Using a variety of real-world use cases and practical examples, this book helps you grasp the fundamental concepts of fuzzing and emulation along with advanced vulnerability research, providing you with the tools and skills needed to find security flaws in your software. The book begins by introducing you to two open source fuzzer engines: QEMU, which allows you to run software for whatever architecture you can think of, and American fuzzy lop (AFL) and its improved version AFL++. You’ll learn to combine these powerful tools to create your own emulation and fuzzing environment and then use it to discover vulnerabilities in various systems, such as iOS, Android, and Samsung's Mobile Baseband software, Shannon. After reading the introductions and setting up your environment, you’ll be able to dive into whichever chapter you want, although the topics gradually become more advanced as the book progresses. By the end of this book, you’ll have gained the skills, knowledge, and practice required to find flaws in any firmware by emulating and fuzzing it with QEMU and several fuzzing engines.

Related Content you might be interested in

Current Title:

Small book image
Fuzzing Against the Machine
Antonio Nappa | Eduardo Blázquez
May, 2023 | 238 pages
Small book image
Ghidra Software Reverse Engineering for Beginners
David Álvarez Pérez
Jan, 2021 | 322 pages
Small book image
Mobile App Reverse Engineering
Abhinav Mishra
May, 2022 | 166 pages
Table of Contents (18 chapters)
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the example code files
Download the color images
Conventions used
Get in touch
Share Your Thoughts
Download a free PDF copy of this book
1
Part 1: Foundations
Part 1: Foundations
Free Chapter
2
Chapter 1: Who This Book is For
Chapter 1: Who This Book is For
Who is this book for?
Prerequisites
A custom journey
Getting a primer
Ladies and gentlemen, start your engines
Summary
3
Chapter 2: History of Emulation
Chapter 2: History of Emulation
What is emulation?
Why is emulation needed?
Emulation besides QEMU
The role of emulation and virtualization in cybersecurity through history
Summary
4
Chapter 3: QEMU From the Ground
Chapter 3: QEMU From the Ground
Approaching IoT devices with emulation
Code structure
QEMU emulation
QEMU extensions and mods
Summary
5
Part 2: Emulation and Fuzzing
Part 2: Emulation and Fuzzing
6
Chapter 4: QEMU Execution Modes and Fuzzing
Chapter 4: QEMU Execution Modes and Fuzzing
QEMU user mode
QEMU full-system mode
Fuzzing and analysis techniques
American Fuzzy Lop and American Fuzzy Lop++
Summary
7
Chapter 5: A Famous Refrain: AFL + QEMU = CVEs
Chapter 5: A Famous Refrain: AFL + QEMU = CVEs
Is it so easy to find vulnerabilities?
Full-system fuzzing – introducing TriforceAFL
Summary
Further reading
Appendix
8
Chapter 6: Modifying QEMU for Basic Instrumentation
Chapter 6: Modifying QEMU for Basic Instrumentation
Adding a new CPU
Emulating an embedded firmware
Reverse engineering DMA peripherals
Emulating UART with Avatar2 for firmware debugging – visualizing output
Summary
9
Part 3: Advanced Concepts
Part 3: Advanced Concepts
10
Chapter 7: Real-Life Case Study: Samsung Exynos Baseband
Chapter 7: Real-Life Case Study: Samsung Exynos Baseband
A crash course on mobile phone architecture
Setting up FirmWire for vulnerability validation
Summary
11
Chapter 8: Case Study: OpenWrt Full-System Fuzzing
Chapter 8: Case Study: OpenWrt Full-System Fuzzing
OpenWrt
Building the firmware
Fuzzing the kernel
Post-crash core dump triaging
Summary
12
Chapter 9: Case Study: OpenWrt System Fuzzing for ARM
Chapter 9: Case Study: OpenWrt System Fuzzing for ARM
Emulating the ARM architecture to run an OpenWrt system
Installing TriforceAFL for ARM
Running TriforceAFL in OpenWrt for ARM
Obtaining a crash
Summary
13
Chapter 10: Finally Here: iOS Full System Fuzzing
Chapter 10: Finally Here: iOS Full System Fuzzing
A brief history of iOS emulation
iOS basics
Setting up an iOS emulator
Preparing your harness to start fuzzing
Triforce’s driver mod for iOS
Summary
14
Chapter 11: Deus Ex Machina: Fuzzing Android Libraries
Chapter 11: Deus Ex Machina: Fuzzing Android Libraries
Introducing the Android OS and its architecture
Fuzzing Android libraries with Sloth
Summary
15
Chapter 12: Conclusion and Final Remarks
Chapter 12: Conclusion and Final Remarks
16
Index
Index
Why subscribe?
17
Other Books You May Enjoy
Other Books You May Enjoy
Packt is searching for authors like you
Share Your Thoughts
Download a free PDF copy of this book

Ladies and gentlemen, start your engines

If you have ever been in a playground, you know there are different levels of difficulty in the equipment you can use. Our book is designed to help you figure out which is the best combination of exercises and tools to get your hands dirty with, without getting lost. In our case, the equipment will be different devices, made by different vendors, with different software. Given that we are working with embedded devices, we have had to carefully choose which hardware and software to play with so that you can have the most fun and get the most out of this book.

QEMU basic instrumentation

Instrumentation in computer science is a term that signals that some extra code has been added to an application to analyze or observe a particular behavior or a class of several behaviors. We will explain how it is possible to introduce a new CPU in QEMU and start to execute the first bits of firmware. The code will be almost entirely written in Python. Here, you will see how far this horizon can go, but immediately, you’ll understand the difficulties of running software that expects to interact with sensors, actuators, radio signals, and so on.

OpenWrt full system emulation

OpenWrt (https://openwrt.org/) is a Linux operating system dedicated to baseband routers. It’s a very powerful mod of the world’s favorite penguin software. It is quite easy to install on many old and recent routers and it brings them back to life with a smooth web UI and support for many features of the network. It also includes a package manager. For example, OpenWrt could be instrumented to eavesdrop on HTTPS and save it locally through USB storage if your router has such hardware. At the time of writing, OpenWrt supports almost 2,000 devices. This means that a vulnerability in this system can potentially expose millions of users. Since this firmware embeds an entire operating system, we will be able to perform full system emulation and plug in our harness to hunt for some vulnerabilities. We will show this harness for x86 and ARM32 architectures.

Samsung Exynos baseband

Shannon is the software that’s running within the Exynos chips of Samsung. In this book, we will use it to fuzz into the protocol stack to rediscover some nasty vulnerabilities. This research has been foundational to exploiting GSM and gaining root privileges within cellular phones’ radio chips and eventually escalating to the application processor through the kernel driver. In Android, this interface driver is called RILD (https://hernan.de/research/papers/firmwire-ndss22-hernandez.pdf).

iOS and Android

We will embark on a difficult journey and show how mobile operating systems and their libraries can be executed and fuzzed on your PC. Standing on the shoulders of many giants, we have taken the chance to explain the nuts and bolts of these gems, to empower everyone that has the will to access these precious resources. The final chapter will include a syscall fuzzer for iOS and a library fuzzer for Android.

Previous Section
End of Section 6
Next Section