You're reading from Fuzzing Against the Machine Automate vulnerability research with emulated IoT devices on QEMU

Product type Paperback

Published in May 2023

Publisher Packt

ISBN-13 9781804614976

Length 238 pages

Edition 1st Edition

Languages

Assembly

Tools

Qemu

Concepts

Cybersecurity

Authors (3):

Antonio Nappa

Eduardo Blázquez

Eduardo Blazquez

View More author details

Table of Contents (18) Chapters

Preface

1. Part 1: Foundations

2. Chapter 1: Who This Book is For FREE CHAPTER

3. Chapter 2: History of Emulation

4. Chapter 3: QEMU From the Ground

5. Part 2: Emulation and Fuzzing

6. Chapter 4: QEMU Execution Modes and Fuzzing

7. Chapter 5: A Famous Refrain: AFL + QEMU = CVEs

8. Chapter 6: Modifying QEMU for Basic Instrumentation

9. Part 3: Advanced Concepts

10. Chapter 7: Real-Life Case Study: Samsung Exynos Baseband

11. Chapter 8: Case Study: OpenWrt Full-System Fuzzing

12. Chapter 9: Case Study: OpenWrt System Fuzzing for ARM

13. Chapter 10: Finally Here: iOS Full System Fuzzing

14. Chapter 11: Deus Ex Machina: Fuzzing Android Libraries

15. Chapter 12: Conclusion and Final Remarks

16. Index

Why subscribe?

17. Other Books You May Enjoy

Ladies and gentlemen, start your engines

If you have ever been in a playground, you know there are different levels of difficulty in the equipment you can use. Our book is designed to help you figure out which is the best combination of exercises and tools to get your hands dirty with, without getting lost. In our case, the equipment will be different devices, made by different vendors, with different software. Given that we are working with embedded devices, we have had to carefully choose which hardware and software to play with so that you can have the most fun and get the most out of this book.

QEMU basic instrumentation

Instrumentation in computer science is a term that signals that some extra code has been added to an application to analyze or observe a particular behavior or a class of several behaviors. We will explain how it is possible to introduce a new CPU in QEMU and start to execute the first bits of firmware. The code will be almost entirely written in Python. Here, you will see how far this horizon can go, but immediately, you’ll understand the difficulties of running software that expects to interact with sensors, actuators, radio signals, and so on.

OpenWrt full system emulation

OpenWrt (https://openwrt.org/) is a Linux operating system dedicated to baseband routers. It’s a very powerful mod of the world’s favorite penguin software. It is quite easy to install on many old and recent routers and it brings them back to life with a smooth web UI and support for many features of the network. It also includes a package manager. For example, OpenWrt could be instrumented to eavesdrop on HTTPS and save it locally through USB storage if your router has such hardware. At the time of writing, OpenWrt supports almost 2,000 devices. This means that a vulnerability in this system can potentially expose millions of users. Since this firmware embeds an entire operating system, we will be able to perform full system emulation and plug in our harness to hunt for some vulnerabilities. We will show this harness for x86 and ARM32 architectures.

Samsung Exynos baseband

Shannon is the software that’s running within the Exynos chips of Samsung. In this book, we will use it to fuzz into the protocol stack to rediscover some nasty vulnerabilities. This research has been foundational to exploiting GSM and gaining root privileges within cellular phones’ radio chips and eventually escalating to the application processor through the kernel driver. In Android, this interface driver is called RILD (https://hernan.de/research/papers/firmwire-ndss22-hernandez.pdf).

iOS and Android

We will embark on a difficult journey and show how mobile operating systems and their libraries can be executed and fuzzed on your PC. Standing on the shoulders of many giants, we have taken the chance to explain the nuts and bolts of these gems, to empower everyone that has the will to access these precious resources. The final chapter will include a syscall fuzzer for iOS and a library fuzzer for Android.