Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
Fuzzing Against the Machine
Fuzzing Against the Machine

Fuzzing Against the Machine: Automate vulnerability research with emulated IoT devices on QEMU

Arrow left icon
Profile Icon Antonio Nappa Profile Icon Eduardo Blázquez
Arrow right icon
$49.99
Full star icon Full star icon Full star icon Full star icon Half star icon 4.5 (15 Ratings)
Paperback May 2023 238 pages 1st Edition
eBook
$9.99 $39.99
Paperback
$49.99
Subscription
Free Trial
Renews at $19.99p/m
Arrow left icon
Profile Icon Antonio Nappa Profile Icon Eduardo Blázquez
Arrow right icon
$49.99
Full star icon Full star icon Full star icon Full star icon Half star icon 4.5 (15 Ratings)
Paperback May 2023 238 pages 1st Edition
eBook
$9.99 $39.99
Paperback
$49.99
Subscription
Free Trial
Renews at $19.99p/m
eBook
$9.99 $39.99
Paperback
$49.99
Subscription
Free Trial
Renews at $19.99p/m

What do you get with Print?

Product feature icon Instant access to your digital eBook copy whilst your Print order is Shipped
Product feature icon Paperback book shipped to your preferred address
Product feature icon Download this book in EPUB and PDF formats
Product feature icon Access this title in our online reader with advanced features
Product feature icon DRM FREE - Read whenever, wherever and however you want
Product feature icon AI Assistant (beta) to help accelerate your learning
OR
Modal Close icon
Payment Processing...
tick Completed

Shipping Address

Billing Address

Shipping Methods
Table of content icon View table of contents Preview book icon Preview Book

Fuzzing Against the Machine

Who This Book is For

Do you hear that, Mr. Anderson? That is the sound of inevitability.” This is a famous phrase from the action movie The Matrix. We refer to this sound as Moore’s law. The constant and inevitable miniaturization of circuits has paved the way for the birth of thousands and thousands of new devices, all equipped with sensors, multiple connections, and operating systems. So, how can a vulnerability researcher cope with so many devices, firmware, and standards?

Owning devices is both expensive and logistically unfeasible – for example, the birth of emulators such as Bleem! In the 90s, emulating the PlayStation on a PC was surely a cheaper option than buying the console, and you could do everything on the same PC.

Nowadays, it is clear that there is a lot of space for doing vulnerability research about any kind of device. Pioneering research was done in the first decade of this century. Tools such as Quick Emulator (QEMU), PANDA, Avatar, and Avatar2 were created. They allow you to control an emulated device and interface it with simulated sensors or real ones. They do not offer 100% functionality and full code reachability for obvious reasons (they don’t replace a real device). Though, over the years, it has been demonstrated that it is possible to find vulnerabilities by emulating a real device stepping through its execution with a debugger attached through a JTAG port.

Still, if we decide to analyze a medium-sized corpus of devices, reversing the firmware code or reading the source code takes a lot of time. Hence, using a fuzzer on the interfaces that are dependent on inputs coming from the user, for instance, may stimulate anomalous behaviors that are easier to backtrack, instead of hunting for them directly.

We will not be able to cope with all devices, interfaces, and protocols, and this is outside the scope of this book. Our aim here is to provide you with the necessary toolkit to understand the process of emulating firmware and hooking it to a fuzzer to trigger anomalous conditions. The examples have been carefully picked to help you understand the process and enable you to adapt the concepts autonomously to new firmware.

In this chapter, we will cover the following topics:

  • Who is this book for?
  • A custom journey
  • Getting a primer
  • Jumping into the dirt

Who is this book for?

Passion, curiosity, and hard work – these are the main drivers for embarking on a journey through two techniques that have become fundamental to security research.

Regardless of whether you are an expert or not, this book is designed to help any kind of reader. We have designed two different paths that can be taken according to your level of experience. To keep you motivated, we have made the effort to provide you with examples, additional material, and useful information to help you foresee the end of every section, chapter, and ultimately this entire book.

Q1 – do you want to start a career in cybersecurity?

Internet of things (IoT) – does this phrase sound familiar now? After years of such claims, we are living in a period where many platforms are connected to our network. From voice assistants to vacuum cleaning robots, smart light bulbs, smart ovens, dishwashers, and, of course, smartphones. So, as software security researchers, how is it possible to analyze all these platforms, firmware, and software stacks?

One of the best candidates that will allow us to avoid buying all these devices is QEMU. QEMU will be our reference platform to embark on a journey into vulnerability research. The reason for our choice is motivated by the fact that QEMU can emulate many platforms and it’s a mature and modular project. Emulation is a great technique for using general-purpose computers (x86) to run any kind of software and firmware. Imagine you want to test an X-ray machine but the entire object doesn’t fit in your room. How would you proceed? For instance, you can get the firmware and emulate its interfaces, fuzz them, and make it crash, crash, crash.

Q2 – are you a passionate programmer? Hobbyist? Tinkerer?

Don’t get afraid of the words emulation, fuzzing, exploit, and vulnerability. Soon, you will become familiar with them. We suggest that you read this book from start to finish and practice the easiest examples. Then, try the most challenging ones.

Q3 – are you a hardened cybersecurity expert?

You are probably the kind of TLDR learner who looks directly at the code snippets in Stack Overflow (https://stackoverflow.com/questions/44991703/a-buffer-overflow-exercise-using-a-shellcode), without even reading the question. Our suggestion is to start from Part 2, Practical Examples, and follow along with all the examples.

Prerequisites

While this book tries to be as self-contained as possible, and the code snippets from the book will be commented, we recommend that you have a basic knowledge of the following topics:

  • The C programming language
  • The Linux operating system and general knowledge of operating systems
  • The Python scripting language
  • Embedded device functioning principles and electronics

A custom journey

This book has been designed to be in three self-contained parts – Foundations, Description of Emulation and Fuzzing, and Advanced Concepts – all of which include examples with famous open source firmware. The first part provides a deep and thoughtful understanding of emulation and fuzzing. These two techniques are extremely common and widespread in security research. Nonetheless, there are no reference books that talk about these matters in detail and help people start their journey toward understanding one of the most ancient and fascinating concepts in computer science, which is emulation. Fuzzing too is a very old technique, but it has become so sophisticated and advanced that evolutionary algorithms have been implemented to select the best inputs to trigger weird machine states and hunt for some vulnerabilities.

The second part has the hard task of gluing very ancient concepts together with everyday reality. 80 years in computer science are probably comparable to millions of years in biology if you think about circuit miniaturization as a reference point. For that reason, in the second part of this book, we will deep-dive into practical examples where we will use the main tools from this book to get in touch with the world of vulnerability analysis of IoT devices with fuzzing techniques. While this is just an introduction, you will grasp the main concepts, and you will be able to practice these concepts with the proposed exercises.

Finally, in the third part of this book, we will guide you through real examples of fuzzing IoT devices. Here, you will learn how to configure the tools to work with emulated hardware, such as the iPhone 11, and how to use emulation with the corresponding configuration to fuzz this machine to look for vulnerabilities. Once we find possible attack vectors (possible vulnerabilities found by the fuzzer), we will learn how to exploit them using the tools professionals use to search for and exploit those vulnerabilities (for example, disassemblers, and debuggers).

Getting a primer

Vulnerability analysis and software exploitation are related and well-known topics in the area of cybersecurity. The purpose of this book is to look for security bugs in embedded firmware through emulation and later search for a way to exploit (take advantage of) these vulnerabilities. There are various types of security flaws. The most known and often exploitable bug is known as the buffer overflow, where an incorrect bound check makes a program buffer and becomes filled with user-provided data, and in some cases allows that user to execute code inside of the process memory. In the cybersecurity world, the code that’s injected and run through the exploitation of that vulnerability is known as shellcode. While it’s possible to run a shell to run commands, this isn’t always the only option, as it’s possible to be creative and execute different codes to put a foot inside of a machine.

Not all bugs are created equal

A bug is a software flaw. In many cases, bugs do not lead to security breaches or exploits. They just exhibit a behavior that is not expected by the user or the developer. In other cases, a bug may also be a software vulnerability, meaning that it may generate security issues, such as data leakages, denial of service, or exploitation. Exploiting a vulnerability normally leads to privilege escalation or to taking control of the CPU to execute arbitrary code.

Since the first document that explained this process was published (http://phrack.org/issues/49/14.html#article), many countermeasures have been created to stop an attacker who could exploit a vulnerability if one was found in a program. Protections help us avoid massive exploitations of buffer overflow vulnerabilities. However, many other flaws exist:

  • Program logic errors (a mistake during the development phase can a cause program to end in an undefined/unexpected state)
  • Buffer overread (where an improper bound check allows an attacker to have access to unauthorized program data)
  • Format string vulnerabilities (https://www.win.tue.nl/~aeb/linux/hh/formats-teso.html)
  • Heap overflow (an evolution of the buffer overflow in the heap), and many other kinds of vulnerabilities

While the process of searching for these vulnerabilities is hard and tedious due to the time it can take to manually find one, there are different techniques to help security researchers automatically discover some types of vulnerabilities, and in the case of this book, we will cover those that involve the use of a tool called a fuzzer. These kinds of tools take advantage of vulnerabilities such as the incorrect handling of user-provided data in programs to find an input that makes a program crash. The fuzzer will then run the program, giving different inputs and monitoring them to know when that program crashes. To improve the success of the fuzzing process, these programs take a set of inputs and mutate them (for example, changing some bits in the case of some file structures) to give a weird input to the program that it will not be able to handle and will make it crash, where this could or couldn’t be used to take advantage of the vulnerability (sadly, not all vulnerabilities are exploitable).

The utility belt

We have already roughly mentioned what we’ll see in each part of this book, as well as what tools we will use throughout. We will use this section to move a step forward and provide a better overview of the tools we will use, as well as install them (we will not deep-dive into these tools as they will be part of future chapters).

Git, Python3, build-essential

Git is a software version control system that helps keep track of code modifications, which allows us to store our code in a remote server. One of the main servers that contains Git repositories is GitHub. Everybody can upload their artifacts and share them with other people.

Python was created in 1991 by Guido Van Rossum and has exploded as a prototyping language in the last decade thanks to the myriad of libraries written in this language. Without any doubt, Python represents a milestone in computer science because it made programming accessible and readable to everyone. The build-essential package is a basic collection of packages that help compile software in Ubuntu/Debian Linux distributions. Often, Python3 comes already installed and git can be installed with a package manager; for example:

  • Arch: pacman -S git python3 make gcc cmake g++
  • Debian/Ubuntu: apt-get install git python3 build-essential
  • RHEL/CentOS: yum install git python3 make gcc cmake g++
    • Also, for build essentials in RHEL/CentOS, you can use dnf group install "C Development Tools and Libraries" "Development Tools"
  • SUSE: zypper install git python3 make gcc cmake g++

QEMU

QEMU is a piece of software that aims to provide users with a tool where they can emulate different systems, as well as some system peripherals. QEMU uses an intermediate representation (IR) to represent these operations, and through binary translation, it will transform the instructions of the given system or binary into the IR and compile those instructions into the current architecture-supported instructions (just-in-time mode, faster), or it will interpret those IR instructions on its own interpreter (interpreter mode, slower).

To use QEMU, we have two options. The first and simplest one is to use a package manager. The command that’s used will depend on the system that we are using. If we look at the QEMU web page, we will see that they provide different sets of commands, depending on the system:

  • Arch: pacman -S qemu
  • Debian/Ubuntu: apt-get install qemu
  • RHEL/CentOS: yum install qemu-kvm
  • SUSE: zypper install qemu

In our case, we will make use of an Ubuntu system, so we will use the commands for Debian/Ubuntu. Therefore, the command will be super user: sudo apt-get install qemu or sudo apt install qemu.

The other option is to download the QEMU source. This can be downloaded from its download web page or directly from git. In both cases, we will compile and install the tool. Sometimes, this option can be a better fit for us if we want to decide what to install or not during the installation phase.

If we decide to download from its web page (to download the last version, 6.2), we can use the following code:

wget https://download.qemu.org/qemu-6.2.0.tar.xz
tar xvJf qemu-6.2.0.tar.xz
cd qemu-6.2.0
./configure
make
make install

Alternatively, if we want to download using git (this will download the last version in the master), we can do the following:

git clone https://gitlab.com/qemu-project/qemu.git
cd qemu
git submodule init
git submodule update --recursive
./configure
make
make install

AFL/AFL++

American Fuzzy Lop (AFL) (https://lcamtuf.coredump.cx/afl/) has become the de facto standard for program fuzzing and vulnerability research. Michal Zalewski (https://lcamtuf.coredump.cx/silence/), a famous Google security engineer, developed AFL for internal purposes at Google, which, as a company, owns trillions of lines of code and among them, potentially thousands of vulnerabilities. The approach of AFL follows a genetic algorithm that makes the initial program input evolve and makes AFL smart. Moreover, it offers a suite for analyzing crash dumps that are generated by the program that is being fuzzed. AFL helped users find thousands of vulnerabilities, even in famous software such as MySQL, Adobe Reader, VLC, and IDA Pro, as well as several browsers.

AFL++ has been presented as an evolution of AFL and includes patches to hook in a full system emulator (QEMU) or to instrument a binary (QEMU user mode). In this book, we will start with AFL++ and apply some patches that come from other projects to show how flexible it is to have a fuzzing suite embedded with an emulator to hunt for vulnerabilities in embedded firmware. The following is an example of how to install AFL. Throughout this book, we will provide all the instructions we will need to install what is needed for every specific exercise:

git clone https://github.com/google/AFL.git
cd AFL && make

The Ghidra disassembler

Ghidra is a powerful free alternative to IDA Pro. This software was previously owned by the NSA and it was released publicly in 2019. It’s extremely portable since its UI and most of the disassembler internals are written in Java, and it is not dependent on any specific architecture. However, the internal components are compiled natively for the different architectures. This marks a huge difference from other disassemblers because the Java UI makes Ghidra very versatile. Also, Ghidra includes a free decompiler for various architectures, which will be useful when analyzing difficult code.

Installing Ghidra

First of all, as stated previously, Ghidra is written in Java, so we will need to install the Java 11 SDK.

For Linux, follow these steps:

  1. Download the JDK:
    wget https://corretto.aws/downloads/latest/amazon-corretto-11-x64-linux-jdk.tar.gz
  2. Extract the JDK distribution (the .tar.gz file) to your desired location, and add the JDK’s bin directory to your PATH: directory.
  3. Extract the JDK:
    tar xvf <JDK distribution .tar.gz>
  4. Open ~/.bashrc with an editor of your choice; for example, see the following:
    vi ~/.bashrc
  5. At the very end of the file, add the JDK bin directory to the PATH variable:
    export PATH=<path of extracted JDK dir>/bin:$PATH
  6. Save the file.
  7. Restart any open Terminal windows for changes to take effect.

Once the JDK is installed, we will download Ghidra from https://ghidra-sre.org/ and download the ghidra_10.1.2_PUBLIC_20220125.zip file or a more recent version if there is one. Unzip the archive and execute ghidraRun to start the application. Ghidra keeps consistent on its commands, so newer versions will fit what we see in this book. If you are hungry for knowledge about this tool, we recommend reading Ghidra Software Reverse Engineering for Beginners from Packt (https://www.packtpub.com/product/ghidra-software-reverse-engineering-for-beginners/9781800207974). We will also install GNU Debugger, gdb, with some plugins and for different architectures. This tool can help you analyze executables while they’re running. Normally, Ghidra is mostly used for static analysis.

GDB Multiarch and GEF/Pwndbg

GDB is the default debugger on Linux systems. It is a command-line debugger, and we can use it to debug binaries from architectures different from our current one. To do this, we need to install the multiarch version. We will also install a couple of plugins that improve the view of the tool since gdb without plugins can be tough at the beginning. The scripts will show the views from the stack, the registers, and the assembly code at every moment. Throughout this book, we will learn how to use gdb for debugging purposes. The installation commands for the different environments are as follows:

  • Arch: pacman -S gdb-multiarch
  • Debian/Ubuntu: apt-get install gdb-multiarch
  • SUSE: zypper install gdb-multiarch

Then, download or clone https://github.com/apogiatzis/gdb-peda-pwndbg-gef and, from its main directory, execute install.sh.

Avatar2

The Eurecom institute in South France often hosts very talented students and researchers. This is where Avatar2 was designed by Marius Muench, Dario Nisi, Aurelienne Francillon, and Davide Balzarotti. It’s a Python framework that helps orchestrate embedded systems with the help of QEMU. It contains code to patch memory, emulate peripherals, and mock interfaces to bring firmware to a specific state. Some recent Samsung baseband vulnerabilities (disclosed in September 2020) were discovered thanks to Avatar2, AFL, and QEMU. These vulnerabilities were extremely critical and led to remote code execution within the connection processor (CP) of Samsung phones.

Ladies and gentlemen, start your engines

If you have ever been in a playground, you know there are different levels of difficulty in the equipment you can use. Our book is designed to help you figure out which is the best combination of exercises and tools to get your hands dirty with, without getting lost. In our case, the equipment will be different devices, made by different vendors, with different software. Given that we are working with embedded devices, we have had to carefully choose which hardware and software to play with so that you can have the most fun and get the most out of this book.

QEMU basic instrumentation

Instrumentation in computer science is a term that signals that some extra code has been added to an application to analyze or observe a particular behavior or a class of several behaviors. We will explain how it is possible to introduce a new CPU in QEMU and start to execute the first bits of firmware. The code will be almost entirely written in Python. Here, you will see how far this horizon can go, but immediately, you’ll understand the difficulties of running software that expects to interact with sensors, actuators, radio signals, and so on.

OpenWrt full system emulation

OpenWrt (https://openwrt.org/) is a Linux operating system dedicated to baseband routers. It’s a very powerful mod of the world’s favorite penguin software. It is quite easy to install on many old and recent routers and it brings them back to life with a smooth web UI and support for many features of the network. It also includes a package manager. For example, OpenWrt could be instrumented to eavesdrop on HTTPS and save it locally through USB storage if your router has such hardware. At the time of writing, OpenWrt supports almost 2,000 devices. This means that a vulnerability in this system can potentially expose millions of users. Since this firmware embeds an entire operating system, we will be able to perform full system emulation and plug in our harness to hunt for some vulnerabilities. We will show this harness for x86 and ARM32 architectures.

Samsung Exynos baseband

Shannon is the software that’s running within the Exynos chips of Samsung. In this book, we will use it to fuzz into the protocol stack to rediscover some nasty vulnerabilities. This research has been foundational to exploiting GSM and gaining root privileges within cellular phones’ radio chips and eventually escalating to the application processor through the kernel driver. In Android, this interface driver is called RILD (https://hernan.de/research/papers/firmwire-ndss22-hernandez.pdf).

iOS and Android

We will embark on a difficult journey and show how mobile operating systems and their libraries can be executed and fuzzed on your PC. Standing on the shoulders of many giants, we have taken the chance to explain the nuts and bolts of these gems, to empower everyone that has the will to access these precious resources. The final chapter will include a syscall fuzzer for iOS and a library fuzzer for Android.

Summary

In this introductory chapter, we have provided a small overview of what this world is about, and we have also summarized what you will find in this book, along with a set of prerequisites that, while not mandatory, are recommended for fully enjoying this book. Please keep reading this book if you want to learn more about emulation from a security perspective and how to use this powerful tool, together with fuzzing, to start in the world of vulnerability discovery.

In the next chapter, we will provide some coverage of the history of emulation and underline its importance in the world of cybersecurity.

Left arrow icon Right arrow icon
Download code icon Download Code

Key benefits

  • Understand the vulnerability landscape and useful tools such as QEMU and AFL
  • Explore use cases to find vulnerabilities and execute unknown firmware
  • Create your own firmware emulation and fuzzing environment to discover vulnerabilities
  • Purchase of the print or Kindle book includes a free PDF eBook

Description

Emulation and fuzzing are among the many techniques that can be used to improve cybersecurity; however, utilizing these efficiently can be tricky. Fuzzing Against the Machine is your hands-on guide to understanding how these powerful tools and techniques work. Using a variety of real-world use cases and practical examples, this book helps you grasp the fundamental concepts of fuzzing and emulation along with advanced vulnerability research, providing you with the tools and skills needed to find security flaws in your software. The book begins by introducing you to two open source fuzzer engines: QEMU, which allows you to run software for whatever architecture you can think of, and American fuzzy lop (AFL) and its improved version AFL++. You’ll learn to combine these powerful tools to create your own emulation and fuzzing environment and then use it to discover vulnerabilities in various systems, such as iOS, Android, and Samsung's Mobile Baseband software, Shannon. After reading the introductions and setting up your environment, you’ll be able to dive into whichever chapter you want, although the topics gradually become more advanced as the book progresses. By the end of this book, you’ll have gained the skills, knowledge, and practice required to find flaws in any firmware by emulating and fuzzing it with QEMU and several fuzzing engines.

Who is this book for?

This book is for security researchers, security professionals, embedded firmware engineers, and embedded software professionals. Learners interested in emulation, as well as software engineers interested in vulnerability research and exploitation, software testing, and embedded software development will also find it useful. The book assumes basic knowledge of programming (C and Python); operating systems (Linux and macOS); and the use of Linux shell, compilation, and debugging.

What you will learn

  • Understand the difference between emulation and virtualization
  • Discover the importance of emulation and fuzzing in cybersecurity
  • Get to grips with fuzzing an entire operating system
  • Discover how to inject a fuzzer into proprietary firmware
  • Know the difference between static and dynamic fuzzing
  • Look into combining QEMU with AFL and AFL++
  • Explore Fuzz peripherals such as modems
  • Find out how to identify vulnerabilities in OpenWrt
Estimated delivery fee Deliver to United States

Economy delivery 10 - 13 business days

Free $6.95

Premium delivery 6 - 9 business days

$21.95
(Includes tracking information)

Product Details

Country selected
Publication date, Length, Edition, Language, ISBN-13
Publication date : May 19, 2023
Length: 238 pages
Edition : 1st
Language : English
ISBN-13 : 9781804614976
Category :
Languages :
Concepts :
Tools :

What do you get with Print?

Product feature icon Instant access to your digital eBook copy whilst your Print order is Shipped
Product feature icon Paperback book shipped to your preferred address
Product feature icon Download this book in EPUB and PDF formats
Product feature icon Access this title in our online reader with advanced features
Product feature icon DRM FREE - Read whenever, wherever and however you want
Product feature icon AI Assistant (beta) to help accelerate your learning
OR
Modal Close icon
Payment Processing...
tick Completed

Shipping Address

Billing Address

Shipping Methods
Estimated delivery fee Deliver to United States

Economy delivery 10 - 13 business days

Free $6.95

Premium delivery 6 - 9 business days

$21.95
(Includes tracking information)

Product Details

Publication date : May 19, 2023
Length: 238 pages
Edition : 1st
Language : English
ISBN-13 : 9781804614976
Category :
Languages :
Concepts :
Tools :

Packt Subscriptions

See our plans and pricing
Modal Close icon
$19.99 billed monthly
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Simple pricing, no contract
$199.99 billed annually
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just $5 each
Feature tick icon Exclusive print discounts
$279.99 billed in 18 months
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just $5 each
Feature tick icon Exclusive print discounts

Frequently bought together


Stars icon
Total $ 133.97
Burp Suite Cookbook
$49.99
Data Science for Malware Analysis
$33.99
Fuzzing Against the Machine
$49.99
Total $ 133.97 Stars icon
Banner background image

Table of Contents

17 Chapters
Part 1: Foundations Chevron down icon Chevron up icon
Chapter 1: Who This Book is For Chevron down icon Chevron up icon
Chapter 2: History of Emulation Chevron down icon Chevron up icon
Chapter 3: QEMU From the Ground Chevron down icon Chevron up icon
Part 2: Emulation and Fuzzing Chevron down icon Chevron up icon
Chapter 4: QEMU Execution Modes and Fuzzing Chevron down icon Chevron up icon
Chapter 5: A Famous Refrain: AFL + QEMU = CVEs Chevron down icon Chevron up icon
Chapter 6: Modifying QEMU for Basic Instrumentation Chevron down icon Chevron up icon
Part 3: Advanced Concepts Chevron down icon Chevron up icon
Chapter 7: Real-Life Case Study: Samsung Exynos Baseband Chevron down icon Chevron up icon
Chapter 8: Case Study: OpenWrt Full-System Fuzzing Chevron down icon Chevron up icon
Chapter 9: Case Study: OpenWrt System Fuzzing for ARM Chevron down icon Chevron up icon
Chapter 10: Finally Here: iOS Full System Fuzzing Chevron down icon Chevron up icon
Chapter 11: Deus Ex Machina: Fuzzing Android Libraries Chevron down icon Chevron up icon
Chapter 12: Conclusion and Final Remarks Chevron down icon Chevron up icon
Index Chevron down icon Chevron up icon
Other Books You May Enjoy Chevron down icon Chevron up icon

Customer reviews

Top Reviews
Rating distribution
Full star icon Full star icon Full star icon Full star icon Half star icon 4.5
(15 Ratings)
5 star 66.7%
4 star 20%
3 star 13.3%
2 star 0%
1 star 0%
Filter icon Filter
Top Reviews

Filter reviews by




c Aug 17, 2023
Full star icon Full star icon Full star icon Full star icon Full star icon 5
Well written and easy to understand with plenty of history provided along with practical examples. Multiple tracks are present in the book based on your level of expertise. Great reference and guide.
Amazon Verified review Amazon
GUNDERSTONE Jun 04, 2023
Full star icon Full star icon Full star icon Full star icon Full star icon 5
"Fuzzing Against the Machine: Automate vulnerability research with emulated IoT devices on QEMU" is a comprehensive guide to understanding and utilizing the powerful tools of emulation and fuzzing in cybersecurity. This book, by Antonio Nappa and Eduardo Blázquez, provides practical examples and real-world use cases to help them grasp the fundamental concepts of fuzzing and emulation and advanced vulnerability research.This book's intended audience is security researchers, embedded firmware and software professionals, and learners interested in emulation. It is also helpful for those involved in vulnerability research and exploitation, software testing, and embedded software development. Basic knowledge of programming (C and Python), operating systems (Linux and macOS), and Linux shell usage, compilation, and debugging is assumed.To gain a complete comprehension of topics within this book, readers should have prior knowledge in the following areas:• General understanding of operating systems, particularly those that are POSIX-compliant• Familiarity with the C and Python programming languages• Basic knowledge of embedded devices and electronicsThe primary audience is early-career cybersecurity researchers or students seeking hands-on experience with fuzzing-embedded software. However, curious readers are also welcome to continue reading. Please refer to the following section, 'To get the most out of this book,' for more information."The book is divided into three main sections: Introduction, Fuzzing, and Emulation. An overview of the book's contents is provided in the Introduction section and an explanation of why these techniques are essential in cybersecurity. The authors stress the need for hands-on experience with these tools, which is part of what this book provides.The Fuzzing section covers everything from basic concepts to advanced techniques. It starts with explaining what fuzzing is and how it works, then moves on to cover topics such as mutation-based fuzzing, coverage-guided fuzzing, and black-box fuzzing. The authors provide practical examples throughout this section to help readers understand how these techniques can be applied in real-world scenarios.The Emulation section focuses on using emulated IoT devices for vulnerability research. It goes through topics such as setting up a virtual environment using QEMU, creating custom firmware images for emulated devices, and using emulated devices for network analysis. This section also includes practical examples to help readers understand how to apply these techniques in their work.The book excels in providing practical examples. The authors provide step-by-step instructions for setting up virtual environments and running tests using various tools. They also include screenshots and code snippets throughout the book to help readers visualize their learning.Another strength of this book is its clear writing style. The authors explain complex concepts in a way that is easy to understand without sacrificing technical accuracy. They also provide definitions for key terms throughout the book, making it accessible even to readers who are new to cybersecurity."Fuzzing Against the Machine" is an excellent resource for anyone interested in cybersecurity, particularly those looking to improve their vulnerability research skills. The book's focus on practical examples and clear writing style make it easy to understand and apply the concepts covered. Regardless of your level of expertise in cybersecurity, this book offers valuable insights and methods applicable to your work.
Amazon Verified review Amazon
Michael Gates Jun 15, 2023
Full star icon Full star icon Full star icon Full star icon Full star icon 5
“Fuzzing Against the Machine” is a good book for learning practical applications of emulation, specifically QEMU, and fuzzing various systems in it. The authors explain the concepts in a way that even someone new to cybersecurity can follow along and understand. The code snippets are definitely helpful, but make sure you get the free pdf that’s included at the end of the book so you can copy and paste if you need to!This book is a must read for any cybersecurity professionals who want to enhance their bug hunting skill set but aren’t very familiar with emulating IoT systems or the tools required for fuzzing them.
Amazon Verified review Amazon
Dwayne Natwick Jun 03, 2023
Full star icon Full star icon Full star icon Full star icon Full star icon 5
Emulation and simulation of potential attacks is a common tactic to learn vulnerabilities and determine ways to decrease attack surfaces. One of these methods that is gaining popularity is fuzzing. Packt's Fuzzing Against the Machine from Antonio Nappa and Eduardo B. provides guidance and steps for performing these fuzzing emulations on IoT devices. It is an excellent practical guide for performing this vulnerability testing. A must have for anyone that is working to research their cybersecurity protection for these devices.
Amazon Verified review Amazon
Rodrigo Rubira Branco Jun 10, 2023
Full star icon Full star icon Full star icon Full star icon Full star icon 5
I usually do not write reviews for books. A book is so personal, there are so many reasons why someone is interested in a given content, and so many ways to approach it. But this book was in my read list and when Packt folks approached me asking for an opinion, I thought it was a chance to help both the authors and the interested readers.The way I see it, this book replaces a full week of training on the topic. With the advantage that you are able to take it at your own pace. It has plenty of practical examples, with just enough introductory theory (the theory is highly condensed, so even in 'deep dives' we are talking about only a few pages). And then practical examples and use-cases. The reading is not boring at all, and one can easily follow what is going on thru the text, since the content and outputs are there (and later do it themselves).There are just two (very minimal) down-sides to the book: one is that when you condense the theory so much, there will be gaps. And the other is that references are provided across the book and not organized in a section per chapter. The former IMHO, is actually totally fine and even ideal for the book objectives which is to give hands-on experience on the topic. Anyone interested in diving deep on the theoretical aspects can easily follow other references to do so. The balance and compromises chosen by the authors are great. The later issue (about references) is really a matter of preferences (there are plenty of references, they are just not easy to view altogether, one has to read thru and collect them as they go).For folks that have been doing the work for a long time, the book is valuable to cover different use-cases, making sure one is aware of other tricks (and it is a fast read, therefore worth it). For folks that are just starting, the book is excellent to give then a practical start, with plenty of opportunity to continue from there.
Amazon Verified review Amazon
Get free access to Packt library with over 7500+ books and video courses for 7 days!
Start Free Trial

FAQs

What is the delivery time and cost of print book? Chevron down icon Chevron up icon

Shipping Details

USA:

'

Economy: Delivery to most addresses in the US within 10-15 business days

Premium: Trackable Delivery to most addresses in the US within 3-8 business days

UK:

Economy: Delivery to most addresses in the U.K. within 7-9 business days.
Shipments are not trackable

Premium: Trackable delivery to most addresses in the U.K. within 3-4 business days!
Add one extra business day for deliveries to Northern Ireland and Scottish Highlands and islands

EU:

Premium: Trackable delivery to most EU destinations within 4-9 business days.

Australia:

Economy: Can deliver to P. O. Boxes and private residences.
Trackable service with delivery to addresses in Australia only.
Delivery time ranges from 7-9 business days for VIC and 8-10 business days for Interstate metro
Delivery time is up to 15 business days for remote areas of WA, NT & QLD.

Premium: Delivery to addresses in Australia only
Trackable delivery to most P. O. Boxes and private residences in Australia within 4-5 days based on the distance to a destination following dispatch.

India:

Premium: Delivery to most Indian addresses within 5-6 business days

Rest of the World:

Premium: Countries in the American continent: Trackable delivery to most countries within 4-7 business days

Asia:

Premium: Delivery to most Asian addresses within 5-9 business days

Disclaimer:
All orders received before 5 PM U.K time would start printing from the next business day. So the estimated delivery times start from the next day as well. Orders received after 5 PM U.K time (in our internal systems) on a business day or anytime on the weekend will begin printing the second to next business day. For example, an order placed at 11 AM today will begin printing tomorrow, whereas an order placed at 9 PM tonight will begin printing the day after tomorrow.


Unfortunately, due to several restrictions, we are unable to ship to the following countries:

  1. Afghanistan
  2. American Samoa
  3. Belarus
  4. Brunei Darussalam
  5. Central African Republic
  6. The Democratic Republic of Congo
  7. Eritrea
  8. Guinea-bissau
  9. Iran
  10. Lebanon
  11. Libiya Arab Jamahriya
  12. Somalia
  13. Sudan
  14. Russian Federation
  15. Syrian Arab Republic
  16. Ukraine
  17. Venezuela
What is custom duty/charge? Chevron down icon Chevron up icon

Customs duty are charges levied on goods when they cross international borders. It is a tax that is imposed on imported goods. These duties are charged by special authorities and bodies created by local governments and are meant to protect local industries, economies, and businesses.

Do I have to pay customs charges for the print book order? Chevron down icon Chevron up icon

The orders shipped to the countries that are listed under EU27 will not bear custom charges. They are paid by Packt as part of the order.

List of EU27 countries: www.gov.uk/eu-eea:

A custom duty or localized taxes may be applicable on the shipment and would be charged by the recipient country outside of the EU27 which should be paid by the customer and these duties are not included in the shipping charges been charged on the order.

How do I know my custom duty charges? Chevron down icon Chevron up icon

The amount of duty payable varies greatly depending on the imported goods, the country of origin and several other factors like the total invoice amount or dimensions like weight, and other such criteria applicable in your country.

For example:

  • If you live in Mexico, and the declared value of your ordered items is over $ 50, for you to receive a package, you will have to pay additional import tax of 19% which will be $ 9.50 to the courier service.
  • Whereas if you live in Turkey, and the declared value of your ordered items is over € 22, for you to receive a package, you will have to pay additional import tax of 18% which will be € 3.96 to the courier service.
How can I cancel my order? Chevron down icon Chevron up icon

Cancellation Policy for Published Printed Books:

You can cancel any order within 1 hour of placing the order. Simply contact customercare@packt.com with your order details or payment transaction id. If your order has already started the shipment process, we will do our best to stop it. However, if it is already on the way to you then when you receive it, you can contact us at customercare@packt.com using the returns and refund process.

Please understand that Packt Publishing cannot provide refunds or cancel any order except for the cases described in our Return Policy (i.e. Packt Publishing agrees to replace your printed book because it arrives damaged or material defect in book), Packt Publishing will not accept returns.

What is your returns and refunds policy? Chevron down icon Chevron up icon

Return Policy:

We want you to be happy with your purchase from Packtpub.com. We will not hassle you with returning print books to us. If the print book you receive from us is incorrect, damaged, doesn't work or is unacceptably late, please contact Customer Relations Team on customercare@packt.com with the order number and issue details as explained below:

  1. If you ordered (eBook, Video or Print Book) incorrectly or accidentally, please contact Customer Relations Team on customercare@packt.com within one hour of placing the order and we will replace/refund you the item cost.
  2. Sadly, if your eBook or Video file is faulty or a fault occurs during the eBook or Video being made available to you, i.e. during download then you should contact Customer Relations Team within 14 days of purchase on customercare@packt.com who will be able to resolve this issue for you.
  3. You will have a choice of replacement or refund of the problem items.(damaged, defective or incorrect)
  4. Once Customer Care Team confirms that you will be refunded, you should receive the refund within 10 to 12 working days.
  5. If you are only requesting a refund of one book from a multiple order, then we will refund you the appropriate single item.
  6. Where the items were shipped under a free shipping offer, there will be no shipping costs to refund.

On the off chance your printed book arrives damaged, with book material defect, contact our Customer Relation Team on customercare@packt.com within 14 days of receipt of the book with appropriate evidence of damage and we will work with you to secure a replacement copy, if necessary. Please note that each printed book you order from us is individually made by Packt's professional book-printing partner which is on a print-on-demand basis.

What tax is charged? Chevron down icon Chevron up icon

Currently, no tax is charged on the purchase of any print book (subject to change based on the laws and regulations). A localized VAT fee is charged only to our European and UK customers on eBooks, Video and subscriptions that they buy. GST is charged to Indian customers for eBooks and video purchases.

What payment methods can I use? Chevron down icon Chevron up icon

You can pay with the following card types:

  1. Visa Debit
  2. Visa Credit
  3. MasterCard
  4. PayPal
What is the delivery time and cost of print books? Chevron down icon Chevron up icon

Shipping Details

USA:

'

Economy: Delivery to most addresses in the US within 10-15 business days

Premium: Trackable Delivery to most addresses in the US within 3-8 business days

UK:

Economy: Delivery to most addresses in the U.K. within 7-9 business days.
Shipments are not trackable

Premium: Trackable delivery to most addresses in the U.K. within 3-4 business days!
Add one extra business day for deliveries to Northern Ireland and Scottish Highlands and islands

EU:

Premium: Trackable delivery to most EU destinations within 4-9 business days.

Australia:

Economy: Can deliver to P. O. Boxes and private residences.
Trackable service with delivery to addresses in Australia only.
Delivery time ranges from 7-9 business days for VIC and 8-10 business days for Interstate metro
Delivery time is up to 15 business days for remote areas of WA, NT & QLD.

Premium: Delivery to addresses in Australia only
Trackable delivery to most P. O. Boxes and private residences in Australia within 4-5 days based on the distance to a destination following dispatch.

India:

Premium: Delivery to most Indian addresses within 5-6 business days

Rest of the World:

Premium: Countries in the American continent: Trackable delivery to most countries within 4-7 business days

Asia:

Premium: Delivery to most Asian addresses within 5-9 business days

Disclaimer:
All orders received before 5 PM U.K time would start printing from the next business day. So the estimated delivery times start from the next day as well. Orders received after 5 PM U.K time (in our internal systems) on a business day or anytime on the weekend will begin printing the second to next business day. For example, an order placed at 11 AM today will begin printing tomorrow, whereas an order placed at 9 PM tonight will begin printing the day after tomorrow.


Unfortunately, due to several restrictions, we are unable to ship to the following countries:

  1. Afghanistan
  2. American Samoa
  3. Belarus
  4. Brunei Darussalam
  5. Central African Republic
  6. The Democratic Republic of Congo
  7. Eritrea
  8. Guinea-bissau
  9. Iran
  10. Lebanon
  11. Libiya Arab Jamahriya
  12. Somalia
  13. Sudan
  14. Russian Federation
  15. Syrian Arab Republic
  16. Ukraine
  17. Venezuela