Workshop: Fuzz Testing Bare Metal and RTOS Firmware

TOBIAS SCHARNOWSKI, MARIUS MUENCH

March 22 @ TCC >>

Abstract

Fuzz testing is a powerful technique for uncovering vulnerabilities, but applying it to deeply embedded, bare-metal, or real-time operating system (RTOS) firmware presents unique challenges compared to traditional Linux-based systems. This hands-on, 90-minute workshop will guide participants through the process of analyzing and fuzz testing deeply embedded firmware using a modern technique called firmware rehosting.

Workshop Outline

Attendees will gain practical experience in:

1. Understanding the Landscape: We will explore the differences between deeply embedded firmware and Linux-based firmware.
2. Firmware Analysis with Ghidra: Participants will learn how to load and start analyzing deeply embedded firmware in Ghidra.
3. Fuzz Testing with Fuzzware: We will introduce Fuzzware, a rehosting-based fuzzing framework for deeply embedded systems, and demonstrate how to set up and execute fuzz tests to uncover security issues.

This workshop is ideal for security researchers, embedded developers, and anyone interested in securing low-level firmware. No prior experience is required. Attendees will leave with the knowledge and practical skills needed to start integrating fuzz testing into their embedded security workflows.

Tobias and Marius' BOOTSTRAP25 Training

All trainings come with complimentary access to our BOOTSTRAP25 event! Book a virtual or in-person trainings and get a taste of the others at BOOTSTRAP25!

Fuzzing and Attacking Custom Embedded Systems

This training covers analyzing, fuzz testing, and exploiting devices with custom embedded OS. It dives into Arm Firmware, teaches reverse engineering with Ghidra, and offers hands-on exercises to build proficiency with tools like Unicorn, AFL++, and Fuzzware.

Ringzer0Ringzer0

Tobias Scharnowski and Marius Muench

Tobias Scharnowski is a systems security researcher at CISPA. He focuses on automated firmware security analysis techniques. Besides academia, he is a CTF RE/pwning veteran and repeat Pwn2Own participant. At Pwn2Own, he demonstrated RCE on 10 targets in the automotive and industrial automation domains. This included an exploit of the core DNP3 implementation, the protocol that powers the US electric grid.

• https://twitter.com/scepticCtf
• https://github.com/fuzzware-fuzzer

Marius Muench is an assistant professor at the University of Birmingham. His research interests cover (in-)security of embedded systems, binary & microarchitectural exploitation, and defenses. He obtained his PhD from Sorbonne University in cooperation with EURECOM and worked as postdoctoral researcher at the Vrije Universiteit Amsterdam. He developed and maintains avatar2, a framework for analyzing embedded systems firmware, and FirmWire, an emulation and fuzzing platform for cellular basebands. Throughout his career, Marius publicly shared his findings and presented at venues such as Black Hat, REcon, and Hardwear.io.

• https://twitter.com/nsinusr
• @nsr@infosec.exchange
• https://www.linkedin.com/in/marius-muench-801aa580
• https://github.com/FirmWire/FirmWire & https://github.com/avatartwo/avatar2

Ringzer0 ★ BOOTSTRAP25

Welcome To BOOTSTRAP25 Thompson Conference Center, Austin TX // March 18-22 BOOK NOW Keep Austin reverse-engineering and learn with Ringzer0! Ringzer0 returns to the Thompson Conference Center, Austin, TX in March 2025 with BOOTSTRAP25, a celebration of South-West Cyber. Our one-day event follows a week of intense reverse engineering. Come for

Ringzer0Ringzer0