IoT Emulation and Vulnerability Research with LLMs - From Assisted Device Design to Vulnerability Discovery // Antonio Nappa, Eduardo Blázquez

Virtual | October 26-31 | 32 Hours

BOOK NOW

ABSTRACT

Modern vulnerability research increasingly depends on the ability to emulate complex targets, reason about hardware/software interactions, and turn firmware or binary-only systems into practical fuzzing targets.

This training takes participants from lightweight emulation and binary instrumentation into full-system QEMU-based device emulation and fuzzing. Students will learn how to model devices, build custom QEMU platforms, instrument targets, create fuzzing harnesses, and apply these workflows to embedded, mobile, and RTOS-based environments. A recurring thread throughout the course is the use of LLMs not only to build and model devices, but also to author, refine, and stabilize fuzzing harnesses.

The course is lab-driven and designed around practical research workflows: understanding execution, modeling hardware, fuzzing realistic targets, triaging crashes, and moving from prototype emulation to scalable vulnerability discovery. These techniques are not theoretical: using this exact LLM-assisted emulation-and-fuzzing pipeline we discovered and reported 5 vulnerabilities so far — 1 in an OpenWRT core service, 3 in a widely deployed WiFi package, and 1 in a printing service — and we fully expect to find many more. The IoT ecosystem is a target-rich environment, and the pipeline taught here keeps producing results.

INTENDED AUDIENCE

This training is designed for:

  • Vulnerability researchers
  • Reverse engineers
  • Embedded security engineers
  • Firmware analysts
  • Fuzzing practitioners
  • Low-level security engineers
  • Researchers interested in QEMU-based emulation
  • Security engineers who want to move from binary analysis into scalable emulation-assisted bug discovery

KEY LEARNING OBJECTIVES

By the end of the training, participants will be able to:

  • Understand the fundamentals of CPU emulation, memory mapping, and execution instrumentation.
  • Use lightweight emulation frameworks such as Unicorn and Qiling to prototype analysis workflows.
  • Understand QEMU architecture, machine models, devices, memory regions, and execution internals.
  • Build and emulate a custom device or platform in QEMU.
  • Instrument emulated targets for fuzzing and vulnerability research.
  • Use AFL++ and Hongfuzz against realistic firmware and software examples.
  • Apply persistent, mutational, and evolutionary fuzzing techniques.
  • Explore peripheral and bus fuzzing scenarios, including UART/USART-style targets.
  • Write fuzzing harnesses and analyze memory-safety issues in embedded environments.
  • Use LLMs to draft, refine, and stabilize fuzzing harnesses — not only to model devices and peripherals.
  • Use AI-assisted workflows to speed up board modeling, peripheral understanding, and firmware fuzzing preparation.
  • Reproduce a real LLM-assisted research pipeline that has already yielded 5 reported vulnerabilities across OpenWRT, WiFi, and printing components — with many more expected.
  • Understand why IoT targets fall faster than hardened, well-maintained software such as the Linux kernel or Chromium.
  • Understand responsible disclosure and mitigation paths after vulnerability discovery.

COURSE AGENDA

Stage 1 — Emulation Foundations and Lightweight Instrumentation

The first stage builds the intuition required to understand emulation-assisted vulnerability research before moving into full-system targets.

Topics include:

  • CPU emulation fundamentals
  • Memory mapping and execution models
  • Binary instrumentation basics
  • Lightweight emulation with Unicorn
  • Higher-level emulation workflows with Qiling
  • Abstract interpretation concepts for program understanding
  • Modeling execution state
  • Building small analysis and instrumentation workflows
  • Understanding where lightweight emulation helps and where it breaks down

Hands-on labs:

  • Emulating small code fragments
  • Mapping memory and controlling execution
  • Hooking instructions and memory accesses
  • Building simple instrumentation helpers
  • Using an LLM to scaffold instrumentation hooks and explain unfamiliar code fragments
  • Moving from static understanding to dynamic execution

Stage 2 — QEMU Internals and Custom Device Modeling

The second stage moves into QEMU internals and explains how full-system emulation is structured.

Topics include:

  • QEMU architecture overview
  • Machine types, CPUs, devices, and memory regions
  • Device models and MMIO
  • QEMU object model basics
  • Translation flow and execution internals
  • Guest-to-host execution concepts
  • Peripheral modeling
  • Debugging QEMU targets
  • Building custom hardware abstractions

Hands-on labs:

  • Reading and modifying a QEMU machine
  • Adding or extending a simple emulated device
  • Modeling memory-mapped registers
  • Observing guest interaction with emulated hardware
  • Prompting an LLM to generate a first-pass device skeleton from register descriptions
  • Debugging device behavior

Stage 3 — Firmware Fuzzing and Harness Construction

The third day focuses on turning emulated systems into useful fuzzing targets, with a strong emphasis on using LLMs to author and iterate on the harnesses themselves.

Topics include:

  • Firmware fuzzing strategy
  • Harness design for embedded systems
  • LLM-assisted harness authoring: generating input parsers, entry points, and stubs from target code
  • Prompting strategies for turning a service or library into a fuzzable harness
  • Persistent fuzzing models
  • AFL++ and Hongfuzz workflows
  • Input delivery strategies
  • Peripheral and bus fuzzing
  • UART/USART-style fuzzing scenarios
  • Crash detection and triage
  • Coverage feedback and instrumentation
  • Memory-safety issue analysis

Hands-on labs:

  • Building fuzzing harnesses around emulated targets
  • Using an LLM to draft a harness for a real service and iterating on it against compiler and runtime feedback
  • Feeding inputs through emulated interfaces
  • Instrumenting execution for coverage
  • Running AFL++ and Hongfuzz campaigns
  • Reproducing and analyzing crashes
  • Improving harness stability and fuzzing throughput with LLM-suggested fixes

The labs walk through the same harnesses that led to our reported vulnerabilities — 5 so far and counting: 1 in an OpenWRT core service, 3 in a widely deployed WiFi package, and 1 in a printing service — showing how LLM-authored harnesses turned each target into a fuzzable surface.

Stage 4 — Scaling Firmware Fuzzing with QEMU and AI-Assisted Board Modeling

The final stage focuses on scaling the workflow from a working prototype into a practical research pipeline.

A new section introduces AI-assisted techniques for rapidly modeling boards and peripherals with enough accuracy to support firmware fuzzing.

Topics include:

  • Scaling from single-target emulation to repeatable fuzzing workflows
  • Modeling boards quickly and accurately for firmware fuzzing
  • Using AI to accelerate peripheral identification and register-map reconstruction
  • Extracting hardware hints from firmware, headers, datasheets, logs, and traces
  • AI-assisted generation of initial QEMU device skeletons
  • Using LLMs to scale harness production across many targets, not just to model boards
  • Validating AI-generated models and AI-generated harnesses against firmware behavior
  • Improving model accuracy through differential testing and execution feedback
  • Prioritizing which peripherals need high-fidelity modeling
  • Building fuzzing-ready board models without over-modeling unnecessary hardware
  • Managing harness quality, determinism, and reproducibility
  • Crash triage, deduplication, and root-cause analysis
  • Responsible disclosure and mitigation workflows
  • Why complex devices such as iPhone/Android aren't easy to model with AI

Hands-on labs:

  • Starting from incomplete firmware and hardware information
  • Building a first-pass board model
  • Using AI to speed up register and peripheral modeling
  • Validating emulation accuracy through firmware interaction
  • Connecting the modeled board to an LLM-authored fuzzing harness
  • Running a scaled fuzzing workflow
  • Triage and post-crash analysis, using an LLM to summarize crash context and suggest root causes

Included with the Training

  • Hands-on labs and guided exercises
  • CTF-style challenges
  • Slides and markdown materials
  • Docker images
  • Live lab environment
📀
Includes Official Hex-Rays IDA Classroom Licenses

Knowledge Prequisites

Participants should be comfortable with:

  • C or C++
  • Python scripting
  • Linux command-line workflows
  • Basic reverse engineering concepts
  • Basic vulnerability research concepts
  • Familiarity with fuzzing is helpful but not strictly required
  • Familiarity with embedded systems, firmware, or QEMU is useful but will be built progressively during the course

System Requirements

Hardware

  • Laptop capable of running Linux or macOS
  • 16 GB RAM preferred
  • Approximately 180GB of free disk space if you want to download the Docker container locally

Software

  • Docker (if you wish to execute the labs locally) and VSCode (for Linux/macOS)
  • Ghidra

YOUR INSTRUCTORS: Antonio Nappa and Eduardo Blázquez

Antonio Nappa, Ph.D is the Application Analysis Team Leader at Zimperium Inc. Before joining Zimperium he worked at Brave Software and Corelight.

Antonio has been active in the cybersecurity industry since 17 years. He has been a visiting scholar at UC Berkeley, EURECOM, VSB-TUO. He has published more than 15 papers in international peer-reviewed venues. He is also an inventor and a well recognized adjunct professor at UC3M Madrid.

He is co-author of: Fuzzing Against the Machine: Automate vulnerability research with emulated IoT devices on QEMU, Packt Publishing 2023.

Since the DEFCON 2008 Finals with the Guard@Mylan0 team, he never goes to sleep with a segfault.

Eduardo Blázquez, PhD. is a Compiler Engineer at QuarksLab

Since learning about security during his bachelor’s degree, he has focused on low-level security. He enjoys writing analysis tools in various languages such as Python, C, and C++.

His interests lie in the internals of fuzzing, compilers, and symbolic execution technologies. He has published papers related to Android ecosystem security and privacy, malware analysis, and tool development for Dalvik static
analysis.

Outside of computers, he enjoys martial arts, and learning about Japanese culture

Ringzer0’s Virtual Training Experience & FAQ
What can I expect from a virtual training delivered by Ringzer0, and answers to frequently asked questions.
Cancellation Policy

Cancellations are not permitted but attendee changes can be accommodated anytime prior to the start of the course.

Note: In the event of a class cancellation, Ringzer0 will endeavor to offer transfer to another training at no additional charge.
Virtual Training Oct 26-31 // In-Person Training Nov 2-4 / Conference Nov 5,6

OTHER VIRTUAL TRAINING COURSES

Great! Next, complete checkout for full access to Ringzer0
Welcome back! You've successfully signed in
You've successfully subscribed to Ringzer0
Success! Your account is fully activated, you now have access to all content
Success! Your billing info has been updated
Your billing was not updated