QEMU Internals and Fuzzing: From IoT to iPhone // Antonio Nappa, Eduardo Blazquez

Virtual | October 26-31 | 32 Hours


ABSTRACT

Modern vulnerability research increasingly depends on the ability to emulate complex targets, reason about hardware/software interactions, and turn firmware or binary-only systems into practical fuzzing targets.

This training takes participants from lightweight emulation and binary instrumentation into full-system QEMU-based device emulation and fuzzing. Students will learn how to model devices, build custom QEMU platforms, instrument targets, create fuzzing harnesses, and apply these workflows to embedded, mobile, and RTOS-based environments.

The course is lab-driven and designed around practical research workflows: understanding execution, modeling hardware, fuzzing realistic targets, triaging crashes, and moving from prototype emulation to scalable vulnerability discovery.

INTENDED AUDIENCE

This training is designed for:

  • Vulnerability researchers
  • Reverse engineers
  • Embedded security engineers
  • Firmware analysts
  • Fuzzing practitioners
  • Low-level security engineers
  • Researchers interested in QEMU-based emulation
  • Security engineers who want to move from binary analysis into scalable emulation-assisted bug discovery

KEY LEARNING OBJECTIVES

By the end of the training, participants will be able to:

  • Understand the fundamentals of CPU emulation, memory mapping, and execution instrumentation.
  • Use lightweight emulation frameworks such as Unicorn and Qiling to prototype analysis workflows.
  • Understand QEMU architecture, machine models, devices, memory regions, and execution internals.
  • Build and emulate a custom device or platform in QEMU.
  • Instrument emulated targets for fuzzing and vulnerability research.
  • Use AFL++ and Honggfuzz against realistic firmware and software examples.
  • Apply persistent, mutational, and evolutionary fuzzing techniques.
  • Explore peripheral and bus fuzzing scenarios, including UART/USART-style targets.
  • Write fuzzing harnesses and analyze memory-safety issues in embedded environments.
  • Use AI-assisted workflows to speed up board modeling, peripheral understanding, and firmware fuzzing preparation.
  • Understand responsible disclosure and mitigation paths after vulnerability discovery.

COURSE AGENDA

Stage 1 — Emulation Foundations and Lightweight Instrumentation

Participants start with Unicorn, Qiling, and abstract interpretation to understand execution flow, memory mapping, instrumentation, and the limits of lightweight emulation.

Topics include:

  • CPU emulation fundamentals
  • Memory mapping and execution models
  • Binary instrumentation basics
  • Lightweight emulation with Unicorn
  • Higher-level emulation workflows with Qiling
  • Abstract interpretation concepts for program understanding
  • Modeling execution state
  • Building small analysis and instrumentation workflows
  • Understanding where lightweight emulation helps and where it breaks down

Hands-on labs:

  • Emulating small code fragments
  • Mapping memory and controlling execution
  • Hooking instructions and memory accesses
  • Building simple instrumentation helpers
  • Moving from static understanding to dynamic execution

Stage 2 — QEMU Internals and Custom Device Modeling

Participants learn how QEMU represents CPUs, machines, memory, and devices, and how these components interact during full-system emulation.

Topics include:

  • QEMU architecture overview
  • Machine types, CPUs, devices, and memory regions
  • Device models and MMIO
  • QEMU object model basics
  • Translation flow and execution internals
  • Guest-to-host execution concepts
  • Peripheral modeling
  • Debugging QEMU targets
  • Building custom hardware abstractions

Hands-on labs:

  • Reading and modifying a QEMU machine
  • Adding or extending a simple emulated device
  • Modeling memory-mapped registers
  • Observing guest interaction with emulated hardware
  • Debugging device behavior

Stage 3 — Firmware Fuzzing and Harness Construction

Participants build custom emulated platforms and use them to fuzz systems ranging from IoT firmware to mobile and RTOS-based environments.

Topics include:

  • Firmware fuzzing strategy
  • Harness design for embedded systems
  • Persistent fuzzing models
  • AFL++ and Honggfuzz workflows
  • Input delivery strategies
  • Peripheral and bus fuzzing
  • UART/USART-style fuzzing scenarios
  • Crash detection and triage
  • Coverage feedback and instrumentation
  • Memory-safety issue analysis

Hands-on labs:

  • Building fuzzing harnesses around emulated targets
  • Feeding inputs through emulated interfaces
  • Instrumenting execution for coverage
  • Running AFL++ and Honggfuzz campaigns
  • Reproducing and analyzing crashes
  • Improving harness stability and fuzzing throughput

Stage 4 — Scaling Firmware Fuzzing with QEMU and AI-Assisted Board Modeling

Participants learn how to use AI-assisted workflows to quickly model boards and peripherals, validate emulation accuracy, and prepare fuzzing-ready firmware targets at scale.

Topics include:

  • Scaling from single-target emulation to repeatable fuzzing workflows
  • Modeling boards quickly and accurately for firmware fuzzing
  • Using AI to accelerate peripheral identification and register-map reconstruction
  • Extracting hardware hints from firmware, headers, datasheets, logs, and traces
  • AI-assisted generation of initial QEMU device skeletons
  • Validating AI-generated models against firmware behavior
  • Improving model accuracy through differential testing and execution feedback
  • Prioritizing which peripherals need high-fidelity modeling
  • Building fuzzing-ready board models without over-modeling unnecessary hardware
  • Managing harness quality, determinism, and reproducibility
  • Crash triage, deduplication, and root-cause analysis
  • Responsible disclosure and mitigation workflows
  • Why complex devices such as iPhone/Android aren't easy to model with AI

Hands-on labs:

  • Starting from incomplete firmware and hardware information
  • Building a first-pass board model
  • Using AI to speed up register and peripheral modeling
  • Validating emulation accuracy through firmware interaction
  • Connecting the modeled board to a fuzzing harness
  • Running a scaled fuzzing workflow
  • Triage and post-crash analysis

Included with the Training

  • Hands-on labs and guided exercises
  • CTF-style challenges
  • Slides and markdown materials
  • Docker images
  • Live lab environment
  • Official Hex-Rays IDA classroom licenses for students
  • Live audio recordings of the sessions, including interactive Q&A

Knowledge Prerequisites

Participants should be comfortable with:

  • C or C++
  • Python scripting
  • Linux command-line workflows
  • Basic reverse engineering concepts
  • Basic vulnerability research concepts
  • Familiarity with fuzzing is helpful but not strictly required
  • Familiarity with embedded systems, firmware, or QEMU is useful but will be built progressively during the course

System Requirements

Hardware

  • Laptop capable of running Linux or macOS
  • 16 GB RAM preferred
  • Approximately 180 GB of free disk space if you want to download the Docker container locally

Software

  • Docker (if you wish to execute the labs locally) and VSCode (for Linux/macOS)
  • Ghidra

YOUR INSTRUCTORS: Antonio Nappa and Eduardo Blazquez

Antonio Nappa, Ph.D., is the Application Analysis Team Leader at Zimperium Inc. Before joining Zimperium he worked at Brave Software and Corelight.

Antonio has been active in the cybersecurity industry for 17 years. He has been a visiting scholar at UC Berkeley, EURECOM, and VSB-TUO. He has published more than 15 papers in international peer-reviewed venues. He is also an inventor and a well-recognized adjunct professor at UC3M Madrid.

He is co-author of: Fuzzing Against the Machine: Automate vulnerability research with emulated IoT devices on QEMU, Packt Publishing 2023.

Since the DEFCON 2008 Finals with the Guard@Mylan0 team, he never goes to sleep with a segfault.

Eduardo Blázquez, PhD, is a Compiler Engineer at Quarkslab.

Since learning about security during his bachelor’s degree, he has focused on low-level security. He enjoys writing analysis tools in various languages such as Python, C, and C++.

His interests lie in the internals of fuzzing, compilers, and symbolic execution technologies. He has published papers related to Android ecosystem security and privacy, malware analysis, and tool development for Dalvik static analysis.

Outside of computers, he enjoys martial arts and learning about Japanese culture.

Ringzer0’s Virtual Training Experience & FAQ
What can I expect from a virtual training delivered by Ringzer0, and answers to frequently asked questions.
Cancellation Policy

Cancellations are not permitted but attendee changes can be accommodated anytime prior to the start of the course.

Note: In the event of a class cancellation, Ringzer0 will endeavor to offer transfer to another training at no additional charge.
FALL:2026 // Virtual Training // October 26-31
