QEMU Internals, Instrumentation and Fuzzing // Antonio Nappa

Virtual | Oct 26-Nov 1 | 32 Hours

BOOK NOW

ABSTRACT

In QEMU Internals, Instrumentation and Fuzzing, participants will learn about the fundamentals of emulation and fuzzing, how to emulate a custom device in QEMU from the ground up, and how to instrument it for fuzzing and vulnerability research.

We will dive into QEMU, one of the most powerful software tools designed for emulation and fuzzing, to gain a deep understanding of its architecture and design principles. We'll cover machine types, hardware emulation, and how to write your own platform to emulate and fuzz.

Students will use AFL++, Hongfuzz and some handcrafted examples for testing large software systems for vulnerabilities. We will apply persistent fuzzing, mutational fuzzing and evolutionary fuzzing on real world firmware examples including CANBUS, Fitness devices, Media Players, Networked RTOS based systems, peripheral and bus fuzzing techniques such as USART, UART, baseband, routers, and device sensors.

The class features several hands on exercises where participants will gain an understanding of memory vulnerabilities in IoT devices and how to write exploits, as well as managing responsible disclosure and vulnerability mitigation.

By the end of the course, participants will have a unique set of skills and knowledge from different fields such as emulation of custom embedded systems, instrumented fuzzing, and dynamic analysis, all with a single goal: to find security vulnerabilities.

QEMU Internals, Instrumentation and Fuzzing // Antonio Nappa

Virtual | Oct 26-Nov 1 | 32 Hours

BOOK NOW

INTENDED AUDIENCE

  • Researchers and developers working with low level embedded systems
  • Members of internal penetration testing teams to find and exploit vulnerabilities in bare metal embedded IoT devices
  • Vulnerability researchers interested in implementing custom emulation and fuzzing harnesses for proprietary IoT devices

KEY LEARNING OBJECTIVES

  • Fundamental concepts of emulation and fuzzing as useful tools in vulnerability research
    • QEMU, Panda, AFL++, Hongfuzz, Avatar2
  • Set up an emulation and fuzzing environment for the course using QEMU and AFL/AFL++
  • QEMU architecture and design principles, including machine types and hardware emulation
  • QEMU execution modes and performance optimization using Panda or Avatar2
  • Static and dynamic fuzzing techniques, and fuzzer injection into proprietary firmware
  • Corellium™ for IoT running OpenWRT, and the same emulated device to explore pitfalls, differences, and advantages of full-system emulation.
  • Apply emulation and fuzzing techniques to real-world targets:
    • IoT devices, CANBUS fuzzing, Media Players, Network Services, Fitness devices, Real-Time Tasks
  • Knowledge of peripheral and bus fuzzing such as USART, UART, baseband, routers, device sensors
  • Identify memory vulnerabilities and write exploits, and understand responsible disclosure and vulnerability mitigation
  • Understand how fuzzing+emulation are the game changer for vulnerability research

COURSE AGENDA

Part 1: Introduction

  • Static analysis
  • Binary lifting
  • From lifting to execution
  • Examples, P-Code, Intro to TCG
  • Hands-on -> Kunai, disasm and lift
  • Hands-on -> Kunai, IR analysis
  • TCG Internals
  • Hands-on tracking code through the TCG: registers
  • Hands-on tracking code through the TCG: jumps
  • Hands-on tracking code through the TCG: Code coverage

Part 2: Introduction to QEMU architecture and design principles

  • Overview of QEMU components and their interactions
  • Understanding QEMU machine types and hardware emulation
  • QEMU execution modes and performance optimisation
  • Hands-on exercise: Building and customising a QEMU machine type for the ST Nucleo L452RE board
  • Case studies of successful emulation and fuzzing in vulnerability research (e.g., IoT devices, web applications)
  • Hands-on exercise: Write clock module for a ST Nucleo L452RE QEMU board
  • Hands-on exercise: Write UART module for the ST Nucleo L452RE QEMU board
  • Hands-on exercise: Finding and exploiting vulnerabilities in our RTOS based firmware on the ST Nucleo L452RE board
  • Hands-on exercise: Writing the harness for a specific component

Part 3: Pebble watch and RebbleOS on QEMU

  • Fuzzing campaign
  • Code analysis
  • Harness
  • Checking crashes
  • Bugs and patches
  • CAN Bus fuzzing
  • Can Bus crash course
  • Setup messages

Part 4: iOS Devices

  • Approaching closed source firmwares iPod Touch 1/2g
  • Finding code caves
  • Injecting and testing code
  • Re-writing the AFL harness
  • iPhone 11 approach with syscalls
BOOK NOW

VIRTUAL LAB ENVIRONMENT

  • We will use Corellium™ for IoT running OpenWRT, leveraging virtual hardware to rapidly prepare and inspect the system.
  • Virtualized setups offer lightning-fast operations such as rebooting, modifying the filesystem, and snapshotting, making them ideal for iterative development and debugging.
  • However, to scale fuzzing effectively and in parallel, we will transition to a fully emulated setup once the fuzzing harness is prepared.
  • This allows a direct comparison between virtualized and emulated environments, balancing speed and scalability.
  • We'll demonstrate how to set up a fuzzing harness in emulated OpenWRT, using the speed of virtual hardware to our advantage during the initial preparation phase.

Knowledge Prequisites

C Programming, GDB and static analysis

System Requirements

Hardware

  • Laptop capable of running Linux or macOS
  • 16 GB RAM preferred
  • Approximately 180GB of free disk space if you want to download the Docker container locally

Software

  • Docker (if you wish to execute the labs locally) and VSCode (for Linux/macOS)
  • Ghidra

YOUR INSTRUCTOR: Antonio Nappa

Antonio Nappa, Ph.D is the Application Analysis Team Leader at Zimperium Inc. Before joining Zimperium he worked at Brave Software and Corelight.

Antonio has been active in the cybersecurity industry since 17 years. He has been a visiting scholar at UC Berkeley, EURECOM, VSB-TUO. He has published more than 15 papers in international peer-reviewed venues. He is also an inventor and a well recognized adjunct professor at UC3M Madrid.

He is co-author of: Fuzzing Against the Machine: Automate vulnerability research with emulated IoT devices on QEMU, Packt Publishing 2023.

Since the DEFCON 2008 Finals with the Guard@Mylan0 team, he never goes to sleep with a segfault.

Ringzer0’s Virtual Training Experience & FAQ
What can I expect from a virtual training delivered by Ringzer0, and answers to frequently asked questions.
Ringzer0Ringzer0
BOOK NOW
Cancellation Policy

COUNTERMEASURE25: 60+ days before the event 75% of fees refunded; 45-60 days before event 50% refunded, less than 45 days 0% refunded. Course changes are allowed up to 14 days before event start (some restrictions will apply). Attendee changes can be accommodated up to 14 days prior to the event.

Note: In the event of a class cancellation, Ringzer0 will endeavor to offer transfer to another training at no additional charge.

OTHER VIRTUAL TRAINING COURSES

Great! Next, complete checkout for full access to Ringzer0
Welcome back! You've successfully signed in
You've successfully subscribed to Ringzer0
Success! Your account is fully activated, you now have access to all content
Success! Your billing info has been updated
Your billing was not updated