Fuzzing and Attacking Custom Embedded Systems

Tobias Scharnowski, Marius Muench
In-Person Training | August 3 - 6 | 4 days


Fuzzing And Attacking Custom Embedded Systems

Tobias Scharnowski, Marius Muench

Book Now - Early Bird Rate USD 4200

This training teaches how to analyze, fuzz test, and exploit deeply embedded devices that use custom embedded operating systems. We will take a deep dive into the inner workings of Arm Firmware, teach reverse engineering essentials with Ghidra, and will have plenty of hands-on exercises to teach proficiency with Unicorn, AFL++, and Fuzzware.


Deeply embedded systems play a crucial role in the ever-growing Internet of Things and typically offer a lucrative attack surface with over-the-air interfaces, hardcoded secrets, and missing security protections.

During the training, we will understand the inner workings of a typical embedded system, and re-discover memory corruption vulnerabilities in a real-world, non-linux embedded operating system by combining reverse engineering, emulation and fuzzing. We will then develop proof-of-concept exploits using the discovered vulnerabilities to demonstrate how an attacker could compromise the target system.

The full training is accompanied with various practical hands-on exercises and tinkering with a physical embedded training platform created for this training. After the training, we expect participants to feel comfortable to independently analyze deeply embedded systems of their choice.


- Security Researchers
- Firmware Developers
- Curious Minds


  • The inner workings of deeply embedded firmware
  • Fundamentals of firmware reverse engineering
  • Harnessing parsers for fuzzing
  • Fuzzing via full-system firmware rehosting
  • Overcoming typical fuzzing roadblocks
  • Triaging found crashes
  • Exploitation strategies for Arm Cortex-M systems



Day 1: Obtaining and Analyzing Firmware

  • Introduction to embedded systems and firmware
  • Hardware reconnaissance
  • Firmware extraction
  • Arm Thumb-v2 disassembly
  • Firmware reversing engineering with Ghidra

Day 2: Emulation and Harnessing

  • Introduction to emulation
  • Parser harnessing with unicornAFL
  • Hooking functions and emulating peripherals
  • Firmware Fuzzing with AFL++

Day 3: Full-system fuzzing via Rehosting

  • Introduction to rehosting
  • Full-system fuzzing with Fuzzware
  • Overcoming emulation roadblocks
  • Advanced rehosting for interrupts and DMA
  • Triaging and understanding crashes

Day 4: Exploitation

  • Introduction to Cortex-M exploitation
  • Arm Shellcoding
  • Building and debugging exploits
  • Return-Oriented Programming for firmware
  • Advanced topics and training recap

Note that this is a highly practical training. Besides the introductory and recap sessions which discuss key concepts, all sessions are accompanied with hands-on exercises.


  • Basic knowledge in Python
  • Being comfortable with using command-line tools
  • Some background in C is a plus
  • Previous experience with firmware analysis, reverse engineering, or fuzzing is not required



Students should bring their own laptop with:

  • At least 8GB of RAM
  • At least 50 GB of available disk space
  • Access to the internet (including github)
  • One free and usable USB port

Note that this training, conceptually, supports Windows, Linux, and MacOS. However, we strongly encourage the use of Linux or a Linux VM (e.g., Ubuntu 22.04).


  • Visual Studio Code
  • Docker
  • Ghidra

Students will be provided with a detailed setup guide before the training.


Tobias Scharnowski is a systems security researcher at CISPA. He focuses on automated firmware security analysis techniques. Besides academia, he is a CTF RE/pwning veteran and repeat Pwn2Own participant. At Pwn2Own, he demonstrated RCE on 10 targets in the automotive and industrial automation domains. This included an exploit of the core DNP3 implementation, the protocol that powers the US electric grid.


Marius Muench is an assistant professor at the University of Birmingham. His research interests cover (in-)security of embedded systems, binary & microarchitectural exploitation, and defenses. He obtained his PhD from Sorbonne University in cooperation with EURECOM and worked as postdoctoral researcher at the Vrije Universiteit Amsterdam. He developed and maintains avatar2, a framework for analyzing embedded systems firmware, and FirmWire, an emulation and fuzzing platform for cellular basebands. Throughout his career, Marius publicly shared his findings and presented at venues such as Black Hat, REcon, and Hardwear.io.

https://github.com/FirmWire/FirmWire & https://github.com/avatartwo/avatar2