QEMU Internals, Instrumentation and Fuzzing for IoT and Embedded Systems

IN-PERSON 4-DAY TRAINING: AUGUST 2023

Antonio Nappa

Abstract

Are you struggling to keep up with the rapidly evolving cybersecurity landscape? Are traditional vulnerability discovery methods such as code auditing and manual crashes no longer sufficient? Do you wish to find vulnerabilities at scale?

QEMU Internals, Instrumentation and Fuzzing is a 4-day hands-on course in which participants learn the fundamentals of emulation and fuzzing, how to emulate a custom device in QEMU from the ground up, and how to instrument it for fuzzing and vulnerability research.

We will dive into QEMU, one of the most powerful software tools designed for emulation and fuzzing, to gain a deep understanding of its architecture and design principles. We'll cover machine types, hardware emulation, and how to write your own platform to emulate and fuzz.

Students will use AFL++, Honggfuzz and some handcrafted examples to test large software systems for vulnerabilities. We will apply persistent fuzzing, mutational fuzzing and evolutionary fuzzing to real-world firmware examples, including CAN bus, fitness devices, media players and networked RTOS-based systems, along with peripheral and bus fuzzing techniques covering USART, UART, baseband, routers and device sensors.

The class features several hands-on exercises in which participants gain an understanding of memory vulnerabilities in IoT devices and how to write exploits, as well as how to manage responsible disclosure and vulnerability mitigation.

By the end of the course, participants will have a unique set of skills and knowledge from different fields such as emulation of custom embedded systems, instrumented fuzzing, and dynamic analysis, all with a single goal: to find security vulnerabilities.

Key Learning Objectives

  • Fundamental concepts of emulation and fuzzing as useful tools in vulnerability research (QEMU, Panda, AFL++, Honggfuzz, Avatar2)
  • Set up an emulation and fuzzing environment for the course using QEMU and AFL/AFL++
  • QEMU architecture and design principles, including machine types and hardware emulation
  • QEMU execution modes and performance optimization using Panda or Avatar2
  • Static and dynamic fuzzing techniques, and fuzzer injection into proprietary firmware
  • Apply emulation and fuzzing techniques to real-world targets, including IoT devices and web applications (CAN bus fuzzing, Media Players, Network Services, Fitness devices, Real-Time Tasks)
  • Knowledge of peripheral and bus fuzzing such as USART, UART, baseband, routers, device sensors
  • Identify memory vulnerabilities and write exploits, and understand responsible disclosure and vulnerability mitigation
  • Understand how fuzzing combined with emulation is a game changer for vulnerability research

Detailed Agenda

Day 1: Introduction and Overview

  • Introduction
  • Overview of the vulnerability landscape and the importance of finding security flaws
  • Introduction to emulation and fuzzing as useful tools in vulnerability research (QEMU, Panda, AFL++, Honggfuzz, Avatar2)
  • Setting up the environment - QEMU/Panda and AFL/AFL++
  • Overview of the STM32 (Cortex M4) board(s) and their features
  • Hands-on exercise: Running QEMU and AFL++ to fuzz a simple application on the existing STM32 board implementation in QEMU
  • Hands-on exercise: Modifying QEMU to support one new specific board (ST Nucleo L452RE)
  • Hands-on exercise: QEMU TCG, the mysterious source of all execution

Day 2: Understanding QEMU Internals and Advanced Fuzzing Techniques

  • Introduction to QEMU architecture and design principles
  • Overview of QEMU components and their interactions
  • Understanding QEMU machine types and hardware emulation
  • QEMU execution modes and performance optimisation
  • Comparison between static and dynamic fuzzing
  • Injecting a fuzzer into proprietary firmware
  • Hands-on exercise: Building and customising a QEMU machine type for the ST Nucleo L452RE board
  • Hands-on exercise: Fuzz a Fitness device firmware
  • Hands-on exercise: Fuzz a Media Player firmware

Day 3: Fuzzing Real-World Targets

  • Case studies of successful emulation and fuzzing in vulnerability research (e.g., IoT devices, web applications)
  • Hands-on exercise: Running QEMU and AFL++ to fuzz a real-world application or firmware on the ST Nucleo L452RE board (e.g., an embedded system or IoT device)
  • Overview of fuzzing peripherals such as modems
  • Hands-on exercise: Fuzzing peripherals on the ST Nucleo L452RE board
  • Hands-on exercise: Compare Avatar2 approach with Python vs. pure QEMU board emulation
  • Hands-on exercise: CAN bus fuzzing: am I exploiting the car, or is the car exploiting my probe?

Day 4: Finding and Exploiting Vulnerabilities

  • Analysing and interpreting fuzzing results
  • Identifying vulnerabilities and writing exploits
  • Hands-on exercise: Finding and exploiting vulnerabilities in our RTOS-based firmware on the ST Nucleo L452RE board
  • Hands-on exercise: Writing the harness for a specific component
  • Wrap-up of the course and final remarks
  • Q&A session with participants

Who Should Attend

  • Researchers and developers working with low-level embedded systems
  • Members of internal penetration testing teams who need to find and exploit vulnerabilities in bare-metal embedded IoT devices
  • Vulnerability researchers interested in implementing custom emulation and fuzzing harnesses for proprietary IoT devices

System Requirements

  • A laptop running Windows / Linux / macOS
  • A modern browser (Brave / Chrome / Firefox preferred)
  • SSH client to access the cloud labs