A snapshotting, coverage-guided fuzzer for software (UEFI, Kernel, firmware, BIOS) built on SIMICS

Overview


TSFFS: Target Software Fuzzer For SIMICS

TSFFS is a snapshotting, coverage-guided fuzzer built on the SIMICS full system simulator. TSFFS makes it easy to fuzz and triage crashes on traditionally challenging targets including UEFI applications, bootloaders, BIOS, kernel modules, and device firmware. TSFFS can even fuzz user-space applications on Linux and Windows. See the requirements to find out if TSFFS can fuzz your code.

UEFI Fuzzing Demo (video: mini.mp4)

Capabilities

This fuzzer is built using LibAFL and SIMICS and takes advantage of several state-of-the-art capabilities of both.

  • Edge coverage guided
  • Snapshotting (fully deterministic)
  • Parallel fuzzing (across cores, machines soon)
  • Easy to add to existing SIMICS projects
  • Triage mode to reproduce and debug crashes
  • Modern fuzzing methodologies:
    • Redqueen/I2S taint-based mutation
    • MOpt & Auto-token mutations
    • More coming soon!

Documentation

Documentation for this project lives in the docs directory of this repository.

Use Cases

TSFFS is focused on several primary use cases:

  • UEFI and BIOS code, particularly based on EDKII
  • Pre- and early-silicon firmware and device drivers
  • Hardware-dependent kernel and firmware code
  • Fuzzing for complex error conditions

Setup

Detailed instructions for setting up and building this project can be found in Setup.md. You should follow the documentation there to set up the fuzzer before trying to run the sample targets.

Running a Simple Sample Target

We provide a sample target that represents the simplest possible use of the fuzzer. Once you have set up the fuzzer by following the directions above, you can run it with (from the root of this repo):

cargo run --release --features=6.0.169 -- \
    --corpus /tmp/corpus --solutions solution --log-level INFO --cores 1  \
    --file examples/harnessing-uefi/rsrc/target.efi:%simics%/target.efi \
    --file examples/harnessing-uefi/rsrc/fuzz.simics:%simics%/fuzz.simics \
    --file examples/harnessing-uefi/rsrc/minimal_boot_disk.craff:%simics%/minimal_boot_disk.craff \
    --package 2096:6.0.70 \
    --command 'COMMAND:run-script "%simics%/fuzz.simics"'

If you want to see the visualizer above, you can enable the SIMICS GUI during fuzzing by adding -g/--enable-simics-gui and if you want a fancy TUI output, add the -t flag!

Running an EDK2 Sample Target

There are two provided sample targets, hello-world and x509-parse. You can run them in the basic configuration with the commands below, respectively.

cargo run --release --features=6.0.169 -- \
  -c /tmp/hello-world-corpus/ -o /tmp/hello-world-solution/ -l ERROR -t -C 1 \
  -P 2096:6.0.70 \
  -f examples/hello-world/rsrc/HelloWorld.efi:%simics%/targets/hello-world/HelloWorld.efi \
  -f examples/hello-world/rsrc/app.py:%simics%/scripts/app.py \
  -f examples/hello-world/rsrc/app.yml:%simics%/scripts/app.yml \
  -f examples/hello-world/rsrc/minimal_boot_disk.craff:%simics%/targets/hello-world/minimal_boot_disk.craff \
  -f examples/hello-world/rsrc/run_uefi_app.nsh:%simics%/targets/hello-world/run_uefi_app.nsh \
  -f examples/hello-world/rsrc/run-uefi-app.simics:%simics%/targets/hello-world/run-uefi-app.simics \
  -x CONFIG:%simics%/scripts/app.yml

cargo run --release --features=6.0.169 -- \
  -c /tmp/x509-parse-corpus/ -o /tmp/x509-parse-solution/ -l ERROR -t -C 1 \
  -P 2096:6.0.70 \
  -f examples/x509-parse/rsrc/X509Parse.efi:%simics%/targets/x509-parse/X509Parse.efi \
  -f examples/x509-parse/rsrc/app.py:%simics%/scripts/app.py \
  -f examples/x509-parse/rsrc/app.yml:%simics%/scripts/app.yml \
  -f examples/x509-parse/rsrc/minimal_boot_disk.craff:%simics%/targets/x509-parse/minimal_boot_disk.craff \
  -f examples/x509-parse/rsrc/run_uefi_app.nsh:%simics%/targets/x509-parse/run_uefi_app.nsh \
  -f examples/x509-parse/rsrc/run-uefi-app.simics:%simics%/targets/x509-parse/run-uefi-app.simics \
  -x CONFIG:%simics%/scripts/app.yml

Contact

If you discover a non-security issue or problem, please file an issue!

The best place to ask questions about and get help using TSFFS is in the Awesome Fuzzing Discord server. If you prefer, you can email the authors. Questions we receive are periodically added from both Discord and email to the FAQ.

Please do not create issues or ask publicly about possible security issues you discover in TSFFS. Instead, see our Security Policy and follow the linked guidelines.

Help Wanted / Roadmap

See the issues for a roadmap of planned features and enhancements. Help is welcome for any features listed here. If someone is assigned an issue you'd like to work on, please ping them to avoid duplicating effort!

Why TSFFS

There are several tools capable of fuzzing firmware and UEFI code. Notably, the HBFA project and the kAFL project enable system software fuzzing with various tradeoffs.

HBFA is very fast, and enables fuzzing with sanitizers in Linux userspace. However, it requires stubs for any hardware interactions as well as the ability to compile code with instrumentation. For teams with resources to create a working HBFA configuration, it should be used alongside TSFFS to enable additional error condition detection.

kAFL is also extremely fast, and is hypervisor-based, which allows deterministic snapshotting of systems under test. This also makes it ideal for very complex systems and system-of-systems fuzzing, where interactions between components or the use of real hardware is necessary. kAFL suffers from a similar limitation as HBFA in that it requires working device stubs or simulation to be implemented in QEMU, and additionally requires a patched kernel to run the required KVM modifications.

Both of these tools should be used where possible to take advantage of their unique capabilities, but TSFFS aims to reduce the barrier to fuzzing low-level systems software. It is slower (though not unacceptably so) than HBFA or kAFL, and is not (yet) capable of leveraging sanitizers. In exchange, using it is as simple as adding a few lines of code to a SIMICS script and ten or fewer lines of code to your firmware source code. In addition, because it is based on SIMICS, the tool of choice of firmware developers, the models and configurations for the code under test can be used as they are, and developers can continue to use familiar tools to reduce the lift of enabling fuzzing.

Authors

Brandon Marken Ph.D.

Robert Geunzel Ph.D.

Rowan Hart

Comments
  • Can tsffs fuzz test VMs device (eg:Cisco ASA)?

    Can tsffs fuzz-test virtual machine devices, e.g. Citrix ADC, Cisco ASA, and so on? If so, can you provide an example booting the VM platform and running a special application on it?

    documentation 
    opened by madjohn698 2
  • Add binary-only example

    TSFFS is perfectly capable of fuzzing binary-only UEFI targets with some small patches to the binary, we should add an example of how this can be done.

    documentation major low-priority 
    opened by novafacing 0
  • Intermittent crash/race using multiple cores

    Thanks @richinseattle for reporting. System is WSL2, which may or may not be relevant.

    after 12 seconds, using anything other than a single core, this happens most of the time, but on rare occasion it managed to work

    (base) rjohnson@codex:~/tsffs$ RUST_BACKTRACE=1 cargo run --release --features=6.0.169 --   -c /tmp/x509-parse-corpus/ -o /tmp/x509-parse-solution/ -l ERROR -t -C 2   -P 2096:6.0.70   -f examples/x509-parse/rsrc/X509Parse.efi:%simics%/targets/x509-parse/X509Parse.efi   -f examples/x509-parse/rsrc/app.py:%simics%/scripts/app.py   -f examples/x509-parse/rsrc/app.yml:%simics%/scripts/app.yml   -f examples/x509-parse/rsrc/minimal_boot_disk.craff:%simics%/targets/x509-parse/minimal_boot_disk.craff   -f examples/x509-parse/rsrc/run_uefi_app.nsh:%simics%/targets/x509-parse/run_uefi_app.nsh   -f examples/x509-parse/rsrc/run-uefi-app.simics:%simics%/targets/x509-parse/run-uefi-app.simics   -x CONFIG:%simics%/scripts/app.yml
    warning: skipping duplicate package `demo` found at `/home/rjohnson/.cargo/git/checkouts/libafl-c33dc6f5ec2f7a70/defe908/utils/gdb_qemu/demo`
    warning: skipping duplicate package `libfuzzer_libpng_launcher` found at `/home/rjohnson/.cargo/git/checkouts/libafl-c33dc6f5ec2f7a70/defe908/fuzzers/libfuzzer_libpng_launcher`
        Finished release [optimized + debuginfo] target(s) in 0.13s
         Running `target/release/simics-fuzz -c /tmp/x509-parse-corpus/ -o /tmp/x509-parse-solution/ -l ERROR -t -C 2 -P '2096:6.0.70' -f 'examples/x509-parse/rsrc/X509Parse.efi:%simics%/targets/x509-parse/X509Parse.efi' -f 'examples/x509-parse/rsrc/app.py:%simics%/scripts/app.py' -f 'examples/x509-parse/rsrc/app.yml:%simics%/scripts/app.yml' -f 'examples/x509-parse/rsrc/minimal_boot_disk.craff:%simics%/targets/x509-parse/minimal_boot_disk.craff' -f 'examples/x509-parse/rsrc/run_uefi_app.nsh:%simics%/targets/x509-parse/run_uefi_app.nsh' -f 'examples/x509-parse/rsrc/run-uefi-app.simics:%simics%/targets/x509-parse/run-uefi-app.simics' -x 'CONFIG:%simics%/scripts/app.yml'`
    thread '<unnamed>' panicked at /home/rjohnson/.cargo/git/checkouts/libafl-c33dc6f5ec2f7a70/defe908/libafl/src/monitors/tui/ui.rs:523:18:
    called `Option::unwrap()` on a `None` value
    stack backtrace:
       0: rust_begin_unwind
                 at /rustc/ca2b74f1ae5075d62e223c0a91574a1fc3f51c7c/library/std/src/panicking.rs:619:5
       1: core::panicking::panic_fmt
                 at /rustc/ca2b74f1ae5075d62e223c0a91574a1fc3f51c7c/library/core/src/panicking.rs:72:14
       2: core::panicking::panic
                 at /rustc/ca2b74f1ae5075d62e223c0a91574a1fc3f51c7c/library/core/src/panicking.rs:127:5
       3: core::option::Option<T>::unwrap
                 at /rustc/ca2b74f1ae5075d62e223c0a91574a1fc3f51c7c/library/core/src/option.rs:935:21
       4: libafl::monitors::tui::ui::TuiUI::draw_process_timing_text
                 at /home/rjohnson/.cargo/git/checkouts/libafl-c33dc6f5ec2f7a70/defe908/libafl/src/monitors/tui/ui.rs:523:18
       5: libafl::monitors::tui::ui::TuiUI::draw_client_ui
                 at /home/rjohnson/.cargo/git/checkouts/libafl-c33dc6f5ec2f7a70/defe908/libafl/src/monitors/tui/ui.rs:290:9
       6: libafl::monitors::tui::ui::TuiUI::draw
                 at /home/rjohnson/.cargo/git/checkouts/libafl-c33dc6f5ec2f7a70/defe908/libafl/src/monitors/tui/ui.rs:128:9
       7: libafl::monitors::tui::run_tui_thread::{{closure}}::{{closure}}
                 at /home/rjohnson/.cargo/git/checkouts/libafl-c33dc6f5ec2f7a70/defe908/libafl/src/monitors/tui/mod.rs:567:31
       8: ratatui::terminal::Terminal<B>::draw
                 at /home/rjohnson/.cargo/registry/src/index.crates.io-6f17d22bba15001f/ratatui-0.23.0/src/terminal.rs:292:9
       9: libafl::monitors::tui::run_tui_thread::{{closure}}
                 at /home/rjohnson/.cargo/git/checkouts/libafl-c33dc6f5ec2f7a70/defe908/libafl/src/monitors/tui/mod.rs:567:13
    note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.
    

    Also happened without the TUI too, I think. Let me test without the TUI: it just seems to hang and does not run and emit fuzzing output like with a single core. It runs the initial script ..

    Running command: set -v UEFI_APP_ON_HOST "/tmp/projecttmp.RO1LoLdL/targets/x509-parse/X509Parse.efi"
    
    Running command: set -v UEFI_APP_NODIR "X509Parse.efi"
    
    Running command: SimicsAgent.efi --download "/tmp/projecttmp.RO1LoLdL/targets/x509-parse/run_uefi_app.nsh"
    
    Running command: set -v UEFI_APP_ON_HOST "/tmp/projecttmp.RO1LoLdL/targets/x509-parse/X509Parse.efi"
    
    Running command: set -v UEFI_APP_NODIR "X509Parse.efi"
    
    Running command: "run_uefi_app.nsh"
    
    Running command: SimicsAgent.efi --download "/tmp/projecttmp.RO1LoLdL/targets/x509-parse/run_uefi_app.nsh"
    
    Running command: "run_uefi_app.nsh"
    
    [matic0 info] The Simics agent has terminated.
    [matic0 info] disconnected from UEFI0 (0x1b90f02e10d5a84c)
    [matic0 info] The Simics agent has terminated.
    [matic0 info] disconnected from UEFI0 (0x1b90f02e10d5a84c)
    [matic1 info] The Simics agent has terminated.
    [matic1 info] disconnected from UEFI1 (0x1b90f02e10d61ca9)
    [matic1 info] The Simics agent has terminated.
    [matic1 info] disconnected from UEFI1 (0x1b90f02e10d61ca9)
    

    Stuck in llmp. On the 2nd thread it's in accept4()

    #4  libafl_bolts::llmp::LlmpBroker<libafl_bolts::shmem::unix_shmem::default::CommonUnixShMemProvider>::loop_with_timeouts<libafl_bolts::shmem::unix_shmem::default::CommonUnixShMemProvider, libafl::events::llmp::{impl#0}::broker_loop::{closure_env#0}<libafl::inputs::bytes::BytesInput, libafl::monitors::multi::MultiMonitor<simics_fuzz::fuzzer::{impl#1}::launch::{closure_env#2}>, libafl_bolts::shmem::unix_shmem::default::CommonUnixShMemProvider>> (self=0x7fffffff78b8, timeout=<optimized out>, sleep_time=..., on_new_msg_or_timeout=<optimized out>)
        at /home/rjohnson/.cargo/git/checkouts/libafl-c33dc6f5ec2f7a70/defe908/libafl_bolts/src/llmp.rs:2290
    #5  libafl::events::llmp::LlmpEventBroker<libafl::inputs::bytes::BytesInput, libafl::monitors::multi::MultiMonitor<simics_fuzz::fuzzer::{impl#1}::launch::{closure_env#2}>, libafl_bolts::shmem::unix_shmem::default::CommonUnixShMemProvider>::broker_loop<libafl::inputs::bytes::BytesInput, libafl::monitors::multi::MultiMonitor<simics_fuzz::fuzzer::{impl#1}::launch::{closure_env#2}>, libafl_bolts::shmem::unix_shmem::default::CommonUnixShMemProvider> (self=0x7fffffff78b0)
        at /home/rjohnson/.cargo/git/checkouts/libafl-c33dc6f5ec2f7a70/defe908/libafl/src/events/llmp.rs:178
    #6  libafl::events::llmp::{impl#23}::launch::{closure#0}<libafl::monitors::multi::MultiMonitor<simics_fuzz::fuzzer::{impl#1}::launch::{closure_env#2}>, libafl::state::StdState<libafl::inputs::bytes::BytesInput, libafl::corpus::cached::CachedOnDiskCorpus<libafl::inputs::bytes::BytesInput>, libafl_bolts::rands::RomuDuoJrRand, libafl::corpus::ondisk::OnDiskCorpus<libafl::inputs::bytes::BytesInput>>, libafl_bolts::shmem::unix_shmem::default::CommonUnixShMemProvider> (broker=..., remote_broker_addr=...)
        at /home/rjohnson/.cargo/git/checkouts/libafl-c33dc6f5ec2f7a70/defe908/libafl/src/events/llmp.rs:1171
    #7  0x000055555584e40d in libafl::events::llmp::RestartingMgr<libafl::monitors::multi::MultiMonitor<simics_fuzz::fuzzer::{impl#1}::launch::{closure_env#2}>, libafl::state::StdState<libafl::inputs::bytes::BytesInput, libafl::corpus::cached::CachedOnDiskCorpus<libafl::inputs::bytes::BytesInput>, libafl_bolts::rands::RomuDuoJrRand, libafl::corpus::ondisk::OnDiskCorpus<libafl::inputs::bytes::BytesInput>>, libafl_bolts::shmem::unix_shmem::default::CommonUnixShMemProvider>::launch<libafl::monitors::multi::MultiMonitor<simics_fuzz::fuzzer::{impl#1}::launch::{closure_env#2}>, libafl::state::StdState<libafl::inputs::bytes::BytesInput, libafl::corpus::cached::CachedOnDiskCorpus<libafl::inputs::bytes::BytesInput>, libafl_bolts::rands::RomuDuoJrRand, libafl::corpus::ondisk::OnDiskCorpus<libafl::inputs::bytes::BytesInput>>, libafl_bolts::shmem::unix_shmem::default::CommonUnixShMemProvider> (self=0x7fffffff90a0)
        at /home/rjohnson/.cargo/git/checkouts/libafl-c33dc6f5ec2f7a70/defe908/libafl/src/events/llmp.rs:1208
    #8  0x000055555584a082 in libafl::events::launcher::Launcher<&mut simics_fuzz::fuzzer::{impl#1}::launch::{closure_env#0}, libafl::monitors::multi::MultiMonitor<simics_fuzz::fuzzer::{impl#1}::launch::{closure_env#2}>, libafl::state::StdState<libafl::inputs::bytes::BytesInput, libafl::corpus::cached::CachedOnDiskCorpus<libafl::inputs::bytes::BytesInput>, libafl_bolts::rands::RomuDuoJrRand, libafl::corpus::ondisk::OnDiskCorpus<libafl::inputs::bytes::BytesInput>>, libafl_bolts::shmem::unix_shmem::default::CommonUnixShMemProvider>::launch<&mut simics_fuzz::fuzzer::{impl#1}::launch::{closure_env#0}, libafl::monitors::multi::MultiMonitor<simics_fuzz::fuzzer::{impl#1}::launch::{closure_env#2}>, libafl::state::StdState<libafl::inputs::bytes::BytesInput, libafl::corpus::cached::CachedOnDiskCorpus<libafl::inputs::bytes::BytesInput>, libafl_bolts::rands::RomuDuoJrRand, libafl::corpus::ondisk::OnDiskCorpus<libafl::inputs::bytes::BytesInput>>, libafl_bolts::shmem::unix_shmem::default::CommonUnixShMemProvider> (self=0x7fffffff86d0)
        at /home/rjohnson/.cargo/git/checkouts/libafl-c33dc6f5ec2f7a70/defe908/libafl/src/events/launcher.rs:240
    #9  simics_fuzz::fuzzer::SimicsFuzzer::launch (self=0x7fffffffb2e0) at simics-fuzz/src/fuzzer/mod.rs:841
    #10 0x0000555555843603 in simics_fuzz::fuzzer::SimicsFuzzer::cli_main (args=...) at simics-fuzz/src/fuzzer/mod.rs:229
    #11 0x00005555555cabb7 in simics_fuzz::main () at simics-fuzz/src/bin/simics-fuzz.rs:10
    

    The worker processes run, but the main UI seems not to be hooking up properly.

    rjohnson 18549  0.4  0.0 105600 16356 pts/0    Sl+  18:40   0:01      |   \_ ./target/release/simics-fuzz -c /tmp/x509-parse-corpus/ -o /tmp/x509-parse-solution/ -l ERROR -C 2 -P 2096:6.0.70 -f examples/x509-parse/rsrc/X509Parse.efi:%simics%/targets/x509-parse/X509Parse.efi -f examp
    rjohnson 18749  0.0  0.0 297072  9832 pts/0    S+   18:40   0:00      |       \_ ./target/release/simics-fuzz -c /tmp/x509-parse-corpus/ -o /tmp/x509-parse-solution/ -l ERROR -C 2 -P 2096:6.0.70 -f examples/x509-parse/rsrc/X509Parse.efi:%simics%/targets/x509-parse/X509Parse.efi -f e
    rjohnson 18752 66.0  0.2 1190056 254148 pts/0  Sl+  18:40   4:35      |       |   \_ ./target/release/simics-fuzz -c /tmp/x509-parse-corpus/ -o /tmp/x509-parse-solution/ -l ERROR -C 2 -P 2096:6.0.70 -f examples/x509-parse/rsrc/X509Parse.efi:%simics%/targets/x509-parse/X509Parse.efi
    rjohnson 18750  0.0  0.0 297072  9836 pts/0    S+   18:40   0:00      |       \_ ./target/release/simics-fuzz -c /tmp/x509-parse-corpus/ -o /tmp/x509-parse-solution/ -l ERROR -C 2 -P 2096:6.0.70 -f examples/x509-parse/rsrc/X509Parse.efi:%simics%/targets/x509-parse/X509Parse.efi -f e
    rjohnson 18753 59.0  0.2 1108876 252664 pts/0  Sl+  18:40   4:06      |           \_ ./target/release/simics-fuzz -c /tmp/x509-parse-corpus/ -o /tmp/x509-parse-solution/ -l ERROR -C 2 -P 2096:6.0.70 -f examples/x509-parse/rsrc/X509Parse.efi:%simics%/targets/x509-parse/X509Parse.efi
    rjohnson 18501  0.0  0.0 297072 11384 pts/0    S    18:38   0:00      \_ /home/rjohnson/tsffs/target/release/simics-fuzz -c /tmp/x509-parse-corpus/ -o /tmp/x509-parse-solution/ -l ERROR -C 2 -P 2096:6.0.70 -f examples/x509-parse/rsrc/X509Parse.efi:%simics%/targets/x509-parse/X509Par
    rjohnson 18505 53.4  0.2 1108876 269408 pts/0  Sl   18:38   4:41          \_ /home/rjohnson/tsffs/target/release/simics-fuzz -c /tmp/x509-parse-corpus/
    

    Was trying to show load there. I attached with gdb and they step through.

    bug high-priority 
    opened by novafacing 0
  • Raw pointer from boxed closure discards vtable

    ref: https://godbolt.org/z/n11PbaKan, thanks @elnardu for pointing this out.

    Casting a pointer from Box::into_raw to a raw pointer is invalid in some scenarios. We need to evaluate whether our usage of this pattern is valid in the following usages:

    • https://github.com/intel/tsffs/blob/0ee60dc477d76306ebf8e7c6d5e75e5fd0c6cacf/simics-api/src/safe/simulator/callbacks.rs#L20
    • https://github.com/intel/tsffs/blob/0ee60dc477d76306ebf8e7c6d5e75e5fd0c6cacf/simics-api/src/safe/base/conf_object.rs#L70
    • https://github.com/intel/tsffs/blob/0ee60dc477d76306ebf8e7c6d5e75e5fd0c6cacf/simics-fuzz/src/fuzzer/mod.rs#L313
    • https://github.com/intel/tsffs/blob/0ee60dc477d76306ebf8e7c6d5e75e5fd0c6cacf/simics-api/src/safe/base/attr_value.rs#L151

    If usage is invalid, we need to fix it (this may be invalid on non-linux64 and non-windows, in which case it should still be fixed even though SIMICS does not support those platforms). If not, each case needs a // NOTE: describing why it is OK.

    bug minor low-priority 
    opened by novafacing 0
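    As an added illustration of the pattern this issue questions (this is not code from the TSFFS repository): a `Box<dyn FnMut>` turned into a raw pointer is a fat pointer, so casting it to a thin `*mut c_void` drops the vtable half; the usual fix when the pointer must pass through an opaque C user-data slot is to box it a second time so the outer pointer is thin. The `Callback` type and the `trampoline` function are assumptions standing in for callback-registration glue.

```rust
use std::ffi::c_void;

/// A boxed callback of the kind callback-registration glue stores for a C API
/// (assumed type name, not from the project).
type Callback = Box<dyn FnMut(i32) -> i32>;

/// A `*mut dyn FnMut` is a fat pointer: data pointer plus vtable pointer. Casting it
/// to a thin `*mut c_void` keeps only the first word, so the vtable is lost and the
/// closure can never be called through the thin pointer. Return both sizes to show it.
fn fat_pointer_is_two_words() -> (usize, usize) {
    let cb: Callback = Box::new(|x| x + 1);
    let fat: *mut dyn FnMut(i32) -> i32 = Box::into_raw(cb);
    let sizes = (
        std::mem::size_of_val(&fat),
        std::mem::size_of::<*mut c_void>(),
    );
    // SAFETY: `fat` came from Box::into_raw above and is freed exactly once here.
    unsafe { drop(Box::from_raw(fat)) };
    sizes
}

/// Correct pattern: box the boxed closure a second time. `Box<Callback>` points at a
/// sized value, so its raw pointer is thin and survives a `*mut c_void` round trip.
fn into_user_data(cb: Callback) -> *mut c_void {
    Box::into_raw(Box::new(cb)) as *mut c_void
}

/// What the C side would call (assumed trampoline): recover `&mut Callback` from the
/// opaque user-data pointer and invoke it.
/// SAFETY: `user_data` must come from `into_user_data` and not yet be freed.
unsafe extern "C" fn trampoline(user_data: *mut c_void, arg: i32) -> i32 {
    unsafe {
        let cb = &mut *(user_data as *mut Callback);
        cb(arg)
    }
}

/// Free the closure when the callback is unregistered (same pointer, same type).
/// SAFETY: `user_data` must come from `into_user_data` and must not be used afterwards.
unsafe fn drop_user_data(user_data: *mut c_void) {
    unsafe { drop(Box::from_raw(user_data as *mut Callback)) };
}

/// Register a capturing closure, invoke it twice through the thin pointer, then free it.
fn run_roundtrip() -> (i32, i32) {
    let factor = 3;
    let ud = into_user_data(Box::new(move |x| x * factor));
    // SAFETY: `ud` is live between registration and drop_user_data.
    let results = unsafe { (trampoline(ud, 5), trampoline(ud, 7)) };
    unsafe { drop_user_data(ud) };
    results
}

fn main() {
    let (fat, thin) = fat_pointer_is_two_words();
    println!("fat pointer: {fat} bytes, thin pointer: {thin} bytes");
    println!("round trip results: {:?}", run_roundtrip());
}
```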
  • Set up Simics package associations using standard tools

    The example instructions are using non-orthodox ways to set up the Simics project--package association.

    For example: https://github.com/intel/tsffs/blob/main/docs/Requirements.md:

    $ "${SIMICS_HOME}/simics-6.0.169/bin/project-setup" ./test-micro-checkpoints
    Project created successfully
    

    This should be accomplished using the documented addon-manager script. Or even better, starting with setting up the project based on Public Simics using the Intel Simics Package Manager (ISPM). Since the later page https://github.com/intel/tsffs/blob/main/docs/Setup.md does use the public Simics as an example, maybe that could be moved up to the start of the docs?

    The instructions on the https://github.com/intel/tsffs/blob/main/docs/Setup.md page are also missing how to set up a project pointing at the installed public release. As documented on https://www.intel.com/content/www/us/en/developer/articles/guide/simics-simulator-installation.html, it should be enough to add a --create-project option to the ispm CLI invocation.

    documentation minor low-priority 
    opened by jakob-engblom-i 3
  • Allow multiple harnesses with harness selection

    For some use cases, it would be nice to allow having multiple harnesses compiled into the same target software and selectively enable them at run-time. There are a few ways we can do this:

    • [ ] Encode it into n of the magic instruction. This is problematic on some architectures, for example ARM Thumb-2, n <= 12.
    • [ ] Encode it into yet another magic register. This is an OK approach but it does further increase the harness code complexity. If enabled with MAGIC_START_SELECT (4) this will be OK. Extended stop harnesses already include a way to communicate a value back to the fuzzer, so only start harnesses need to be extended.

    minor low-priority enhancement 
    opened by novafacing 0
Owner
Intel Corporation