K0retux has created Fuddly, a fuzzing and data manipulation framework. It is a Python-based (v2 or v3) command-line tool. Fuddly uses a graph-based data model that makes it possible to represent complex data formats and to mix them, to perform complex data manipulations, to dissect existing data and absorb it into the model, and to combine generation and mutation fuzzing strategies. Fuddly's fuzzing automation framework provides target abstraction, monitoring based on independent probes, replay and logging, data manipulation based on disruptors (objects that implement specific data transformations), and virtual operator abstraction.
Fuddly is a fuzzing and data manipulation framework whose main objectives are:

1) To allow users to build data models that:
 1.1) mix very accurate representations of certain aspects with much coarser ones of others that lie outside the focus of the testing, while leaving open the option of refining those other parts should the need arise;
 1.2) may be combined with each other;
 1.3) make it possible to dissect raw data in order to analyze it, and to absorb it into the data model for manipulation;
 1.4) make it possible to mix generation and mutation fuzzing techniques.

2) To represent data in a way that simplifies the fuzzing process and, in particular, enables the implementation of elaborate transformations. By "elaborate" we mean the capability to act on any part of the data (not necessarily contiguous) while preserving the consistency of dependent parts if so desired. This amounts to allowing transformations to be articulated around syntactic criteria (e.g., modifying an integer depending on the size of the field hosting it) or semantic ones (e.g., altering a value according to its meaning for a given data format or protocol, or altering specific data sub-parts that form a coherent group for a given format or protocol).

3) To automate the fuzzing process by relying on Fuddly's various sub-systems, which handle communication with the target, follow and monitor its behavior and act accordingly (e.g., deviate from protocol requirements such as sequencing, timing constraints, and so on) using the data model's search and modification primitives, while recording every piece of information generated during this process and making it possible to replay it.
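To make the data-model ideas above concrete, here is an added toy illustration (written for this page, not Fuddly's own code or API): a small node tree for a constructed length-prefixed message that can be generated, absorbed from raw bytes, and altered by two "disruptors", one that keeps the dependent length field consistent and one that deliberately breaks it.

```python
import struct

class Node:
    """Tree node: leaves carry a value; a leaf may instead derive its value
    from a sibling named in length_of (a 2-byte big-endian length)."""
    def __init__(self, name, value=None, children=None, length_of=None):
        self.name, self.value, self.length_of = name, value, length_of
        self.children = children or []

    def find(self, name):
        if self.name == name:
            return self
        for c in self.children:
            hit = c.find(name)
            if hit is not None:
                return hit
        return None

    def to_bytes(self, root=None):
        root = root if root is not None else self
        if self.children:
            return b''.join(c.to_bytes(root) for c in self.children)
        if self.value is not None:      # an explicit value wins (disruptor override)
            return self.value
        # dependent integer: computed from the sibling it describes
        return struct.pack('>H', len(root.find(self.length_of).value))

def make_model():
    # constructed layout: 2-byte length, then the payload bytes it describes
    return Node('msg', children=[Node('len', length_of='payload'),
                                 Node('payload', value=b'')])

def absorb(raw):
    """Dissect raw bytes into the model; None if the length is inconsistent."""
    if len(raw) < 2:
        return None
    n = struct.unpack('>H', raw[:2])[0]
    if len(raw) != 2 + n:
        return None
    model = make_model()
    model.find('payload').value = raw[2:]
    return model

def disrupt_payload(model, new_value):
    """Syntactic disruptor: change the payload; the length follows automatically."""
    model.find('payload').value = new_value
    return model.to_bytes()

def disrupt_length(model, forced):
    """Disruptor that deviates from the format: lie about the length."""
    model.find('len').value = struct.pack('>H', forced)
    return model.to_bytes()
```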
