A Fuzzer for Windows NDIS Drivers OID Handlers developed by @kiqueNissim of @IOActive: https://t.co/JSF9tm9CMM … anyone interested in fuzzing, in general, is welcome to a digital copy of @pedramamini's book on the matter: https://t.co/y0pVF1QKhj bit dated, but still applicable.
— InQuest (@InQuest) November 8, 2018
afl-unicorn lets you fuzz any piece of binary that can be emulated by Unicorn Engine.
[…]Unicorn Mode works by implementing the block-edge instrumentation that AFL’s QEMU Mode normally does into Unicorn Engine. Basically, AFL will use block coverage information from any emulated code snippet to drive its input generation. The whole idea revolves around proper construction of a Unicorn-based test harness, as shown in the figure below:
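The block-edge bookkeeping described above, as an added stand-alone simulation (not code from afl-unicorn or the original post): a block-hook callback folds each basic-block address into an AFL-style edge map, and a triage step keeps only inputs that reach edges no earlier input did. No emulator runs here; the block addresses and per-input traces are constructed.

```python
# Added example (not afl-unicorn's own code): simulate the edge coverage
# that afl-unicorn's Unicorn block hook feeds back to AFL. No emulator is
# involved; the block-address traces at the bottom are constructed.
MAP_SIZE = 1 << 16  # AFL's default 64 KiB shared coverage map

def block_id(address: int) -> int:
    """Fold a block address into a map index (same hash shape as AFL's
    QEMU mode: (addr >> 4) ^ (addr << 8), masked to the map size)."""
    return ((address >> 4) ^ (address << 8)) & (MAP_SIZE - 1)

class EdgeMap:
    """Per-run edge counters, the equivalent of AFL's shared-memory bitmap."""
    def __init__(self) -> None:
        self.hits = bytearray(MAP_SIZE)
        self.prev_loc = 0

    def hook_block(self, address: int) -> None:
        # What a UC_HOOK_BLOCK callback does on every block entry:
        # slot = cur ^ (prev >> 1), so A->B and B->A get different slots
        # and a self-loop A->A differs from merely entering A.
        cur = block_id(address)
        slot = cur ^ self.prev_loc
        self.hits[slot] = min(self.hits[slot] + 1, 255)  # saturating count
        self.prev_loc = cur >> 1

def run_trace(blocks) -> bytearray:
    """Replay one input's block trace through the hook; return its map."""
    emap = EdgeMap()
    for address in blocks:
        emap.hook_block(address)
    return emap.hits

def new_edges(virgin: bytearray, hits: bytearray) -> int:
    """Count edges never seen before and mark them in the 'virgin' map;
    AFL keeps an input in its queue only when this is non-zero."""
    found = 0
    for i, h in enumerate(hits):
        if h and not virgin[i]:
            virgin[i] = 1
            found += 1
    return found

def triage(traces) -> list:
    """Per trace, how many new edges it contributed (0 means discard)."""
    virgin = bytearray(MAP_SIZE)
    return [new_edges(virgin, run_trace(t)) for t in traces]

# Constructed traces: entry 0x1000 branches to 0x1010 or 0x1020 and merges
# at 0x1040; the third input runs the 0x1010 loop body twice.
SAMPLE_TRACES = [
    [0x1000, 0x1010, 0x1040],          # first input: 3 new edges
    [0x1000, 0x1020, 0x1040],          # other branch: 2 new edges
    [0x1000, 0x1010, 0x1010, 0x1040],  # same blocks, one new loop edge
    [0x1000, 0x1010, 0x1040],          # repeat of the first: nothing new
]

if __name__ == "__main__":
    print(triage(SAMPLE_TRACES))  # [3, 2, 1, 0]
```

Plain block coverage would rate the third trace as adding nothing; the edge map credits it with the 0x1010 -> 0x1010 back-edge, which is why AFL keeps it.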
fastboot oem vuln: Android Bootloader Vulnerabilities in Vendor Customizations:
We discuss the fastboot interface of the Android bootloader, an area of fragmentation in Android devices. We then present a variety of vulnerabilities we have found across multiple Android devices. Most notable ones include Secure Boot & Device Locking bypasses in the Motorola and OnePlus 3/3T bootloaders. Another critical flaw in OnePlus 3/3T enables easy attacks by malicious chargers – the only prerequisite is a powered-off device to be connected. An unexpected attack vector in Nexus 9 is also shown – malicious headphones. Other discovered weaknesses allow for data exfiltration (including a memory dumping of a Nexus 5X device), enablement of hidden functionality such as access to the device’s modem diagnostics and AT interfaces, and attacks against internal System-on-Chips (SoCs) found on the Nexus 9 board.
abootool: Simple fuzzer for discovering hidden fastboot gems. Modus Operandi: Based on static knowledge (strings fetched from available bootloader images), dynamically fuzz for hidden fastboot OEM commands.
s a n d s i f t e r : the x86 processor fuzzer
The sandsifter audits x86 processors for hidden instructions and hardware bugs, by systematically generating machine code to search through a processor’s instruction set, and monitoring execution for anomalies. Sandsifter has uncovered secret processor instructions from every major vendor; ubiquitous software bugs in disassemblers, assemblers, and emulators; flaws in enterprise hypervisors; and both benign and security-critical hardware bugs in x86 chips. With the multitude of x86 processors in existence, the goal of the tool is to enable users to check their own systems for hidden instructions and bugs.[…]
NEZHA is an evolutionary-based efficient and domain-independent differential testing framework developed at Columbia University. NEZHA exploits the behavioral asymmetries between multiple test programs to focus on inputs that are more likely to trigger semantic bugs. NEZHA features several runtime diversity-promoting metrics used to generate inputs for multi-app differential testing.[…]
syzkaller is an unsupervised, coverage-guided Linux syscall fuzzer. It is meant to be used with KASAN (CONFIG_KASAN=y), KTSAN (CONFIG_KTSAN=y), or KUBSAN.
This is a set of tests (benchmarks) for fuzzing engines (fuzzers). The goal of this project is to have a set of fuzzing benchmarks derived from real-life libraries that have interesting bugs, hard-to-find code paths, or other challenges for bug finding tools. The current version supports libFuzzer; in future versions we expect to support AFL and potentially other fuzzers. […]
“KernelFuzzer: This is the core Kernel Fuzzer, with example library calls and Syscalls to start fuzzing Windows. The fuzzer has been tested on Windows 7 / 10, OS X and QNX. […] See our Def Con 24 slides over at MWR Labs which give an explanation of the fuzzer and examples of writing library calls and syscalls for the fuzzer. One of each is provided as an example and more examples are provided in the slides. […]”
“I am happy to announce today the public release of our evolutionary knowledge-based fuzzer, Choronzon. An overview of the architecture of Choronzon was initially presented at the ZeroNights 2015 conference. A recording of the presentation and the slide deck are also available. You can now find the full source code of Choronzon on the official CENSUS GitHub page. We welcome any feedback you may have and pull requests!”
Excerpt from readme:
Original AFL code written by Michal Zalewski <firstname.lastname@example.org>
Windows fork written and maintained by Ivan Fratric <email@example.com>
Copyright 2016 Google Inc. All Rights Reserved.
[…] Unfortunately, the original AFL does not work on Windows due to very *nix-specific design (e.g. instrumentation, forkserver etc). This project is a fork of AFL that uses a different instrumentation approach which works on Windows even for black box binary fuzzing. […] The WinAFL approach: Instead of instrumenting the code at compilation time, WinAFL relies on dynamic instrumentation using DynamoRIO to measure and extract target coverage. This approach has been found to introduce an overhead of about 2x compared to the native execution speed, which is comparable to the original AFL in binary instrumentation mode. To improve the process startup time, WinAFL relies heavily on persistent fuzzing mode, that is, executing multiple input samples without restarting the target process. This is accomplished by selecting a target function (that the user wants to fuzz) and instrumenting it so that it runs in a loop. […]
vusbf-Framework: A KVM/QEMU based USB-fuzzing framework.
Sergej Schumilo, OpenSource Security Spenneberg 2015
A USB-fuzzer which takes advantage of massive usage of virtual machines and also offers high reproducibility. This framework was initially released at Black Hat Europe 2014. This software is licensed under GPLv2. vUSBf was written in Python2 and requires the Scapy-framework. This framework provides:
* USB-fuzzing in practical time frames
* multiprocessing and clustering
* export sequences of payloads and replay them for debugging or investigation
* XML-based dynamic testcase generating
* expandable by writing new testcases, USB-emulators or monitoring-modules
R00tkitSMM has created a Windows win32k.sys fuzzer project called Win32k-Fuzzer:
Fuzz and Detect “Use After Free” vulnerability in win32k.sys (Heap based)
“Win32k.sys for Windows is like Java for internet.”
Hubert Kario of Red Hat announced a new tool on the OSS-security list today. The tool, ‘tlsfuzzer’, is for reproducing, testing and (in the future) automatically finding issues in TLS implementations.
I’m looking forward to seeing if this can help test Tianocore’s HTTPS support, when TLS is added. 🙂
For more information, see the full post on the OSS-security list.
KLEE is the LLVM-based fuzzer. Life with QEMU/OVMF will hopefully get more interesting, especially with SMM moving into OVMF.