Coverage-guided fuzzing has become a trending technique for discovering vulnerabilities in powerful systems such as PCs, and has been a main contributor to countless 0-days in the last few years.
Unfortunately, this breakthrough methodology has not yet been applied to finding bugs in embedded devices (such as network routers, IP cameras, etc.). We identified some of the reasons, as follows:
This research aims to overcome these issues and build a new guided fuzzer for embedded systems.
We emulate the firmware so that we can plug in our fuzzing and debugging tools. We will first explain how we extract firmware directly from physical devices, then how we emulate it on a virtual machine using a number of tricks, including static binary dependency duplication and patching the firmware for NVRAM simulation, in order to feed programs the actual configuration responses they expect.
We will introduce a new, powerful dynamic binary instrumentation (DBI) framework that supports all platforms and embedded architectures in use today, including Arm, Arm64, Mips, PowerPC and Sparc (plus Intel X86). The design and implementation of this framework will be presented in detail, so the audience can also see many other applications of our DBI beyond this project.
We will also discuss how we built an advanced guided fuzzer that runs inside the emulated firmware. With our own DBI at its heart, it requires no firmware source code and can find vulnerabilities in binary-only applications on all kinds of embedded CPUs available today.
In a limited time of just a few months, our fuzzer has already discovered many 0-days in some very popular embedded network devices. Among them, several vulnerabilities allow pre-authenticated remote code execution, affect multi-million users, and could potentially be turned into a new botnet worm with massive-scale infection. These bugs will be released to the public in our talk if the vendors fix them in time.
The audience can expect a deeply technical, but still entertaining, presentation with many exciting demos.