BruCON 0x0A

Coverage guided fuzzing becomes a trending technique to discover vulnerabilities in powerful systems such as PC, and is a main contributor to countless 0days in the last few years. 

Unfortunately, this breakthrough methodology is not yet applied to find bugs in embedded devices (like network routers, IP cameras, etc). We found some of the reasons as follows: 

- As closed ecosystems, embedded devices usually come without built-in shell access or development facilities such as compiler & debugger. This makes it impossible to introduce a fuzzer to directly run & find bugs inside them. 

- In case available for download (rarely), most embedded firmware are not open source, which limit usage of available guided fuzzers such as AFL & LibFuzzer, as these tools require source code to inject basic block instrumentation at compile time. 

- Most existing work focus on Intel architecture, while all embedded devices run on other CPUs such as ARM, MIPS or PowerPC. Our study reveals that fuzzing tools on these architectures are sorely lacking. 

This research aims to overcome the mentioned issues to build a new guided fuzzer for embedded systems. 

- We emulate the firmware so we can put in our fuzzing & debugging tools. We will first explain how we directly extract firmware from physical devices, then emulate them in Virtual Machine with a lot of tricks involving static binary dependency duplication, patching firmware for NVRAM simulation in order to feed actual response for program configuration. 

- We will introduce a new lightweight dynamic binary instrumentation (DBI) framework that supports all platforms & embedded architectures in use today, including Arm, Arm64, Mips, PowerPC & Sparc (plus, we also support Intel X86). The design & implementation of this framework will be presented in details, so the audience can also see many other applications of our DBI beyond this project. 

- We will discuss how we built a powerful guided fuzzer to run inside emulated firmware. Using our own DBI at the heart for basic block instrumentation, this requires no firmware source code, and can find vulnerabilities in binary-only applications on all kind of embedded CPUs available. 

In a limited time of just few months, our fuzzer discovered many 0days in some widely popular embedded network devices. Among them, several vulnerabilities allow pre-authenticated remote code execution that affect multi-million users, and can be potentially turned into a new botnet-worm with massive-scale infection. These bugs will be released to public in our talk if the vendors fix them in time. 

The audience can expect a deeply technical, but still entertaining presentation, with many exciting demos.