Skip to content

Emulation and Feedback Fuzzing of Firmware with Memory Sanitization

License

Notifications You must be signed in to change notification settings

fgsect/BaseSAFE

Repository files navigation

BaseSAFE

base safe paper

This repository contains the BaseSAFE Rust APIs, introduced by "BaseSAFE: Baseband SAnitized Fuzzing through Emulation".

The example/ directory contains two harnesses emulating parts of the firmware for MediaTek’s Helio X10 (MT6795) baseband processor. _EMM_ demonstrates a crash inside the decoder for ATTACH/ACCEPT messages as part of the Mobility Management. _ERRC_ emulates various ASN.1 decoders which are being used for Radio Resource Control messages. Example inputs can be found inside the _data/_ directories.


Setup

Make AFL++ and build AFLplusplus/unicorn_mode.

./build_afl.sh

A single emulation run can be started by navigating into e.g. examples/errc and executing the harness on the provided data:

cd examples/errc/
cargo run data/pcch.raw

The emulated code can be fuzzed with AFL++ in Unicorn mode:

cd examples/errc
cargo build --release
../../AFLplusplus/afl-fuzz -U -i connections/ -o out/ -m none -- target/release/errc_fuzz @@

About

Emulation and Feedback Fuzzing of Firmware with Memory Sanitization

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published