TSFFS is a snapshotting, coverage-guided fuzzer built on the SIMICS full system simulator. TSFFS makes it easy to fuzz and triage crashes on traditionally challenging targets including UEFI applications, bootloaders, BIOS, kernel modules, and device firmware. TSSFS can even fuzz user-space applications on Linux and Windows. See the requirements to find out if TSSFS can fuzz your code.
The fastest way to start using TSFFS is with our dockerfile. To set up TSFFS locally instead, read the documentation. To start using TSFFS right away:
git clone https://github.com/intel/tsffs
cd tsffs
docker build -t tsffs .
docker run -it tsffsThen, run the provided example target and fuzzing configuration:
./simics -no-gui --no-win ./fuzz.simicsDocumentation for setup & usage of this project lives online at intel.github.io/tsffs.
This fuzzer is built using LibAFL and SIMICS and takes advantage of several of the state of the art capabilities of both.
- Edge coverage guided
- Snapshotting (fully deterministic)
- Parallel fuzzing (across cores, machines soon)
- Easy to add to existing SIMICS projects
- Triage mode to reproduce and debug crashes
- Modern fuzzing methodologies:
- Redqueen/I2S taint-based mutation
- MOpt & Auto-token mutations
- More coming soon!
TSFFS is focused on several primary use cases:
- UEFI and BIOS code, particulary based on EDKII
- Pre- and early-silicon firmware and device drivers
- Hardware-dependent kernel and firmware code
- Fuzzing for complex error conditions
However, TSFFS is also capable of fuzzing:
- Kernel & kernel drivers on Windows Linux, and more
- User-space applications on Windows, Linux, and more
- Network applications
- Hypervisors and bare-metal systems
If you discover a non-security issue or problem, please file an issue!
The best place to ask questions about and get help using TSFFS is in the Awesome Fuzzing Discord server. If you prefer, you can email the authors. Questions we receive are periodically added from both Discord and email to the FAQ.
Please do not create issues or ask publicly about possible security issues you discover in TSFFS. Instead, see our Security Policy and follow the linked guidelines.
See the issues for a roadmap of planned features and enhancements. Help is welcome for any features listed here. If someone is assigned an issue you'd like to work on, please ping them to avoid duplicating effort!
Rowan Hart rowan.hart@intel.com
Brandon Marken Ph.D. brandon.marken@intel.com
Robert Guenzel Ph.D. robert.guenzel@intel.com