• Stars
    star
    194
  • Rank 200,219 (Top 4 %)
  • Language
    Python
  • Created over 5 years ago
  • Updated over 3 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

GUSTAVE is a fuzzing platform for embedded OS kernels. It is based on QEMU and AFL (and all of its forkserver siblings). It allows to fuzz OS kernels like simple applications.

(c) Airbus 2021, sduverger

GUSTAVE - Embedded OS kernel fuzzer

What is it ?

GUSTAVE is a fuzzing platform for embedded OS kernels. It is based on QEMU and AFL (and all of its forkserver siblings). It allows to fuzz OS kernels like simple applications.

Thanks to QEMU, it is multi-platform. One can see GUSTAVE as a AFL forkserver implementation inside QEMU, with fine grain target inspection.

What are the supported kernels ?

GUSTAVE has mainly been designed to target embedded OS kernels. It might not be the best tool to fuzz large and complex kernels as found in Windows, Linux or MACOS.

However if you have a target under the hood which can be prepared with one or two applications to boot without any user interaction, it might be interesting to give GUSTAVE a try.

How does it work ?

The afl-fuzz tool, from the AFL project, is used to automatically fuzz your target. However, AFL can't directly fuzz an OS kernel and expects its target to directly parse the generated test cases.

To make it short, afl-fuzz will run QEMU with GUSTAVE integration as its target. In turn, GUSTAVE will handle :

  • forkserver synchronization
  • generated test cases translation to target system calls
  • target kernel monitoring (execution coverage and memory accesses)

As AFL/QEMU-user mode found in AFL++ project, GUSTAVE implements QEMU TCG IR level binary instrumentation for code coverage.

However, you can choose to disable it and rebuild your target kernel code with only specific parts being subject to code coverage analysis. You will have to inject AFL shims at build time to update the trace bitmaps though. That was our initial approach (see Publications).

Less prevalent in existing solutions, GUSTAVE does not care about monitoring kernel panics. We consider them managed errors, and want to discover illegal behaviors that did not trigger any alarm.

For that purpose GUSTAVE relies on a O(1) byte oriented memory filtering bitmap to detect illegal accesses from the kernel. There might be large debate about defining what could be considered illegal from the kernel point of view. But in restricted embedded, highly deterministic environments you might find yourself comfortable defining legitimate memory areas for your firmware and tracking out-of-bound accesses.

How does it compare to existing solutions ?

There exists comparable approaches, such as:

GUSTAVE design choices imply the following differences:

  • really target agnostic (OS, architecture), as long as QEMU offers support
  • covers all system calls implemented in the target kernel
  • no specific devs are needed inside the target

However, you still need to tell GUSTAVE:

  • how your target handles system calls
  • what is your target legitimate memory layout

Current status ?

Host hardware

For now only x86 host is supported, as many working environments are based upon this architecture we don't consider it a prohibiting limitation.

The restriction comes from the way we initially implemented memory filtering backend at tcg-target level for the QEMU load/store fast-path. The recent TCGPlugin memory callbacks architecture might be an alternative approach to support any host.

Guest Hardware

We have implemented and tested Intel x86 and PowerPC support. The GUSTAVE implementation is architecture independent. If you can run your target with QEMU, you can fuzz it with GUSTAVE with little effort.

We provide example Intel 440FX and PowerPC PREP boards with GUSTAVE integration. The implementation of your own board is really easy, and consist in wrapping the MACHINE_INIT function for a given architecture.

We also added support for x86 and PowerPC GUSTAVE instrumentation shims to afl-gcc, in case you don't want to proceed with TCG binary instrumentation.

Example target

We provide POK micro-kernel specific developments:

  • firmware with simple applications
  • system calls ABI generator for both x86/PPC
  • filtering bitmap

How to use it ?

You will need to:

  • build AFL
  • build QEMU with GUSTAVE integration
  • create or generate the filtering bitmap
  • write a JSON configuration file for your target
  • run it in a terminal

Read the manual for the POK target.

Publications

Material from different talks on GUSTAVE can be found at https://airbus-seclab.github.io/.

More Repositories

1

bincat

Binary code static analyser, with IDA integration. Performs value and taint analysis, type reconstruction, use-after-free and double-free detection
OCaml
1,662
star
2

qemu_blog

A series of posts about QEMU internals:
1,345
star
3

cpu_rec

Recognize cpu instructions in an arbitrary binary file
Python
640
star
4

ilo4_toolbox

Toolbox for HPE iLO4 & iLO5 analysis
Python
412
star
5

warbirdvm

An analysis of the Warbird virtual-machine protection for the CI!g_pStore
Ruby
216
star
6

diffware

An extensively configurable tool providing a summary of the changes between two files or directories, ignoring all the fluff you don't care about.
Python
196
star
7

powersap

Powershell SAP assessment tool
PowerShell
187
star
8

crashos

A tool dedicated to the research of vulnerabilities in hypervisors by creating unusual system configurations.
C
182
star
9

c-compiler-security

Security-related flags and options for C compilers
Python
179
star
10

ramooflax

a bare metal (type 1) VMM (hypervisor) with a python remote control API
C
178
star
11

bta

Open source Active Directory security audit framework.
Python
131
star
12

android_emuroot

Android_Emuroot is a Python script that allows granting root privileges on the fly to shells running on Android virtual machines that use google-provided emulator images called Google API Playstore, to help reverse engineers to go deeper into their investigations.
Python
121
star
13

AutoResolv

Python
71
star
14

elfesteem

ELF/PE/Mach-O parsing library
Python
50
star
15

GEA1_break

Implementation of the key recovery attack against GEA-1 keys (Eurocrypt 2021)
C
47
star
16

airbus-seclab.github.io

Conferences, tools, papers, etc.
43
star
17

AFLplusplus-blogpost

Blogpost about optimizing binary-only fuzzing with AFL++
Shell
34
star
18

nbutools

Tools for offensive security of NetBackup infrastructures
Python
30
star
19

rebus

REbus facilitates the coupling of existing tools that perform specific tasks, where one's output will be used as the input of others.
Python
25
star
20

usbq_core

USB man in the middle linux kernel driver
C
19
star
21

AppVsWild

application process protection hypervisor virtualization encryption
9
star
22

gunpack

Generic unpacker (dynamic)
C
8
star
23

usbq_userland

User land program to be used with usbq_core
Python
8
star
24

ramooflax_scripts

ramooflax python scripts
Python
6
star
25

cpu_doc

Curated set of documents about CPU
3
star
26

c2newspeak

C
3
star
27

rebus_demo

REbus demo agents
Python
2
star
28

security-advisories

2
star
29

pwnvasive

semi-automatic discovery and lateralization
Python
1
star
30

pok

forked from pok-kernel/pok
C
1
star
31

afl

Airbus seclab fork of AFL
C
1
star