Fuzzing Against the Machine - Antonio Nappa - E-Book


You can read the e-book in Legimi apps or in any app that supports the following formats:

EPUB
MOBI

Page count: 276

Year of publication: 2023




Fuzzing Against the Machine

Automate vulnerability research with emulated IoT devices on QEMU

Antonio Nappa

Eduardo Blázquez

BIRMINGHAM—MUMBAI

Fuzzing Against the Machine

Copyright © 2023 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Group Product Manager: Pavan Ramchandani

Publishing Product Manager: Khusbhoo Samkaria

Senior Editor: Athikho Sapuni Rishana

Technical Editor: Irfa Ansari

Copy Editor: Safis Editing

Project Coordinator: Ashwin Kharwa

Proofreader: Safis Editing

Indexer: Subalakshmi Govindhan

Production Designer: Jyoti Chauhan

Marketing Coordinator: Agnes D’souza

First published: April 2023

Production reference: 2300623

Published by Packt Publishing Ltd.

Livery Place

35 Livery Street

Birmingham

B3 2PB, UK.

ISBN 978-1-80461-497-6

www.packtpub.com

To all the people that helped me along the way, in some way, somehow you are part of my family. Special thanks to Elo, my wife, and Amalia and Salvo, my children. Thank you for every smile, every breath, every thought.

- Antonio Nappa

To all those who trusted me, the people that supported me along the way, and to all those who are part of my life, both in Spain and in Japan. To all of you, thank you, gracias, ありがとうございます, and 谢谢你.

- Eduardo Blázquez

Forewords

I have been working with Antonio Nappa for about 2 years now, and his striving for perfection never fails to amaze me. Together, we dealt with numerous iOS and macOS-related research targets, and his academic approach to analyzing and solving problems is fascinating. When I learned he was writing a book, I was surprised, but at the same time, knew it would be great.

There are many ways to perform vulnerability research on computer systems or parts thereof. Fuzzing is certainly one path and should never be underestimated. With systems becoming more and more complex, approaches such as reverse engineering or source code auditing also require increasing effort, often with little result. Fuzzing, on the other hand, might uncover vulnerabilities without having to understand the entire system. Obviously, the more understanding of a system can be brought into the fuzzing logic, the better the performance and chances for any findings.

This book will take you through different stages, where the first part provides a base of concepts from vulnerabilities and exploitation to emulation. The next part will take you deeper into emulation and how it can be used in conjunction with fuzzing, and help to understand how a vulnerability can be found based on a real-world example. The third and final part will then apply the concepts and knowledge of real systems with real-world examples for different types of systems. This part is actually my favorite since it also dedicates a chapter to fuzzing an emulated iOS system.

Altogether, you will learn about a decent amount of concepts and techniques around emulation and fuzzing based on real examples, which are provided with great details and explanations. You will be able to base future research on the presented target systems or even new targets.

Nikias Bassen

VP of Product Security and iOS Research Team Leader at Zimperium, Inc.

I first met Eduardo accidentally in 2019. And I say “accidentally” because I overheard him, through a room divider, talking to another colleague about low-level topics – something related to electronics, if I recall correctly. As it is one of my areas of expertise, I couldn’t help but contribute to the conversation to offer my point of view. Since then, our relationship has been growing to the point of being very good friends now in 2023. We have shared good moments, together with Antonio Nappa (another author of this book). Throughout the last few years, Eduardo has not ceased in surprising me, always willing to extend his knowledge, especially around the areas of binary analysis and compiler design and implementation.

During the last few years, I have worked strictly in the development of fairly low-level software, including the implementation of an unofficial Linux kernel module, development of microcontroller firmware, contributions in the area of compilers, mainly around the LLVM/clang ecosystem, and the implementation of a number of new features in the experimental columnar I/O system for high-energy physics analysis, which is expected to be in production as of 2025.

In this book, together with Antonio Nappa, Eduardo takes us on the journey of fuzzing embedded devices’ firmware through the use of QEMU. He does so in an engaging manner, covering topics that range from an introduction to system emulation with QEMU, and the use of well-known tools such as AFL, to practical hands-on use cases. The book includes interesting and relevant practical use cases such as fuzzing an OpenWrt-based firmware (which is used as a replacement in many routers) and vulnerability search in the firmware used in some commercial mobile phones. In summary, this book offers an excellent quick start in the area of fuzzing embedded devices’ firmware. Therefore, I’m proud to write the foreword to this book, which I’m sure will be helpful to many people.

Enjoy reading!

Dr. Javier López-Gómez

Senior Fellow in the Software for Physics Experiments group at CERN

Contributors

About the authors

Antonio Nappa, PhD, is the application analysis lead at Zimperium. Since the DEFCON 2008 CTF Finals, he has tried to stay on top of the cybersecurity game. He is an experienced low-level C/C++ developer and a skilled reverse engineer, with expertise in automated fuzzing, firmware emulation, device emulation, and concolic execution. He never goes to sleep with a segfault. He has published several peer-reviewed papers in top-tier conferences. During his academic career, he was a visiting scholar at UC Berkeley, and in industry, he has worked for many eminent start-ups, including Brave and Corelight. Besides working hard, lately, he enjoys exploring side-channel attacks and quantum computing. Outside of computers, he enjoys paddling, swimming, and playing the guitar.

This is a manifesto, not only a book. We wrote this manuscript during one of the hardest times in recent human history, the COVID-19 pandemic. The entire book is a message to help to understand and dominate machines that are all around us and control more aspects of our lives every day, from news feeds to hospitals.

I want to thank my co-author, Eduardo, for his pragmatism, sharpness (like a Katana), and attention to detail.

When you are desperate, in the remotest places of yourself, fuzzing may be one answer to help find your path out of the gears of the trapping machine.

Eduardo Blázquez is a PhD candidate and researcher at the Universidad Carlos III de Madrid. Since learning about security during his bachelor’s degree, he has focused on low-level security. He enjoys writing analysis tools in various languages such as Python, C, and C++. His interests lie in the internals of fuzzing, compilers, and symbolic execution technologies. He has published papers related to Android ecosystem security and privacy, malware analysis, and tool development for Dalvik static analysis. Outside of computers, he enjoys martial arts, listening to Asian music, and learning about Japan and the Japanese language.

About the reviewers

Mauro Matteo Cascella has an MS degree in computer science from the University of Milan. In 2016, Mauro joined team CodeJitsu at UC Berkeley to participate in DARPA’s Cyber Grand Challenge, the first-ever all-machine hacking tournament. He worked on designing and developing new techniques and tools for disassembling, analyzing, and instrumenting x86 program binaries automatically.

He currently works at Red Hat as a product security engineer in the Product Security Incident Response Team (PSIRT), where he is responsible for triaging, assessing, and coordinating the remediation of common vulnerabilities and exposures (CVEs) within RHEL. Mauro is a member of the QEMU security team and has contributed to the project by fixing CVEs and backporting security patches to Fedora.

Adrian Herrera has worked as a cybersecurity researcher for over 10 years. His work has spanned several research areas in support of the Australian government, including malware analysis, high-assurance systems, and vulnerability research. His research interests are in (binary) code analysis and automatic bug finding, and he is currently finishing his PhD in fuzzing at the Australian National University. Adrian is a proponent of open source software, contributing to many security tools, including the S2E binary analysis platform, the Magma fuzzer benchmark, the AFL++ fuzzer, the angr binary analysis platform, and the Kaitai Struct binary format parsing language. Adrian regularly presents at security conferences in Australia.

Part 1: Foundations

This part of the book introduces you to concepts such as vulnerability analysis, software exploitation, software emulation, or fuzzing, among others. You will be able to get in touch with the tooling and install it on the system. A historical view, as well as a technical introduction to emulation, is given to understand the differences between this and other technologies such as virtualization. An overview of the QEMU internals is provided, and you will be able to start doing emulation with the tool.

This part consists of the following chapters:

Chapter 1, Who This Book Is For
Chapter 2, History of Emulation
Chapter 3, QEMU from the Ground

1

Who This Book is For

“Do you hear that, Mr. Anderson? That is the sound of inevitability.” This is a famous phrase from the action movie The Matrix. We refer to this sound as Moore’s law. The constant and inevitable miniaturization of circuits has paved the way for the birth of thousands and thousands of new devices, all equipped with sensors, multiple connections, and operating systems. So, how can a vulnerability researcher cope with so many devices, firmware, and standards?

Owning every device is both expensive and logistically unfeasible. The birth of emulators such as Bleem! followed the same logic: in the 90s, emulating the PlayStation on a PC was surely a cheaper option than buying the console, and you could do everything on the same PC.

Nowadays, it is clear that there is a lot of room for vulnerability research on any kind of device. Pioneering research began in the first decade of this century, and tools such as Quick Emulator (QEMU), PANDA, Avatar, and Avatar2 were created. They allow you to control an emulated device and interface it with simulated sensors or real ones. They do not offer 100% functionality and full code reachability, for obvious reasons (they don’t replace a real device). Still, over the years it has been demonstrated that vulnerabilities can be found by emulating a real device and, where needed, stepping through its execution with a debugger attached to the physical device through a JTAG port.

Still, if we decide to analyze a medium-sized corpus of devices, reversing the firmware code or reading the source code takes a lot of time. Hence, using a fuzzer on the interfaces that are dependent on inputs coming from the user, for instance, may stimulate anomalous behaviors that are easier to backtrack, instead of hunting for them directly.

We will not be able to cope with all devices, interfaces, and protocols, and this is outside the scope of this book. Our aim here is to provide you with the necessary toolkit to understand the process of emulating firmware and hooking it to a fuzzer to trigger anomalous conditions. The examples have been carefully picked to help you understand the process and enable you to adapt the concepts autonomously to new firmware.

In this chapter, we will cover the following topics:

Who is this book for?
A custom journey
Getting a primer
Jumping into the dirt

Who is this book for?

Passion, curiosity, and hard work – these are the main drivers for embarking on a journey through two techniques that have become fundamental to security research.

Regardless of whether you are an expert or not, this book is designed to help any kind of reader. We have designed two different paths that can be taken according to your level of experience. To keep you motivated, we have made the effort to provide you with examples, additional material, and useful information to help you foresee the end of every section, chapter, and ultimately this entire book.

Q1 – do you want to start a career in cybersecurity?

Internet of things (IoT) – does this phrase sound familiar now? After years of such claims, we are living in a period where many platforms are connected to our network. From voice assistants to vacuum cleaning robots, smart light bulbs, smart ovens, dishwashers, and, of course, smartphones. So, as software security researchers, how is it possible to analyze all these platforms, firmware, and software stacks?

One of the best candidates that will allow us to avoid buying all these devices is QEMU. QEMU will be our reference platform for this journey into vulnerability research. We chose it because QEMU can emulate many platforms and is a mature, modular project. Emulation is a great technique for using general-purpose (x86) computers to run any kind of software and firmware. Imagine you want to test an X-ray machine, but the whole object doesn’t fit in your room. How would you proceed? You can get the firmware, emulate its interfaces, fuzz them, and make it crash, crash, crash.

Q2 – are you a passionate programmer? Hobbyist? Tinkerer?

Don’t be afraid of the words emulation, fuzzing, exploit, and vulnerability; soon, you will be familiar with them. We suggest that you read this book from start to finish and practice the easiest examples first. Then, try the most challenging ones.

Q3 – are you a hardened cybersecurity expert?

You are probably the kind of TLDR learner who looks directly at the code snippets in Stack Overflow (https://stackoverflow.com/questions/44991703/a-buffer-overflow-exercise-using-a-shellcode), without even reading the question. Our suggestion is to start from Part 2, Practical Examples, and follow along with all the examples.

Prerequisites

While this book tries to be as self-contained as possible, and the code snippets from the book will be commented, we recommend that you have a basic knowledge of the following topics:

The C programming language
The Linux operating system and general knowledge of operating systems
The Python scripting language
Embedded device functioning principles and electronics

A custom journey

This book has been designed to be in three self-contained parts – Foundations, Description of Emulation and Fuzzing, and Advanced Concepts – all of which include examples with famous open source firmware. The first part provides a deep and thoughtful understanding of emulation and fuzzing. These two techniques are extremely common and widespread in security research. Nonetheless, there are no reference books that talk about these matters in detail and help people start their journey toward understanding one of the most ancient and fascinating concepts in computer science, which is emulation. Fuzzing too is a very old technique, but it has become so sophisticated and advanced that evolutionary algorithms have been implemented to select the best inputs to trigger weird machine states and hunt for some vulnerabilities.

The second part has the hard task of gluing very ancient concepts together with everyday reality. 80 years in computer science are probably comparable to millions of years in biology if you think about circuit miniaturization as a reference point. For that reason, in the second part of this book, we will deep-dive into practical examples where we will use the main tools from this book to get in touch with the world of vulnerability analysis of IoT devices with fuzzing techniques. While this is just an introduction, you will grasp the main concepts, and you will be able to practice these concepts with the proposed exercises.

Finally, in the third part of this book, we will guide you through real examples of fuzzing IoT devices. Here, you will learn how to configure the tools to work with emulated hardware, such as the iPhone 11, and how to use emulation with the corresponding configuration to fuzz this machine to look for vulnerabilities. Once we find possible attack vectors (possible vulnerabilities found by the fuzzer), we will learn how to exploit them using the tools professionals use to search for and exploit those vulnerabilities (for example, disassemblers, and debuggers).

Getting a primer

Vulnerability analysis and software exploitation are related and well-known topics in cybersecurity. The purpose of this book is to look for security bugs in embedded firmware through emulation and then search for a way to exploit (take advantage of) those vulnerabilities. There are various types of security flaws. The best-known, and often exploitable, one is the buffer overflow, where a missing or incorrect bounds check lets user-provided data be written past the end of a program buffer, overwriting adjacent memory and, in some cases, allowing that user to execute code inside the process. In the cybersecurity world, the code that is injected and run by exploiting such a vulnerability is known as shellcode. Spawning a shell to run commands is the classic choice, but it is not the only option: an attacker can be creative and execute different code to get a foot inside the machine.
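To make the missing bounds check concrete, here is an added example in C (not code from the book): a hypothetical request record whose fixed-size name field sits directly before a privilege flag, the unsafe strcpy()-based copy that overflows it, and a hardened copy that checks the length first. NAME_LEN, the struct layout, the function names and the 20-byte input are assumptions made for this illustration.

```c
#define _POSIX_C_SOURCE 200809L   /* for strnlen() */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16

/* Hypothetical request record: a fixed-size name followed by a privilege
 * flag. Anything written past 'name' lands in 'is_admin'. */
struct request {
    char name[NAME_LEN];
    int  is_admin;
};

/* VULNERABLE: strcpy() copies until it finds a NUL byte, so a name of
 * NAME_LEN bytes or more overflows 'name' and overwrites 'is_admin' (and,
 * with longer input, whatever follows the struct). Kept here only to show
 * the bug described in the text; never call it with untrusted input. */
void set_name_unsafe(struct request *r, const char *src)
{
    strcpy(r->name, src);
}

/* HARDENED: measure the input with an upper bound, reject anything that does
 * not fit together with its terminator, then copy exactly that many bytes. */
bool set_name_safe(struct request *r, const char *src)
{
    size_t n = strnlen(src, NAME_LEN);   /* never scans past NAME_LEN bytes */
    if (n >= NAME_LEN)
        return false;                    /* no room left for the trailing NUL */
    memcpy(r->name, src, n);
    r->name[n] = '\0';
    return true;
}

/* How many bytes the unsafe copy would write past the end of 'name' for a
 * given input (0 when it fits): exactly the check the vulnerable code lacks. */
size_t overflow_bytes(const char *src)
{
    size_t needed = strlen(src) + 1;     /* payload plus terminator */
    return needed > NAME_LEN ? needed - NAME_LEN : 0;
}

int main(void)
{
    struct request r = { .name = "", .is_admin = 0 };
    /* Constructed input: 20 'A's, five bytes more than the buffer can hold. */
    const char *long_name = "AAAAAAAAAAAAAAAAAAAA";

    printf("unsafe copy would overflow by %zu bytes\n", overflow_bytes(long_name));
    if (!set_name_safe(&r, long_name))
        puts("safe copy rejected the oversized name; is_admin is still 0");
    /* set_name_unsafe(&r, long_name) would fill the bytes of is_admin with
     * 'A' (0x41), silently turning an ordinary request into an admin one. */
    return r.is_admin;
}
```

The hardened version fails closed: an input that does not fit is rejected rather than truncated, so the caller has to decide what to do with it instead of silently processing a shortened name.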

Not all bugs are created equal

A bug is a software flaw. In many cases, bugs do not lead to security breaches or exploits; they just cause behavior that neither the user nor the developer expects. In other cases, a bug is also a software vulnerability, meaning that it can cause security issues such as data leakage, denial of service, or exploitation. Exploiting a vulnerability typically leads to privilege escalation or to taking control of the CPU’s execution flow to run arbitrary code.

Since the first document explaining this process was published (Aleph One’s Smashing The Stack For Fun And Profit, http://phrack.org/issues/49/14.html#article), many countermeasures have been created to stop an attacker from exploiting such a vulnerability when one is found in a program. Mitigations such as stack canaries, non-executable memory, and address space layout randomization (ASLR) prevent the mass exploitation of plain buffer overflows. However, many other flaws exist:

Program logic errors (a mistake during development can cause a program to end in an undefined or unexpected state)
Buffer over-reads (an improper bounds check allows an attacker to read program data they should not have access to)
Format string vulnerabilities (https://www.win.tue.nl/~aeb/linux/hh/formats-teso.html)
Heap overflows (the buffer overflow’s counterpart on the heap), and many other kinds of vulnerabilities

Searching for these vulnerabilities by hand is hard and tedious because of the time it takes to find a single one, so different techniques exist to help security researchers discover some types of vulnerabilities automatically. In this book, we cover those that use a tool called a fuzzer. A fuzzer targets the way a program handles user-provided data: it runs the program over and over with different inputs and monitors it to detect when the program crashes. To improve its chances, the fuzzer takes a set of sample inputs and mutates them (for example, flipping some bits of a file structure) to produce malformed input that the program cannot handle correctly and that makes it crash. Such a crash may or may not be usable to take advantage of the vulnerability (sadly, not all vulnerabilities are exploitable).
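The loop just described, as an added example rather than code from the book: a small mutation fuzzer in C that bit-flips a seed message, runs a hypothetical parser on each mutant in a forked child (the same isolation AFL’s fork server relies on) and reports when the child dies. The parse_message target, its handler table with an unimplemented message type, the fuzz() and crashes() helpers and the seed message are all constructed for this illustration; a real fuzzer would also collect coverage to steer the mutations, which this one does not.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* ---- Hypothetical target: a tiny message parser --------------------------- */

typedef void (*handler_t)(const uint8_t *payload, size_t len);

static void handle_ping(const uint8_t *p, size_t n) { (void)p; (void)n; }
static void handle_echo(const uint8_t *p, size_t n) { (void)p; (void)n; }
static void handle_bye(const uint8_t *p, size_t n)  { (void)p; (void)n; }

/* Message type 2 was never implemented, so its table slot is NULL. */
static const handler_t handlers[4] = { handle_ping, handle_echo, NULL, handle_bye };

/* First byte is the message type. The range check is correct, but nothing
 * checks the table entry, so type 2 calls a NULL function pointer: a
 * deterministic crash that a fuzzer will find by flipping one bit. */
void parse_message(const uint8_t *msg, size_t len)
{
    if (len < 1)
        return;
    uint8_t type = msg[0];
    if (type >= 4)
        return;                          /* unknown type: bounds check present */
    handlers[type](msg + 1, len - 1);    /* BUG: handlers[2] is NULL */
}

/* ---- Minimal mutation fuzzer ---------------------------------------------- */

/* Mutate: flip between 1 and 3 random bits of the seed (AFL-style bitflips). */
static void mutate(const uint8_t *seed, size_t len, uint8_t *out)
{
    memcpy(out, seed, len);
    int flips = 1 + rand() % 3;
    for (int i = 0; i < flips; i++) {
        size_t bit = (size_t)rand() % (len * 8);
        out[bit / 8] ^= (uint8_t)(1u << (bit % 8));
    }
}

/* Run the target on one input in a forked child and report whether it crashed.
 * A death by signal (SIGSEGV, SIGABRT, ...) is a crash; so is a non-zero exit,
 * which is how a sanitizer reports a fault it intercepted. */
bool crashes(const uint8_t *input, size_t len)
{
    pid_t pid = fork();
    if (pid < 0)
        return false;                    /* could not fork: treat as no result */
    if (pid == 0) {
        parse_message(input, len);
        _exit(0);                        /* clean run */
    }
    int status = 0;
    waitpid(pid, &status, 0);
    return WIFSIGNALED(status) || (WIFEXITED(status) && WEXITSTATUS(status) != 0);
}

/* Fuzz for up to 'iterations' rounds. Returns the 1-based round of the first
 * crash and copies the crashing input into 'crash_out', or -1 if none found. */
long fuzz(const uint8_t *seed, size_t len, long iterations, unsigned rng_seed,
          uint8_t *crash_out)
{
    uint8_t *buf = malloc(len);
    if (!buf)
        return -1;
    srand(rng_seed);                     /* fixed seed: reproducible runs */
    for (long i = 1; i <= iterations; i++) {
        mutate(seed, len, buf);
        if (crashes(buf, len)) {
            memcpy(crash_out, buf, len);
            free(buf);
            return i;
        }
    }
    free(buf);
    return -1;
}

int main(void)
{
    /* Constructed seed: a valid type-0 ("ping") message with a short payload. */
    const uint8_t seed[] = { 0x00, 'h', 'e', 'l', 'l', 'o' };
    uint8_t crash[sizeof seed];
    long round = fuzz(seed, sizeof seed, 5000, 1, crash);
    if (round < 0) {
        puts("no crash found");
        return 1;
    }
    printf("crash after %ld rounds, type byte = 0x%02x\n", round, crash[0]);
    return 0;
}
```

The crashing input is saved so it can be replayed under a debugger, which is the step that separates a crash from an understood vulnerability: here the type byte 0x02 points straight at the missing NULL check, but in a real target the fuzzer only tells you where to start looking.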

The utility belt

We have already roughly mentioned what we’ll see in each part of this book, as well as what tools we will use throughout. We will use this section to move a step forward and provide a better overview of the tools we will use, as well as install them (we will not deep-dive into these tools as they will be part of future chapters).

Git, Python3, build-essential

Git is a software version control system that helps keep track of code modifications, which allows us to store our code in a remote server. One of the main servers that contains Git repositories is GitHub. Everybody can upload their artifacts and share them with other people.

Python was created in 1991 by Guido van Rossum and has exploded as a prototyping language in the last decade thanks to the myriad of libraries written in this language. Without any doubt, Python represents a milestone in computer science because it made programming accessible and readable to everyone. The build-essential package is a basic collection of packages that help compile software in Ubuntu/Debian Linux distributions. Often, Python3