Hödur

Hoedur is a firmware fuzzing implementation which utilizes a multi-stream input format that is described in our USENIX Security 2023 paper HOEDUR: Embedded Firmware Fuzzing using Multi-Stream Inputs.

Repository Overview

Hoedur consists of different main components as listed below:

Directory	Description
emulator	High-level emulator logic
fuzzer	Hoedur fuzzer implementation
hoedur	Command-line logic and runner
scripts	Usability and evaluation scripts
modeling	Integration with Fuzzware modeling
frametracer	Trace events
hoedur-analyze	Utilities to evaluate fuzzing runs
archive	Reading and writing fuzzing corpus archives
common	Configurations and common utilities
qemu-build	Qemu build, link, and interface code generation utility
qemu-rs	Low-level emulator impl
qemu-sys	Qemu rust bindings

Getting Started

Dependencies

Ubuntu 18.04:

apt install -y clang curl git libfdt-dev libglib2.0-dev libpixman-1-dev libxcb-shape0-dev libxcb-xfixes0-dev ninja-build patchelf pkg-config python3-psutil zstd build-essential

rust:

curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh

Install

cargo install --path hoedur/ --bin hoedur-arm
sudo cp target/release/libqemu-system-arm.release.so /usr/lib/

Development / Debug Build

Run a debug build (without install):

cargo run --bin hoedur-arm -- $ARGS

Run a release build (without install):

cargo run --bin hoedur-arm --release -- $ARGS

Chinese mirror:

Because https://download.qemu.org resolve failed in our server, so change the current lines in qemu-sys/build.rs

change the /path/to/qemu-.. to where you put your qemu archive

// download QEMU
  //assert!(Command::new("wget")
   //   .arg("https://download.qemu.org/qemu-7.1.0.tar.xz")
    //  .arg("-O")
     // .arg(&qemu_tar)
     // .status()
      //.expect("QEMU download failed")
      //.success());

  assert!(Command::new("cp")
          .arg("/path/to/qemu-7.1.0.tar.xz")
          .arg(&qemu_tar)
          .status()
          .expect("no")
          .success());

Fuzzer / Runner (Hoedur)

Fuzzer

Basic usage:

CONFIG=arm/Hoedur/loramac-node/CVE-2022-39274/config.yml
cargo run --bin hoedur-arm -- --config $CONFIG fuzz

See help for details:

cargo run --bin hoedur-arm -- fuzz --help

Runner

Run corpus archive:

ARCHIVE=corpus/hoedur.corpus.tar.zst
cargo run --bin hoedur-arm -- --import-config $ARCHIVE run-corpus $ARCHIVE

Run single input:

INPUT=corpus/input-123.bin
cargo run --bin hoedur-arm -- --import-config $ARCHIVE run $INPUT

Coverage

Run fuzzer with --statistics enabled.

Collect coverage report from corpus archive:

REPORT=corpus/hoedur.report.bin.zst
hoedur-arm --debug --trace --import-config $ARCHIVE run-cov $REPORT $ARCHIVE

Tracing / Hook Scripts

# run hoedur with a custom hook
# `--trace` enables tracing (will hook every basic block / instruction, needed for scripts)
hoedur-arm --import-config $ARCHIVE --debug --trace --hook example.rn run $INPUT

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

Hödur

Repository Overview

Getting Started

Dependencies

Install

Development / Debug Build

Fuzzer / Runner (Hoedur)

Fuzzer

Runner

Coverage

Tracing / Hook Scripts

About

Releases

Packages

Languages

Name		Name	Last commit message	Last commit date
Latest commit History 3 Commits
.cargo		.cargo
.git-hooks		.git-hooks
archive		archive
common		common
emulator		emulator
frametracer		frametracer
fuzzer		fuzzer
hoedur-analyze		hoedur-analyze
hoedur		hoedur
modeling		modeling
qemu-build		qemu-build
qemu-rs		qemu-rs
qemu-sys		qemu-sys
scripts		scripts
.gitignore		.gitignore
Cargo.lock		Cargo.lock
Cargo.toml		Cargo.toml
README.md		README.md

IoTS-P/hoedur

Folders and files

Latest commit

History

Repository files navigation

Hödur

Repository Overview

Getting Started

Dependencies

Install

Development / Debug Build

Fuzzer / Runner (Hoedur)

Fuzzer

Runner

Coverage

Tracing / Hook Scripts

About

Resources

Stars

Watchers

Forks

Releases

Packages 0

Languages

Packages