Awesome
PeriScope: An Effective Probing and Fuzzing Framework for the Hardware-OS Boundary
Setup
Prerequisites
- An AArch64 toolchain
- Android platform tools:
adb
andfastboot
- Python and dependent packages:
invoke
andprettytable
- Go and Syzkaller packages
Building and flashing boot image
-
Get kernel source code and apply our patches
-
Make sure to have the following config options set
CONFIG_KCOV=y CONFIG_HWIOTRACE=y CONFIG_HWIOFUZZ=y CONFIG_KHWIO_MMIO=y CONFIG_KHWIO_STREAMING_DMA=y CONFIG_KHWIO_CONSISTENT_DMA=y
-
Build the kernel and create a boot image, and flash it
Building executor and fuzzer (AFL)
make executor fuzzer
# Push executables to the target device
python host/cli.py push --executables
Monitoring and seed generation
# enable tracing
python host/cli.py monitor --enable
python host/cli.py monitor --status # should return "enabled"
# enable probes
python host/cli.py monitor --list-probes
python host/cli.py monitor --activate <CTX_ID>
# enable monitoring for active probes for the specified duration
python host/cli.py monitor --trace <MONITOR_SEC>
# check trace_pipe in $PWD
python host/cli.py monitor --parse trace_pipe --generate-seed <SEED_DIR>
python host/cli.py push --seed <SEED_DIR>
Starting automated fuzzing
# create CONFIG_FILE for your needs (see default.cfg)
python host/manager.py --config <CONFIG_FILE>
Starting AFL manually
adb shell
# setup necessary dirs and provide some seed
AFL_NO_ARITH=1 AFL_FAST_CAL=1 AFL_NO_FORKSRV=1 AFL_SKIP_CPUFREQ=1 \
/data/local/tmp/fuzzer -i /data/local/tmp/seed -o /data/local/tmp/out -t 500000+ /data/local/tmp/executor @@
Diagnosing crashes
python host/cli.py diagnose --last-crash
Citing our paper
@inproceedings{song2019periscope,
title = {{PeriScope}: An Effective Probing and Fuzzing Framework for
the Hardware-{OS} Boundary},
author = {Song, Dokyung and Hetzelt, Felicitas and Das, Dipanjan and
Spensky, Chad and Na, Yeoul and Volckaert, Stijn and Vigna,
Giovanni and Kruegel, Christopher and Seifert, Jean-Pierre and
Franz, Michael},
booktitle = {Network and Distributed System Security Symposium (NDSS)},
year = {2019}
}