PeriScope: An Effective Probing and Fuzzing Framework for the Hardware-OS Boundary

Setup

Prerequisites

Building and flashing boot image

Building executor and fuzzer (AFL)

make executor fuzzer

# Push executables to the target device
python host/cli.py push --executables

Monitoring and seed generation

# enable tracing
python host/cli.py monitor --enable
python host/cli.py monitor --status # should return "enabled"

# enable probes
python host/cli.py monitor --list-probes
python host/cli.py monitor --activate <CTX_ID>
# enable monitoring for active probes for the specified duration
python host/cli.py monitor --trace <MONITOR_SEC>

# check trace_pipe in $PWD
python host/cli.py monitor --parse trace_pipe --generate-seed <SEED_DIR>
python host/cli.py push --seed <SEED_DIR>

Starting automated fuzzing

# create CONFIG_FILE for your needs (see default.cfg)
python host/manager.py --config <CONFIG_FILE>

Starting AFL manually

adb shell

# set up the necessary directories (seed, out) and provide at least one seed input

AFL_NO_ARITH=1 AFL_FAST_CAL=1 AFL_NO_FORKSRV=1 AFL_SKIP_CPUFREQ=1 \
  /data/local/tmp/fuzzer -i /data/local/tmp/seed -o /data/local/tmp/out -t 500000+ /data/local/tmp/executor @@

Diagnosing crashes

python host/cli.py diagnose --last-crash
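The steps above chained into one script with the checks a practitioner would want (tracing really enabled, a non-empty trace before seed generation), as an added example that is not part of the PeriScope repository. It assumes host/cli.py, adb and the on-device paths from this README, and assumes that `push --seed` places the seeds under /data/local/tmp/seed.

```shell
#!/bin/sh
# Added example, not PeriScope's own code: run monitoring, seed generation,
# seed push and the manual AFL launch from the README with sanity checks.
set -e

DEVICE_DIR=/data/local/tmp          # on-device directory used in the README
CLI="python host/cli.py"            # host-side CLI from the README

# Return 0 only if the text printed by "monitor --status" is exactly "enabled".
# (A plain substring match would also accept "disabled", so compare whole words.)
status_is_enabled() {
  [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "enabled" ]
}

# Compose the AFL invocation from the README for the given seed/out dirs and timeout.
afl_cmdline() {
  seed_dir="$1"; out_dir="$2"; timeout="${3:-500000+}"
  printf '%s %s/fuzzer -i %s -o %s -t %s %s/executor @@' \
    'AFL_NO_ARITH=1 AFL_FAST_CAL=1 AFL_NO_FORKSRV=1 AFL_SKIP_CPUFREQ=1' \
    "$DEVICE_DIR" "$seed_dir" "$out_dir" "$timeout" "$DEVICE_DIR"
}

# Full workflow. Arguments: CTX_ID (pick one from "monitor --list-probes"),
# trace duration in seconds, host-side seed directory.
run_workflow() {
  ctx_id="$1"; monitor_sec="${2:-60}"; seed_dir="${3:-seeds}"
  $CLI monitor --enable
  status="$($CLI monitor --status)"
  status_is_enabled "$status" || { echo "tracing not enabled: $status" >&2; return 1; }
  $CLI monitor --activate "$ctx_id"
  $CLI monitor --trace "$monitor_sec"
  # trace_pipe is written to $PWD; an empty file means the probe never fired
  [ -s trace_pipe ] || { echo "trace_pipe is empty: no probe hits recorded" >&2; return 1; }
  $CLI monitor --parse trace_pipe --generate-seed "$seed_dir"
  $CLI push --seed "$seed_dir"
  # assumption: pushed seeds land in $DEVICE_DIR/seed; AFL output goes to $DEVICE_DIR/out
  adb shell mkdir -p "$DEVICE_DIR/seed" "$DEVICE_DIR/out"
  adb shell "$(afl_cmdline "$DEVICE_DIR/seed" "$DEVICE_DIR/out")"
}

# Usage: sh periscope_run.sh <CTX_ID> [MONITOR_SEC] [SEED_DIR]
if [ "$#" -ge 1 ]; then
  run_workflow "$@"
fi
```

Once AFL has recorded a crash, `python host/cli.py diagnose --last-crash` from the section above is the next step.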

Citing our paper

@inproceedings{song2019periscope,
  title =        {{PeriScope}: An Effective Probing and Fuzzing Framework for
                  the Hardware-{OS} Boundary},
  author =       {Song, Dokyung and Hetzelt, Felicitas and Das, Dipanjan and
                  Spensky, Chad and Na, Yeoul and Volckaert, Stijn and Vigna,
                  Giovanni and Kruegel, Christopher and Seifert, Jean-Pierre and
                  Franz, Michael},
  booktitle =    {Network and Distributed System Security Symposium (NDSS)},
  year =         {2019}
}