Gustave – Embedded OS kernel fuzzer
GUSTAVE is a fuzzing platform for embedded OS kernels. It is based on QEMU and AFL (and all of its forkserver siblings). It allows you to fuzz OS kernels as if they were simple applications.
Thanks to QEMU, it is multi-platform. One can see GUSTAVE as an AFL forkserver implementation inside QEMU, with fine-grained target inspection.
What are the supported kernels ?
GUSTAVE has primarily been designed to target embedded OS kernels. It might not be the best tool to fuzz a huge and complex Windows or Linux kernel.
However, if you have a target under the hood which can be rebuilt from scratch and crafted with one or two applications to boot without any user interaction, it might be worth giving GUSTAVE a try.
How does it work ?
The afl-fuzz program, from the AFL project, is used to automatically fuzz your target. However, AFL can't directly fuzz an OS kernel: it expects its target to parse the generated test cases directly.
To make it short, afl-fuzz will run QEMU with GUSTAVE integration as its target. In turn, GUSTAVE will handle:
- forkserver synchronization
- translation of the generated test cases into target system calls
- target kernel monitoring
How does it compare to existing solutions ?
There exist similar tools, such as:
GUSTAVE's design choices imply the following differences:
- you want to inject AFL instrumentation shims in the target kernel
- no specific developments are needed inside the target
- really target agnostic (OS, architecture), as long as QEMU provides support
- can even use hardware virtualization with KVM
- covers all system calls implemented in the target kernel
- you still need to implement target-specific things:
  - system calls translator
  - memory guard oracles
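The two target-specific pieces named above, the system calls translator and the memory guard oracle, are what a GUSTAVE user actually writes; the rest of the pipeline (afl-fuzz, the forkserver, QEMU) is generic. The following is an added example and not GUSTAVE's or POK's own code: it decodes an AFL-generated buffer into a list of system calls according to a small hypothetical ABI table, dropping a truncated trailing record instead of reading past the buffer, and it implements an oracle that flags any kernel memory access, during a call issued by one partition, that lands outside kernel memory or that partition's own memory. The syscall table, the record layout, the partition memory map and the sample test case are all assumptions made for the example.

```c
/* Added example, not GUSTAVE's or POK's code. The ABI table, record layout
 * and memory map below are hypothetical placeholders chosen for the example. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define NR_SYSCALLS 4
#define MAX_ARGS    3

/* Hypothetical ABI: number of register arguments of each system call. */
static const uint8_t sys_nargs[NR_SYSCALLS] = { 0, 2, 3, 1 };

typedef struct {
    uint8_t  nr;
    uint32_t args[MAX_ARGS];
} syscall_t;

/* Translator. Each AFL-generated record is one byte of syscall number
 * followed by 4 little-endian bytes per argument of that call. The number
 * is reduced modulo NR_SYSCALLS so every input byte maps to a valid call,
 * and a truncated final record is dropped rather than read past the end.
 * Returns the number of decoded calls. */
size_t translate(const uint8_t *buf, size_t len, syscall_t *out, size_t max)
{
    size_t n = 0, pos = 0;
    while (n < max && pos < len) {
        uint8_t nr = buf[pos] % NR_SYSCALLS;
        size_t need = 1 + 4u * sys_nargs[nr];
        if (len - pos < need)
            break;                          /* truncated record: stop here */
        out[n].nr = nr;
        memset(out[n].args, 0, sizeof out[n].args);
        for (unsigned i = 0; i < sys_nargs[nr]; i++) {
            const uint8_t *p = buf + pos + 1 + 4 * i;
            out[n].args[i] = (uint32_t)p[0] | (uint32_t)p[1] << 8 |
                             (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
        }
        pos += need;
        n++;
    }
    return n;
}

/* Memory guard oracle. While a system call issued by partition `part`
 * executes, the kernel may touch its own memory and that partition's
 * memory only; an access anywhere else (another partition, an unmapped
 * hole) is a bug the fuzzer should report. Hypothetical memory map. */
typedef struct { uint32_t base, size; } region_t;
static const region_t kernel_mem = { 0x00100000u, 0x00100000u };
static const region_t part_mem[2] = {
    { 0x10000000u, 0x00100000u },           /* partition 0 */
    { 0x10100000u, 0x00100000u },           /* partition 1 */
};

/* Overflow-safe containment check: [addr, addr+size) within the region. */
static int inside(const region_t *r, uint32_t addr, uint32_t size)
{
    return addr >= r->base && addr - r->base < r->size &&
           size <= r->size - (addr - r->base);
}

int oracle_access_ok(unsigned part, uint32_t addr, uint32_t size)
{
    if (part >= 2 || size == 0)
        return 0;
    return inside(&kernel_mem, addr, size) || inside(&part_mem[part], addr, size);
}

/* Constructed AFL-style test case: syscall 1 with args (0x10000010, 16),
 * then syscall 0, then a truncated record for syscall 2. */
static const uint8_t sample_tc[] = {
    1, 0x10, 0x00, 0x00, 0x10, 0x10, 0x00, 0x00, 0x00,
    0,
    2, 0xaa, 0xbb,
};
static syscall_t sample_calls[8];

/* Decode the sample into sample_calls; returns how many calls were decoded. */
size_t decode_sample(void)
{
    return translate(sample_tc, sizeof sample_tc, sample_calls, 8);
}

int main(void)
{
    size_t n = decode_sample();
    printf("decoded %zu calls\n", n);       /* 2: the truncated record is dropped */
    /* The kernel, serving partition 0, reads the buffer passed to syscall 1... */
    printf("own buffer ok: %d\n",
           oracle_access_ok(0, sample_calls[0].args[0], sample_calls[0].args[1]));
    /* ...and would be flagged if it touched partition 1's memory instead. */
    printf("other partition ok: %d\n", oracle_access_ok(0, 0x10100000u, 16));
    return 0;
}
```

Two points matter in practice: the translator must never reject input (anything AFL mutates should still map to some call sequence, otherwise coverage feedback is wasted), and the oracle must be overflow-safe, since an access of the form (addr close to the region end, large size) is exactly what a fuzzer produces.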
Current status ?
Hardware
We have implemented and tested Intel x86 and PowerPC support. The GUSTAVE implementation is architecture independent. If you can run your target with QEMU, you can fuzz it with GUSTAVE with little effort.
For now, we provide example Intel 440FX and PowerPC PREP boards with GUSTAVE integration. Implementing your own board is really easy. Have a look at the x86 board.
We also added support for x86 and PowerPC GUSTAVE instrumentation shims to afl-gcc.
Software
We also provide POK micro-kernel target-specific developments:
- system calls ABI generator for both x86/PPC
- x86 memory oracles
How to use it ?
- prepare your target (rebuild it with afl-gcc, or binary patch it)
- implement the target-specific translator
- build QEMU with GUSTAVE integration
- write a JSON configuration file for your target
- run it in a terminal
A step-by-step tutorial is available.
Requirements
Besides a working compilation environment for both your target and QEMU, you will need the following git trees:
$ git clone -b gustave https://github.com/airbus-seclab/afl
$ git clone -b gustave https://github.com/airbus-seclab/qemu
Publications
Material from different talks on GUSTAVE can be found at https://airbus-seclab.github.io/: Slides (en), Slides (fr), Paper, Video