This directory contains all information required to reproduce our fuzzing targets for the previously unknown bugs that Hoedur detected. The directory holds the following components:
- References to firmware targets (prebuilt binaries and build environment)
- Scripts to run the fuzzer against the targets newly introduced by Hoedur
- Details on the bugs found by Hoedur
- Pre-generated proof-of-concept (PoC) inputs that trigger each CVE
In this repository we provide pre-extracted bug reproducer inputs under `./results/bug-reproducers`. These are also linked to in the tables below. The script `run_reproducer.py` can be used to execute a reproducing input in Hoedur. To run the script, execute:

```sh
./scripts/run_reproducer.py <bug_name>
```

Here, `bug_name` is the name of the reproducer in the table Bug Overview, e.g., `CVE-2023-31129`.

Additional options are `--results` to pass a custom `bug-reproducers` directory, `--targets` to pass a custom `targets` directory, and `--trace` to show additional execution trace information. E.g., to execute an input from experiment 01-bug-finding-ability, run:

```sh
./scripts/run_reproducer.py --results ../01-bug-finding-ability/results/bug-reproducers <bug_name>
```
After the execution finishes a register dump and the crash reason for the bug are printed.
For convenience, scripts to run each reproducer are located in `repro-run-scripts`. Additionally, each reproducer comes with a README that describes how the emulator output can be interpreted and why the input leads to the given crash.
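Running the reproducers one by one is tedious when some PoC inputs live in this directory and others in `../01-bug-finding-ability/results/bug-reproducers` (the `--results` case shown above). The following batch driver is an added example, not part of the artifact: it locates each reproducer in a list of candidate `bug-reproducers` directories, builds the `run_reproducer.py` command line from the documented options only, stores the emulator output per bug, and records missing inputs and timeouts instead of aborting. It assumes (the README does not say this) that each reproducer is stored as a file or subdirectory named exactly like the bug, e.g. `results/bug-reproducers/CVE-2023-31129`, and that it is started from this experiment directory like the README commands; the `runner` parameter and `demo()` use a constructed stand-in for the real script so the driver can be exercised without Hoedur.

```python
#!/usr/bin/env python3
"""Batch driver around scripts/run_reproducer.py (added example, not part of the artifact).

Assumptions not stated in the README: every reproducer input is stored under a
bug-reproducers directory as a file or subdirectory named exactly like the bug
(e.g. results/bug-reproducers/CVE-2023-31129), and this script is started from the
experiment directory, as the README commands are.
"""
import subprocess
import tempfile
from pathlib import Path

REPRODUCER_SCRIPT = "./scripts/run_reproducer.py"

# Search order: this experiment first, then experiment 01, which holds the PoCs of
# bugs that were found on Fuzzware data-set targets.
DEFAULT_RESULTS_DIRS = [
    Path("results/bug-reproducers"),
    Path("../01-bug-finding-ability/results/bug-reproducers"),
]

# Bug names from the target table on this page.
BUG_OVERVIEW = [
    "CVE-2023-23609", "CVE-2023-28116", "CVE-2023-29001", "CVE-2023-31129",
    "CVE-2022-41873", "CVE-2022-41972", "CVE-2023-0397", "CVE-2023-1422",
    "CVE-2023-1423", "CVE-2023-1901", "CVE-2023-1902", "CVE-2023-0359",
    "CVE-2022-3806", "CVE-2023-24817", "CVE-2023-24818", "CVE-2023-24819",
    "CVE-2023-24820", "CVE-2023-24821", "CVE-2023-24822", "CVE-2023-24823",
    "CVE-2023-24825", "CVE-2023-24826", "CVE-2022-39274",
]


def find_reproducer(bug_name, results_dirs=DEFAULT_RESULTS_DIRS):
    """Return the first results directory holding an entry named bug_name, or None."""
    for results_dir in results_dirs:
        if (Path(results_dir) / bug_name).exists():
            return Path(results_dir)
    return None


def build_command(bug_name, results_dir, targets_dir=None, trace=False):
    """Assemble the run_reproducer.py command line from the options the README documents."""
    cmd = [REPRODUCER_SCRIPT, "--results", str(results_dir)]
    if targets_dir is not None:
        cmd += ["--targets", str(targets_dir)]
    if trace:
        cmd.append("--trace")
    cmd.append(bug_name)
    return cmd


def run_reproducers(bug_names, log_dir, results_dirs=DEFAULT_RESULTS_DIRS,
                    targets_dir=None, timeout=900, runner=subprocess.run):
    """Run each reproducer once, save its output (register dump and crash reason) to
    log_dir/<bug>.log and return {bug: {"status": ..., "results": ..., "log": ...}}.
    `runner` is injectable so the driver can be tested without the emulator."""
    log_dir = Path(log_dir)
    log_dir.mkdir(parents=True, exist_ok=True)
    summary = {}
    for bug in bug_names:
        results_dir = find_reproducer(bug, results_dirs)
        if results_dir is None:
            summary[bug] = {"status": "missing"}
            continue
        cmd = build_command(bug, results_dir, targets_dir=targets_dir)
        try:
            proc = runner(cmd, capture_output=True, text=True, timeout=timeout)
        except subprocess.TimeoutExpired:
            summary[bug] = {"status": "timeout", "results": str(results_dir)}
            continue
        log_path = log_dir / f"{bug}.log"
        log_path.write_text(proc.stdout + proc.stderr)
        summary[bug] = {
            "status": "ok" if proc.returncode == 0 else f"exit {proc.returncode}",
            "results": str(results_dir),
            "log": str(log_path),
        }
    return summary


def demo():
    """Exercise the driver on a constructed directory layout with a fake runner."""
    root = Path(tempfile.mkdtemp())
    local, exp01 = root / "local", root / "exp01"
    (local / "CVE-2023-31129").mkdir(parents=True)  # constructed: stands in for this experiment
    (exp01 / "CVE-2023-0359").mkdir(parents=True)   # constructed: stands in for experiment 01

    def fake_runner(cmd, **kwargs):  # constructed stand-in for run_reproducer.py
        return subprocess.CompletedProcess(cmd, 0, stdout=f"fake crash reason for {cmd[-1]}\n", stderr="")

    return run_reproducers(["CVE-2023-31129", "CVE-2023-0359", "CVE-1999-0001"],
                           root / "logs", [local, exp01], runner=fake_runner)


if __name__ == "__main__":
    for bug, info in run_reproducers(BUG_OVERVIEW, "reproducer-logs").items():
        print(bug, info["status"], info.get("results", ""))
```

The driver does not interpret `run_reproducer.py`'s exit code beyond recording it, since the README does not specify what the script returns after a reproduced crash; read the per-bug log and the reproducer's own README to confirm the crash reason.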
To rerun the experiment, refer to ../generate_host_run_config.py. Based on a description of the hosts that are available to run the experiments, this utility generates scripts that can be distributed to the available hosts to split the overall workload and allow for a more time efficient reproduction.
This table contains information on the fuzzing targets. Note that some of the new CVEs found by Hoedur were identified while fuzzing targets from the Fuzzware data set (for reference, see also the originally published Fuzzware experiment data); these are listed with the Fuzzware build script. The entry marked with * is explained in the note on CVE-2023-0359 below.
CVE | OS / Lib | Build Script | Prebuilt Target |
---|---|---|---|
CVE-2023-23609 | Contiki-NG | Fuzzware | Firmware |
CVE-2023-28116 | Contiki-NG | Fuzzware | Firmware |
CVE-2023-29001 | Contiki-NG | Fuzzware | Firmware |
CVE-2023-31129 | Contiki-NG | build.py | Firmware |
CVE-2022-41873 | Contiki-NG | build.py | Firmware |
CVE-2022-41972 | Contiki-NG | build.py | Firmware |
CVE-2023-0397 | Zephyr | Fuzzware | Firmware |
CVE-2023-1422 | Zephyr | Fuzzware | Firmware |
CVE-2023-1423 | Zephyr | Fuzzware | Firmware |
CVE-2023-1901 | Zephyr | Fuzzware | Firmware |
CVE-2023-1902 | Zephyr | Fuzzware | Firmware |
CVE-2023-0359 * | Zephyr | Fuzzware | Firmware |
CVE-2022-3806 | Zephyr | build.py | Firmware |
CVE-2023-24817 | RIOT | build.py | Firmware |
CVE-2023-24818 | RIOT | build.py | Firmware |
CVE-2023-24819 | RIOT | build.py | Firmware |
CVE-2023-24820 | RIOT | build.py | Firmware |
CVE-2023-24821 | RIOT | build.py | Firmware |
CVE-2023-24822 | RIOT | build.py | Firmware |
CVE-2023-24823 | RIOT | build.py | Firmware |
CVE-2023-24825 | RIOT | build.py | Firmware |
CVE-2023-24826 | RIOT | build.py | Firmware |
CVE-2022-39274 | LoRaMac-node | build.py | Firmware |
This table contains information on the bugs found by Hoedur. Note that some of the new CVEs found by Hoedur were identified while fuzzing targets from the Fuzzware CVE data set (for reference, see also the originally published experiment data). As a result, some PoC inputs are located in the results of experiment 01-bug-finding-ability.
The bug corresponding to CVE-2023-0359 was originally found on the Fuzzware target CVE-2020-10064. It was already extremely hard to trigger there, and the fuzzer does not appear to reproduce it on a target built against the latest version of Zephyr, because on that version an additional layer of complex timing requirements must be satisfied before the bug is triggered. We therefore provide a reproducer based on the original Fuzzware target in this directory. Fuzzing in experiment 01-bug-finding-ability may still trigger CVE-2023-0359 in rare cases.
For reference, we include example timings for the discovery of the new bugs found in targets outside the Fuzzware CVE target set. These numbers are not definitive and vary with the number of runs and with chance.
The discovery timings of the new bugs found in the Fuzzware CVE data set are given in the Hoedur paper and become part of the results of experiment 01 after re-running the experiments.
CVE ID | Time to discovery | Runs |
---|---|---|
CVE-2023-31129 | 2h | 17 |
CVE-2022-41873 | < 30m | 17 |
CVE-2022-41972 | < 30m | 17 |
CVE-2023-0359 | h | |
CVE-2022-3806 | 8h | 25 |
CVE-2023-24817 | 24h | 52 |
CVE-2023-24818 | < 24h | 5 |
CVE-2023-24819 | < 24h | 5 |
CVE-2023-24820 | < 24h | 5 |
CVE-2023-24821 | < 24h | 5 |
CVE-2023-24822 | < 24h | 5 |
CVE-2023-24823 | < 24h | 5 |
CVE-2023-24825 | 12h | 52 |
CVE-2023-24826 | < 24h | 5 |
CVE-2022-39274 | < 30m | 17 |