Hoedur is a firmware fuzzing implementation which utilizes a multi-stream input format that is described in our USENIX Security 2023 paper HOEDUR: Embedded Firmware Fuzzing using Multi-Stream Inputs.
Our artifact evaluation is available at hoedur-experiments including details for citing our paper.
Hoedur consists of different main components as listed below:
| Directory | Description |
|---|---|
| emulator | High-level emulator logic |
| fuzzer | Hoedur fuzzer implementation |
| hoedur | Command-line logic and runner |
| scripts | Usability and evaluation scripts |
| modeling | Integration with Fuzzware modeling |
| frametracer | Trace events |
| hoedur-analyze | Utilities to evaluate fuzzing runs |
| archive | Reading and writing fuzzing corpus archives |
| common | Configurations and common utilities |
| qemu-build | Qemu build, link, and interface code generation utility |
| qemu-rs | Low-level emulator impl |
| qemu-sys | Qemu rust bindings |
Ubuntu 18.04:
apt install -y clang curl git libfdt-dev libglib2.0-dev libpixman-1-dev libxcb-shape0-dev libxcb-xfixes0-dev ninja-build patchelf pkg-config python3-psutil zstdcargo install --path hoedur/ --bin hoedur-arm
sudo cp target/release/libqemu-system-arm.release.so /usr/lib/Run a debug build (without install):
cargo run --bin hoedur-arm -- $ARGSRun a release build (without install):
cargo run --bin hoedur-arm --release -- $ARGSBasic usage:
CONFIG=arm/Hoedur/loramac-node/CVE-2022-39274/config.yml
cargo run --bin hoedur-arm -- --config $CONFIG fuzzSee help for details:
cargo run --bin hoedur-arm -- fuzz --helpRun corpus archive:
ARCHIVE=corpus/hoedur.corpus.tar.zst
cargo run --bin hoedur-arm -- --import-config $ARCHIVE run-corpus $ARCHIVERun single input:
INPUT=corpus/input-123.bin
cargo run --bin hoedur-arm -- --import-config $ARCHIVE run $INPUTRun fuzzer with --statistics enabled.
Collect coverage report from corpus archive:
REPORT=corpus/hoedur.report.bin.zst
hoedur-arm --debug --trace --import-config $ARCHIVE run-cov $REPORT $ARCHIVE# run hoedur with a custom hook
# `--trace` enables tracing (will hook every basic block / instruction, needed for scripts)
hoedur-arm --import-config $ARCHIVE --debug --trace --hook example.rn run $INPUT