Fuzzing is a very popular and useful technique used by researchers to find vulnerabilities. In this article, we are going to describe how we can use AFL++ and the Ghidra emulation engine to fuzz programs in embedded devices running on exotic architectures. This can be an alternative choice when fuzzing cannot easily be done using a supported emulator engine like QEMU or Unicorn. In this context, we designed a new tool to interact with AFL++. With this new functionality, we can now implement a code coverage feature while fuzzing through an external running program (for example, the Ghidra emulation engine). Finally, we will describe a use case example on an Xtensa (ESP32) architecture.

In order to be more efficient in vulnerability discovery, researchers often use a fuzzing approach to highlight potentially exploitable bugs. In a nutshell, fuzzing consists of injecting “random” inputs into a program while monitoring it to detect any abnormal behaviour, like crashes or unexpected issues. In many cases, the easiest approach, “blind fuzzing”, merely consists of sending random data to a program or an embedded device until abnormal behaviour occurs, such as a crash, a delayed response or a configuration change. To be as efficient as possible, even blind fuzzing requires significant reverse engineering effort: indeed, we need to understand the expected input data format of the application (the size field, some function code field, a CRC and so on) in order to maximise the chance of finding vulnerabilities. Without this preliminary work, it is very unlikely that a potentially vulnerable portion of code will ever be reached. Nowadays, “fuzzing with code coverage” is the most relevant fuzzing approach for getting interesting results. The main idea is to automatically supply new inputs to the fuzzing engine in order to execute as much of the reachable code as possible. So, in practice, every new execution path discovered leads to a new sample on which fuzzing mutations will occur.
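The coverage-feedback loop described above, as an added example that is not part of the article or of the AFL++/Ghidra tool it presents: a constructed Python target with a size field, a function-code field and a CRC32 trailer, a queue that gains a new sample for every new edge, and an optional format fix-up (the result of the reverse engineering effort mentioned above) that recomputes size and CRC after each mutation. The block trace returned by `target` stands in for the coverage map an instrumented binary or an emulator would feed back; `target`, `fix_format`, `edges`, `fuzz` and `SEED` are this example's own names.

```python
import struct
import zlib

# Constructed target (not from the article): a message with a size field, a
# function-code field and a CRC32 trailer.  It returns the basic blocks it ran
# through; that trace stands in for the coverage feedback AFL++ collects.
def target(msg: bytes) -> list:
    trace = ["entry"]
    if len(msg) < 6:
        return trace + ["too_short"]
    size, func = msg[0], msg[1]
    if size != len(msg) - 6:
        return trace + ["bad_size"]
    body = msg[:2 + size]
    if struct.unpack("<I", msg[2 + size:])[0] != zlib.crc32(body):
        return trace + ["size_ok", "bad_crc"]
    trace += ["size_ok", "crc_ok"]
    if func == 0x20:                       # "write" function code
        trace.append("handle_write")
        for i, c in enumerate(b"ABCD"):    # byte-wise compare: each matched
            if i >= size or body[2 + i] != c:   # byte opens one new edge
                break
            trace.append("magic%d" % i)
        else:
            trace.append("deep_state")     # only reached past every check
    return trace
def fix_format(msg: bytes) -> bytes:
    """Format knowledge (from reverse engineering): rebuild size and CRC."""
    payload = msg[2:-4][:255] if len(msg) >= 6 else b""
    body = bytes([len(payload), msg[1] if len(msg) > 1 else 0]) + payload
    return body + struct.pack("<I", zlib.crc32(body))
def edges(trace: list) -> set:
    return set(zip(trace, trace[1:]))      # AFL-style edge coverage
def fuzz(seed: bytes, fixup: bool) -> set:
    """Coverage-guided loop: each input hitting a new edge is queued and
    mutated in turn (here with deterministic single-byte overwrites)."""
    queue, seen = [seed], edges(target(seed))
    for entry in queue:                    # the queue grows while iterating
        for pos in range(len(entry)):
            for val in range(256):
                cand = entry[:pos] + bytes([val]) + entry[pos + 1:]
                if fixup:
                    cand = fix_format(cand)
                new = edges(target(cand)) - seen
                if new:                    # new path -> new sample to mutate
                    seen |= new
                    queue.append(cand)
    return {block for edge in seen for block in edge}
SEED = fix_format(bytes([4, 0x10]) + b"\x00" * 8)   # valid "read" message
```

`fuzz(SEED, fixup=True)` reaches `deep_state`, while `fuzz(SEED, fixup=False)` never gets past `bad_size`/`bad_crc`, because every blind mutation of a correctly framed message breaks the size or CRC check.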