Hödur

Hoedur is a firmware fuzzing implementation which utilizes a multi-stream input format that is described in our USENIX Security 2023 paper HOEDUR: Embedded Firmware Fuzzing using Multi-Stream Inputs.

Our artifact evaluation is available at hoedur-experiments including details for citing our paper.

Repository Overview

Hoedur consists of different main components as listed below:

Directory	Description
emulator	High-level emulator logic
fuzzer	Hoedur fuzzer implementation
hoedur	Command-line logic and runner
scripts	Usability and evaluation scripts
modeling	Integration with Fuzzware modeling
frametracer	Trace events
hoedur-analyze	Utilities to evaluate fuzzing runs
archive	Reading and writing fuzzing corpus archives
common	Configurations and common utilities
qemu-build	Qemu build, link, and interface code generation utility
qemu-rs	Low-level emulator impl
qemu-sys	Qemu rust bindings

Getting Started

Dependencies

Ubuntu 18.04 / Debian 12:

apt install -y clang curl git libfdt-dev libglib2.0-dev libpixman-1-dev libxcb-shape0-dev libxcb-xfixes0-dev ninja-build patchelf pkg-config python3-psutil zstd make

Install

cargo install --path hoedur/ --bin hoedur-arm
sudo cp target/release/libqemu-system-arm.release.so /usr/lib/

Development / Debug Build

Run a debug build (without install):

cargo run --bin hoedur-arm -- $ARGS

Run a release build (without install):

cargo run --bin hoedur-arm --release -- $ARGS

Fuzzer / Runner (Hoedur)

Fuzzer

Basic usage:

CONFIG=arm/Hoedur/loramac-node/CVE-2022-39274/config.yml
cargo run --bin hoedur-arm -- --config $CONFIG fuzz

See help for details:

cargo run --bin hoedur-arm -- fuzz --help

Runner

Run corpus archive:

ARCHIVE=corpus/hoedur.corpus.tar.zst
cargo run --bin hoedur-arm -- --import-config $ARCHIVE run-corpus $ARCHIVE

Run single input:

INPUT=corpus/input-123.bin
cargo run --bin hoedur-arm -- --import-config $ARCHIVE run $INPUT

Coverage

Run fuzzer with --statistics enabled.

Collect coverage report from corpus archive:

REPORT=corpus/hoedur.report.bin.zst
hoedur-arm --debug --trace --import-config $ARCHIVE run-cov $REPORT $ARCHIVE

Tracing / Hook Scripts

# run hoedur with a custom hook
# `--trace` enables tracing (will hook every basic block / instruction, needed for scripts)
hoedur-arm --import-config $ARCHIVE --debug --trace --hook example.rn run $INPUT

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Repository files navigation

Hödur

Repository Overview

Getting Started

Dependencies

Install

Development / Debug Build

Fuzzer / Runner (Hoedur)

Fuzzer

Runner

Coverage

Tracing / Hook Scripts

About

Uh oh!

Releases

Packages

Uh oh!

Contributors 3

Uh oh!

Languages

Name		Name	Last commit message	Last commit date
Latest commit History 12 Commits
.git-hooks		.git-hooks
archive		archive
common		common
emulator		emulator
frametracer		frametracer
fuzzer		fuzzer
hoedur-analyze		hoedur-analyze
hoedur		hoedur
modeling		modeling
qemu-build		qemu-build
qemu-rs		qemu-rs
qemu-sys		qemu-sys
scripts		scripts
.gitignore		.gitignore
Cargo.lock		Cargo.lock
Cargo.toml		Cargo.toml
LICENSE		LICENSE
README.md		README.md
config.toml		config.toml

License

fuzzware-fuzzer/hoedur

Folders and files

Latest commit

History

Repository files navigation

Hödur

Repository Overview

Getting Started

Dependencies

Install

Development / Debug Build

Fuzzer / Runner (Hoedur)

Fuzzer

Runner

Coverage

Tracing / Hook Scripts

About

Resources

License

Uh oh!

Stars

Watchers

Forks

Releases

Packages 0

Uh oh!

Contributors 3

Uh oh!

Languages

Packages