fuzzware  by fuzzware-fuzzer

Firmware fuzzer for ARM Cortex-M, using emulation and MMIO modeling

created 3 years ago
343 stars

Top 81.8% on sourcepulse

Project Summary

Fuzzware is an automated, self-configuring fuzzing framework for ARM Cortex-M firmware images. It targets security researchers and embedded systems engineers seeking to discover vulnerabilities in firmware without requiring full hardware emulation. Fuzzware automates the process of understanding and modeling Memory-Mapped I/O (MMIO) interactions, enabling efficient fuzzing by providing realistic hardware behavior to the fuzzer.

How It Works

Fuzzware integrates an instruction set emulator (Unicorn Engine) with a fuzzer (AFL++). The fuzzer supplies inputs that are consumed to answer the firmware's MMIO accesses. The core innovation lies in its MMIO access modeling component, which uses symbolic execution to analyze firmware states and automatically generate models for MMIO accesses. This relieves the fuzzer of guessing hardware behavior, so its inputs are spent on code coverage and functional logic instead. A pipeline component orchestrates the interaction between the emulator and the modeling component, iteratively refining MMIO models and guiding the fuzzing process.

Quick Start & Requirements

  • Install via Docker: ./build_docker.sh then ./run_docker.sh examples fuzzware pipeline --skip-afl-cpufreq pw-recovery/ARCH_PRO
  • Local setup requires Python < 3.10 for the MMIO modeling component (angr version 8.19.10.30). Cortex-M4f targets require compilation with a softfpu.
  • See fuzzware-experiments for datasets and experiment replication.

Highlighted Details

  • Automated MMIO modeling using symbolic execution.
  • Orchestrated pipeline for iterative model refinement and fuzzing.
  • Supports custom configurations for interrupt handling, boot guidance, and code hooks.
  • Detailed documentation for configuration and analysis available in subdirectories and the fuzzware-experiments repository.

Maintenance & Community

The project is associated with USENIX Security '22. Contribution opportunities are listed, including upgrading angr, improving architecture independence, and developing crash analysis tooling.

Licensing & Compatibility

The repository does not explicitly state a license in the README. Compatibility for commercial use or closed-source linking is not specified.

Limitations & Caveats

The MMIO modeling component is tied to an older version of angr, limiting Python support to versions below 3.10. The framework is primarily focused on ARM Cortex-M architectures, with ongoing work to improve architecture independence.

Health Check

  • Last commit: 2 weeks ago
  • Responsiveness: 1 day
  • Pull Requests (30d): 0
  • Issues (30d): 1
  • Star History: 16 stars in the last 90 days
