- An AArch64 toolchain
- Android platform tools: adb and fastboot
- Python and dependent packages: invoke and prettytable
- Go and Syzkaller packages
- Get the kernel source code and apply our patches
- Make sure the following config options are set:
CONFIG_KCOV=y CONFIG_HWIOTRACE=y CONFIG_HWIOFUZZ=y CONFIG_KHWIO_MMIO=y CONFIG_KHWIO_STREAMING_DMA=y CONFIG_KHWIO_CONSISTENT_DMA=y
- Build the kernel, create a boot image, and flash it
# Build the executor and fuzzer binaries; these are the executables that
# `push --executables` copies to the device and that run from
# /data/local/tmp below.
make executor fuzzer
# Push executables to the target device
python host/cli.py push --executables
# enable tracing
python host/cli.py monitor --enable
python host/cli.py monitor --status # should return "enabled"
# enable probes
# --list-probes prints the available probe contexts; choose one and pass
# its id as <CTX_ID> (placeholder, substitute the value shown in the list).
python host/cli.py monitor --list-probes
python host/cli.py monitor --activate <CTX_ID>
# enable monitoring for active probes for the specified duration
# <MONITOR_SEC> is a placeholder for the trace duration in seconds.
python host/cli.py monitor --trace <MONITOR_SEC>
# check trace_pipe in $PWD
# Parse the captured trace_pipe into initial seed inputs under <SEED_DIR>
# (placeholder), then push that directory to the device so the fuzzer
# below can read it from /data/local/tmp/seed.
python host/cli.py monitor --parse trace_pipe --generate-seed <SEED_DIR>
python host/cli.py push --seed <SEED_DIR>
# create CONFIG_FILE for your needs (see default.cfg)
python host/manager.py --config <CONFIG_FILE>
# From here on the commands run on the device, inside the adb shell.
adb shell
# setup necessary dirs and provide some seed
# The AFL_* variables are standard AFL environment knobs: AFL_NO_ARITH
# skips the arithmetic mutation stages, AFL_FAST_CAL shortens input
# calibration, AFL_NO_FORKSRV disables the fork server and
# AFL_SKIP_CPUFREQ skips the CPU-frequency governor check.
# -i/-o are the seed and output directories, -t 500000+ is the
# per-execution timeout in milliseconds (the trailing '+' makes AFL skip
# inputs that time out instead of aborting), and '@@' is replaced by AFL
# with the path of the current test case.
# NOTE(review): this is a modified AFL, so confirm these option semantics
# against the fuzzer's own usage output.
AFL_NO_ARITH=1 AFL_FAST_CAL=1 AFL_NO_FORKSRV=1 AFL_SKIP_CPUFREQ=1 \
/data/local/tmp/fuzzer -i /data/local/tmp/seed -o /data/local/tmp/out -t 500000+ /data/local/tmp/executor @@
# Presumably run back on the host (leave the adb shell first): inspect the
# most recent crash recorded by the fuzzing run.
python host/cli.py diagnose --last-crash
Citing our paper
@inproceedings{song2019periscope,
title = {{PeriScope}: An Effective Probing and Fuzzing Framework for
the Hardware-{OS} Boundary},
author = {Song, Dokyung and Hetzelt, Felicitas and Das, Dipanjan and
Spensky, Chad and Na, Yeoul and Volckaert, Stijn and Vigna,
Giovanni and Kruegel, Christopher and Seifert, Jean-Pierre and
Franz, Michael},
booktitle = {Network and Distributed System Security Symposium (NDSS)},
year = {2019}
}