SA-RIOT

01

🔍

QEMU+AFL = Vulnerabilities?

1. Is it so easy to find vulnerabilities? −

• Downloading and installing AFL++

• Preparing a vulnerable VLC instance

• VLC exploit

2. Full-system fuzzing – introducing TriforceAFL −

• Understanding full-system fuzzing concepts

• Installing TriforceAFL

• Setting up the fuzzing environment

3. Final Test

4. Further reading

5. Appendix

02

⚙️

QEMU Primer

1. Adding a new CPU

2. Emulating an embedded firmware

3. Reverse engineering DMA peripherals

4. Emulating UART with Avatar2 for firmware debugging

5. Final Test

03

📱

Baseband Emulation

1. A crash course on mobile phone architecture −

• Baseband

• Baseband CPU family

• Application processor and baseband interface

• A talk with Shannon

• A note on GSM/3GPP/LTE protocol specifications

2. Setting up FirmWire for vulnerability validation −

• CVE-2020-25279 – emulator fuzzing

• CVE-2020-25279 – OTA exploitation

3. Final Test

04

🖥️

Router Emulation x86

1. OpenWrt on x86

2. Building the firmware −

• Testing the firmware in QEMU

• Extracting and preparing the kernel

3. Fuzzing the kernel

4. Post-crash core dump triaging

05

💻

Router Emulation ARM32

1. Emulating the ARM architecture to run an OpenWrt system

2. Installing TriforceAFL for ARM

3. Running TriforceAFL in OpenWrt for ARM

4. Obtaining a crash

5. Final Test

★

⭐

Bonus: Evolving to recent harnesses

1. Using a more recent version of AFL++

2. Harnessing techniques

3. libqemu

4. device trees, nand, nor

06

🍎

iOS14/16 Emulation and Fuzzing of iPhone11

1. A brief history of iOS emulation

2. iOS basics −

• What it takes to boot iOS

• Code signatures

• Plist files and entitlements

• Binaries compilation

• IPSW formats and research kernels

3. Setting up an iOS emulator −

• Preparing the environment

• Building the emulator

• Boot prepping

• Booting iOS in QEMU

4. Preparing your harness to start fuzzing

5. Triforce's driver mod for iOS

6. Final Test

07

🤖

Android Emulation and Fuzzing

1. Introducing the Android OS and its architecture −

• Android system architecture overview

• Understanding the Android stack

• Key components for fuzzing

2. Fuzzing Android libraries with Sloth −

• Setting up Sloth framework

• Targeting Android libraries

• Analysis and vulnerability discovery

3. Final Test

🎯

🏆

Certification Exam

🎯 Fuzzing

⚡ Basic Emulation

🔐 Vulnerability hunting

QEMU+AFL = Vulnerabilities?

1. Is it so easy to find vulnerabilities? −

2. Full-system fuzzing – introducing TriforceAFL −

3. Final Test

4. Further reading

5. Appendix

QEMU Primer

1. Adding a new CPU

2. Emulating an embedded firmware

3. Reverse engineering DMA peripherals

4. Emulating UART with Avatar2 for firmware debugging

5. Final Test

Baseband Emulation

1. A crash course on mobile phone architecture −

2. Setting up FirmWire for vulnerability validation −

3. Final Test

Router Emulation x86

1. OpenWrt on x86

2. Building the firmware −

3. Fuzzing the kernel

4. Post-crash core dump triaging

Router Emulation ARM32

1. Emulating the ARM architecture to run an OpenWrt system

2. Installing TriforceAFL for ARM

3. Running TriforceAFL in OpenWrt for ARM

4. Obtaining a crash

5. Final Test

Bonus: Evolving to recent harnesses

1. Using a more recent version of AFL++

2. Harnessing techniques

3. libqemu

4. device trees, nand, nor

iOS14/16 Emulation and Fuzzing of iPhone11

1. A brief history of iOS emulation

2. iOS basics −

3. Setting up an iOS emulator −

4. Preparing your harness to start fuzzing

5. Triforce's driver mod for iOS

6. Final Test

Android Emulation and Fuzzing

1. Introducing the Android OS and its architecture −

2. Fuzzing Android libraries with Sloth −

3. Final Test

Certification Exam

SA-RIOT: Security Associate Researcher IoT Available until 01/09/2025.

599€ VAT included