riesentoaster/fuzzing-zephyr-network-stack

Fuzzing Zephyr's Network Stack

Using LibAFL, I want to fuzz the TCP/IP stack of Zephyr.

Report

Read the report here. Its artifacts are in the report subdirectory. The report is licensed under CC BY-NC-ND 4.0.

Fuzzer

The code for the fuzzer can be found in the fuzzer subdirectory. The fuzzer is released under an MIT license.

Environment

This project relies on a default installation of Zephyr relative to this folder at ../zephyrproject/zephyr. The Python virtual environment should be placed at ../zephyrproject/.venv.

Zephyr Diff

Changes to Zephyr are stored in zephyr.diff. It is updated on each commit using pre-commit. Apply it using git apply. It is based on commit 8fda052826d.

Communication Protocol/Custom Layer 1

This project uses a custom OSI Layer 1 implementation based on shared memory, which reduces the cost of kernel interactions and makes running multiple parallel instances possible. By default, Zephyr's native_sim wrapper relies on a TUN interface, which only one process can use at a time. With this custom implementation, only a single kernel interaction is necessary to set up the shared memory. Here is how the shared memory is used:

  • shmem[offset]: Size, negative for ready
  • shmem[offset+1..]: Data

Shared memory is split into two such sub-buffers, one for each direction, where offset is:

  • 0 for the packets going from the fuzzer to the system under test
  • shmem_len/2 for packets going from the SUT to the fuzzer

The environment variables SHMEM_ETH_INTERFACE_NAME and SHMEM_ETH_INTERFACE_SIZE are used to communicate the necessary information to the SUT.
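As an added illustration of the slot protocol above (this is not code from the repository; the real fuzzer side is written in Rust on LibAFL and the SUT side lives in zephyr.diff), assuming the size field is a 32-bit signed word immediately followed by the packet bytes, that a zero word means the slot is free, and a constructed 4096-byte buffer in place of the real mapping:

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed model of the README's layout: each half of the shared buffer
 * starts with a 32-bit size word followed by the packet bytes.
 * word < 0  => a packet of -word bytes is ready for the reader
 * word == 0 => slot is free, the writer may place the next packet */
typedef struct {
    _Atomic int32_t size;
    uint8_t data[];
} shmem_slot;

#define SHMEM_LEN 4096                         /* constructed stand-in for SHMEM_ETH_INTERFACE_SIZE */
static _Alignas(8) uint8_t shmem[SHMEM_LEN];   /* constructed stand-in for the mapped region */

/* offset 0: fuzzer -> SUT; SHMEM_LEN/2: SUT -> fuzzer (as described in the README) */
static shmem_slot *slot_at(size_t offset) { return (shmem_slot *)&shmem[offset]; }
static size_t slot_capacity(void) { return SHMEM_LEN / 2 - sizeof(shmem_slot); }

/* Writer side: copy the payload first, then publish the negative size with
 * release semantics so the reader can never observe "ready" before the bytes. */
bool shmem_send(size_t offset, const uint8_t *pkt, size_t len) {
    shmem_slot *s = slot_at(offset);
    /* len == 0 cannot be encoded as "ready" (0 means free), so it is rejected */
    if (len == 0 || len > slot_capacity() || len > INT32_MAX) return false;
    /* previous packet not yet consumed: never overwrite it */
    if (atomic_load_explicit(&s->size, memory_order_acquire) != 0) return false;
    memcpy(s->data, pkt, len);
    atomic_store_explicit(&s->size, -(int32_t)len, memory_order_release);
    return true;
}

/* Reader side: returns the number of bytes copied out, 0 if nothing is ready.
 * Clears the size word afterwards so the writer can reuse the slot. */
size_t shmem_recv(size_t offset, uint8_t *out, size_t out_len) {
    shmem_slot *s = slot_at(offset);
    int32_t v = atomic_load_explicit(&s->size, memory_order_acquire);
    if (v >= 0 || v == INT32_MIN) return 0;     /* nothing ready, or un-negatable garbage */
    size_t len = (size_t)(-v);
    /* a length the peer could not legitimately have written: refuse instead of overflowing */
    if (len > out_len || len > slot_capacity()) return 0;
    memcpy(out, s->data, len);
    atomic_store_explicit(&s->size, 0, memory_order_release);
    return len;
}
```

The length check on the receive side matters because the peer is the fuzzing target: a corrupted size word must not turn into an out-of-bounds copy in the other process.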
