
Fuzzing

assafcarlsbad edited this page Dec 20, 2020 · 2 revisions

General

efi_fuzz currently supports two modes for fuzzing: NVRAM variables and SMI handlers. These two modes correspond to known attack vectors against UEFI.

Using efi_fuzz

The general usage of efi_fuzz takes the following form:

python efi_fuzz.py [target] [options] [mode] [mode-specific-arguments]

where:

  • [target] is the path to the UEFI binary you wish to emulate/fuzz.

  • [options] are a combination of zero or more of the following:

  -e, --end address                     - Specify an end address for the emulation.
  -t, --timeout msec                    - Specify a new timeout value for the emulation, in ms.
  -o, --output format                   - Specify output format for debugging purposes. Valid values are: 'trace', 'disasm', 'debug' and 'off' (defaults to 'off').
  -s, --sanitize what                   - Enables a particular sanitizer. Valid values are: 'memory' and 'smm' (see Sanitizers page for more information).
  -t, --taint what                      - Keeps track of certain memory regions via Triton and taint propagation.  Valid values are: 'uninitialized' and 'smm' (see Taint page for more information).
  -l, --load package                    - Load a Python package to further customize the emulation environment (see Customization page for more information).
  -v, --nvram file                      - Path to a pickled dictionary containing the NVRAM environment variables.
  -x, --extra-modules file1, ..., fileN - A list of extra modules to load into the emulated environment.

  • [mode] can be either nvram or swsmi.

NVRAM fuzzing

In NVRAM mode, the fuzzer mutates the contents of one of the NVRAM variables. If this variable is later consumed or otherwise processed by a target module without proper validation, it might be a sign of a potential bug.

The NVRAM-specific fuzzing arguments are: [varname] [infile], where:

[varname] is the name of the variable to fuzz (e.g. 'SetupCpuFeatures')
[infile] is a path to the file containing the data for the variable. When running under 'afl-fuzz', set this to '@@'.

SWSMI fuzzing

In SWSMI mode, the fuzzer mutates the values of certain CPU registers before emulating a software SMI. These registers are then saved in a dedicated portion of SMRAM called the "save state", where they can be fetched by the currently executing SMI handler via protocols such as EFI_SMM_CPU_PROTOCOL.

The SWSMI-specific fuzzing arguments are: [registers] [infile], where:

[registers] can be either a list of CPU registers to fuzz (e.g. rax rcx rsi) or 'ALL' to fuzz all supported registers.
[infile] is a path to the file containing the data for the selected registers. If the size of the file is not big enough to provide values for all the registers, the remaining registers will be set to zero. When running under 'afl-fuzz', set this to '@@'.
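As an added illustration (not code from the efi_fuzz project), the helper below builds an [infile] seed for the swsmi mode and shows the zero-fill rule described above by mapping the file back onto the register list. It assumes, since the page does not state the format, that each fuzzed register consumes 8 little-endian bytes in the order the registers are listed on the command line.

```python
from pathlib import Path
import tempfile

# Assumption (not stated on the page): one fuzzed register = REG_WIDTH bytes,
# little-endian, consumed in command-line order. Adjust if the harness differs.
REG_WIDTH = 8


def build_seed(values):
    """Pack an ordered list of (register, value) pairs into seed-file bytes."""
    out = bytearray()
    for reg, val in values:
        if not 0 <= val < (1 << (8 * REG_WIDTH)):
            raise ValueError(f"{reg}: {val:#x} does not fit in {REG_WIDTH} bytes")
        out += val.to_bytes(REG_WIDTH, "little")
    return bytes(out)


def assign_registers(registers, data):
    """Map seed-file bytes onto the register list.

    Mirrors the rule from the page: registers the file is too short to cover
    are set to zero. A trailing partial chunk is zero-extended (assumption).
    """
    regs = {}
    for i, reg in enumerate(registers):
        chunk = data[i * REG_WIDTH:(i + 1) * REG_WIDTH]
        chunk = chunk.ljust(REG_WIDTH, b"\x00")  # zero-fill missing bytes
        regs[reg] = int.from_bytes(chunk, "little")
    return regs


def write_seed(path, values):
    """Write a seed file usable as [infile] and return its size in bytes."""
    p = Path(path)
    p.write_bytes(build_seed(values))
    return p.stat().st_size


if __name__ == "__main__":
    # Constructed sample: set rax and rcx, leave rsi to the zero-fill rule.
    seed = build_seed([("rax", 0xEF), ("rcx", 0x10)])
    print(assign_registers(["rax", "rcx", "rsi"], seed))
    with tempfile.TemporaryDirectory() as d:
        seed_path = Path(d) / "seed.bin"
        print(write_seed(seed_path, [("rax", 0xEF)]), "bytes written to", seed_path)
```

Point afl-fuzz's input directory at files produced this way and pass '@@' as [infile], as the text above describes.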