Research Project - Almiraj Embedded Fuzzing

CSE637: Software Security, Spring 2019

Course Description

In this course, students will be introduced to the foundations of software security. We will be exploring different classes of software vulnerabilities, analyzing the fundamental problems behind these vulnerabilities, and studying the methods and techniques to discover, exploit, prevent and mitigate these vulnerabilities. Topics of interest include buffer overflow, integer overflow, type confusion, use-after-free, etc. Throughout the course, we take a defense-in-depth mentality and see how systems can be protected. Students are expected to have a solid understanding of assembly language, C/C++ and operating system.


Embedded systems are hard to fuzz. Cross-platform fuzzing (e.g. using a desktop to send fuzzing inputs to an embedded device) has large performance problems. Hardware limitations in communication slow fuzzing considerably, and monitoring state information is a task unto itself due to overhead and problems with fault detection. Crashes make the system lock up which halts communication from the embedded device. If one can get to the point of reliably observing crashes and communicating, resetting the state of an embedded device will usually require a reboot, which is a massive time sink. Additionally, the various architectures and OSes reduce the portability of an embedded fuzzer. Our goal was to create a portable method for fuzzing embedded systems. We propose Almiraj as a new method of fuzzing for vulnerable embedded code. By leveraging the architecture emulation of the Unicorn Engine, we bypass many hardware limitations and performance pitfalls of previously explored hardware fuzzers. We chose to target FreeRTOS running on a BeagleBone Black (BBB) as a proof of concept because of FreeRTOS’s popularity and ubiquity as an embedded operating system. Any device that can be emulated by Unicorn should be able to be tested, allowing for a wide range of devices and their binaries to be fuzzed. We call our framework Almiraj after the mythical horned rabbit; our version is an American Fuzzy Lop with a unicorn horn.

The full paper can be found here and the open-sourced repo can be found here.