MCPcopy Index your code
hub / github.com/MultiFuzz/MultiFuzz

github.com/MultiFuzz/MultiFuzz @main

Chat with this repo
repository ↗ · DeepWiki ↗ · + Follow
770 symbols 1,901 edges 51 files 116 documented · 15% updated 6d ago★ 43
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

MultiFuzz

Code release for MultiFuzz: A Multi-Stream Fuzzer For Testing Monolithic Firmware.

Paper preview

Quickstart

If you have yet to initialize the Ghidra submodule (required for the emulator) then this should be done before starting:

git submodule update --init ghidra

Next place the target firmware into its own folder (e.g. ./firmware) and run the fuzzer:

cargo run --release -- ./firmware

The first time the fuzzer runs it will generate an initial config file (config.yml). Some targets may need manual modifications, e.g. to add missing MCU specific memory sections. Additionally, automatic config file generation is currently only supported for ELF binaries, to fuzz other targets, the appropriate file must be created manually. Alternatively, MultiFuzz is also compatible with the configuration files generated by Fuzzware including any MMIO models.

Configuration

The fuzzer can be configure using environment variables:

  • WORKDIR=<path>: (default=workdir) Configures the directory the fuzzer uses to store information about the fuzzing session.
  • COVERAGE_MODE=<type>: Controls the coverage instrumentation used for feedback by the fuzzer (if unspecified the default mode is blocks). Where <type> is one of:
    • blocks: Store a bit whenever a block is hit.
    • edges: Store a bit whenever an edge is hit.
    • blockcounts: Increment a counter whenever a block is hit.
    • edgecounts: (AFL-style) Increment a counter whenever an edge is hit.
  • REPLAY=<path>: Instead of running the fuzzer, execute the input specified at <path>
  • GEN_BLOCK_COVERAGE=<type>: Replay all the inputs in WORKDIR/queue with additional tracing enabled to produce a json file containing information about the blocks discovered during the fuzzing campaign.
    • full: Output the newly discovered found by each input.
    • blocks: Output just the unique blocks found and the time and input the block was found at.
  • ANALYZE_CRASHES: Replay all inputs in WORKDIR/crashes and print information about unknown crashes.
  • RUN_FOR=<time>: Stop the fuzzer after the specified period of time has elapsed. e.g. (RUN_FOR=24h). Allowed suffixes are s (seconds), m (minutes), h (hours).

Debugging options

  • GDB_BIND=<socket address>: (only used when REPLAY is set) address to bind a gdb-stub instance to, waiting for gdb to connect for debugging.
  • PRINT_HOOK: Allows a hook to be injected at a symbol to print the output of string buffer.
  • One register form (e.g. PRINT_HOOK='putc(r0:char), PRINT_HOOK='puts(r0:str)): argument is treated as a character or null terminated string.
  • Two register form (e.g. PRINT_HOOK='stdio_write(r0,r1)): first argument is treated as a pointer, the second argument is treated as length.

License

MultiFuzz is dual-licensed under either:

Copyright

Copyright (c) Cyber Security Research Centre Limited 2024. This work has been supported by the Cyber Security Research Centre (CSCRC) Limited whose activities are partially funded by the Australian Government's Cooperative Research Centres Programme. We are currently tracking the impact CSCRC funded research. If you have used this code in your project, please contact us at contact@cybersecuritycrc.org.au to let us know.

Cite as:

@inproceedings{multifuzz2024,
  title     = {MultiFuzz: A Multi-Stream Fuzzer For Testing Monolithic Firmware},
  author    = {Chesser, Michael and Nepal, Surya and Ranasinghe, Damith C},
  booktitle = {{USENIX} Security Symposium},
  series    = {USENIX Security},
  year      = {2024}
}

Extension points exported contracts — how you extend this code

FuzzerStage (Interface)
(no doc) [5 implementers]
hail-fuzz/src/main.rs
Coverage (Interface)
Keeps track of the global coverage seen across the input corpus. [2 implementers]
hail-fuzz/src/coverage.rs
StageData (Interface)
(no doc) [3 implementers]
hail-fuzz/src/main.rs
InputSource (Interface)
(no doc) [1 implementers]
hail-fuzz/src/mutations.rs
InputSource (Interface)
(no doc) [1 implementers]
hail-fuzz/src/queue.rs

Core symbols most depended-on inside this repo

len
called by 149
hail-fuzz/src/i2s/finder.rs
clone
called by 72
hail-fuzz/src/input.rs
is_empty
called by 33
hail-fuzz/src/dictionary.rs
get_mut
called by 29
hail-fuzz/src/i2s/colorization.rs
get
called by 28
hail-fuzz/src/i2s/finder.rs
clone_from
called by 23
hail-fuzz/src/input.rs
error
called by 23
hail-fuzz/src/debugging/check.rs
clear
called by 20
hail-fuzz/src/input.rs

Shape

Method 321
Function 292
Class 122
Enum 26
Interface 9

Languages

Rust82%
C12%
C++6%

Modules by API surface

hail-fuzz/src/load_resizer.rs48 symbols
hail-fuzz/src/main.rs47 symbols
icicle-cortexm/src/config.rs46 symbols
icicle-cortexm/fuzzware-native/core_peripherals/cortexm_nvic.c45 symbols
hail-fuzz/src/queue.rs44 symbols
icicle-cortexm/src/lib.rs41 symbols
hail-fuzz/src/i2s/finder.rs36 symbols
hail-fuzz/src/coverage.rs35 symbols
icicle-cortexm/src/unicorn_api.rs29 symbols
hail-fuzz/src/input.rs27 symbols
hail-fuzz/src/debugging/check.rs25 symbols
icicle-cortexm/fuzzware-native/timer.c24 symbols

For agents

$ claude mcp add MultiFuzz \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact