SOSS Fusion 2024

Fuzz testing of compiled binary code is imperative when source code is not available. AFLplusplus is a popular fuzzer, responsible for discovering several vulnerabilities in open/closed source software. While fuzzing, AFLplusplus acquires code coverage feedback by emulating the target binary in QEMU usermode, thereby supporting architecture neutral fuzzing as well. There is however no native instruction hooking and memory control support in QEMU. Albeit, having such ability can greatly benefit binary fuzz testing by patching/fixing roadblock locations that lead to long-running fuzzing campaigns. The current solution is a pythonic wrapper, UNICORN, on QEMU that is understandably slow and, more importantly, requires significant configuration to avail features that are enabled by default in AFLplusplus's raw QEMU mode. In this lightning talk, we will touch upon the QEMU native hooking bridge [https://github.com/AFLplusplus/AFLplusplus/tree/stable/qemu_mode/hooking_bridge]. We will briefly go over its design and implementation. We will then describe its usage with one or more examples. Furthermore, we will demonstrate its superiority over AFLplusplus's UNICORN mode.