(DA08) (FIC) Airbus - Ghidralligator : Fuzz program running on exotic architecture

Wednesday, April 5, 2023 2:35 PM to 3:05 PM · 30 min. (Europe/Paris)
Hacking Lab
ATTACK DEMO

Information

Introduction: Ghidralligator is a C++ multi-architecture emulator built on Ghidra's libsla and designed for fuzzing with AFL++. It performs emulation-based fuzzing while keeping good performance on binaries that run on exotic architectures, and is an alternative when a supported emulator engine such as QEMU or Unicorn cannot easily be used. Its extensible design makes it possible to emulate any architecture, as long as the corresponding Sleigh specification file can be written, in order to fuzz an arbitrary piece of code. Ghidralligator will be open-sourced soon (ideally just before THCon 2023).

What is Ghidralligator? Ghidralligator aims to fill the gap between existing emulators, which require a lot of setup and manual modification to instrument, run and fuzz a binary, and "black-box" emulators, which are hard to extend and not suited to specific and unusual applications. Its main use is vulnerability research in closed-source binaries, especially when targeting embedded-device applications and firmware that run on exotic architectures.

When fuzzing, performance is a key factor in how successful the session will be. Ghidralligator is designed to offer the best trade-off between automated memory-corruption detection and execution speed. A wide variety of memory corruptions can be detected while fuzzing: stack-based overflows, out-of-bounds reads, out-of-bounds writes, instruction-pointer redirection, heap overflows, use-after-free, double-free, and read, write and execute access violations.

Finally, Ghidralligator is easily customized for each target application through a configuration file that defines the memory layout of the emulated program (multiple memory dumps can be loaded) and its initial state. The same file lets the memory-corruption checks be tuned for better performance. A user-defined hook file is also available to register arbitrary hooks, either to instrument the binary or to hook external APIs. Ghidralligator can be seen as the spiritual successor of afl_ghidra_emu (https://www.cyber.airbus.com/fuzzing-exotic-arch-with-afl-using-ghidra-emulator/).

Presentation plan: overview of fuzzing techniques (code coverage, snapshots, ...) and tools (AFL, ...); focus on Ghidra RE internals and libsla; Ghidralligator software architecture; demo: fuzzing programs running on Xtensa, PowerPC, MIPS and ARM CPUs; conclusion, limitations and future features.
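The memory-corruption classes listed above are what an emulator can check on every load, store, fetch, allocator call and return once it owns the target's address space. The following is an added example, not Ghidralligator's code (which was not yet public when this listing was written): a small Python model of such checks over a toy emulated memory. The class and method names (EmuMemory, MemoryViolation, access, malloc, free, call, ret), the heap base, the 16-byte redzone and every address used in the demo are assumptions made for the illustration; a real emulator would drive these checks from its instruction hooks and hand the violation to AFL++ as a crash.

```python
# Added example (not Ghidralligator's code): toy model of memory-corruption
# checks an emulation-based fuzzer can run on an emulated address space.
# All names, addresses and sizes below are assumptions for illustration.

PERM_R, PERM_W, PERM_X = 1, 2, 4
REDZONE = 16  # assumed gap kept between heap chunks so a 1-byte overrun is caught


class MemoryViolation(Exception):
    """Raised where a real emulator-based fuzzer would report a crash to AFL++."""

    def __init__(self, category, detail):
        super().__init__(f"{category}: {detail}")
        self.category = category


class EmuMemory:
    """Tracks mapped regions, heap chunks and a shadow call stack for an emulated target."""

    def __init__(self, heap_base=0x2000_0000, heap_size=0x1_0000):
        self.regions = []       # (start, size, perms): the layout a config file would declare
        self.live = {}          # chunk base -> size for chunks allocated and not yet freed
        self.freed = {}         # freed chunks stay quarantined (never reused) so UAF is detectable
        self.shadow_stack = []  # return addresses recorded at call time
        self.heap_base, self.heap_end = heap_base, heap_base + heap_size
        self.bump = heap_base
        self.map(heap_base, heap_size, PERM_R | PERM_W)

    def map(self, start, size, perms):
        self.regions.append((start, size, perms))

    def _perms(self, addr):
        for start, size, perms in self.regions:
            if start <= addr < start + size:
                return perms
        return None

    @staticmethod
    def _chunk(table, addr, slack=0):
        for base, size in table.items():
            if base <= addr < base + size + slack:
                return base
        return None

    def access(self, addr, size, perm):
        """Check one read/write/fetch of `size` bytes at `addr`; True if allowed."""
        kind = {PERM_R: "read", PERM_W: "write", PERM_X: "exec"}[perm]
        for a in (addr, addr + size - 1):            # both ends must be mapped with `perm`
            p = self._perms(a)
            if p is None:
                raise MemoryViolation(f"{kind} access-violation", f"{a:#x} is unmapped")
            if not p & perm:
                raise MemoryViolation(f"{kind} access-violation", f"{a:#x} lacks {kind} permission")
        if self.heap_base <= addr < self.heap_end:   # heap accesses must hit a live chunk
            for a in (addr, addr + size - 1):
                if self._chunk(self.live, a) is not None:
                    continue
                if self._chunk(self.freed, a) is not None:
                    raise MemoryViolation("use-after-free", f"{kind} at {a:#x}")
                if self._chunk(self.live, a, REDZONE) is not None:
                    raise MemoryViolation("heap-overflow", f"{kind} into redzone at {a:#x}")
                raise MemoryViolation(f"out-of-bounds {kind}", f"{a:#x} is in no live chunk")
        return True

    def malloc(self, size):
        base = self.bump
        self.bump += size + REDZONE   # bump allocator: addresses are never handed out twice
        self.live[base] = size
        return base

    def free(self, base):
        if base in self.freed:
            raise MemoryViolation("double-free", f"{base:#x}")
        if base not in self.live:
            raise MemoryViolation("invalid-free", f"{base:#x} was never allocated")
        self.freed[base] = self.live.pop(base)

    def call(self, return_addr):
        self.shadow_stack.append(return_addr)

    def ret(self, popped_addr):
        """Compare the return address read from the emulated stack with the shadow copy."""
        expected = self.shadow_stack.pop()
        if popped_addr != expected:
            raise MemoryViolation("instruction-pointer-redirection",
                                  f"ret to {popped_addr:#x}, expected {expected:#x}")
        return popped_addr


def demo():
    """Drive the tracker with constructed accesses; returns the check each one tripped."""
    mem = EmuMemory()
    mem.map(0x1000, 0x1000, PERM_R | PERM_X)        # assumed code region
    mem.map(0x7FFF_0000, 0x1000, PERM_R | PERM_W)   # assumed stack region
    results = {}

    def attempt(name, action):
        try:
            action()
            results[name] = "ok"
        except MemoryViolation as exc:
            results[name] = exc.category

    buf = mem.malloc(32)
    attempt("in-bounds write", lambda: mem.access(buf + 31, 1, PERM_W))
    attempt("one-byte heap overrun", lambda: mem.access(buf + 32, 1, PERM_W))
    attempt("wild heap read", lambda: mem.access(mem.heap_base + 0x8000, 4, PERM_R))
    attempt("exec from stack", lambda: mem.access(0x7FFF_0010, 1, PERM_X))
    attempt("unmapped read", lambda: mem.access(0x4000_0000, 4, PERM_R))
    mem.free(buf)
    attempt("use-after-free", lambda: mem.access(buf, 4, PERM_R))
    attempt("double-free", lambda: mem.free(buf))
    mem.call(0x1020)                                 # constructed call site
    attempt("smashed return address", lambda: mem.ret(0x41414141))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:24} -> {outcome}")
```

The point of the model is the cost structure the abstract alludes to: the mapped-region check is a cheap per-access lookup, while chunk and redzone tracking add a heap walk on every heap access, which is why a fuzzer like this lets the detections be tuned per target rather than always running all of them.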
