Fuzzing
For fuzzing, we dedicated a separate branch fuzz for this purpose. This aimed to avoid unrelated changes that might slow down the process.
AFL supplies input through stdin. In softmmu/main.c, we move it to fd 9 (avoid interference with serial console).
Our attempt to fuzz iOS USB device-mode driver is mostly contained in the hw/usb/hcd-fuzz.c file.
This is a USB host controller that simply reads a USB packet and send it to the connected device (dwc2) in most cases.
Below is our fuzzing cycle for USB.
 |
|---|
| Our USB fuzzing cycle |
 |
|---|
| AFL fuzzing USB |
Our syscall fuzzing setup includes a simple userspace program that reads input from AFL and calls socket, setsockopt, connect and disconnectx syscalls.
When sock-fuzz is launched, it stopped the CPU for the user to create a snapshot of the machine state.
When running under AFL supervision, the snapshot is restored and sock-fuzz continues. A fuzzing cycle is started.
When the end of the input file is reached, it stopped the CPU so that AFL can get the status.
sock-fuzz communicates with the outside using ARM hint syscalls. These are implemented in target/arm/helper-a64.c.
Below is our fuzzing cycle for syscall fuzzing.
 |
|---|
| Our Syscall fuzzing cycle |
 |
|---|
| AFL fuzzing socket syscalls |