Tsffs
A snapshotting, coverage-guided fuzzer for software (UEFI, Kernel, firmware, BIOS) built on SIMICS
TSFFS is a snapshotting, coverage-guided fuzzer built on the [SIMICS](https://www.intel.com/content/www/us/en/developer/articles/tool/simics-simulator.html) full system simulator. TSFFS makes it easy to fuzz and triage crashes on traditionally challenging targets including UEFI applications, bootloaders, BIOS, kernel modules, and device firmware. TSSFS can even fuzz user-space applications on Linux and Windows. See the [requirements](https://intel.github.io/tsffs/fuzzing/compatibility.html) to f... The project is written primarily in Rust, distributed under the Apache License 2.0 license, first published in 2023. Key topics include: fuzzing, rust, security, simics.
TSFFS: Target Software Fuzzer For SIMICS
TSFFS is a snapshotting, coverage-guided fuzzer built on the
SIMICS
full system simulator. TSFFS makes it easy to fuzz and triage crashes on
traditionally challenging targets including UEFI applications, bootloaders,
BIOS, kernel modules, and device firmware. TSSFS can even fuzz user-space
applications on Linux and Windows. See the
requirements to
find out if TSSFS can fuzz your code.
Quick Start
The fastest way to start using TSFFS is with our dockerfile. To set up
TSFFS locally instead, read the documentation. To start
using TSFFS right away:
shgit clone https://github.com/intel/tsffs cd tsffs docker build -t tsffs . docker run -it tsffs
Then, run the provided example target and fuzzing configuration:
sh./simics -no-gui --no-win ./fuzz.simics
Documentation & Setup
Documentation for setup & usage of this project lives online at
intel.github.io/tsffs.
Capabilities
This fuzzer is built using LibAFL and SIMICS
and takes advantage of several of the state of the art capabilities of both.
- Edge coverage guided
- Snapshotting (fully deterministic)
- Parallel fuzzing (across cores, machines soon)
- Easy to add to existing SIMICS projects
- Triage mode to reproduce and debug crashes
- Modern fuzzing methodologies:
- Redqueen/I2S taint-based mutation
- MOpt & Auto-token mutations
- More coming soon!
Use Cases
TSFFS is focused on several primary use cases:
- UEFI and BIOS code, particulary based on EDKII
- Pre- and early-silicon firmware and device drivers
- Hardware-dependent kernel and firmware code
- Fuzzing for complex error conditions
However, TSFFS is also capable of fuzzing:
- Kernel & kernel drivers on Windows Linux, and more
- User-space applications on Windows, Linux, and more
- Network applications
- Hypervisors and bare-metal systems
Contact
If you discover a non-security issue or problem, please file an
issue!
The best place to ask questions about and get help using TSFFS is in the Awesome
Fuzzing Discord server. If you prefer, you can email the
authors. Questions we receive are periodically added from both Discord and
email to the FAQ.
Please do not create issues or ask publicly about possible security issues you discover
in TSFFS. Instead, see our Security Policy and follow the linked
guidelines.
Help Wanted / Roadmap
See the
issues
for a roadmap of planned features and enhancements. Help is welcome for any features
listed here. If someone is assigned an issue you'd like to work on, please ping them to
avoid duplicating effort!
Authors
Rowan Hart
rowan.hart@intel.com
Brandon Marken Ph.D.
brandon.marken@intel.com
Robert Guenzel Ph.D.
robert.guenzel@intel.com
Contributors
Showing top 6 contributors by commit count.
![dependabot[bot]](https://avatars.githubusercontent.com/in/29110?v=4)
Related Repositories
Hack-with-Github/Awesome-Hacking
A collection of various awesome lists for hackers, pentesters and security researchers
maurosoria/dirsearch
Web path scanner
google/oss-fuzz
OSS-Fuzz - continuous fuzzing for open source software.
foundry-rs/foundry
Foundry is a blazing fast, portable and modular toolkit for Ethereum application development written in Rust.
spacejam/sled
the champagne of beta embedded databases
HypothesisWorks/hypothesis
The property-based testing library for Python