With the wide range of methods and tools now available for discovering vulnerabilities in embedded OS kernels, is a deep dive into QEMU internals still worth the investment needed to emulate a target firmware or kernel? We share our return on experience from diving into QEMU, implementing proprietary devices and booting a target OS up to the point where security evaluation could begin. Thanks to the introspection power offered by such a simulation environment, fuzzing, memory analysis, scheduling properties, race conditions and so on can "easily" be explored.
#QEMU, #Security, #Embedded, #Fuzzing
Stephane Duverger is a Core Digital Security Expert at Airbus. His main areas of interest are low-level system internals, OS kernels and virtualization technologies. He has published on kernel exploitation, on offensive and defensive virtualization approaches, and more recently on adapting state-of-the-art fuzzing technologies to simulation environments.