fuzzemu is an instruction emulator for the Cortex-M3 ARM architecture. Its focus is on instruction emulation. It can be extended to model instruction skip attacks. fuzzemu builds on capstone and unicorn.

A working build environment is needed as well a arm-none-eabi* toolchain.

1. Run the script ./setup.sh. The script will pull in the required dependencies
2. Run the script ./compile.sh. The script will compile the dependencies.

./run-ext-lib.sh input-lib.a

The above script will recompile the emulator and start the emulation of the input-lib.a

The input-lib can use the following API to interact with the outside world:

/* initialize the uart, this function should be called before printing */ void my_uart_init(void) __attribute__((noinline)); /* blocking receive of one character */ unsigned my_uart_rx_char(void) __attribute__((noinline)); /* print one character */ void my_uart_tx_char(char c) __attribute__((noinline)); /* a way to signal the emulator */ void my_signal(unsigned) __attribute__((noinline)); /* the main function */ void my_main(void) __attribute__((noinline));

Check example/hello-word/io.h.

The stack top is specified via __stack symbol in the input library. The stack size is defined by STACK_LEN macro from main.c. If the symbol __stack is missing then a default value is used.

The uart is exposed through two named pipes: fuzzemu-pipe.{in,out}. The named pipes are created by the compile.sh script.

Check example/hello-world for a running example.

# compile the example $ cd example/hello-world $ CC="clang -O3 -target arm-none-eabi -mcpu=cortex-m3 -mfloat-abi=soft" make $ cd - $ ./run-ext-lib.sh example/hello-world/libhello-world-full.a RM ./build rm -f elf_symbols_gen.h /tmp/tmp.WYg9vSRKgn ~/code/fuzzemu ~/code/fuzzemu CC main.c LD fuzzemu please run 'LD_LIBRARY_PATH=./third_party/unicorn/:./third_party/capstone ./build/fuzzemu ./build/fake.elf' =============== Running Fuzzemu Using cortex-m3 emulation started using pipe: out:fuzzemu-pipe.out in:fuzzemu-pipe.in waiting for connection ...

Now fuzzemu waits for a connection on the two pipes.

Connect to the output pipe (new shell)

$ cat ~/code/fuzzemu/fuzzemu-pipe.out

Connect to the input pipe (new shell)

$ echo 'abcSasq' > ~/code/fuzzemu/fuzzemu-pipe.in

Now the emulator should resume execution.

got connection. Resume execution signal=0x02 signal=0x01 read(): Invalid argument read error, exit!

And output should appear at the out pipe.

Hello World! abc Sending signal 2 a Sending signal 1 Quit!

Please note that although some of the authors are (or were) employed by Google, this is not an official Google product.