Data

Tools

Indexes

Applications

Experiments

Open Source Science

tsffs

A snapshotting, coverage-guided fuzzer for software (UEFI, Kernel, firmware, BIOS) built on SIMICS

https://github.com/intel/tsffs

Science Score: 44.0%

This score indicates how likely this project is to be science-related based on various indicators:

  • CITATION.cff file
    Found CITATION.cff file
  • codemeta.json file
    Found codemeta.json file
  • .zenodo.json file
    Found .zenodo.json file
  • DOI references
  • Academic publication links
  • Academic email domains
  • Institutional organization owner
  • JOSS paper metadata
  • Scientific vocabulary similarity
    Low similarity (13.6%) to scientific vocabulary

Keywords

fuzzing rust security simics
Last synced: 6 months ago · JSON representation ·

Repository

A snapshotting, coverage-guided fuzzer for software (UEFI, Kernel, firmware, BIOS) built on SIMICS

Basic Info
Statistics
  • Stars: 307
  • Watchers: 9
  • Forks: 21
  • Open Issues: 24
  • Releases: 4
Topics
fuzzing rust security simics
Created over 2 years ago · Last pushed 6 months ago
Metadata Files
Readme Contributing License Code of conduct Citation Security

README.md

OpenSSF Best Practices

TSFFS: Target Software Fuzzer For SIMICS

TSFFS is a snapshotting, coverage-guided fuzzer built on the SIMICS full system simulator. TSFFS makes it easy to fuzz and triage crashes on traditionally challenging targets including UEFI applications, bootloaders, BIOS, kernel modules, and device firmware. TSSFS can even fuzz user-space applications on Linux and Windows. See the requirements to find out if TSSFS can fuzz your code.

Quick Start

The fastest way to start using TSFFS is with our dockerfile. To set up TSFFS locally instead, read the documentation. To start using TSFFS right away:

sh git clone https://github.com/intel/tsffs cd tsffs docker build -t tsffs . docker run -it tsffs

Then, run the provided example target and fuzzing configuration:

sh ./simics -no-gui --no-win ./fuzz.simics

Documentation & Setup

Documentation for setup & usage of this project lives online at intel.github.io/tsffs.

Capabilities

This fuzzer is built using LibAFL and SIMICS and takes advantage of several of the state of the art capabilities of both.

  • Edge coverage guided
  • Snapshotting (fully deterministic)
  • Parallel fuzzing (across cores, machines soon)
  • Easy to add to existing SIMICS projects
  • Triage mode to reproduce and debug crashes
  • Modern fuzzing methodologies:
    • Redqueen/I2S taint-based mutation
    • MOpt & Auto-token mutations
    • More coming soon!

Use Cases

TSFFS is focused on several primary use cases:

  • UEFI and BIOS code, particulary based on EDKII
  • Pre- and early-silicon firmware and device drivers
  • Hardware-dependent kernel and firmware code
  • Fuzzing for complex error conditions

However, TSFFS is also capable of fuzzing:

  • Kernel & kernel drivers on Windows Linux, and more
  • User-space applications on Windows, Linux, and more
  • Network applications
  • Hypervisors and bare-metal systems

Contact

If you discover a non-security issue or problem, please file an issue!

The best place to ask questions about and get help using TSFFS is in the Awesome Fuzzing Discord server. If you prefer, you can email the authors. Questions we receive are periodically added from both Discord and email to the FAQ.

Please do not create issues or ask publicly about possible security issues you discover in TSFFS. Instead, see our Security Policy and follow the linked guidelines.

Help Wanted / Roadmap

See the issues for a roadmap of planned features and enhancements. Help is welcome for any features listed here. If someone is assigned an issue you'd like to work on, please ping them to avoid duplicating effort!

Authors

Rowan Hart rowan.hart@intel.com

Brandon Marken Ph.D. brandon.marken@intel.com

Robert Guenzel Ph.D. robert.guenzel@intel.com

Owner

  • Name: Intel Corporation
  • Login: intel
  • Kind: organization
  • Email: webadmin@linux.intel.com

Citation (CITATION.cff) 

cff-version: 1.2.0
message: "A collection of fuzzing training resources."
authors:
    - family-names: "Marken"
      given-names: "Brandon"
      orcid: " https://orcid.org/0000-0001-6262-7042"
    - family-names: "Geunzel"
      given-names: "Robert"
      orcid: ""
    - family-names: "Hart"
      given-names: "Rowan"
      orcid: "https://orcid.org/0000-0001-9932-3798"

title: "Intel TSFFS -- Target Software Fuzzer For Simics"
version: 0.1.0
doi: ""
date-released: 2023-01-01
url: "https://github.com/intel/tsffs"

GitHub Events

Total
  • Issues event: 2
  • Watch event: 31
  • Delete event: 60
  • Issue comment event: 37
  • Push event: 64
  • Pull request review comment event: 12
  • Pull request review event: 49
  • Pull request event: 122
  • Fork event: 2
  • Create event: 58
Last Year
  • Issues event: 2
  • Watch event: 31
  • Delete event: 60
  • Issue comment event: 37
  • Push event: 64
  • Pull request review comment event: 12
  • Pull request review event: 49
  • Pull request event: 122
  • Fork event: 2
  • Create event: 58

Issues and Pull Requests

Last synced: 6 months ago

All Time
  • Total issues: 21
  • Total pull requests: 113
  • Average time to close issues: about 2 months
  • Average time to close pull requests: 22 days
  • Total issue authors: 12
  • Total pull request authors: 8
  • Average comments per issue: 1.24
  • Average comments per pull request: 0.4
  • Merged pull requests: 52
  • Bot issues: 1
  • Bot pull requests: 65
Past Year
  • Issues: 3
  • Pull requests: 80
  • Average time to close issues: 5 months
  • Average time to close pull requests: 23 days
  • Issue authors: 3
  • Pull request authors: 4
  • Average comments per issue: 1.33
  • Average comments per pull request: 0.36
  • Merged pull requests: 31
  • Bot issues: 1
  • Bot pull requests: 65
View more stats
Top Authors
Issue Authors
  • novafacing (8)
  • gandalf4a (3)
  • bosswnx (1)
  • 20000419 (1)
  • zodf0055980 (1)
  • lwz23 (1)
  • bakano98 (1)
  • dependabot[bot] (1)
  • mjcaisse-intel (1)
  • cglosner (1)
  • lovelxc (1)
  • kerneis-anssi (1)
Pull Request Authors
  • dependabot[bot] (65)
  • novafacing (33)
  • Wenzel (10)
  • rogue4242 (1)
  • mengmengjiang1999 (1)
  • today574 (1)
  • tklengyel (1)
  • step-security-bot (1)
Top Labels
Issue Labels
enhancement (6) low-priority (5) minor (4) major (3) bug (2) high-priority (2) dependencies (1) github_actions (1)
Pull Request Labels
dependencies (65) github_actions (51) minor (14) docker (14) major (5)

Dependencies

.github/workflows/ci.yml actions
  • actions/checkout v3 composite
  • dtolnay/rust-toolchain nightly composite
Cargo.toml cargo
.github/workflows/docs.yml actions
  • actions/checkout v4 composite
  • actions/configure-pages v3 composite
  • actions/deploy-pages v2 composite
  • actions/upload-pages-artifact v2 composite
  • dtolnay/rust-toolchain nightly composite
Dockerfile docker
  • fedora 38 build
examples/manual-example/Dockerfile docker
  • fedora 38 build
.github/workflows/scans.yml actions
  • actions/checkout v4 composite
  • aquasecurity/trivy-action master composite
  • dtolnay/rust-toolchain nightly composite
.github/builder/Dockerfile docker
  • novafacing/fedora-rustc-oldcompat 0.0.2 build
examples/tutorials/edk2-uefi/Dockerfile docker
  • ghcr.io/tianocore/containers/ubuntu-22-build a0dd931 build
examples/tutorials/risc-v-kernel/Dockerfile docker
  • ubuntu 22.04 build
examples/tutorials/edk2-simics-platform/Dockerfile docker
  • ghcr.io/tianocore/containers/fedora-37-build a0dd931 build
tests/rsrc/riscv-64/Dockerfile docker
  • ubuntu 22.04 build
tests/rsrc/x86_64-breakpoint-uefi-edk2/Dockerfile docker
  • ghcr.io/tianocore/containers/ubuntu-22-build a0dd931 build
tests/rsrc/x86_64-timeout-uefi-edk2/Dockerfile docker
  • ghcr.io/tianocore/containers/ubuntu-22-build a0dd931 build
tests/rsrc/x86_64-uefi-edk2/Dockerfile docker
  • ghcr.io/tianocore/containers/ubuntu-22-build a0dd931 build
.github/workflows/codeql.yml actions
  • actions/checkout 11bd71901bbe5b1630ceea73d27597364c9af683 composite
  • github/codeql-action/analyze 1b549b9259bda1cb5ddde3b41741a82a2d15a841 composite
  • github/codeql-action/autobuild 1b549b9259bda1cb5ddde3b41741a82a2d15a841 composite
  • github/codeql-action/init 1b549b9259bda1cb5ddde3b41741a82a2d15a841 composite
  • step-security/harden-runner 4d991eb9b905ef189e4c376166672c3f2f230481 composite
.github/workflows/dependency-review.yml actions
  • actions/checkout 11bd71901bbe5b1630ceea73d27597364c9af683 composite
  • actions/dependency-review-action 3b139cfc5fae8b618d3eae3675e383bb1769c019 composite
  • step-security/harden-runner 4d991eb9b905ef189e4c376166672c3f2f230481 composite
.github/workflows/scorecards.yml actions
  • actions/checkout 11bd71901bbe5b1630ceea73d27597364c9af683 composite
  • actions/upload-artifact ea165f8d65b6e75b540449e92b4886f43607fa02 composite
  • github/codeql-action/upload-sarif 1b549b9259bda1cb5ddde3b41741a82a2d15a841 composite
  • ossf/scorecard-action f49aabe0b5af0936a0987cfb85d86b75731b0186 composite
  • step-security/harden-runner 4d991eb9b905ef189e4c376166672c3f2f230481 composite