BaseSAFE: Baseband SAnitized Fuzzing Through Emulation

41 points by domenukk 5 years ago | 6 comments
  • monocasa 5 years ago
    Oh wow! I played around with getting a SIM900 firmware running against QEMU and open source tower implementations for finding exploits.

    But this goes way farther than I had even planned! Connecting it to fuzzing infrastructure is super duper neat. I was just using it as a reproducible target to manually get it into weird states.

    • ifoundthetao 5 years ago
      Would you be willing to talk about how you went about doing this? I do a good amount of fuzzing and would like to expand into fuzzing infra as well.
    • DyslexicAtheist 5 years ago
      This is focused on LTE. For telecommunications the most useful approach I have found to date was to fuzz using ASN.1[1][2]. Everything in telecoms is ASN.1 and vendors usually write their own parser generators.

      [1] this is focused on X.509/TLS but the approach is the same https://blog.doyensec.com/2020/05/14/asn1fuzz.html

      • domenukk 5 years ago
        Yes, LTE makes heavy use of ASN.1, too - the parsers are an interesting target indeed (and some of the fuzzed ones referred to in the paper are such parsers). Although these days, ASN.1 usually gets auto-generated, so the attack vector is not as large anymore. More interesting can be the places where parsed structs then get processed afterward.
        • dapids 5 years ago
          Another big part of that stack is CSN.1. A long long lost spec.
        • billme 5 years ago
          For those unfamiliar with the two most important terms covered in this paper, they are fuzzing [1] & baseband processor [2]:

          [1] https://en.wikipedia.org/wiki/Fuzzing

          [2] https://en.wikipedia.org/wiki/Baseband_processor
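An added example illustrating two points raised in the thread (DyslexicAtheist's suggestion to fuzz the ASN.1 layer, and domenukk's point that the bugs tend to sit where parsed structs get processed afterwards). This is not code from the BaseSAFE paper or from any baseband; the TLV layout, the "inner length" identity field, the 16-byte limit and the sample messages are all constructed for the demo. The decoder is written the way a generated ASN.1 decoder behaves (it bounds-checks the TLV length), and the bug lives one layer up, in code that trusts a length the decoder never validated. A libFuzzer-style entry point is included so the same code can be driven by a fuzzer with `-fsanitize=fuzzer,address`; define `FUZZ_UNCHECKED` to route the harness through the deliberately vulnerable path.

```c
/* Added example, not from the BaseSAFE paper or the thread. Message layout,
 * field names and limits are constructed for this demo. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define TAG_OCTET_STRING 0x04
#define IDENTITY_MAX 16          /* assumed fixed size of the identity field */

struct tlv { uint8_t tag; size_t len; const uint8_t *val; };

/* Decode one DER-style TLV (short and long-form lengths), bounds-checked the
 * way a generated decoder is. Returns bytes consumed, or 0 if malformed. */
size_t tlv_decode(const uint8_t *buf, size_t n, struct tlv *out)
{
    if (n < 2) return 0;
    size_t pos = 0;
    out->tag = buf[pos++];
    size_t len = buf[pos++];
    if (len & 0x80) {                       /* long form: 0x8N then N length bytes */
        size_t nbytes = len & 0x7f;
        if (nbytes == 0 || nbytes > sizeof(size_t) || pos + nbytes > n) return 0;
        len = 0;
        for (size_t i = 0; i < nbytes; i++) len = (len << 8) | buf[pos++];
    }
    if (len > n - pos) return 0;            /* value must fit inside the buffer */
    out->len = len;
    out->val = buf + pos;
    return pos + len;
}

/* Application layer: the OCTET STRING carries an identity whose first byte is
 * its own inner length. The decoder only guaranteed val[0..len) is in bounds;
 * it says nothing about inner_len, and that is exactly what gets trusted below. */
struct identity { uint8_t len; uint8_t bytes[IDENTITY_MAX]; };

/* Deliberately vulnerable: trusts inner_len over both the TLV length (over-read
 * of the input, including when len == 0) and the destination size (overflow of
 * id->bytes). Only ever run this under ASan / a fuzzer. */
void identity_from_tlv_unchecked(const struct tlv *t, struct identity *id)
{
    uint8_t inner_len = t->val[0];                 /* BUG: t->len may be 0 */
    memcpy(id->bytes, t->val + 1, inner_len);      /* BUG: no check vs t->len or IDENTITY_MAX */
    id->len = inner_len;
}

/* Hardened: every length the parser did not validate is checked here. */
int identity_from_tlv(const struct tlv *t, struct identity *id)
{
    if (t->tag != TAG_OCTET_STRING || t->len < 1) return -1;
    uint8_t inner_len = t->val[0];
    if (inner_len > t->len - 1 || inner_len > IDENTITY_MAX) return -1;
    memcpy(id->bytes, t->val + 1, inner_len);
    id->len = inner_len;
    return 0;
}

/* Decode, then process: the unit a fuzz harness should drive end to end. */
int handle_message(const uint8_t *buf, size_t n, struct identity *id)
{
    struct tlv t;
    if (tlv_decode(buf, n, &t) == 0) return -1;
#ifdef FUZZ_UNCHECKED            /* -DFUZZ_UNCHECKED lets ASan find the bug above */
    identity_from_tlv_unchecked(&t, id);
    return 0;
#else
    return identity_from_tlv(&t, id);
#endif
}

/* libFuzzer-style entry point: clang -fsanitize=fuzzer,address this_file.c */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    struct identity id;
    handle_message(data, size, &id);
    return 0;
}

/* Constructed sample messages (not captured traffic). */
static const uint8_t MSG_GOOD[]  = {0x04, 0x05, 0x04, 'I', 'M', 'S', 'I'};  /* inner_len 4 fits */
static const uint8_t MSG_LIAR[]  = {0x04, 0x05, 0xff, 'I', 'M', 'S', 'I'};  /* inner_len 255 lies */
static const uint8_t MSG_EMPTY[] = {0x04, 0x00};                            /* no inner_len byte at all */
static const uint8_t MSG_LONG[]  = {0x04, 0x81, 0x03, 0x02, 'A', 'B'};      /* long-form TLV length */
static const uint8_t MSG_CUT[]   = {0x04, 0x05, 0x01};                      /* TLV length past end */

/* Returns the accepted identity length, or -1 if decode or processing rejected it. */
int run_case(const uint8_t *buf, size_t n)
{
    struct identity id;
    return handle_message(buf, n, &id) == 0 ? (int)id.len : -1;
}

int main(void)
{
    printf("good=%d liar=%d empty=%d long=%d cut=%d\n",
           run_case(MSG_GOOD, sizeof MSG_GOOD), run_case(MSG_LIAR, sizeof MSG_LIAR),
           run_case(MSG_EMPTY, sizeof MSG_EMPTY), run_case(MSG_LONG, sizeof MSG_LONG),
           run_case(MSG_CUT, sizeof MSG_CUT));
    return 0;
}
```

The point of the split is that `tlv_decode` alone never crashes on any of the sample messages, so fuzzing only the generated parser would report nothing; the harness has to reach `handle_message` (and, with `FUZZ_UNCHECKED`, the unchecked path) before `MSG_EMPTY` and `MSG_LIAR` turn into out-of-bounds reads and writes that ASan flags.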