Great news! Our new approach for scalable bug finding in Linux-based firmware has been accepted to USENIX 2024. Check out our paper "Operation Mango" to pwn a local router near you!
Code and more in the 🧵 1/5 wilgibbs.com/papers/mango_u…
Here's our code base (with full eval replication instructions 👀)
Ready to use out of the box. Look over the eval README if you really want to get started with firmware bug finding! 2/5 github.com/sefcom/operati…
We really liked the front-end keyword and cross-binary approach that prior work SaTC and KARONTE took, but we thought maybe more bugs were hiding in some binaries they couldn't explore due to slow analysis... That's where our BEEFED UP angr RDA comes in! 3/5
On top of constantly pushing angr's RDA (with extensive help from Fish) we also implemented a special sink-to-source backward analysis (to keep from overanalyzing call traces) and assumed non-execution (skipping callsites that we think are unimportant 👎👎). 4/5
We also try to rank the results from 0-10 based on what we think are real exploitable bugs (TruPoCs).
Thanks for reading, you've earned a Mango! 🥭🥭🥭🥭🥭🥭🥭🥭🥭 5/5
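To make the sink-to-source idea in the thread concrete, here is a toy backward slice written for this page; it is not Operation Mango's or angr's code. A constructed straight-line program is modelled as a list of statements, the analysis starts at a dangerous sink and walks definitions backwards until it reaches an untrusted source, and any callsite whose callee has no summary is skipped ("assumed non-execution") but recorded so a reviewer can see what was not analysed. The callee summaries, source names, statement model and the 0-10 confidence heuristic are all hypothetical.

```python
"""Toy sink-to-source backward slice with assumed non-execution of unknown callees.

Constructed example for illustration; the statement model, callee summaries and
scoring heuristic are assumptions, not the paper's implementation.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Stmt:
    kind: str        # "source" | "assign" | "call" | "sink"
    outs: tuple      # variables written by this statement
    ins: tuple       # variables read by this statement
    name: str = ""   # source / sink / callee name


# Hypothetical callee summaries: output index -> set of input indices that flow into it.
# A callee absent from this table is "assumed not executed": its callsite is skipped.
CALLEE_SUMMARIES = {
    "strdup": {0: {0}},       # return value derived from arg 0
    "sprintf": {0: {1, 2}},   # destination buffer derived from format and argument
    "strlen": {0: set()},     # returns a length, carries no string content
}

SOURCES = {"getenv", "recv", "nvram_get"}   # assumed untrusted-input functions

# Constructed program: q comes from the environment and ends up in system(cmd).
PROGRAM = [
    Stmt("source", ("q",), (), "getenv"),                    # q = getenv("QUERY_STRING")
    Stmt("call", ("n",), ("q",), "strlen"),                  # n = strlen(q)
    Stmt("call", ("log",), ("n",), "syslog_fmt"),            # unknown callee, never tracked
    Stmt("call", ("copy",), ("q",), "strdup"),               # copy = strdup(q)
    Stmt("assign", ("trimmed",), ("copy",)),                 # trimmed = copy
    Stmt("call", ("cmd",), ("cmd", "fmt", "trimmed"), "sprintf"),  # sprintf(cmd, fmt, trimmed)
    Stmt("call", ("cmd",), ("cmd",), "sanitize"),            # unknown callee writing cmd: skipped
    Stmt("sink", (), ("cmd",), "system"),                    # system(cmd)
]


def backward_slice(stmts, sink_index):
    """Walk backwards from the sink, following only definitions of tracked variables.

    Returns (sources reached, statements examined, callsites skipped).
    """
    tracked = set(stmts[sink_index].ins)
    reached, examined, skipped = [], 0, []
    for s in reversed(stmts[:sink_index]):
        hit = [v for v in s.outs if v in tracked]
        if not hit:
            continue                       # defines nothing the sink depends on
        if s.kind == "call" and s.name not in CALLEE_SUMMARIES:
            skipped.append(s.name)         # assumed non-execution: pretend it never ran
            continue
        examined += 1
        for v in hit:
            tracked.discard(v)             # this definition is now explained
        if s.kind == "source":
            if s.name in SOURCES:
                reached.append(s.name)
        elif s.kind == "assign":
            tracked.update(s.ins)
        elif s.kind == "call":
            summary = CALLEE_SUMMARIES[s.name]
            for v in hit:
                for j in summary.get(s.outs.index(v), set()):
                    tracked.add(s.ins[j])
    return reached, examined, skipped


def confidence(reached, skipped):
    """Hypothetical 0-10 score: a reached source scores 10, minus 3 per skipped
    callsite on the path, since a skipped call could have been a sanitizer."""
    if not reached:
        return 0
    return max(0, 10 - 3 * len(skipped))


if __name__ == "__main__":
    reached, examined, skipped = backward_slice(PROGRAM, len(PROGRAM) - 1)
    print("sources reached:", reached)
    print("statements examined:", examined, "of", len(PROGRAM) - 1)
    print("callsites skipped:", skipped)
    print("confidence:", confidence(reached, skipped))
```

Of the seven statements before the sink only four are examined, which is the cost saving the thread attributes to working backwards from the sink; the skipped `sanitize` call is exactly the kind of blind spot a reviewer should check before treating the finding as a true positive.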