SA-RIOT

SA-RIOT - Detailed Curriculum

Module 01: QEMU+AFL = Vulnerabilities?

1. Is it so easy to find vulnerabilities?

• Downloading and installing AFL++
• Preparing a vulnerable VLC instance
• VLC exploit

2. Full-system fuzzing – introducing TriforceAFL

• Understanding full-system fuzzing concepts
• Installing TriforceAFL
• Setting up the fuzzing environment

3. Final Test

4. Further reading

5. Appendix

Module 02: QEMU Primer

1. Adding a new CPU

2. Emulating an embedded firmware

3. Reverse engineering DMA peripherals

4. Emulating UART with Avatar2 for firmware debugging

5. Final Test

Module 03: Baseband Emulation

1. A crash course on mobile phone architecture

• Baseband
• Baseband CPU family
• Application processor and baseband interface
• A talk with Shannon
• A note on GSM/3GPP/LTE protocol specifications

2. Setting up FirmWire for vulnerability validation

• CVE-2020-25279 – emulator fuzzing
• CVE-2020-25279 – OTA exploitation

3. Final Test

Module 04: Router Emulation (x86)

1. OpenWrt on x86

2. Building the firmware

• Testing the firmware in QEMU
• Extracting and preparing the kernel

3. Fuzzing the kernel

4. Post-crash core-dump triage

Module 05: Router Emulation (ARM32)

1. Emulating the ARM architecture to run an OpenWrt system

2. Installing TriforceAFL for ARM

3. Running TriforceAFL in OpenWrt for ARM

4. Obtaining a crash

5. Final Test

Bonus: Evolving to recent harnesses

1. Using a more recent version of AFL++

2. Harnessing techniques

3. libqemu

4. Device trees, NAND and NOR flash

Module 06: iOS 14/16 Emulation and Fuzzing of the iPhone 11

1. A brief history of iOS emulation

2. iOS basics

• What it takes to boot iOS
• Code signatures
• Plist files and entitlements
• Compiling binaries
• IPSW formats and research kernels

3. Setting up an iOS emulator

• Preparing the environment
• Building the emulator
• Boot prepping
• Booting iOS in QEMU

4. Preparing your harness to start fuzzing

5. TriforceAFL driver modifications for iOS

6. Final Test

Module 07: Android Emulation and Fuzzing

1. Introducing the Android OS and its architecture

• Android system architecture overview
• Understanding the Android stack
• Key components for fuzzing

2. Fuzzing Android libraries with Sloth

• Setting up Sloth framework
• Targeting Android libraries
• Analysis and vulnerability discovery

3. Final Test

Certification Exam

Areas covered by the exam:

• Fuzzing
• Basic Emulation
• Vulnerability hunting