2026 Live Offer
QEMU Internals and Fuzzing: From IoT to iPhone
ABSTRACT
In QEMU Internals and Fuzzing: From IoT to iPhone, participants will learn the fundamentals of emulation and fuzzing, how to emulate a custom device in QEMU from the ground up, and how to instrument it for fuzzing and vulnerability research.
Before diving into full-system emulation with QEMU, we will establish the foundation using Unicorn, Qiling, and Abstract Interpretation to progressively build intuition about CPU execution, memory mapping, and symbolic instrumentation.
This structured flow allows participants to understand the continuum from lightweight CPU emulation and binary instrumentation to complex multi-device emulation.
We will then dive into QEMU, one of the most powerful software tools designed for emulation and fuzzing, to gain a deep understanding of its architecture and design principles.
Topics include machine types, hardware emulation, and writing your own platform to emulate and fuzz—from IoT devices all the way up to an iPhone.
Students will use several well-known fuzzers (AFL++, Honggfuzz) and handcrafted examples to test large software systems for vulnerabilities.
We will apply persistent, mutational, and evolutionary fuzzing on real-world firmware examples, including mobile phones, fitness devices, media players, and networked RTOS-based systems, as well as peripheral and bus fuzzing techniques such as USART and UART.
The class features several hands-on exercises where participants will gain an understanding of memory vulnerabilities in IoT and embedded devices, how to write fuzzing harnesses, and how to manage responsible disclosure and vulnerability mitigation.
By the end of the course, participants will have a unique set of skills and knowledge from different fields—emulation of custom embedded systems, instrumented fuzzing, and dynamic analysis—all with a single goal: to find and understand security vulnerabilities.
KEY LEARNING OBJECTIVES
- Understand the fundamental concepts of emulation and fuzzing as essential tools in vulnerability research.
- Gain hands-on experience with Unicorn and Qiling, learning how CPU-level and binary-level emulation form the foundation for system-level fuzzing.
- Explore Abstract Interpretation as a method for reasoning about code paths, symbolic execution, and pre-fuzzing analysis.
- Comprehend QEMU architecture and design principles, including machine types, hardware emulation, instrumentation, and fuzzing harnesses.
- Analyze QEMU execution modes and performance optimization using frameworks like Panda or Avatar2.
- Learn fuzzing techniques and harness injection into proprietary firmware.
- Understand the tradeoffs between virtualized and fully emulated environments, comparing setups like native ARM™ vs QEMU-based systems.
- Apply emulation and fuzzing to real-world targets such as IoT devices, media players, fitness devices, and real-time systems.
- Master peripheral and bus fuzzing techniques (USART, UART, sensors, routers).
- Apply full-system emulation and fuzzing to closed-source devices (e.g., iPhone 11, iPod 2G) with kernel patching, device modeling, and fuzzing harnesses.
- Identify memory vulnerabilities, write and integrate harnesses, and manage responsible disclosure and vulnerability mitigation.
- Experience firsthand how fuzzing + emulation have become a game changer for vulnerability research.
COURSE AGENDA - Featuring a running CTF during the course
Part 1: Introduction
- Static analysis
- Binary lifting
- From lifting to execution
- Examples: P-Code and Intro to TCG
- Examples: Other IR representations and their meaning
- Hands-on → Unicorn: disassembly and partial execution
- Hands-on → Qiling: advanced partial execution
Part 2: Foundational Emulation Flow
- Introduction to Unicorn Engine: CPU emulation, memory mapping, hooks
- Hands-on → Unicorn: tracing, instrumentation, and instruction-level fuzzing
- Introduction to Qiling Framework: system call emulation, library loading, hybrid analysis
- Hands-on → Qiling: fuzzing user-space binaries and handling syscalls
- Abstract Interpretation: static reasoning and path exploration before fuzzing
- Hands-on → Abstract Interpretation pipeline: analyzing IR to guide fuzzing campaigns
Part 3: QEMU Internals
- TCG Internals and instruction translation
- Hands-on → Tracking code through the TCG:
  - Registers
  - Jumps
  - Code coverage
- QEMU architecture deep dive: CPUs, SoCs, and board definitions
- Hands-on → Writing a minimal QEMU device model
Part 4: QEMU Architecture and Design Principles
- Overview of QEMU components and their interactions
- Understanding machine types and hardware emulation
- Execution modes and performance optimization
- Hands-on → Building and customizing a QEMU machine type for the ST Nucleo L452RE board
- Case studies of successful emulation and fuzzing in vulnerability research (IoT, embedded, web targets)
- Hands-on → Writing a clock module for the ST Nucleo L452RE QEMU board
- Hands-on → Writing a UART module for the same target
- Hands-on → Finding and exploiting vulnerabilities in an RTOS-based firmware on the ST Nucleo L452RE board
- Hands-on → Writing a harness for a specific component
Part 5: Real-World Case Studies
Pebble Watch on QEMU (STM32)
- RebbleOS code analysis
- Board implementation analysis
- Fuzzing harness design
- Exploring unused SVC/SWI slots
- Crash triage and exploitability assessment
- The Las Vegas Tale: accidentally finding a 0-day in RebbleOS
Part 6: Closed-Source Fuzzing — iPhone 11 & iPod touch 2G
- Featuring the work of Ntrung, Visual, and Martijn de Vos
- Approaching closed-source firmware targets
- Intricacies of iOS kernel, NAND, and ROMs
- Custom legacy toolchains (for iPod touch)
- iPhone 11 restore → patch → stitch → redo
- Companion VM for restore process
- Overview of kernel patches and patching approaches
- Other approaches for closed-source fuzzing: code caves and injection
- Re-writing and adapting the AFL harness
- Fuzzing campaign results
- iPhone 11 + iOS 14 fuzzing unveiled via QEMU