Hexagon processors are widely used on Qualcomm platforms. Almost all vital peripheral subsystems (e.g., baseband, WLAN, ADSP, NPU) run on Hexagon cores.
Security researchers who target these subsystems face three main challenges. First, the firmware running on Hexagon is not open source and can be very complex, so analyzing or reverse engineering it from scratch is extremely laborious. Second, for researchers who want to fuzz these targets, there is no open-source emulator available for Hexagon. Third, most of these targets depend on specific hardware, which makes the known traditional fuzzing techniques inefficient.
In this talk, we will share our solution to these challenges. We will introduce our Hexagon analysis framework, which dynamically collects information from a running target. The collected information includes the running state and the function call trace, and it allows us to distinguish input-handling functions from common library code. Such dynamic information is essential for finding attack surfaces and identifying vulnerable code for further analysis or fuzzing.
Based on this framework, we have further developed a fuzzing system that is coverage-guided and evolutionary. Moreover, the fuzzer runs on the real device, which overcomes the weakness of an emulator that lacks hardware support and therefore cannot reach deeper code paths.
First, we will discuss some possible approaches and their tradeoffs. Then we will introduce our solution and our analysis framework, covering its key principles, overall architecture, and the implementation of its vital components. We will also describe the architecture and principles of the fuzzing system, and explain how code coverage is measured and improved. Finally, we will demonstrate the framework and the fuzzer running against the Qualcomm baseband subsystem.