Skip to content

Impalabs/hyperpom

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

11 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

hyperpom logo

HYPERPOM
AArch64 fuzzing library based on the Apple Silicon hypervisor


shields.io license shields.io version shields.io platform
shields.io rust version shields.io crates.io shields.io crates.io


Table of contents

Hyperpom is a coverage-guided mutation-based fuzzing framework built on top of the Apple Silicon Hypervisor. It has been designed to easily instrument and fuzz AArch64 userland binaries.

⚠️ Disclaimer

The idea behind this project was to create an efficient and fast fuzzer that would leverage Apple Silicon's features. However, at this stage, while the fuzzer works, it is still mostly a proof of concept and requires tons of enhancement to provide better features, usability and performances.

It might be enough for your use cases, but keep in mind that you might encounter limitations that weren't factored in while designing the project. In any case, feel free to open an issue and we'll try to address your problem.

Getting Started

Prerequisites

  1. Install Rust and rustup using the official guide.
  2. Install the nightly channel.
rustup toolchain install nightly
  1. To use this channel when compiling you can either:

    • set it as default using rustup default nightly;
    • or add +nightly everytime you compile a binary with cargo.
  2. Install Cmake, using brew for example:

brew install cmake

Self-Signed Binaries and Hypervisor Entitlement

To be able to reach the Hypervisor Framework, a binary executable has to have been granted the hypervisor entitlement.

You can add this entitlement to a binary located at /path/to/binary by using the entitlements.xml file found at the root of the Hyperpom repository and the following command:

codesign --sign - --entitlements entitlements.xml --deep --force /path/to/binary

Compilation Workflow

Create a Rust project and add Hyperpom as a dependency in Cargo.toml. You can either pull it from crates.io ...

# Check which version is the latest, this part of the README might not be updated
# in future releases.
hyperpom = "0.1.0"

... or directly from the GitHub repository.

hyperpom = { git="https://github.com/impalabs/hyperpom", branch="master" }

Create a file called entitlements.txt in the project's root directory and add the following:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.hypervisor</key>
    <true/>
</dict>
</plist>

Write code and then build the project.

cargo build --release

Sign the binary and grant the hypervisor entitlement.

codesign --sign - --entitlements entitlements.xml --deep --force target/release/${PROJECT_NAME}

Run the binary.

target/release/${PROJECT_NAME}

Documentation

The documentation is available online at the following address: https://docs.rs/hyperpom

Alternatively, you can generate it using cargo:

cargo doc --open

The documentation contains information on using the framework and its internals. For an in-depth guide, have a look at the Loader chapter, which provides examples on how to use the fuzzer and harness your targets.

Examples

Four examples are provided to give you a better understanding of how the framework operates and get you started:

You can also have a look at the tests.

Running the Tests

To run tests using the Makefile provided with the project, you'll first need to install jq. You can do so using brew:

brew install jq

You can then run the tests with the provided Makefile using the following command:

make tests

Authors

About

AArch64 fuzzer based on the Apple Silicon hypervisor

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages