QEMU AVR32
A QEMU AVR32 implementation. I extended QEMU to create the first working emulator that can execute AVR32 programs and firmware.
For my Master’s Thesis, I built an emulator for the AVR32 CPU architecture that is based on QEMU.
During my thesis, the emulator was used for a fuzzing-based security assessment of satellite firmware.
You can find the AVR32 implementation in my GitHub repository.
The emulator is capable of executing most of the AVR32 instruction set. For now, it does not support Java instructions or some special floating-point operations that were not needed during my thesis. However, I will continue to work on the emulator and expand its functionality. I hope that it will become a part of the mainline QEMU repository one day.
For the purpose of the security assessment in my thesis, I also expanded QEMU with a connection to the AFL++ fuzzing tool, as there is no support for a recent version of QEMU in AFL(++). The results of my thesis showed that fuzzing can be used to identify security issues in satellite firmware. Therefore, together with my supervisor, I expanded the emulator to show the exploitation of a vulnerability. Some of the details are described in this blog post.
As of July 2023, the GitHub repository contains three branches:
- avr32 with the basic architecture
- avr32-nanomind with an implementation for the A3200 Nanomind board
- opssat-sim with extensions to simulate and control the OPS-SAT firmware
If you are interested in learning more about fuzzing satellite firmware with QEMU or the exploitation, feel free to reach out to me. You can find my contact information on the home page. If you plan to use the emulator for your work and need some advice or have any questions, I am also happy to help.
In the future, I will write a series of articles on my blog in which I explain how a new architecture can be added to QEMU. So far, I published the following articles:
- Part 1: Basic hardware implementations
- Part 2: CPU Logic
- Part 3: Instruction translation
- Part 4: Branches and first testing
- Part 5: Testing Framework
- Part 6: QEMU helper functions
- Part 7: Coprocessor operations
- Part 8: Floating-point arithmetic
Testing framework
To test the implementation of the translation function, I developed a semi-automatic testing framework. The Framework was published in December 2023 on GitHub.
It is explained in an initial blog post and article 5 of my QEMU series.