TSFFS is a snapshotting, coverage-guided fuzzer built on the SIMICS full system simulator. TSFFS makes it easy to fuzz and triage crashes on traditionally challenging targets including UEFI applications, bootloaders, BIOS, kernel modules, and device firmware. TSSFS can even fuzz user-space applications on Linux and Windows. See the requirements to find out if TSSFS can fuzz your code.

• TSFFS: Target Software Fuzzer For SIMICS
  • Quick Start
  • Documentation & Setup
  • Capabilities
  • Use Cases
  • Contact
  • Help Wanted / Roadmap
  • Authors

The fastest way to start using TSFFS is with our dockerfile. To set up TSFFS locally instead, read the documentation.

git clone https://github.com/intel/tsffs
cd tsffs
docker build -t tsffs .
docker run -it tsffs

Then, run the provided example target and fuzzing configuration:

./simics -no-gui --no-win ./fuzz.simics

Documentation for setup & usage of this project lives in the docs directory of this repository.

This fuzzer is built using LibAFL and SIMICS and takes advantage of several of the state of the art capabilities of both.

• Edge coverage guided
• Snapshotting (fully deterministic)
• Parallel fuzzing (across cores, machines soon)
• Easy to add to existing SIMICS projects
• Triage mode to reproduce and debug crashes
• Modern fuzzing methodologies:
  • Redqueen/I2S taint-based mutation
  • MOpt & Auto-token mutations
  • More coming soon!

TSFFS is focused on several primary use cases:

• UEFI and BIOS code, particulary based on EDKII
• Pre- and early-silicon firmware and device drivers
• Hardware-dependent kernel and firmware code
• Fuzzing for complex error conditions

However, TSFFS is also capable of fuzzing:

• Kernel & kernel drivers on Windows Linux, and more
• User-space applications on Windows, Linux, and more
• Network applications
• Hypervisors and bare-metal systems

If you discover a non-security issue or problem, please file an issue!

The best place to ask questions about and get help using TSFFS is in the Awesome Fuzzing Discord server. If you prefer, you can email the authors. Questions we receive are periodically added from both Discord and email to the FAQ.

Please do not create issues or ask publicly about possible security issues you discover in TSFFS. Instead, see our Security Policy and follow the linked guidelines.

See the issues for a roadmap of planned features and enhancements. Help is welcome for any features listed here. If someone is assigned an issue you'd like to work on, please ping them to avoid duplicating effort!

Rowan Hart [email protected]

Brandon Marken Ph.D. [email protected]

Robert Guenzel Ph.D. [email protected]