# ? Proposal
Ziqiao Kong (ziqiaokong@gmail.com)
Title: Unicorn2 - Push Binary Fuzzing Towards Higher Realm
Points (from most to least significant):
- QEMU5
- Usermode MMU emulation (but without syscall fwd!)
- Memory Snapshot
- TCG opcode instrumentation -> enabling more possibilities
- Native MMIO support
- helper optimization
## Abstract
<!-- vs qemuafl
- not tied to linux, can support any architectures
- fine-grained control, not limited to statically linked binaries, not even ELF
- clean & simple designed API
vs unicorn1
- faster, both emulation & snapshots, tcg chaining back
- finer instrumentation with tcg code instrumentation
- better organization, not duplicating code
vs fuzzware/Qiling/...
- Tools/Frameworks based on Unicorn -->
Dating back to 2015, Unicorn 1.0, as the first multi-arch CPU emulator, has paved the way for and served as the building block of many impactful projects across several security research areas. One of the prevailing applications is fuzzing code in a cross-architecture manner, such as firmware fuzzing. While Unicorn 1.0 offers the ability to emulate a binary, its design is not well tailored for fuzzing and suffers from several issues:
- Slow performance because of memory access overhead
- Lack of support for MMIO access, which is crucial for peripheral emulation
- No way to instrument the intermediate code directly
- Lack of copy-on-write memory snapshots
- Outdated instruction sets (QEMU 2.2.1)
To solve these issues, we identify the obstacles and take another big step by building Unicorn 2.0. While all original features are preserved and remain compatible, Unicorn 2.0 offers another set of features:
- Upgrade to QEMU 5, with many new instruction sets and CPUs supported, and bring back TCG chaining
- 4 more architectures: PowerPC, RISCV, S390x & TriCore
- Enable a cross-architecture usermode MMU to minimize memory access overhead
- Allow users to instrument TCG opcodes for better flexibility
- Provide native MMIO support to facilitate peripheral emulation
- Copy-on-write memory snapshot support
This talk will first introduce the difficulties Unicorn 1.0 faced and review several existing tools and frameworks. Next, we will present our solutions and design details with a small fuzzing demo. The audience is expected to learn about the research and engineering progress of Unicorn Engine in recent years and how these features build a much faster fuzzer.
## Abstract2
Title: Tailor Unicorn for Fuzzing
To date, Unicorn Engine is still the state-of-the-art CPU emulation framework, providing a versatile programming interface and multi-architecture support. One of the prevailing usages of Unicorn Engine is fuzzing binaries of other architectures, such as router or baseband firmware. Many previous works prove the successful application of Unicorn Engine to rehosting and fuzzing these binaries.
However, Unicorn still has significant flaws for fuzzing, since Unicorn was not specially designed for fuzzing back in 2015. For instance, Unicorn has no support for firmware MMIO access, which is essential for interacting with peripherals. In addition, the throughput of Unicorn Engine as a fuzzer harness is not ideal because of high memory translation overhead and the lack of fast memory snapshots. Therefore, bearing the need for a fast harness in mind, we decided to tailor Unicorn Engine for fuzzing.
In this talk, we will first show the difficulties Unicorn Engine meets when fuzzing binaries and revisit Unicorn internals to analyze the issues. Next, we will present our solutions, including a usermode MMU fork along with TCG chaining, a native MMIO implementation, copy-on-write memory snapshots, etc. We will share how we exploit every performance optimization opportunity to speed up the fuzzer. Lastly, we will showcase how an existing fuzzer can benefit from a 5x performance boost without changing a single line, because our work is compatible with the Unicorn API.