![image 1](https://www.cyber.airbus.com/app/uploads/2023/06/image-1.png)
Fuzzing is one of the most favoured techniques used by researchers to discover vulnerabilities.
In this article, we introduce Ghidralligator, a newly designed tool. Ghidralligator is an emulator built upon Ghidra, capable of emulating a wide range of CPU architectures. Additionally, it can be integrated with AFL to enable snapshot fuzzing with code coverage functionality. Ghidralligator serves as the successor to afl_ghidra_emu.
For a comprehensive understanding of afl_ghidra_emu and fuzzing with code coverage, we recommend reading our previous article.
Ghidra Internals
Ghidra is a reverse engineering tool, developed by the NSA and released in 2019. It supports numerous CPU architectures. In afl_ghidra_emu, we utilised Ghidra’s emulation features. However, we encountered subpar performance due to Ghidra being substantial software primarily designed in Java, which is not optimised for the best possible emulation performance.
![image](https://www.cyber.airbus.com/app/uploads/2023/06/image-1024x319.png)
By delving deeper into Ghidra, we can identify two main components:
– The HMI (Human-Machine Interface), which is designed in Java.
– The decompile process, which is designed in C++.
The decompile process handles low-level tasks such as disassembly and decompilation. The HMI communicates with the decompile process through stdin/stdout.
As a result, the C++ source code for the decompile component can be re-used in another project for tasks such as disassembly, decompilation, and emulation!
In Ghidra, this C++ source code is referred to as libsla. Additional information can be found in Guillaume Valadon’s talk (in French).
Ghidralligator
Ghidralligator is developed in C++ and is based on the Ghidra libsla. Compared to afl_ghidra_emu, it offers significantly improved execution speed.
Ghidralligator leverages the intermediate language PCODE to achieve independence from CPU architectures. As a result, it can emulate any architecture supported by Ghidra.
Here are the features of Ghidralligator:
– Integration with AFL for code coverage analysis.
– Snapshot fuzzing.
– Detection of heap corruption issues such as out-of-bounds read/write operations, use-after-free, double-free, reading uninitialised memory, and read/write/execute access violations.
– CPU architecture independence.
Ghidralligator can be downloaded at https://github.com/airbus-cyber/ghidralligator.
![replay](https://www.cyber.airbus.com/app/uploads/2023/06/replay.gif)
![fuzz](https://www.cyber.airbus.com/app/uploads/2023/06/fuzz.gif)