Marius Muench & Tobias Scharnowski

Fuzzing and Attacking Deeply Embedded Firmware


Trainer: Marius Muench & Tobias Scharnowski

Date: 30th Oct to 01st Nov 2023

Time: 9:00am to 5:00pm CEST

Venue: Marriott Hotel, The Hague, Netherlands

Training Level: Basic to Intermediate


Please note: the training ticket does not include access to the conference. Similarly, the conference ticket does not grant access to the trainings. If you have any questions, reach out to us.

Training Objectives:

This training teaches how to analyze, fuzz test, and exploit deeply embedded devices using custom embedded operating systems. These systems play a crucial role in the ever-growing Internet of Things and typically offer a lucrative attack surface with over-the-air interfaces, hardcoded secrets, and missing security protections.

During the training, we will examine the inner workings of a typical embedded system and re-discover memory corruption vulnerabilities in real-world embedded operating systems by combining reverse engineering, emulation, and fuzzing. We will then develop proof-of-concept exploits for the discovered vulnerabilities to demonstrate how an attacker can compromise the target system.

The full training is accompanied by various practical hands-on exercises and tinkering with a physical embedded training platform created for this training. After the training, we expect participants to feel comfortable independently analyzing deeply embedded systems of their choice.


What to Expect? | Key Learning Objectives:

In this training, you’ll learn about:

  • The inner workings of deeply embedded firmware
  • Fundamentals of firmware reverse engineering
  • Harnessing parsers for fuzzing
  • Fuzzing via full-system firmware rehosting
  • Overcoming typical fuzzing roadblocks
  • Triaging found crashes
  • Exploitation fundamentals for Arm Cortex-M systems

Training Detailed Description:

Day 1: Obtaining and Analyzing Firmware

  • Linux-based vs deeply embedded firmware
  • Hardware reconnaissance
  • Firmware extraction
  • Arm Thumb-v2 disassembly
  • Firmware reverse engineering with Ghidra

Day 2: Emulation and Fuzzing

  • Full-system vs selective emulation
  • Parser harnessing with unicornAFL
  • Emulating peripherals
  • Full-system rehosting and fuzzing with Fuzzware
  • Identifying and solving fuzzing roadblocks

Day 3: Exploitation and Outlook

  • Crash triaging and deduplication
  • Introduction to Cortex-M exploitation
  • Shellcoding vs Return-Oriented Programming
  • Building and debugging exploits
  • Advanced topics and training recap

Who Should Attend? | Target Audience:

  • Security Researchers
  • Firmware Developers
  • Curious Minds

What to Bring? | Software and Hardware Requirements:

  • Own laptop running Windows / Linux / macOS - Linux preferred
  • Up and running Visual Studio Code + Docker setup to work through exercises (Dockerfile and setup guide will be provided before the training)
  • Download and install Ghidra (using another RE tool is possible, but will not be discussed in class)

What to Bring? | Prerequisite Knowledge and Skills:

  • Basic knowledge in Python
  • Some background in C is a plus
  • Previous experience with firmware analysis, reverse engineering, or fuzzing is not required

Resources Provided at the Training | Deliverables:

  • lab manual
  • solutions and scripts discussed and developed during the class
  • during the lab: access to physical embedded training platform and equipment required to carry out the hands-on exercises

ABOUT THE TRAINERS

Marius is an assistant professor at the University of Birmingham. His research interests cover the (in-)security of embedded systems, binary and microarchitectural exploitation, and defenses. He obtained his PhD from Sorbonne University in cooperation with EURECOM and worked as a postdoctoral researcher at the Vrije Universiteit Amsterdam. He developed and maintains avatar2, a framework for analyzing embedded systems firmware, and FirmWire, an emulation platform for cellular basebands. Throughout his career, Marius has publicly shared his findings and presented at venues such as Black Hat USA, REcon, Hardwear.io, and Nullcon.

Tobias is an embedded systems security researcher at CISPA. In his academic research he focuses on the automated security testing of embedded firmware. He is the author of Fuzzware, a full-system fuzzer for monolithic firmware. Previously, he participated in countless CTFs, including the finals of Real World CTF, Hack-a-Sat, and DEF CON CTF. He has also presented on Siemens PLC security and, at Pwn2Own Miami, was the first to demonstrate a hack of DNP3, the protocol that powers the American electric grid.