Venus Fly Trap Software Solutions LLC
Links:

Cobralily

We use our emulator, named Cobralily (after the carnivorous plant native to Oregon), to help reverse engineer targets and find vulnerabilities in them. It allows us to research unusual targets without fiddling with physical hardware, which often requires specialized equipment and training. It also allows us to research targets without physically acquiring the targets themselves!

When we emulate a target, all we have to worry about is how bytes get in and out of the system, making it approachable by mere mortals such as ourselves. It is also more cost effective, because we don’t need specialized hardware or training just to perform tests.

Fuzzing with an emulator also scales much more effectively than with hardware. Doubling fuzzing throughput on an emulator means doubling the number of cores, which is much more tractable (and cost effective) than doubling the number of hardware devices, and that’s not to mention potential interference if the target involves some kind of radio interface.

We can use Cobralily ourselves to help perform vulnerability research on a specified device, as a service, or we can also add bespoke support to Cobralily for a specified device, and offer it as a product that you can use on your own.

Cobralily Features

  • Introspection: dump or modify any CPU register or area of main memory
  • Standard debugging features: single-stepping, breakpoints, watchpoints, etc.
  • Time traveling: stepping backwards, rewinding to the previous instruction that accessed memory
  • Memory poisoning, to support ASAN-like capabilities
  • Arbitrary data input/output, to support exotic physical interfaces
  • AFL-style code coverage
  • Totally scriptable: everything is supported with python bindings

We have a command line interface for daily usage that’s basically an interactable text interface for the python bindings. When the CLI is insufficient, scripts can be written directly in the python bindings themselves.

Supported Architectures

We currently support:

  • ARMv7
  • MIPS64
  • 2 others, redacted for OPSEC

The 2 other off-the-beaten-path architectures are used in a limited set of hardware, so we’re not publishing them here for OPSEC reasons; contact us to learn more.

We’re not scared of one-off architectures; as long as there’s documentation for the instructions, and ideally for the core and/or System-on-a-Chip, we don’t consider any architecture too exotic!

Why not QEMU/Unicorn/Qiling/<My Favorite Emulator>?

None of them quite hit the sweet spot for us. Our wishlist for an emulator:

  • Full system emulation
  • Easily scriptable (especially for writing fuzzers)
  • Quick to develop new guests in
  • Reasonably performant

Existing emulators check some or almost all of the boxes, but not quite to our liking. We didn’t like the idea of tacking missing features onto an existing emulator, because we would forever be maintaining compatibility with the upstream project that doesn’t share our priorities. This takes away time from doing what we do best (and enjoy the most): emulating new targets and finding vulnerabilities in them.

So, we decided to build our own emulator, and Cobralily is the result!