Fuzzing Linux with Xen

Presented at DEF CON 29 (2021), Aug. 8, 2021, 11 a.m. (45 minutes)

Last year we've successfully upstreamed a new feature to Xen that allows high-speed fuzzing of virtual machines (VMs) using VM-forking. Recently through collaboration with the Xen community external monitoring of VMs via Intel(r) Processor Trace has also been upstreamed. Combined with the native Virtual Machine Introspection (VMI) capability Xen now provides a unique platform for fuzzing and binary analysis. To illustrate the power of the platform we'll present the details of a real-world fuzzing operation that targeted Linux kernel-modules from an attack-vector that has previously been hard to reach: memory exposed to devices via Direct Memory Access (DMA) for fast I/O. If the input the kernel reads from DMA-exposed memory is malformed or malicious - what could happen? So far we discovered: 9 NULL-pointer dereferences; 3 array index out-of-bound accesses; 2 infinite-loops in IRQ context and 2 instances of tricking the kernel into accessing user-memory but thinking it is kernel memory. The bugs have been in Linux for many years and were found in kernel modules used by millions of devices. All bugs are now fixed upstream. This talk will walk you through how the bugs were found: what process we went through to identify the right code-locations; how we analyzed the kernel source and how we analyzed the runtime of the kernel with Xen to pinpoint the input points that read from DMA. The talk will explain the steps required to attach a debugger through the hypervisor to collect kernel crash logs and how to perform triaging of bugs via VM-fork execution-replay, a novel technique akin to time-travel debugging. Finally, we'll close with the release of a new open-source tool to perform full-VM taint analysis using Xen and Intel(r) Processor Trace. REFERENCES: https://github.com/intel/kernel-fuzzer-for-xen-project https://www.youtube.com/watch?v=3MYo8ctD_aU

Presenters:

• Tamas K Lengyel - Senior Security Researcher, Intel
  Tamas works as Senior Security Researcher at Intel. He received his PhD in Computer Science from the University of Connecticut where he built hypervisor-based malware-analysis and collection tools. In his free time he is maintainer of the Xen Project Hypervisor's VMI subsystem, LibVMI & the DRAKVUF binary analysis project. He currently serves as the Chief Research Officer at The Honeynet Project, a leading international non-profit organization that coordinates the development of open-source tools to fight against malware. Tamas gave prior talks at conferences such as BlackHat, CCC and Hacktivity. @tklengyel

Links:

• https://defcon.org/html/defcon-29/dc-29-speakers.html#lengyel
• https://infocon.org/cons/DEF CON/DEF CON 29/DEF CON 29 video and slides/DEF CON 29 - Tamas K Lengyel - Fuzzing Linux with Xen.mp4
• https://infocon.org/cons/DEF CON/DEF CON 29/DEF CON 29 presentations/Tamas K Lengyel - Fuzzing Linux with Xen.pdf (slides)
• https://infocon.org/cons/DEF CON/DEF CON 29/DEF CON 29 video and slides/DEF CON 29 - Tamas K Lengyel - Fuzzing Linux with Xen.srt (subtitles)
• https://www.youtube.com/watch?v=_dXC_I2ybr4

Similar Presentations:

• VB2019 / Play fuzzing machine - hunting iOS and macOS kernel vulnerabilities automatically and smartly
• Black Hat Europe 2021 / Your Trash Kernel Bug, My Precious 0-day
• Black Hat USA 2017 / Evolutionary Kernel Fuzzing