Evolutionary Kernel Fuzzing

Presented at Black Hat USA 2017, July 27, 2017, 2:30 p.m. (50 minutes)

The modern model of vulnerability mitigation includes robust sandboxing and usermode privilege separation to contain inevitable flaws in the design and implementation of software. As adoption of containment technology spreads to browsers and other software, we see the value of exploits continue to rise as multiple vulnerabilities must be chained together with extreme levels of binary artistry to achieve full system control. As such, there has recently been a high demand to identify kernel vulnerabilities that can bypass sandboxes and process isolation to successfully achieve full system compromise.

With this heightened demand, the past few years has seen a massive first wave of kernel vulnerability discovery in the graphics layer of the Windows kernel and the peripheral drivers of the Linux kernel. This first wave has proven successful even though the methods utilized tend to be using more rudimentary techniques of dumb mutational fuzzing or manual code review. This is a good indicator that it is time for investment in more advanced techniques that can be applied to kernel vulnerability research such as evolutionary fuzzing guided by code coverage.

This lecture will discuss methods for applying evolutionary coverage guided fuzzing to kernel system calls, IOCTLS, and other low level interfaces. First, to understand what makes an effective guided kernel fuzzer, we will discuss the tools available for open source drivers and kernels such as trinity and syzkaller which have found hundreds of vulnerabilities in the Linux kernel. Next we will look at using system emulators like QEMU for instrumenting kernel interfaces with code coverage to gain an understanding of the performance and limitations of this approach. Finally we will leverage our own custom driver to enable hardware branch tracing with Intel Processor Trace as a new method for evolutionary fuzzing against unmodified kernel binaries on Linux and Windows. The driver enabling this approach on Windows is authored by the presenter and available to the security community as opensource. This will be the first public lecture showing how to use highly performant modern hardware tracing engines to enable closed source kernel vulnerability research using coverage guided fuzzing.


  • Richard Johnson - Research Lead, Cisco Talos
    Richard Johnson is a computer security specialist with a focus on software vulnerability analysis. Currently the Research Lead of Talos Group for Cisco, Richard offers over 15 years of expertise and leadership in the software security industry. Current responsibilities include research and development of advanced fuzzing and crash analysis technologies facilitating the automation of the vulnerability triage and discovery process. Richard has presented annually at top-tier industry conferences worldwide for over a decade including Black Hat, Defcon, REcon, and Hack In The Box. Richard was also co-founder of the Uninformed Journal.


Similar Presentations: