hAFL1: Our Journey of Fuzzing Hyper-V and Discovering a 0-Day

Presented at Black Hat USA 2021, Aug. 4, 2021, 10:20 a.m. (40 minutes)

Fuzzers are tremendously important in the realm of vulnerability research, as they automate the process of bug discovery by rapidly feeding a target with numerous inputs. Several factors make up an efficient fuzzer. One of them is structure-awareness: leveraging knowledge of the input format to generate test cases. Another important property is coverage-guidance: the ability to mutate inputs based on previously visited execution paths. Sophisticated fuzzers have been developed and used to find critical vulnerabilities in all types of software.

Targeting Hyper-V with existing fuzzers is highly challenging. Hyper-V does not trivially support Intel-PT, and therefore when run on top of kAFL, the latter loses one of its strongest features: coverage-guidance. Other complexities arise from sending fuzzing inputs to Hyper-V virtualization service providers (VSPs). VSPs receive data through the VMBus interface, which is proprietary and undocumented. Moreover, data comes in specific formats depending on the protocol used on top of the VMBus channel.

To tackle these challenges we developed hAFL1, a kAFL-based fuzzing infrastructure for Hyper-V devices, of which vmswitch is a particular case. hAFL1's novel approach is that it sends fuzzing inputs from the host level. It mimics a child partition by initializing the necessary data structures in vmswitch and sending inputs to the target as if they had arrived over VMBus. By doing that, hAFL1 leverages Intel-PT to obtain coverage feedback. hAFL1 allows structure-aware fuzzing of RNDIS packets, and also provides detailed crash reports.

In this session, we present hAFL1 and provide the implementation bits required to write a Hyper-V fuzzer. We uncover a critical 0-day in Hyper-V vmswitch which was found using our fuzzer: an arbitrary read vulnerability. Finally, we show a live demo of exploiting this vulnerability, which until only a few weeks ago could take down big portions of Azure cloud infrastructure.

Presenters:

  • Ophir Harpaz - Senior Security Researcher, Guardicore
    Ophir Harpaz is a security researcher in Guardicore Labs. She enjoys reverse engineering, fighting with cybercriminals and playing CTFs. As an active member of Baot, a community for women developers, researchers and data scientists, she co-manages the tech-blogging program. Ophir has spoken at various security conferences including Botconf, SEC-T, HackFest and more. She has taught a reverse-engineering workshop and published an online version of it at https://begin.re to share her enthusiasm for reversing. Ophir has entered Forbes' list of 30-under-30 and won the Rising Star category of SC Magazine's Reboot awards for her achievements and contribution to the cybersecurity industry. You can follow Ophir on Twitter @OphirHarpaz.
  • Peleg Hadar - Senior Security Researcher, SafeBreach Labs
    Peleg Hadar (@peleghd) is a security researcher with 8+ years of unique experience in the security field. Currently, he is doing research at SafeBreach Labs after serving in various security positions at the IDF. His experience covers security from many angles, starting with network research and now mostly software research. Peleg mostly likes to investigate Microsoft Windows components. He has spoken at multiple infosec conferences such as Black Hat USA, DEF CON, TorSec, iSecCon, etc. Peleg was chosen for the 2021 Forbes 30UNDER30 list.
