Coverage Guided Kernel Fuzzing

Presented at REcon 2017, June 17, 2017, 6 p.m. (Unknown duration)

The modern model of vulnerability mitigation includes robust sandboxing and user-mode privilege separation to contain inevitable flaws in the design and implementation of software. As adoption of containment technology spreads to browsers and other software, we see the value of exploits continue to rise, as multiple vulnerabilities must be chained together with extreme levels of binary artistry to achieve full system control. As such, there has recently been a high demand to identify kernel vulnerabilities that can bypass sandboxes and process isolation to successfully achieve full system compromise. With this heightened demand, the past few years have seen a massive first wave of kernel vulnerability discovery in the graphics layer of the Windows kernel and the peripheral drivers of the Linux kernel. This first wave has proven successful even though the methods used tend to be rudimentary: dumb mutational fuzzing or manual code review. This is a good indicator that it is time to invest in more advanced techniques that can be applied to kernel vulnerability research, such as evolutionary fuzzing guided by code coverage.

This lecture will discuss methods for applying coverage-guided fuzzing to kernel system calls, IOCTLs, and other low-level interfaces. First, to understand what makes an effective guided kernel fuzzer, we will discuss the tools available for open source drivers and kernels, such as trinity and syzkaller, which have found hundreds of vulnerabilities in the Linux kernel. Next we will look at using system emulators like QEMU to instrument kernel interfaces with code coverage, to gain an understanding of the performance and limitations of this approach. Finally we will leverage our own custom driver to enable hardware branch tracing with Intel Processor Trace as a new method for evolutionary fuzzing against unmodified kernel binaries on Linux and Windows. The driver enabling this approach on Windows is authored by the presenter and available to the security community as open source. This will be the first public lecture showing how to use highly performant modern hardware tracing engines to enable closed-source kernel vulnerability research using coverage-guided fuzzing.
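As an added illustration, not code from the talk or the presenter's driver, the toy below shows why coverage feedback beats dumb mutation on a nested IOCTL-style dispatcher: the `EDGE` macro stands in for the edge records a KCOV-instrumented kernel or an Intel PT decoder would supply, and `toy_ioctl`, its expected byte values and the iteration counts are all constructed for the example.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define INPUT_LEN 8                 /* one request: 2 cmd bytes + 6 argument bytes */
#define N_EDGES (INPUT_LEN + 1)     /* one edge per validation check + handler body */
#define CORPUS_MAX 64

static uint8_t cov[N_EDGES];        /* per-run coverage bitmap */
#define EDGE(i) (cov[(i)] = 1)      /* stand-in for a KCOV / Intel PT edge record */

/* Constructed toy dispatcher: each nested check (magic, command number,
 * argument fields) guards one more edge, like a real driver's validation. */
static void toy_ioctl(const uint8_t *in) {
    static const uint8_t want[INPUT_LEN] = {0x4B, 0x01, 0x7F, 0x33, 0xC0, 0xDE, 0xAD, 0x01};
    for (int i = 0; i < INPUT_LEN; i++) {
        EDGE(i);                    /* reached check i */
        if (in[i] != want[i]) return;
    }
    EDGE(INPUT_LEN);                /* all checks passed: handler body reached */
}

static uint32_t rng_state;
static uint32_t rng(void) {         /* xorshift32: deterministic, reproducible runs */
    uint32_t x = rng_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return rng_state = x;
}

static void mutate(const uint8_t *parent, uint8_t *child) {
    uint32_t r = rng();             /* low bits pick the byte, next byte picks the value */
    memcpy(child, parent, INPUT_LEN);
    child[r % INPUT_LEN] = (uint8_t)(r >> 8);
}

/* Runs `iters` mutations and returns the number of distinct edges reached.
 * guided=1: an input that hits a new edge joins the corpus (evolutionary).
 * guided=0: every mutation starts from the original seed (dumb mutational). */
int fuzz(int iters, int guided) {
    uint8_t corpus[CORPUS_MAX][INPUT_LEN] = {{0}}, child[INPUT_LEN], seen[N_EDGES] = {0};
    int corpus_len = 1, found = 0;  /* seed input: all zeros */
    rng_state = 0x9E3779B9u;
    for (int it = 0; it < iters; it++) {
        int parent = guided ? (int)(rng() % corpus_len) : 0;
        mutate(corpus[parent], child);
        memset(cov, 0, sizeof cov);
        toy_ioctl(child);
        int new_edge = 0;
        for (int e = 0; e < N_EDGES; e++)
            if (cov[e] && !seen[e]) { seen[e] = 1; found++; new_edge = 1; }
        if (new_edge && guided && corpus_len < CORPUS_MAX)
            memcpy(corpus[corpus_len++], child, INPUT_LEN);
    }
    return found;
}
```

With a million iterations the guided loop reaches all nine edges, while the dumb loop never gets past the second check, because a single-byte mutation of a fixed seed can satisfy only one nested check at a time.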
