Abstract

The modern model of vulnerability mitigation includes robust
sandboxing and user-mode privilege separation to contain the inevitable
flaws in the design and implementation of software. As containment
technology spreads to browsers and other software, the value of exploits
continues to rise, since multiple vulnerabilities must be chained
together with extreme levels of binary artistry to achieve full system
control. There is therefore high demand for kernel vulnerabilities that
bypass sandboxes and process isolation to achieve full system
compromise.

With this heightened demand, the past few years have seen a massive
first wave of kernel vulnerability discovery in the graphics layer of
the Windows kernel and the peripheral drivers of the Linux kernel.
This first wave has been successful even though the methods used tend
to be the rudimentary ones: blind mutational fuzzing or manual code
review. That is a good indicator that it is time to invest in more
advanced techniques for kernel vulnerability research, such as
evolutionary fuzzing guided by code coverage.

This lecture will discuss methods for applying coverage-guided fuzzing
to kernel system calls, IOCTLs, and other low-level interfaces. First,
to understand what makes an effective guided kernel fuzzer, we will
discuss the tools available for open source drivers and kernels, such
as trinity and syzkaller, which have found hundreds of vulnerabilities
in the Linux kernel. Next we will look at using system emulators such
as QEMU to instrument kernel interfaces with code coverage, to gain an
understanding of the performance and limitations of that approach.
Finally we will use our own custom driver to enable hardware branch
tracing with Intel Processor Trace as a new method for evolutionary
fuzzing against unmodified kernel binaries on Linux and Windows. The
driver enabling this approach on Windows is authored by the presenter
and available to the security community as open source. This will be
the first public lecture showing how to use highly performant modern
hardware tracing engines to enable closed-source kernel vulnerability
research using coverage-guided fuzzing.
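The core loop that the lecture builds on, whether coverage comes from QEMU instrumentation or from Intel PT, is the same: run a candidate input against the kernel interface, record which control-flow edges executed, and keep the input as a new parent only if it reached an edge never seen before. The following is an added example, not code from the lecture or from syzkaller or trinity, that shows that loop in the smallest form that still works: an AFL-style edge bitmap fed by source macros (standing in for the emulator or hardware trace), a constructed IOCTL-like handler (`toy_ioctl`) whose deepest path is gated by four independent byte checks, and a mutator that only ever changes one byte at a time. All identifiers, the request layout, the block ids and the "fault" return value are constructed for illustration.

```c
/* Added example: minimal coverage-guided (evolutionary) fuzzer against a
 * constructed IOCTL-style handler. Source macros stand in for the QEMU or
 * Intel PT tracing discussed in the lecture; nothing here is kernel code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAP_SIZE   256   /* edge-hit map; production fuzzers use 64 KiB */
#define MAX_CORPUS 64

static uint8_t  cov_map[MAP_SIZE];  /* edges hit by the current run       */
static uint8_t  virgin[MAP_SIZE];   /* edges ever seen during the campaign */
static uint32_t prev_loc;

/* AFL-style edge id: current block XOR previous block. Shifting prev_loc
 * keeps A->B and B->A as distinct edges. Block ids are arbitrary constants. */
#define TRACE_BLOCK(id) do { cov_map[((id) ^ prev_loc) % MAP_SIZE] = 1; \
                             prev_loc = (id) >> 1; } while (0)

/* Constructed target. Each nested check depends on a different byte, which
 * is exactly the shape where coverage feedback beats blind mutation. */
struct ioctl_req { uint8_t cmd; uint8_t len; uint8_t data[16]; };

int toy_ioctl(const struct ioctl_req *r) {
    prev_loc = 0;
    TRACE_BLOCK(0x3b1);
    if (r->cmd == 0xC1) {
        TRACE_BLOCK(0x97c);
        if (r->len > 8 && r->len <= 16) {
            TRACE_BLOCK(0x2e5);
            if (r->data[0] == 'K') {
                TRACE_BLOCK(0xd0a);
                if (r->data[1] == 'F') {
                    TRACE_BLOCK(0x611);
                    return 1;   /* constructed fault: stands in for a kernel panic */
                }
            }
        }
    } else if (r->cmd == 0xC2) {
        TRACE_BLOCK(0x7e3);
    }
    TRACE_BLOCK(0xa48);
    return 0;
}

/* Deterministic PRNG (xorshift64) so a campaign is reproducible. */
static uint64_t rng_state = 0x9E3779B97F4A7C15ULL;
static uint32_t rnd(void) {
    rng_state ^= rng_state << 13; rng_state ^= rng_state >> 7; rng_state ^= rng_state << 17;
    return (uint32_t)(rng_state >> 32);
}

static struct ioctl_req corpus[MAX_CORPUS];
static int corpus_n;
static struct ioctl_req crash_input;

/* Merge this run's edges into the global map; report whether any were new. */
static int has_new_edges(void) {
    int fresh = 0;
    for (int i = 0; i < MAP_SIZE; i++)
        if (cov_map[i] && !virgin[i]) { virgin[i] = 1; fresh = 1; }
    return fresh;
}

/* One random single-byte mutation: overwrite, bit flip, or increment. */
static void mutate(struct ioctl_req *r) {
    uint8_t *b = (uint8_t *)r;
    uint32_t pos = rnd() % (uint32_t)sizeof *r;
    switch (rnd() % 3) {
    case 0:  b[pos] = (uint8_t)rnd();          break;
    case 1:  b[pos] ^= (uint8_t)(1u << (rnd() % 8)); break;
    default: b[pos] += 1;                       break;
    }
}

/* Runs the campaign from an all-zero seed. Returns the iteration at which
 * the constructed fault was reached, or -1 if the budget ran out. */
long fuzz_until_crash(long budget) {
    memset(virgin, 0, sizeof virgin);
    memset(&corpus[0], 0, sizeof corpus[0]);
    memset(cov_map, 0, sizeof cov_map);
    toy_ioctl(&corpus[0]);
    has_new_edges();
    corpus_n = 1;
    for (long it = 0; it < budget; it++) {
        struct ioctl_req cand = corpus[rnd() % (uint32_t)corpus_n];
        mutate(&cand);
        memset(cov_map, 0, sizeof cov_map);
        if (toy_ioctl(&cand)) { crash_input = cand; return it; }
        if (has_new_edges() && corpus_n < MAX_CORPUS)
            corpus[corpus_n++] = cand;   /* new edge: keep as a future parent */
    }
    return -1;
}

int corpus_size(void) { return corpus_n; }
const struct ioctl_req *crash_reproducer(void) { return &crash_input; }

int main(void) {
    long it = fuzz_until_crash(3000000);
    printf("fault reached at iteration %ld, corpus size %d\n", it, corpus_n);
    return it < 0;
}
```

The interesting design point is that the mutator never learns the magic values; the corpus does. An input that sets `cmd` correctly reaches one new edge and is kept, so later mutations start from it, and each of the four gates costs roughly one byte's worth of search rather than all four at once. That is the whole argument for paying the instrumentation cost of QEMU or Intel PT: without the edge map, the same mutator would need to guess all gated bytes simultaneously.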