Windows Kernel Fuzzing

Recommendations

Info

Introduction - Motivation • Local Privilege Escalation – Part of any serious in-the-wild attack – e.g. Sandbox breakout • We used a win32k buffer overflow at pwn2own 2013 – Wrote a fuzzer to find this – Many limitations (e.g. no repros) • Google Project Zero provided funding: – Further develop the fuzzer – Run it at scale Labs.mwrinfosecurity.com | © MWR Labs 4
Introduction - Goals Labs.mwrinfosecurity.com | © MWR Labs 5
Page 1 and 2: Windows Kernel Fuzzing Nils T2 Info
Page 3: Introduction - About me • Nils (@
Page 7 and 8: What are we trying to find? • CVE
Page 9 and 10: Fuzzer Design and Implementation La
Page 11 and 12: Implementation • Everything imple
Page 13 and 14: Test Catalog - Implementation • E
Page 15 and 16: Test Catalog - Example - Short Form
Page 17 and 18: Handle DB Handles are references to
Page 19 and 20: Procedures • Execution of tests i
Page 21 and 22: Procedures - User Mode Callbacks
Page 23 and 24: Logging t0:main:SC_NtGdiCreateMetaf
Page 25 and 26: Reproducing Testcases • We get: t
Page 27 and 28: Repro Run 1. Fuzzer selects current
Page 29 and 30: Architecture - Manager Labs.mwrinfo
Page 31 and 32: Manager - Scaling it up • First O
Page 33 and 34: Manager - Scaling it up Labs.mwrinf
Page 35 and 36: Cloud - Costs ¯\_(ツ)_/¯ Example
Page 37 and 38: Minimising Testcases - Divide & Con
Page 39 and 40: Distributed Minimising • Divide a
Page 41 and 42: Special Pool • Page heap or Addre
Page 43 and 44: Exception Handlers - DISCLAIMER •
Page 45 and 46: Fuzzing with Minidumps • Configur
Page 47 and 48: Results - 26 Bugs reported so far 1
Page 49 and 50: Future Work • Open source the fuz

Windows Kernel Fuzzing

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?