Windows Kernel Fuzzing

Recommendations

Info

The Plan: To implement a <strong>Windows</strong> <strong>Kernel</strong> Fuzzer • Fuzzes on the current state • Logs testcases – Reproducible and minimisable • Extensible and modular – Core kernel, win32k and other drivers • Is able to run automated at a large scale • And most importantly finds a lot of vulns • Many implementation ideas borrowed from browser fuzzing Labs.mwrinfosecurity.com | © MWR Labs 8
Fuzzer Design and Implementation Labs.mwrinfosecurity.com | © MWR Labs 9
Page 1 and 2: Windows Kernel Fuzzing Nils T2 Info
Page 3 and 4: Introduction - About me • Nils (@
Page 5 and 6: Introduction - Goals Labs.mwrinfose
Page 7: What are we trying to find? • CVE
Page 11 and 12: Implementation • Everything imple
Page 13 and 14: Test Catalog - Implementation • E
Page 15 and 16: Test Catalog - Example - Short Form
Page 17 and 18: Handle DB Handles are references to
Page 19 and 20: Procedures • Execution of tests i
Page 21 and 22: Procedures - User Mode Callbacks
Page 23 and 24: Logging t0:main:SC_NtGdiCreateMetaf
Page 25 and 26: Reproducing Testcases • We get: t
Page 27 and 28: Repro Run 1. Fuzzer selects current
Page 29 and 30: Architecture - Manager Labs.mwrinfo
Page 31 and 32: Manager - Scaling it up • First O
Page 33 and 34: Manager - Scaling it up Labs.mwrinf
Page 35 and 36: Cloud - Costs ¯\_(ツ)_/¯ Example
Page 37 and 38: Minimising Testcases - Divide & Con
Page 39 and 40: Distributed Minimising • Divide a
Page 41 and 42: Special Pool • Page heap or Addre
Page 43 and 44: Exception Handlers - DISCLAIMER •
Page 45 and 46: Fuzzing with Minidumps • Configur
Page 47 and 48: Results - 26 Bugs reported so far 1
Page 49 and 50: Future Work • Open source the fuz

Windows Kernel Fuzzing

Create successful ePaper yourself

Delete template?

Save as template?