Talos Vulndev

Recommendations

Info

• Implemented entirely in hardware • No over-head (I lied, very little overhead) • Works at a very low level • You can trace all software that the CPU runs (except for SGX secure containers) • Suppose you have to analyze an hypervisor or an evil SVM handler • With Intel PT you can do that! • Performance • Logs directly to physical memory, bypassing TLB and eliminating cache pollution • Minimal log format takes little time to record • One bit per conditional branch • Only indirect branches log dest address
• Different kinds of trace filtering: 1. Current Privilege Level (CPL) – used to trace kernel drivers 2. PML4 Page Table – used to trace a single process 3. Instruction Pointer – used to trace a particular slice of code (or module) • Two types of output logging: 1. Single Range 2. Table of Physical Addresses
Page 3: • Research Manager • Cisco Talo
Page 8 and 9: • CPUID with leaf 0x7 can detect
Page 10 and 11: EAX = 0x14 - Intel Processor Trace
Page 14 and 15: • OS should allocate a contiguous
Page 19 and 20: • We have decided to write a Wind
Page 21 and 22: • Processor Trace works with phys
Page 24 and 25: Vulnerability Discovery • Now we
Page 26 and 27: Evolutionary Fuzzing • Incrementa
Page 28 and 29: Amercian Fuzzy Lop • Michal Zalew
Page 30 and 31: • Trace Logging - Each block gets
Page 32 and 33: WinAFL • Ivan Fratric 2016 - Firs
Page 34 and 35: WinAFL • Ivan Fratric 2016 - Firs
Page 36 and 37: WinAFL IntelPT • Richard Johnson
Page 38 and 39: • Performance - Trace enabled - N
Page 41 and 42: • Tracing is used very often in f

Talos Vulndev

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?