Talos Vulndev

Recommendations

Info

• OS should allocate a contiguous physical memory buffer (MmAllocateContiguousMemory is a good fit) • This mode is best suited for 1. Tracing of single application with sufficient size of buffer 2. Redirect the output to a MMIO port or some JTAG controllers • To enable: • Set the proper MSRs • MSR_IA32_RTIT_OUTPUT_BASE and MSR_IA32_RTIT_OUTPUT_MASK_PTRS • Start the Tracing by setting the “TraceEn” flag in the control register • The buffer will be filled by the processor in a circular-manner
• Table of Physical Addresses (aka ToPA) is a list of tables that describes each physical address used for storing the trace • A well-known data-structure definition (see the Intel Manual) • This allows the processor to write data even to non-contiguous memory regions • Binary compatibility with the “MDL” data structure of Windows kernel (important) * • Modality best suited for: 1. Tracing big code areas and/or dump the results in a user-mode file 2. Supporting pause/resume of a application and on-the-fly analyze the dump • Very powerful – an Interrupt could be generated by the processor at a certain point if the buffer is going to be full, or STOP signal
Page 3: • Research Manager • Cisco Talo
Page 8 and 9: • CPUID with leaf 0x7 can detect
Page 10 and 11: EAX = 0x14 - Intel Processor Trace
Page 12 and 13: • Implemented entirely in hardwar
Page 19 and 20: • We have decided to write a Wind
Page 21 and 22: • Processor Trace works with phys
Page 24 and 25: Vulnerability Discovery • Now we
Page 26 and 27: Evolutionary Fuzzing • Incrementa
Page 28 and 29: Amercian Fuzzy Lop • Michal Zalew
Page 30 and 31: • Trace Logging - Each block gets
Page 32 and 33: WinAFL • Ivan Fratric 2016 - Firs
Page 34 and 35: WinAFL • Ivan Fratric 2016 - Firs
Page 36 and 37: WinAFL IntelPT • Richard Johnson
Page 38 and 39: • Performance - Trace enabled - N
Page 41 and 42: • Tracing is used very often in f

Talos Vulndev

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?