Talos Vulndev

Recommendations

Info

• Trace Logging – Each block gets a unique ID – Traversed edges are indexed into a bloom filter map – Create a hash from the src and dst block IDs – Increment map for each time an edge is traversed Amercian Fuzzy Lop – Each trace is easily comparable to the entire session history
Windows Evolutionary Fuzzing • Started research into this area in 2015 – High Performance Fuzzing – Go Speed Tracer • Windows Software primarily distributed as binaries – High speed binary code coverage required • Seemed like a good opportunity to use Intel Processor Trace – First prototyped on Linux using perf subsystem – Demoed at Ruxcon 2015 • Lack of a usable driver lead to partnership with Andrea
Page 3: • Research Manager • Cisco Talo
Page 8 and 9: • CPUID with leaf 0x7 can detect
Page 10 and 11: EAX = 0x14 - Intel Processor Trace
Page 12 and 13: • Implemented entirely in hardwar
Page 14 and 15: • OS should allocate a contiguous
Page 19 and 20: • We have decided to write a Wind
Page 21 and 22: • Processor Trace works with phys
Page 24 and 25: Vulnerability Discovery • Now we
Page 26 and 27: Evolutionary Fuzzing • Incrementa
Page 28 and 29: Amercian Fuzzy Lop • Michal Zalew
Page 32 and 33: WinAFL • Ivan Fratric 2016 - Firs
Page 34 and 35: WinAFL • Ivan Fratric 2016 - Firs
Page 36 and 37: WinAFL IntelPT • Richard Johnson
Page 38 and 39: • Performance - Trace enabled - N
Page 41 and 42: • Tracing is used very often in f

Talos Vulndev

Create successful ePaper yourself

Delete template?

Save as template?