Forked from richinseattle/gist:69affc0f05fae0c60ca612d3e078dd2d
Created
May 25, 2019 11:57
-
-
Save fuzzamos/4e423640a9e1aa1b2a49e739c4f59016 to your computer and use it in GitHub Desktop.
Revisions
-
richinseattle revised this gist
Jan 11, 2017 . 1 changed file with 1 addition and 3 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -54,9 +54,7 @@ NOTES FOR REVIEWER ================== New content in this talk compared to the slide deck is the addition of kernel module tracing support, an ida plugin to parse the traces, and an update to the winafl-intelpt code to do persistent mode and complete edge coverage instead of previous hack of only using the long jump targets. This required a technical solution of creating a JIT cache of branch targets as -
Jan 11, 2017 . 1 changed file with 3 additions and 4 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -45,10 +45,9 @@ execution. To keep performance as the highest priority, we have also created new methods for efficiently encoding weighted graphs into an efficiently comparable bytemap. New to this version of the talk is full support for kernel tracing, and an IDA plugin for visualization, and a JIT disassembly engine with cache for the winafl intelpt trace parsing. NOTES FOR REVIEWER -
Jan 11, 2017 .There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,66 @@ Harnessing Intel Processor Trace on Windows for Vulnerability Discovery Richard Johnson Biography Richard Johnson is a computer security specialist with a focus on software vulnerability analysis. Currently the Research Technical Lead of Talos Group for Cisco, Richard offers 15 years of expertise and leadership in the software security industry. Current responsibilities include research and development of advanced fuzzing and crash analysis technologies facilitating the automation of the vulnerability triage and discovery process. Richard has presented annually at top-tier industry conferences worldwide for over a decade and was co-founder of the Uninformed Journal. Abstract This talk will explore Intel Processor Trace, the new hardware branch tracing feature included in Intel Skylake processors. We will explain the design of Intel Processor trace and detail how the current generation implementation works including the various filtering modes and output configurations. This year we designed and developed the first opensource Intel PT driver for the Microsoft Windows operating system. We will discuss the architecture of the driver and the large number of low level programming hurdles we had to overcome throughout the development of the driver to program the PMU, including registering Performance Montering Interrupts (PMI), locating the Local Vector Table (LVT) Performance Monitor timer register, bypassing the TLB and cache through managing physical memory, and more. We will demonstrate the usage of Intel PT in Windows environments for diagnostic and debugging purposes, demonstrate an IDA plugin that can render coverage and loop information against user and kernel targets, and then discuss how weve harnessed this branch tracing engine for guided fuzzing. This year we have added the Intel PT tracing mode as an engine for targeting Windows binaries in the widely used evolutionary fuzzer, American Fuzzy Lop. This fuzzer is capable of using random mutation fuzzing with a code coverage feedback loop to explore new areas. Using our new Intel PT driver for Windows, we provide the fastest hardware supported engine for targeting binaries with evolutionary fuzzing. In addition we have added new functionality to AFL for guided fuzzing, which allows users to specify targeted areas on a program control flow graph that are of interest. This can be combined with static analysis results or known-vulnerable locations to help automate the creation of trigger inputs to reproduce a vulnerability without the limits of symbolic execution. To keep performance as the highest priority, we have also created new methods for efficiently encoding weighted graphs into an efficiently comparable bytemap. New to this version of the talk is full support for kernel tracing, multi-core support, using Windows ETW for hooking thread context switching and module loads/unloads, an IDA plugin for visualization, and a JIT disassembly engine with cache for the winafl intelpt trace parsing. NOTES FOR REVIEWER ================== New content in this talk compared to the slide deck is the addition of kernel module tracing support, multi-core support, an ida plugin to parse the traces, usage of Windows ETW for hooking thread context switches and module load/unload, implementation of the directed fuzzing mentioned in the abstract, and an update to the winafl-intelpt code to do persistent mode and complete edge coverage instead of previous hack of only using the long jump targets. This required a technical solution of creating a JIT cache of branch targets as the graph is explored for efficient lookup, making a truly effective and fast winafl-backend with parity of accuracy and better performance than winafl with dynamorio.