SlideShare una empresa de Scribd logo

Make static instrumentation great again, High performance fuzzing for Windows system

L
Lucas Leong

BlueHat IL 2019

Ingeniería
1 de 41
Descargar para leer sin conexión
Make static instrumentation great again High performance fuzzing for Windows system Lucas Leong (@_wmliang_) 1
#whoami • Security researcher from Trend Micro • Interested in • vulnerability discovery • binary exploitation • reverse engineering • symbolic execution • MSRC TOP 100 • HITCON CTF team 2
Agenda • Motivation • Related works • AFL 101 • Implementation • Benchmark • Demo • Case study CLFS, CNG, Registry • Conclusion 3
Motivation • 2014 Nov, AFL is released • I want to fuzz windows target 4
Motivation • 2014 Nov, AFL is released • I want to fuzz windows target • 2016 Jul, WinAFL is committed • I want a better performance, support kernel 5
Motivation • 2014 Nov, AFL is released • I want to fuzz windows target • 2016 Jul, WinAFL is committed • I want a better performance, support kernel • 2017 Jul, Static binary instrumentation via syzygy is merged • I don’t have full PDB • And I want more, scale up, etc 6
Motivation 7
Related works – static • WinAFL • Use dynamic binary instrumentation via DynamoRIO • Support static binary instrumentation via syzygy • Require full PDB 8
Related works – dynamic • DARKO • Static analysis via Capstone • Dynamic binary rewriting via Keystone • Cross platforms and architectures • KFUZZ • Focus on windows kernel driver • Dynamic binary rewriting • Use interrupt instead of hook to solve the tiny basic block problem 9
Related works – hardware • winafl-intelpt • Use the built-in Intel PT driver (ipt.sys) in RS5 • kAFL • Combine QEMU/KVM and Intel PT • Scale-up and cross platform fuzzing • Filter with vCPU/Supervisor/CR3/IP-Range 10
Related works – virtualization • applepie • Combine Bochs and WHVP API • Get code coverage at the hypervisor level • Restore snapshot with the modified pages only 11
AFL 101 12 initialize mutate input choose input from queue new coverage ? crash ? run targetsave in queue save Yes No Yes No
AFL 101 • Instrument each basic block on compile-time (afl-gcc) • Record code coverage on execution-time (afl-fuzz) 13 instrumented lea rsp,[rsp-0x98] mov QWORD PTR [rsp],rdx mov QWORD PTR [rsp+0x8],rcx mov QWORD PTR [rsp+0x10],rax mov rcx,0x5c80 call 4009a8 <__afl_maybe_log> mov rax,QWORD PTR [rsp+0x10] mov rcx,QWORD PTR [rsp+0x8] mov rdx,QWORD PTR [rsp] lea rsp,[rsp+0x98]
Implementation – pe-afl • Do the similar thing statically 14 coverage bitmap instrumented
Implementation – pe-afl • Expand code and update jump • short jump to long jump 15 jmp loc_123 loc_456: … [Instrumented code] … jmp loc_456 loc_123: + size of instrumented code - size of instrumented code
Implementation – pe-afl • Duplicate executable section • Some DATA still remains on the original section • Append .coverage for coverage bitmap • Update • PE header • section table • export table • SEH handle table • relocation table 16 HEADER .text .data PAGE INIT .reloc HEADER .text .data PAGE INIT .text2 PAGE2 INIT2 .coverage .reloc Before instrument After instrument
Implementation – pe-afl • All the static information is from IDA pro • basic block • branch • target address • op code • operand • stack frame • … 17
Implementation – pe-afl • Reason to collect stack frame information 18 Before stack frame poisoning After stack frame poisoning
Implementation – pe-afl 19 • Oops
Challenge for SBI • The mix of DATA and CODE in executable section is the source of problems • Take care of DATA in executable section • 2-byte alignment for unicode string argument in WIN32 API • 4-byte alignment for SEHandlerTable 20
Challenge for SBI • The mix of DATA and CODE in executable section is the source of problems • Confuse between DATA and CODE • Assume DATA as CODE, DATA may be corrupted eg. CreateFile(“ABC”) -> CreateFile(“[instrumented code]ABC”) • Assume CODE as DATA, coverage is missed or the execution may fail eg. jmp [old loc] -> jmp [old loc] 21
Challenge for SBI • The mix of DATA and CODE in executable section is the source of problems • Confuse between DATA and CODE • Assume DATA as CODE, DATA may be corrupted • Assume CODE as DATA, the execution may fail 22
Challenge for SBI • The mix of DATA and CODE in executable section is the source of problems • Confuse between DATA and CODE • Public symbol can solve 23
Challenge for SBI • The mix of DATA and CODE in executable section is the source of problems • Confuse between DATA and CODE • Public symbol can solve, otherwise … • IDA pro is improving 24
Challenge for SBI • The mix of DATA and CODE in executable section is the source of problems • Confuse between DATA and CODE • Public symbol can solve, otherwise … • IDA pro is improving, otherwise … • Assume DATA as CODE, DATA may be corrupted • Instrument before branch instead of basic block • Validate the branch, otherwise alert it • Assume CODE as DATA, the execution may fail • Look for valid branch in suspicious data • Filter with known data type and alert it 25
Challenge for SBI • The mix of DATA and CODE in executable section is the source of problems • Confuse between DATA and CODE • Workaround 26 Instrumenting mspaint.exe without PDB
Implementation – pe-afl • Fuzz on user-mode 27 kernel user test_wrapper.exe afl-fuzz.exe afl_shm_XXX afl_shm_XXX mapped target.dll .coverage pipe
Implementation – pe-afl • Fuzz on kernel-mode 28 kernel user target.sys .coverage test_wrapper.exe .coverage mapped afl-fuzz.exe afl_shm_XXX afl_shm_XXX mapped helper.sys pipe
Implementation – pe-afl • Type of instrument on fuzzing • PID filtering • multi-thread different afl_prev_loc for each thread • inline-mode in assembly vs. callback-mode in C 29
Benchmark • Test on gdiplus.dll • Win10, 1 vm, 4GB ram, i7-7600, 1 core • WINAFL states that “This approach has been found to introduce an overhead about 2x compared to the native execution speed” 30 pe-afl (w/o instrument) 522 exec/s pe-afl 508 exec/s winafl (edge mode) 236 exec/s
Demo 31
Case study (1) • CLFS • First try on kernel driver • Well-known attack vector • Btw, it was sandboxed • Parsing un-document BLF binary format in kernel • Entry point CreateTransactionManager(“input.blf”) • Patch checksum • 2 weeks, 8 vms • 2 CVE + won’t fix case • CVE-2018-0844, pool overflow • CVE-2018-0846, UAF 32
Case study (2) • CNG • Entry point IOCTL • Applicable on any kind of IOCTL fuzzing • Coverage is stuck at the beginning • Try to figure out the root cause 33
Case study (2) • CNG • Entry point IOCTL • Applicable on any kind of IOCTL fuzzing • Coverage is stuck at the beginning • Benefit from SBI, it is easy to dump execution trace 34 Import into lighthouse
Case study (2) • CNG • Entry point IOCTL • Applicable on any kind of IOCTL fuzzing • Coverage is stuck at the beginning • Benefit from SBI, it is easy to dump execution trace • It needs valid object eg. CreateEvent() • It needs magic header eg. 0x1a2b3c4d • 1 week, 8 vms • 1 CVE • CVE-2018-8207, pool OOB read 35
Case study (3) • Registry Hive • Parsing un-document registry hive format in ntoskrnl.exe • Entry point RegLoadAppKey(“input.dat”) • Have to instrument around 7MB ntoskrnl.exe • Support and use partial instrument here 36
Case study (3) • Registry Hive • Parsing un-document registry hive format in ntoskrnl.exe • Entry point RegLoadAppKey(“input.dat”) • Have to instrument around 7MB ntoskrnl.exe • Support and use partial instrument here RE = ’_?Cm|_Hv[^il]’ • No CVE • Global state in registry brings the non-deterministic on fuzzing 37
Case study (3) – post story • Full instrumentation on ntoskrnl.exe • Everything works except one • Self-modifying branch  38
Case study (3) – post story • Full instrumentation on ntoskrnl.exe • Everything works except one • Self-modifying branch  • Detectable • Skip with partial instrumentation • Workaround 39
Conclusion • Show the possibility and limitation of SBI on PE file and fuzzing • Not so reliable and elegant, but it works and high performance • Benefit from SBI • Not only feedback code coverage, but also data, stack depth … • Not only for fuzzing, but also for bug detection, tracing … • Open source • https://github.com/wmliang/pe-afl 40
Thanks • Thanks • AFL, WINAFL • Lays, Steward Fu, Serena Lin • Bluehat IL conference team • Contact • https://twitter.com/_wmliang_ • lucas_leong@trendmicro.com 41

Recomendados

DeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelDeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelPeter Hlavaty
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" Peter Hlavaty
 
WSL Reloaded
WSL ReloadedWSL Reloaded
WSL ReloadedAnthony LAOU-HINE TSUEI
 
Linux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend ProgramingLinux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend ProgramingAngel Boy
 
Advanced heap exploitaion
Advanced heap exploitaionAdvanced heap exploitaion
Advanced heap exploitaionAngel Boy
 
CSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_mark
CSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_markCSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_mark
CSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_markCanSecWest
 
Return to dlresolve
Return to dlresolveReturn to dlresolve
Return to dlresolveAngel Boy
 
Android 逆向工程心得分享
Android 逆向工程心得分享Android 逆向工程心得分享
Android 逆向工程心得分享EnPing Eric Hsieh
 

Recomendados

DeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelDeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelPeter Hlavaty
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" Peter Hlavaty
 
WSL Reloaded
WSL ReloadedWSL Reloaded
WSL ReloadedAnthony LAOU-HINE TSUEI
 
Linux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend ProgramingLinux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend ProgramingAngel Boy
 
Advanced heap exploitaion
Advanced heap exploitaionAdvanced heap exploitaion
Advanced heap exploitaionAngel Boy
 
CSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_mark
CSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_markCSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_mark
CSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_markCanSecWest
 
Return to dlresolve
Return to dlresolveReturn to dlresolve
Return to dlresolveAngel Boy
 
Android 逆向工程心得分享
Android 逆向工程心得分享Android 逆向工程心得分享
Android 逆向工程心得分享EnPing Eric Hsieh
 
Pwning in c++ (basic)
Pwning in c++ (basic)Pwning in c++ (basic)
Pwning in c++ (basic)Angel Boy
 
Operating Systems - A Primer
Operating Systems - A PrimerOperating Systems - A Primer
Operating Systems - A PrimerSaumil Shah
 
Tcache Exploitation
Tcache ExploitationTcache Exploitation
Tcache ExploitationAngel Boy
 
Heap exploitation
Heap exploitationHeap exploitation
Heap exploitationAngel Boy
 
Social Engineering the Windows Kernel by James Forshaw
Social Engineering the Windows Kernel by James ForshawSocial Engineering the Windows Kernel by James Forshaw
Social Engineering the Windows Kernel by James ForshawShakacon
 
Play with FILE Structure - Yet Another Binary Exploit Technique
Play with FILE Structure - Yet Another Binary Exploit TechniquePlay with FILE Structure - Yet Another Binary Exploit Technique
Play with FILE Structure - Yet Another Binary Exploit TechniqueAngel Boy
 
ret2dl resolve
ret2dl resolveret2dl resolve
ret2dl resolvesounakano
 
Sigreturn Oriented Programming
Sigreturn Oriented ProgrammingSigreturn Oriented Programming
Sigreturn Oriented ProgrammingAngel Boy
 
Memcache Injection (Hacktrick'15)
Memcache Injection (Hacktrick'15)Memcache Injection (Hacktrick'15)
Memcache Injection (Hacktrick'15)Ömer Çıtak
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueWill Schroeder
 
Client side attacks using PowerShell
Client side attacks using PowerShellClient side attacks using PowerShell
Client side attacks using PowerShellNikhil Mittal
 
Build a Micro HTTP Server for Embedded System
Build a Micro HTTP Server for Embedded SystemBuild a Micro HTTP Server for Embedded System
Build a Micro HTTP Server for Embedded SystemJian-Hong Pan
 
[CB16] DeathNote of Microsoft Windows Kernel by Peter Hlavaty & Jin Long
[CB16] DeathNote of Microsoft Windows Kernel by Peter Hlavaty & Jin Long[CB16] DeathNote of Microsoft Windows Kernel by Peter Hlavaty & Jin Long
[CB16] DeathNote of Microsoft Windows Kernel by Peter Hlavaty & Jin LongCODE BLUE
 
Sisteme de Operare: Analiza executabilelor și proceselor
Sisteme de Operare: Analiza executabilelor și proceselorSisteme de Operare: Analiza executabilelor și proceselor
Sisteme de Operare: Analiza executabilelor și proceselorAlexandru Radovici
 
Linux Binary Exploitation - Heap Exploitation
Linux Binary Exploitation - Heap Exploitation Linux Binary Exploitation - Heap Exploitation
Linux Binary Exploitation - Heap Exploitation Angel Boy
 
Visual Studio를 이용한 어셈블리어 학습 part 1
Visual Studio를 이용한 어셈블리어 학습 part 1Visual Studio를 이용한 어셈블리어 학습 part 1
Visual Studio를 이용한 어셈블리어 학습 part 1YEONG-CHEON YOU
 
CNIT 126 4: A Crash Course in x86 Disassembly
CNIT 126 4: A Crash Course in x86 DisassemblyCNIT 126 4: A Crash Course in x86 Disassembly
CNIT 126 4: A Crash Course in x86 DisassemblySam Bowne
 
CNIT 127: Ch 3: Shellcode
CNIT 127: Ch 3: ShellcodeCNIT 127: Ch 3: Shellcode
CNIT 127: Ch 3: ShellcodeSam Bowne
 
Binary exploitation - AIS3
Binary exploitation - AIS3Binary exploitation - AIS3
Binary exploitation - AIS3Angel Boy
 
송창규, unity build로 빌드타임 반토막내기, NDC2010
송창규, unity build로 빌드타임 반토막내기, NDC2010송창규, unity build로 빌드타임 반토막내기, NDC2010
송창규, unity build로 빌드타임 반토막내기, NDC2010devCAT Studio, NEXON
 
Groovy In the Cloud
Groovy In the CloudGroovy In the Cloud
Groovy In the CloudJim Driscoll
 
Kernel Recipes 2015: Solving the Linux storage scalability bottlenecks
Kernel Recipes 2015: Solving the Linux storage scalability bottlenecksKernel Recipes 2015: Solving the Linux storage scalability bottlenecks
Kernel Recipes 2015: Solving the Linux storage scalability bottlenecksAnne Nicolas
 

Más contenido relacionado

La actualidad más candente

Pwning in c++ (basic)
Pwning in c++ (basic)Pwning in c++ (basic)
Pwning in c++ (basic)Angel Boy
 
Operating Systems - A Primer
Operating Systems - A PrimerOperating Systems - A Primer
Operating Systems - A PrimerSaumil Shah
 
Tcache Exploitation
Tcache ExploitationTcache Exploitation
Tcache ExploitationAngel Boy
 
Heap exploitation
Heap exploitationHeap exploitation
Heap exploitationAngel Boy
 
Social Engineering the Windows Kernel by James Forshaw
Social Engineering the Windows Kernel by James ForshawSocial Engineering the Windows Kernel by James Forshaw
Social Engineering the Windows Kernel by James ForshawShakacon
 
Play with FILE Structure - Yet Another Binary Exploit Technique
Play with FILE Structure - Yet Another Binary Exploit TechniquePlay with FILE Structure - Yet Another Binary Exploit Technique
Play with FILE Structure - Yet Another Binary Exploit TechniqueAngel Boy
 
ret2dl resolve
ret2dl resolveret2dl resolve
ret2dl resolvesounakano
 
Sigreturn Oriented Programming
Sigreturn Oriented ProgrammingSigreturn Oriented Programming
Sigreturn Oriented ProgrammingAngel Boy
 
Memcache Injection (Hacktrick'15)
Memcache Injection (Hacktrick'15)Memcache Injection (Hacktrick'15)
Memcache Injection (Hacktrick'15)Ömer Çıtak
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueWill Schroeder
 
Client side attacks using PowerShell
Client side attacks using PowerShellClient side attacks using PowerShell
Client side attacks using PowerShellNikhil Mittal
 
Build a Micro HTTP Server for Embedded System
Build a Micro HTTP Server for Embedded SystemBuild a Micro HTTP Server for Embedded System
Build a Micro HTTP Server for Embedded SystemJian-Hong Pan
 
[CB16] DeathNote of Microsoft Windows Kernel by Peter Hlavaty & Jin Long
[CB16] DeathNote of Microsoft Windows Kernel by Peter Hlavaty & Jin Long[CB16] DeathNote of Microsoft Windows Kernel by Peter Hlavaty & Jin Long
[CB16] DeathNote of Microsoft Windows Kernel by Peter Hlavaty & Jin LongCODE BLUE
 
Sisteme de Operare: Analiza executabilelor și proceselor
Sisteme de Operare: Analiza executabilelor și proceselorSisteme de Operare: Analiza executabilelor și proceselor
Sisteme de Operare: Analiza executabilelor și proceselorAlexandru Radovici
 
Linux Binary Exploitation - Heap Exploitation
Linux Binary Exploitation - Heap Exploitation Linux Binary Exploitation - Heap Exploitation
Linux Binary Exploitation - Heap Exploitation Angel Boy
 
Visual Studio를 이용한 어셈블리어 학습 part 1
Visual Studio를 이용한 어셈블리어 학습 part 1Visual Studio를 이용한 어셈블리어 학습 part 1
Visual Studio를 이용한 어셈블리어 학습 part 1YEONG-CHEON YOU
 
CNIT 126 4: A Crash Course in x86 Disassembly
CNIT 126 4: A Crash Course in x86 DisassemblyCNIT 126 4: A Crash Course in x86 Disassembly
CNIT 126 4: A Crash Course in x86 DisassemblySam Bowne
 
CNIT 127: Ch 3: Shellcode
CNIT 127: Ch 3: ShellcodeCNIT 127: Ch 3: Shellcode
CNIT 127: Ch 3: ShellcodeSam Bowne
 
Binary exploitation - AIS3
Binary exploitation - AIS3Binary exploitation - AIS3
Binary exploitation - AIS3Angel Boy
 
송창규, unity build로 빌드타임 반토막내기, NDC2010
송창규, unity build로 빌드타임 반토막내기, NDC2010송창규, unity build로 빌드타임 반토막내기, NDC2010
송창규, unity build로 빌드타임 반토막내기, NDC2010devCAT Studio, NEXON
 

La actualidad más candente (20)

Pwning in c++ (basic)
Pwning in c++ (basic)Pwning in c++ (basic)
Pwning in c++ (basic)
 
Operating Systems - A Primer
Operating Systems - A PrimerOperating Systems - A Primer
Operating Systems - A Primer
 
Tcache Exploitation
Tcache ExploitationTcache Exploitation
Tcache Exploitation
 
Heap exploitation
Heap exploitationHeap exploitation
Heap exploitation
 
Social Engineering the Windows Kernel by James Forshaw
Social Engineering the Windows Kernel by James ForshawSocial Engineering the Windows Kernel by James Forshaw
Social Engineering the Windows Kernel by James Forshaw
 
Play with FILE Structure - Yet Another Binary Exploit Technique
Play with FILE Structure - Yet Another Binary Exploit TechniquePlay with FILE Structure - Yet Another Binary Exploit Technique
Play with FILE Structure - Yet Another Binary Exploit Technique
 
ret2dl resolve
ret2dl resolveret2dl resolve
ret2dl resolve
 
Sigreturn Oriented Programming
Sigreturn Oriented ProgrammingSigreturn Oriented Programming
Sigreturn Oriented Programming
 
Memcache Injection (Hacktrick'15)
Memcache Injection (Hacktrick'15)Memcache Injection (Hacktrick'15)
Memcache Injection (Hacktrick'15)
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs Blue
 
Client side attacks using PowerShell
Client side attacks using PowerShellClient side attacks using PowerShell
Client side attacks using PowerShell
 
Build a Micro HTTP Server for Embedded System
Build a Micro HTTP Server for Embedded SystemBuild a Micro HTTP Server for Embedded System
Build a Micro HTTP Server for Embedded System
 
[CB16] DeathNote of Microsoft Windows Kernel by Peter Hlavaty & Jin Long
[CB16] DeathNote of Microsoft Windows Kernel by Peter Hlavaty & Jin Long[CB16] DeathNote of Microsoft Windows Kernel by Peter Hlavaty & Jin Long
[CB16] DeathNote of Microsoft Windows Kernel by Peter Hlavaty & Jin Long
 
Sisteme de Operare: Analiza executabilelor și proceselor
Sisteme de Operare: Analiza executabilelor și proceselorSisteme de Operare: Analiza executabilelor și proceselor
Sisteme de Operare: Analiza executabilelor și proceselor
 
Linux Binary Exploitation - Heap Exploitation
Linux Binary Exploitation - Heap Exploitation Linux Binary Exploitation - Heap Exploitation
Linux Binary Exploitation - Heap Exploitation
 
Visual Studio를 이용한 어셈블리어 학습 part 1
Visual Studio를 이용한 어셈블리어 학습 part 1Visual Studio를 이용한 어셈블리어 학습 part 1
Visual Studio를 이용한 어셈블리어 학습 part 1
 
CNIT 126 4: A Crash Course in x86 Disassembly
CNIT 126 4: A Crash Course in x86 DisassemblyCNIT 126 4: A Crash Course in x86 Disassembly
CNIT 126 4: A Crash Course in x86 Disassembly
 
CNIT 127: Ch 3: Shellcode
CNIT 127: Ch 3: ShellcodeCNIT 127: Ch 3: Shellcode
CNIT 127: Ch 3: Shellcode
 
Binary exploitation - AIS3
Binary exploitation - AIS3Binary exploitation - AIS3
Binary exploitation - AIS3
 
송창규, unity build로 빌드타임 반토막내기, NDC2010
송창규, unity build로 빌드타임 반토막내기, NDC2010송창규, unity build로 빌드타임 반토막내기, NDC2010
송창규, unity build로 빌드타임 반토막내기, NDC2010
 

Similar a Make static instrumentation great again, High performance fuzzing for Windows system

Groovy In the Cloud
Groovy In the CloudGroovy In the Cloud
Groovy In the CloudJim Driscoll
 
Kernel Recipes 2015: Solving the Linux storage scalability bottlenecks
Kernel Recipes 2015: Solving the Linux storage scalability bottlenecksKernel Recipes 2015: Solving the Linux storage scalability bottlenecks
Kernel Recipes 2015: Solving the Linux storage scalability bottlenecksAnne Nicolas
 
Dynamic Instrumentation- OpenEBS Golang Meetup July 2017
Dynamic Instrumentation- OpenEBS Golang Meetup July 2017Dynamic Instrumentation- OpenEBS Golang Meetup July 2017
Dynamic Instrumentation- OpenEBS Golang Meetup July 2017OpenEBS
 
Devel::NYTProf v3 - 200908 (OUTDATED, see 201008)
Devel::NYTProf v3 - 200908 (OUTDATED, see 201008)Devel::NYTProf v3 - 200908 (OUTDATED, see 201008)
Devel::NYTProf v3 - 200908 (OUTDATED, see 201008)Tim Bunce
 
Performance Benchmarking: Tips, Tricks, and Lessons Learned
Performance Benchmarking: Tips, Tricks, and Lessons LearnedPerformance Benchmarking: Tips, Tricks, and Lessons Learned
Performance Benchmarking: Tips, Tricks, and Lessons LearnedTim Callaghan
 
Non equilibrium Molecular Simulations of Polymers under Flow Saving Energy th...
Non equilibrium Molecular Simulations of Polymers under Flow Saving Energy th...Non equilibrium Molecular Simulations of Polymers under Flow Saving Energy th...
Non equilibrium Molecular Simulations of Polymers under Flow Saving Energy th...ORAU
 
What to expect from Java 9
What to expect from Java 9What to expect from Java 9
What to expect from Java 9Ivan Krylov
 
Practical Windows Kernel Exploitation
Practical Windows Kernel ExploitationPractical Windows Kernel Exploitation
Practical Windows Kernel ExploitationzeroSteiner
 
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote ShellcodeAj MaChInE
 
Devel::NYTProf 2009-07 (OUTDATED, see 201008)
Devel::NYTProf 2009-07 (OUTDATED, see 201008)Devel::NYTProf 2009-07 (OUTDATED, see 201008)
Devel::NYTProf 2009-07 (OUTDATED, see 201008)Tim Bunce
 
Coverage Solutions on Emulators
Coverage Solutions on EmulatorsCoverage Solutions on Emulators
Coverage Solutions on EmulatorsDVClub
 
What’s eating python performance
What’s eating python performanceWhat’s eating python performance
What’s eating python performancePiotr Przymus
 
Sista: Improving Cog’s JIT performance
Sista: Improving Cog’s JIT performanceSista: Improving Cog’s JIT performance
Sista: Improving Cog’s JIT performanceESUG
 
Security research over Windows #defcon china
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon chinaPeter Hlavaty
 
Ansible for Configuration Management for Lohika DevOps training 2018 @ Lohika...
Ansible for Configuration Management for Lohika DevOps training 2018 @ Lohika...Ansible for Configuration Management for Lohika DevOps training 2018 @ Lohika...
Ansible for Configuration Management for Lohika DevOps training 2018 @ Lohika...Ihor Banadiga
 

Similar a Make static instrumentation great again, High performance fuzzing for Windows system (20)

Groovy In the Cloud
Groovy In the CloudGroovy In the Cloud
Groovy In the Cloud
 
Kernel Recipes 2015: Solving the Linux storage scalability bottlenecks
Kernel Recipes 2015: Solving the Linux storage scalability bottlenecksKernel Recipes 2015: Solving the Linux storage scalability bottlenecks
Kernel Recipes 2015: Solving the Linux storage scalability bottlenecks
 
Dynamic Instrumentation- OpenEBS Golang Meetup July 2017
Dynamic Instrumentation- OpenEBS Golang Meetup July 2017Dynamic Instrumentation- OpenEBS Golang Meetup July 2017
Dynamic Instrumentation- OpenEBS Golang Meetup July 2017
 
Devel::NYTProf v3 - 200908 (OUTDATED, see 201008)
Devel::NYTProf v3 - 200908 (OUTDATED, see 201008)Devel::NYTProf v3 - 200908 (OUTDATED, see 201008)
Devel::NYTProf v3 - 200908 (OUTDATED, see 201008)
 
Performance Benchmarking: Tips, Tricks, and Lessons Learned
Performance Benchmarking: Tips, Tricks, and Lessons LearnedPerformance Benchmarking: Tips, Tricks, and Lessons Learned
Performance Benchmarking: Tips, Tricks, and Lessons Learned
 
Introduction to DevOps
Introduction to DevOpsIntroduction to DevOps
Introduction to DevOps
 
Non equilibrium Molecular Simulations of Polymers under Flow Saving Energy th...
Non equilibrium Molecular Simulations of Polymers under Flow Saving Energy th...Non equilibrium Molecular Simulations of Polymers under Flow Saving Energy th...
Non equilibrium Molecular Simulations of Polymers under Flow Saving Energy th...
 
HotSpotコトハジメ
HotSpotコトハジメHotSpotコトハジメ
HotSpotコトハジメ
 
What to expect from Java 9
What to expect from Java 9What to expect from Java 9
What to expect from Java 9
 
Practical Windows Kernel Exploitation
Practical Windows Kernel ExploitationPractical Windows Kernel Exploitation
Practical Windows Kernel Exploitation
 
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
 
HDFS Erasure Coding in Action
HDFS Erasure Coding in Action HDFS Erasure Coding in Action
HDFS Erasure Coding in Action
 
RISC V in Spacer
RISC V in SpacerRISC V in Spacer
RISC V in Spacer
 
Devel::NYTProf 2009-07 (OUTDATED, see 201008)
Devel::NYTProf 2009-07 (OUTDATED, see 201008)Devel::NYTProf 2009-07 (OUTDATED, see 201008)
Devel::NYTProf 2009-07 (OUTDATED, see 201008)
 
Coverage Solutions on Emulators
Coverage Solutions on EmulatorsCoverage Solutions on Emulators
Coverage Solutions on Emulators
 
What’s eating python performance
What’s eating python performanceWhat’s eating python performance
What’s eating python performance
 
Sista: Improving Cog’s JIT performance
Sista: Improving Cog’s JIT performanceSista: Improving Cog’s JIT performance
Sista: Improving Cog’s JIT performance
 
Security research over Windows #defcon china
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon china
 
Ansible for Configuration Management for Lohika DevOps training 2018 @ Lohika...
Ansible for Configuration Management for Lohika DevOps training 2018 @ Lohika...Ansible for Configuration Management for Lohika DevOps training 2018 @ Lohika...
Ansible for Configuration Management for Lohika DevOps training 2018 @ Lohika...
 
SDAccel Design Contest: Vivado HLS
SDAccel Design Contest: Vivado HLSSDAccel Design Contest: Vivado HLS
SDAccel Design Contest: Vivado HLS
 

Último

School management system project Report.pdf
School management system project Report.pdfSchool management system project Report.pdf
School management system project Report.pdfKamal Acharya
 
Introduction to Serverless with AWS Lambda
Introduction to Serverless with AWS LambdaIntroduction to Serverless with AWS Lambda
Introduction to Serverless with AWS LambdaOmar Fathy
 
data_management_and _data_science_cheat_sheet.pdf
data_management_and _data_science_cheat_sheet.pdfdata_management_and _data_science_cheat_sheet.pdf
data_management_and _data_science_cheat_sheet.pdfJiananWang21
 
"Lesotho Leaps Forward: A Chronicle of Transformative Developments"
"Lesotho Leaps Forward: A Chronicle of Transformative Developments""Lesotho Leaps Forward: A Chronicle of Transformative Developments"
"Lesotho Leaps Forward: A Chronicle of Transformative Developments"mphochane1998
 
Tamil Call Girls Bhayandar WhatsApp +91-9930687706, Best Service
Tamil Call Girls Bhayandar WhatsApp +91-9930687706, Best ServiceTamil Call Girls Bhayandar WhatsApp +91-9930687706, Best Service
Tamil Call Girls Bhayandar WhatsApp +91-9930687706, Best Servicemeghakumariji156
 
DC MACHINE-Motoring and generation, Armature circuit equation
DC MACHINE-Motoring and generation, Armature circuit equationDC MACHINE-Motoring and generation, Armature circuit equation
DC MACHINE-Motoring and generation, Armature circuit equationBhangaleSonal
 
A Study of Urban Area Plan for Pabna Municipality
A Study of Urban Area Plan for Pabna MunicipalityA Study of Urban Area Plan for Pabna Municipality
A Study of Urban Area Plan for Pabna MunicipalityMorshed Ahmed Rahath
 
A CASE STUDY ON CERAMIC INDUSTRY OF BANGLADESH.pptx
A CASE STUDY ON CERAMIC INDUSTRY OF BANGLADESH.pptxA CASE STUDY ON CERAMIC INDUSTRY OF BANGLADESH.pptx
A CASE STUDY ON CERAMIC INDUSTRY OF BANGLADESH.pptxmaisarahman1
 
Thermal Engineering-R & A / C - unit - V
Thermal Engineering-R & A / C - unit - VThermal Engineering-R & A / C - unit - V
Thermal Engineering-R & A / C - unit - VDineshKumar4165
 
Moment Distribution Method For Btech Civil
Moment Distribution Method For Btech CivilMoment Distribution Method For Btech Civil
Moment Distribution Method For Btech CivilVinayVitekari
 
Thermal Engineering Unit - I & II . ppt
Thermal Engineering Unit - I & II . pptThermal Engineering Unit - I & II . ppt
Thermal Engineering Unit - I & II . pptDineshKumar4165
 
Standard vs Custom Battery Packs - Decoding the Power Play
Standard vs Custom Battery Packs - Decoding the Power PlayStandard vs Custom Battery Packs - Decoding the Power Play
Standard vs Custom Battery Packs - Decoding the Power PlayEpec Engineered Technologies
 
Design For Accessibility: Getting it right from the start
Design For Accessibility: Getting it right from the startDesign For Accessibility: Getting it right from the start
Design For Accessibility: Getting it right from the startQuintin Balsdon
 
Generative AI or GenAI technology based PPT
Generative AI or GenAI technology based PPTGenerative AI or GenAI technology based PPT
Generative AI or GenAI technology based PPTbhaskargani46
 
Online food ordering system project report.pdf
Online food ordering system project report.pdfOnline food ordering system project report.pdf
Online food ordering system project report.pdfKamal Acharya
 
S1S2 B.Arch MGU - HOA1&2 Module 3 -Temple Architecture of Kerala.pptx
S1S2 B.Arch MGU - HOA1&2 Module 3 -Temple Architecture of Kerala.pptxS1S2 B.Arch MGU - HOA1&2 Module 3 -Temple Architecture of Kerala.pptx
S1S2 B.Arch MGU - HOA1&2 Module 3 -Temple Architecture of Kerala.pptxSCMS School of Architecture
 
PE 459 LECTURE 2- natural gas basic concepts and properties
PE 459 LECTURE 2- natural gas basic concepts and propertiesPE 459 LECTURE 2- natural gas basic concepts and properties
PE 459 LECTURE 2- natural gas basic concepts and propertiessarkmank1
 
Double Revolving field theory-how the rotor develops torque
Double Revolving field theory-how the rotor develops torqueDouble Revolving field theory-how the rotor develops torque
Double Revolving field theory-how the rotor develops torqueBhangaleSonal
 

Último (20)

School management system project Report.pdf
School management system project Report.pdfSchool management system project Report.pdf
School management system project Report.pdf
 
Introduction to Serverless with AWS Lambda
Introduction to Serverless with AWS LambdaIntroduction to Serverless with AWS Lambda
Introduction to Serverless with AWS Lambda
 
data_management_and _data_science_cheat_sheet.pdf
data_management_and _data_science_cheat_sheet.pdfdata_management_and _data_science_cheat_sheet.pdf
data_management_and _data_science_cheat_sheet.pdf
 
"Lesotho Leaps Forward: A Chronicle of Transformative Developments"
"Lesotho Leaps Forward: A Chronicle of Transformative Developments""Lesotho Leaps Forward: A Chronicle of Transformative Developments"
"Lesotho Leaps Forward: A Chronicle of Transformative Developments"
 
Tamil Call Girls Bhayandar WhatsApp +91-9930687706, Best Service
Tamil Call Girls Bhayandar WhatsApp +91-9930687706, Best ServiceTamil Call Girls Bhayandar WhatsApp +91-9930687706, Best Service
Tamil Call Girls Bhayandar WhatsApp +91-9930687706, Best Service
 
DC MACHINE-Motoring and generation, Armature circuit equation
DC MACHINE-Motoring and generation, Armature circuit equationDC MACHINE-Motoring and generation, Armature circuit equation
DC MACHINE-Motoring and generation, Armature circuit equation
 
A Study of Urban Area Plan for Pabna Municipality
A Study of Urban Area Plan for Pabna MunicipalityA Study of Urban Area Plan for Pabna Municipality
A Study of Urban Area Plan for Pabna Municipality
 
A CASE STUDY ON CERAMIC INDUSTRY OF BANGLADESH.pptx
A CASE STUDY ON CERAMIC INDUSTRY OF BANGLADESH.pptxA CASE STUDY ON CERAMIC INDUSTRY OF BANGLADESH.pptx
A CASE STUDY ON CERAMIC INDUSTRY OF BANGLADESH.pptx
 
Call Girls in South Ex (delhi) call me [🔝9953056974🔝] escort service 24X7
Call Girls in South Ex (delhi) call me [🔝9953056974🔝] escort service 24X7Call Girls in South Ex (delhi) call me [🔝9953056974🔝] escort service 24X7
Call Girls in South Ex (delhi) call me [🔝9953056974🔝] escort service 24X7
 
Thermal Engineering-R & A / C - unit - V
Thermal Engineering-R & A / C - unit - VThermal Engineering-R & A / C - unit - V
Thermal Engineering-R & A / C - unit - V
 
Moment Distribution Method For Btech Civil
Moment Distribution Method For Btech CivilMoment Distribution Method For Btech Civil
Moment Distribution Method For Btech Civil
 
Thermal Engineering Unit - I & II . ppt
Thermal Engineering Unit - I & II . pptThermal Engineering Unit - I & II . ppt
Thermal Engineering Unit - I & II . ppt
 
Standard vs Custom Battery Packs - Decoding the Power Play
Standard vs Custom Battery Packs - Decoding the Power PlayStandard vs Custom Battery Packs - Decoding the Power Play
Standard vs Custom Battery Packs - Decoding the Power Play
 
Design For Accessibility: Getting it right from the start
Design For Accessibility: Getting it right from the startDesign For Accessibility: Getting it right from the start
Design For Accessibility: Getting it right from the start
 
Generative AI or GenAI technology based PPT
Generative AI or GenAI technology based PPTGenerative AI or GenAI technology based PPT
Generative AI or GenAI technology based PPT
 
Integrated Test Rig For HTFE-25 - Neometrix
Integrated Test Rig For HTFE-25 - NeometrixIntegrated Test Rig For HTFE-25 - Neometrix
Integrated Test Rig For HTFE-25 - Neometrix
 
Online food ordering system project report.pdf
Online food ordering system project report.pdfOnline food ordering system project report.pdf
Online food ordering system project report.pdf
 
S1S2 B.Arch MGU - HOA1&2 Module 3 -Temple Architecture of Kerala.pptx
S1S2 B.Arch MGU - HOA1&2 Module 3 -Temple Architecture of Kerala.pptxS1S2 B.Arch MGU - HOA1&2 Module 3 -Temple Architecture of Kerala.pptx
S1S2 B.Arch MGU - HOA1&2 Module 3 -Temple Architecture of Kerala.pptx
 
PE 459 LECTURE 2- natural gas basic concepts and properties
PE 459 LECTURE 2- natural gas basic concepts and propertiesPE 459 LECTURE 2- natural gas basic concepts and properties
PE 459 LECTURE 2- natural gas basic concepts and properties
 
Double Revolving field theory-how the rotor develops torque
Double Revolving field theory-how the rotor develops torqueDouble Revolving field theory-how the rotor develops torque
Double Revolving field theory-how the rotor develops torque
 

Make static instrumentation great again, High performance fuzzing for Windows system

  • 1. Make static instrumentation great again High performance fuzzing for Windows system Lucas Leong (@_wmliang_) 1
  • 2. #whoami • Security researcher from Trend Micro • Interested in • vulnerability discovery • binary exploitation • reverse engineering • symbolic execution • MSRC TOP 100 • HITCON CTF team 2
  • 3. Agenda • Motivation • Related works • AFL 101 • Implementation • Benchmark • Demo • Case study CLFS, CNG, Registry • Conclusion 3
  • 4. Motivation • 2014 Nov, AFL is released • I want to fuzz windows target 4
  • 5. Motivation • 2014 Nov, AFL is released • I want to fuzz windows target • 2016 Jul, WinAFL is committed • I want a better performance, support kernel 5
  • 6. Motivation • 2014 Nov, AFL is released • I want to fuzz windows target • 2016 Jul, WinAFL is committed • I want a better performance, support kernel • 2017 Jul, Static binary instrumentation via syzygy is merged • I don’t have full PDB • And I want more, scale up, etc 6
  • 8. Related works – static • WinAFL • Use dynamic binary instrumentation via DynamoRIO • Support static binary instrumentation via syzygy • Require full PDB 8
  • 9. Related works – dynamic • DARKO • Static analysis via Capstone • Dynamic binary rewriting via Keystone • Cross platforms and architectures • KFUZZ • Focus on windows kernel driver • Dynamic binary rewriting • Use interrupt instead of hook to solve the tiny basic block problem 9
  • 10. Related works – hardware • winafl-intelpt • Use the built-in Intel PT driver (ipt.sys) in RS5 • kAFL • Combine QEMU/KVM and Intel PT • Scale-up and cross platform fuzzing • Filter with vCPU/Supervisor/CR3/IP-Range 10
  • 11. Related works – virtualization • applepie • Combine Bochs and WHVP API • Get code coverage at the hypervisor level • Restore snapshot with the modified pages only 11
  • 12. AFL 101 12 initialize mutate input choose input from queue new coverage ? crash ? run targetsave in queue save Yes No Yes No
  • 13. AFL 101 • Instrument each basic block on compile-time (afl-gcc) • Record code coverage on execution-time (afl-fuzz) 13 instrumented lea rsp,[rsp-0x98] mov QWORD PTR [rsp],rdx mov QWORD PTR [rsp+0x8],rcx mov QWORD PTR [rsp+0x10],rax mov rcx,0x5c80 call 4009a8 <__afl_maybe_log> mov rax,QWORD PTR [rsp+0x10] mov rcx,QWORD PTR [rsp+0x8] mov rdx,QWORD PTR [rsp] lea rsp,[rsp+0x98]
  • 14. Implementation – pe-afl • Do the similar thing statically 14 coverage bitmap instrumented
  • 15. Implementation – pe-afl • Expand code and update jump • short jump to long jump 15 jmp loc_123 loc_456: … [Instrumented code] … jmp loc_456 loc_123: + size of instrumented code - size of instrumented code
  • 16. Implementation – pe-afl • Duplicate executable section • Some DATA still remains on the original section • Append .coverage for coverage bitmap • Update • PE header • section table • export table • SEH handle table • relocation table 16 HEADER .text .data PAGE INIT .reloc HEADER .text .data PAGE INIT .text2 PAGE2 INIT2 .coverage .reloc Before instrument After instrument
  • 17. Implementation – pe-afl • All the static information is from IDA pro • basic block • branch • target address • op code • operand • stack frame • … 17
  • 18. Implementation – pe-afl • Reason to collect stack frame information 18 Before stack frame poisoning After stack frame poisoning
  • 20. Challenge for SBI • The mix of DATA and CODE in executable section is the source of problems • Take care of DATA in executable section • 2-byte alignment for unicode string argument in WIN32 API • 4-byte alignment for SEHandlerTable 20
  • 21. Challenge for SBI • The mix of DATA and CODE in executable section is the source of problems • Confuse between DATA and CODE • Assume DATA as CODE, DATA may be corrupted eg. CreateFile(“ABC”) -> CreateFile(“[instrumented code]ABC”) • Assume CODE as DATA, coverage is missed or the execution may fail eg. jmp [old loc] -> jmp [old loc] 21
  • 22. Challenge for SBI • The mix of DATA and CODE in executable section is the source of problems • Confuse between DATA and CODE • Assume DATA as CODE, DATA may be corrupted • Assume CODE as DATA, the execution may fail 22
  • 23. Challenge for SBI • The mix of DATA and CODE in executable section is the source of problems • Confuse between DATA and CODE • Public symbol can solve 23
  • 24. Challenge for SBI • The mix of DATA and CODE in executable section is the source of problems • Confuse between DATA and CODE • Public symbol can solve, otherwise … • IDA pro is improving 24
  • 25. Challenge for SBI • The mix of DATA and CODE in executable section is the source of problems • Confuse between DATA and CODE • Public symbol can solve, otherwise … • IDA pro is improving, otherwise … • Assume DATA as CODE, DATA may be corrupted • Instrument before branch instead of basic block • Validate the branch, otherwise alert it • Assume CODE as DATA, the execution may fail • Look for valid branch in suspicious data • Filter with known data type and alert it 25
  • 26. Challenge for SBI • The mix of DATA and CODE in executable section is the source of problems • Confuse between DATA and CODE • Workaround 26 Instrumenting mspaint.exe without PDB
  • 27. Implementation – pe-afl • Fuzz on user-mode 27 kernel user test_wrapper.exe afl-fuzz.exe afl_shm_XXX afl_shm_XXX mapped target.dll .coverage pipe
  • 28. Implementation – pe-afl • Fuzz on kernel-mode 28 kernel user target.sys .coverage test_wrapper.exe .coverage mapped afl-fuzz.exe afl_shm_XXX afl_shm_XXX mapped helper.sys pipe
  • 29. Implementation – pe-afl • Type of instrument on fuzzing • PID filtering • multi-thread different afl_prev_loc for each thread • inline-mode in assembly vs. callback-mode in C 29
  • 30. Benchmark • Test on gdiplus.dll • Win10, 1 vm, 4GB ram, i7-7600, 1 core • WINAFL states that “This approach has been found to introduce an overhead about 2x compared to the native execution speed” 30 pe-afl (w/o instrument) 522 exec/s pe-afl 508 exec/s winafl (edge mode) 236 exec/s
  • 32. Case study (1) • CLFS • First try on kernel driver • Well-known attack vector • Btw, it was sandboxed • Parsing un-document BLF binary format in kernel • Entry point CreateTransactionManager(“input.blf”) • Patch checksum • 2 weeks, 8 vms • 2 CVE + won’t fix case • CVE-2018-0844, pool overflow • CVE-2018-0846, UAF 32
  • 33. Case study (2) • CNG • Entry point IOCTL • Applicable on any kind of IOCTL fuzzing • Coverage is stuck at the beginning • Try to figure out the root cause 33
  • 34. Case study (2) • CNG • Entry point IOCTL • Applicable on any kind of IOCTL fuzzing • Coverage is stuck at the beginning • Benefit from SBI, it is easy to dump execution trace 34 Import into lighthouse
  • 35. Case study (2) • CNG • Entry point IOCTL • Applicable on any kind of IOCTL fuzzing • Coverage is stuck at the beginning • Benefit from SBI, it is easy to dump execution trace • It needs valid object eg. CreateEvent() • It needs magic header eg. 0x1a2b3c4d • 1 week, 8 vms • 1 CVE • CVE-2018-8207, pool OOB read 35
  • 36. Case study (3) • Registry Hive • Parsing un-document registry hive format in ntoskrnl.exe • Entry point RegLoadAppKey(“input.dat”) • Have to instrument around 7MB ntoskrnl.exe • Support and use partial instrument here 36
  • 37. Case study (3) • Registry Hive • Parsing un-document registry hive format in ntoskrnl.exe • Entry point RegLoadAppKey(“input.dat”) • Have to instrument around 7MB ntoskrnl.exe • Support and use partial instrument here RE = ’_?Cm|_Hv[^il]’ • No CVE • Global state in registry brings the non-deterministic on fuzzing 37
  • 38. Case study (3) – post story • Full instrumentation on ntoskrnl.exe • Everything works except one • Self-modifying branch  38
  • 39. Case study (3) – post story • Full instrumentation on ntoskrnl.exe • Everything works except one • Self-modifying branch  • Detectable • Skip with partial instrumentation • Workaround 39
  • 40. Conclusion • Show the possibility and limitation of SBI on PE file and fuzzing • Not so reliable and elegant, but it works and high performance • Benefit from SBI • Not only feedback code coverage, but also data, stack depth … • Not only for fuzzing, but also for bug detection, tracing … • Open source • https://github.com/wmliang/pe-afl 40
  • 41. Thanks • Thanks • AFL, WINAFL • Lays, Steward Fu, Serena Lin • Bluehat IL conference team • Contact • https://twitter.com/_wmliang_ • lucas_leong@trendmicro.com 41