Make static instrumentation great again
High performance fuzzing for Windows system
Lucas Leong (@_wmliang_)
1
#whoami
• Security researcher from Trend Micro
• Interested in
• vulnerability discovery
• binary exploitation
• reverse engineering
• symbolic execution
• MSRC TOP 100
• HITCON CTF team
2
Agenda
• Motivation
• Related works
• AFL 101
• Implementation
• Benchmark
• Demo
• Case study
CLFS, CNG, Registry
• Conclusion
3
Motivation
• 2014 Nov, AFL is released
• I want to fuzz Windows targets
4
Motivation
• 2014 Nov, AFL is released
• I want to fuzz Windows targets
• 2016 Jul, WinAFL is committed
• I want better performance and kernel support
5
Motivation
• 2014 Nov, AFL is released
• I want to fuzz Windows targets
• 2016 Jul, WinAFL is committed
• I want better performance and kernel support
• 2017 Jul, static binary instrumentation via syzygy is merged
• I don’t have a full PDB
• And I want more: scale up, etc.
6
Motivation
7
Related works – static
• WinAFL
• Use dynamic binary instrumentation via DynamoRIO
• Support static binary instrumentation via syzygy
• Require full PDB
8
Related works – dynamic
• DARKO
• Static analysis via Capstone
• Dynamic binary rewriting via Keystone
• Cross platforms and architectures
• KFUZZ
• Focus on windows kernel driver
• Dynamic binary rewriting
• Use interrupt instead of hook to solve the tiny basic block problem
9
Related works – hardware
• winafl-intelpt
• Use the built-in Intel PT driver (ipt.sys) in RS5
• kAFL
• Combine QEMU/KVM and Intel PT
• Scale-up and cross platform fuzzing
• Filter with vCPU/Supervisor/CR3/IP-Range
10
Related works – virtualization
• applepie
• Combine Bochs and WHVP API
• Get code coverage at the hypervisor level
• Restore snapshot with the modified pages only
11
AFL 101
12
[Figure: the AFL loop] initialize → choose input from queue → mutate input → run target → crash? (Yes: save) → new coverage? (Yes: save in queue; No: choose the next input)
AFL 101
• Instrument each basic block at compile time (afl-gcc)
• Record code coverage at execution time (afl-fuzz)
13
instrumented
lea rsp,[rsp-0x98]
mov QWORD PTR [rsp],rdx
mov QWORD PTR [rsp+0x8],rcx
mov QWORD PTR [rsp+0x10],rax
mov rcx,0x5c80
call 4009a8 <__afl_maybe_log>
mov rax,QWORD PTR [rsp+0x10]
mov rcx,QWORD PTR [rsp+0x8]
mov rdx,QWORD PTR [rsp]
lea rsp,[rsp+0x98]
Implementation – pe-afl
• Do the same thing statically
14
[Figure: the instrumented code at each basic block updates the coverage bitmap]
Implementation – pe-afl
• Expand code and update jumps
• short jump to long jump
15
jmp loc_123          ; displacement: + size of instrumented code
loc_456:
…
[Instrumented code]
…
jmp loc_456          ; displacement: - size of instrumented code
loc_123:
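Added example (not code from the deck or from pe-afl): a Python model of the jump fix-up described above. It inserts a hypothetical STUB_SIZE-byte instrumentation stub before every branch, recomputes each displacement, and promotes a short jump (EB rel8) to a long jump (E9 rel32) when the inserted code pushes its target out of the 8-bit range. Promotion is repeated until no jump changes, because enlarging one jump moves every address after it. The item kinds, STUB_SIZE, the sample layout and the NOP placeholder bytes are all constructed for the example.

```python
import struct

STUB_SIZE = 128   # hypothetical size of one inserted instrumentation stub, in bytes

# Constructed layout mirroring the slide: a forward jump over a body that ends in a
# backward jump, plus one short jump that stays short after instrumentation.
ORIGINAL = [
    {"kind": "jmp", "target": "loc_123"},
    {"kind": "label", "name": "loc_456"},
    {"kind": "insn", "size": 3},
    {"kind": "insn", "size": 4},
    {"kind": "jmp", "target": "loc_456"},
    {"kind": "label", "name": "loc_123"},
    {"kind": "jmp", "target": "loc_end"},
    {"kind": "insn", "size": 1},
    {"kind": "label", "name": "loc_end"},
]


def instrument(items):
    """Insert a stub before every branch (the 'instrument before branch' idea)."""
    out = []
    for it in items:
        if it["kind"] == "jmp":
            out.append({"kind": "stub", "size": STUB_SIZE})
        out.append(it)
    return out


def item_size(it, is_long):
    if it["kind"] == "label":
        return 0
    if it["kind"] == "jmp":
        return 5 if is_long else 2      # E9 rel32 vs EB rel8
    return it["size"]


def layout(items, base=0):
    """Assign addresses; promote short jumps to long until the layout is stable."""
    long_jumps = set()                  # indices of jumps that need the rel32 form
    while True:
        addrs, labels, addr = [], {}, base
        for i, it in enumerate(items):
            addrs.append(addr)
            if it["kind"] == "label":
                labels[it["name"]] = addr
            addr += item_size(it, i in long_jumps)
        promoted = False
        for i, it in enumerate(items):
            if it["kind"] == "jmp" and i not in long_jumps:
                disp = labels[it["target"]] - (addrs[i] + 2)
                if not -128 <= disp <= 127:
                    long_jumps.add(i)   # this shifts everything after it, so lay out again
                    promoted = True
        if not promoted:
            return addrs, labels, long_jumps


def assemble(items, base=0):
    """Emit bytes: real jump encodings, NOP placeholders for everything else."""
    addrs, labels, long_jumps = layout(items, base)
    code = bytearray()
    for i, it in enumerate(items):
        if it["kind"] == "jmp":
            if i in long_jumps:
                disp = labels[it["target"]] - (addrs[i] + 5)
                code += b"\xE9" + struct.pack("<i", disp)
            else:
                disp = labels[it["target"]] - (addrs[i] + 2)
                code += b"\xEB" + struct.pack("<b", disp)
        elif it["kind"] != "label":
            code += b"\x90" * it["size"]
    return bytes(code), labels, long_jumps


if __name__ == "__main__":
    for name, items in (("before", ORIGINAL), ("after", instrument(ORIGINAL))):
        code, labels, longs = assemble(items)
        print(f"{name}: {len(code)} bytes, long jumps at items {sorted(longs)}, labels {labels}")
```

With the constructed numbers both jumps of the slide are short before instrumentation (14 bytes in total) and both become 5-byte long jumps afterwards, while the third jump, whose target sits right after it, stays short.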
Implementation – pe-afl
• Duplicate executable section
• Some DATA still remains in the original section
• Append .coverage for coverage bitmap
• Update
• PE header
• section table
• export table
• SEH handle table
• relocation table
16
Before instrument:  HEADER | .text | .data | PAGE | INIT | .reloc
After instrument:   HEADER | .text | .data | PAGE | INIT | .text2 | PAGE2 | INIT2 | .coverage | .reloc
Implementation – pe-afl
• All the static information comes from IDA Pro
• basic block
• branch
• target address
• op code
• operand
• stack frame
• …
17
Implementation – pe-afl
• Reason to collect stack frame information
18
[Figure: before stack frame poisoning]
[Figure: after stack frame poisoning]
Implementation – pe-afl
19
• Oops
Challenge for SBI
• The mix of DATA and CODE in an executable section is the source of problems
• Take care of DATA in the executable section
• 2-byte alignment for unicode string arguments of WIN32 APIs
• 4-byte alignment for the SEHandlerTable
20
Challenge for SBI
• The mix of DATA and CODE in an executable section is the source of problems
• Confusion between DATA and CODE
• Treat DATA as CODE: DATA may be corrupted
e.g. CreateFile(“ABC”) -> CreateFile(“[instrumented code]ABC”)
• Treat CODE as DATA: coverage is missed or the execution may fail
e.g. jmp [old loc] -> jmp [old loc] (the target stored in data is not updated)
21
Challenge for SBI
• The mix of DATA and CODE in an executable section is the source of problems
• Confusion between DATA and CODE
• Treat DATA as CODE: DATA may be corrupted
• Treat CODE as DATA: the execution may fail
22
Challenge for SBI
• The mix of DATA and CODE in an executable section is the source of problems
• Confusion between DATA and CODE
• Public symbols can solve it
23
Challenge for SBI
• The mix of DATA and CODE in an executable section is the source of problems
• Confusion between DATA and CODE
• Public symbols can solve it, otherwise …
• IDA Pro is improving
24
Challenge for SBI
• The mix of DATA and CODE in an executable section is the source of problems
• Confusion between DATA and CODE
• Public symbols can solve it, otherwise …
• IDA Pro is improving, otherwise …
• Treat DATA as CODE: DATA may be corrupted
• Instrument before each branch instead of each basic block
• Validate the branch, otherwise alert on it
• Treat CODE as DATA: the execution may fail
• Look for valid branches in suspicious data
• Filter with known data types and alert on the rest
25
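Added example (not part of the talk or of pe-afl) showing the checks of slides 20 and 25 in Python: branches whose target is not a known instruction start are alerted on (DATA treated as CODE); DATA items of unknown type are scanned for relative jmp/call encodings that land on a real instruction start (CODE treated as DATA); items of a known type such as a unicode string or the SEH handler table are filtered out of that scan; and relocated DATA is padded to the 2-byte / 4-byte alignment those types need. The byte image, instruction starts, branch list and data items are constructed stand-ins for what IDA would provide, and the decoder only recognises E8/E9/EB, which is enough for the demonstration but is not a full x86 decoder.

```python
import struct

# Alignment each DATA type must keep when it is moved (slide 20 of the deck)
ALIGNMENT = {"unicode_string": 2, "seh_table": 4, "unknown": 1}

# Constructed stand-ins for what IDA provides: a 64-byte section image, the
# instruction starts it recovered, the branches it found (source, target), and
# the DATA items with the type it assigned.
IMAGE = bytearray(0x40)
IMAGE[0x00:0x05] = b"\xE8\x0B\x00\x00\x00"          # call 0x10
IMAGE[0x05:0x07] = b"\xEB\x09"                      # jmp short 0x10
IMAGE[0x07] = 0x90                                  # nop
IMAGE[0x08:0x0D] = b"\xE9\x03\x00\x00\x00"          # jmp 0x10
IMAGE[0x0D:0x10] = b"\x90\x90\x90"
IMAGE[0x10] = 0xC3                                  # ret
IMAGE[0x20:0x28] = "ABC".encode("utf-16-le") + b"\x00\x00"   # L"ABC" argument in the code section
IMAGE[0x28:0x2D] = b"\xE9\xE3\xFF\xFF\xFF"          # SEH table bytes that also decode as jmp 0x10
IMAGE[0x30:0x35] = b"\xE8\xDB\xFF\xFF\xFF"          # call 0x10 hidden in bytes IDA left as data

INSN_STARTS = [0x00, 0x05, 0x07, 0x08, 0x0D, 0x0E, 0x0F, 0x10]
BRANCHES = [(0x00, 0x10), (0x05, 0x10), (0x08, 0x10), (0x20, 0x22)]   # last one decoded out of L"ABC"
DATA_ITEMS = [
    {"offset": 0x20, "size": 8, "type": "unicode_string"},
    {"offset": 0x28, "size": 8, "type": "seh_table"},
    {"offset": 0x30, "size": 16, "type": "unknown"},
]


def validate_branches(branches, insn_starts):
    """Return branches whose target is not a known instruction start: either DATA was
    decoded as CODE or the disassembly is wrong, so they must not be rewritten blindly."""
    starts = set(insn_starts)
    return [(src, dst) for src, dst in branches if dst not in starts]


def find_branches_in_data(image, data_items, insn_starts, scan_known_types=False):
    """Scan DATA for byte patterns that decode to a relative jmp/call whose target is a
    real instruction start, a hint that the DATA is actually CODE. Items of a known type
    are filtered out unless scan_known_types is set (to show the false positive)."""
    starts, hits = set(insn_starts), []
    for item in data_items:
        if item["type"] != "unknown" and not scan_known_types:
            continue
        lo, hi = item["offset"], item["offset"] + item["size"]
        for off in range(lo, hi):
            op = image[off]
            if op in (0xE8, 0xE9) and off + 5 <= hi:        # call/jmp rel32
                target = off + 5 + struct.unpack_from("<i", image, off + 1)[0]
                if target in starts:
                    hits.append((off, "call" if op == 0xE8 else "jmp", target))
            elif op == 0xEB and off + 2 <= hi:              # jmp short rel8
                target = off + 2 + struct.unpack_from("<b", image, off + 1)[0]
                if target in starts:
                    hits.append((off, "jmp short", target))
    return hits


def place_data(items, start):
    """Lay DATA items out from `start`, padding so each keeps its required alignment."""
    placed, cursor = [], start
    for item in items:
        pad = (-cursor) % ALIGNMENT[item["type"]]
        cursor += pad
        placed.append({**item, "new_offset": cursor, "pad": pad})
        cursor += item["size"]
    return placed, cursor


if __name__ == "__main__":
    print("branches to alert on :", validate_branches(BRANCHES, INSN_STARTS))
    print("code hiding in data  :", find_branches_in_data(IMAGE, DATA_ITEMS, INSN_STARTS))
    placed, end = place_data(DATA_ITEMS, 0x101)
    for p in placed:
        print(f"{p['type']:15s} -> {p['new_offset']:#x} (pad {p['pad']})")
```

The constructed SEH entry shows why the type filter matters: its bytes happen to decode to a valid jmp, and only the knowledge that the item is a handler table keeps it from being reported as misclassified code.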
Challenge for SBI
• The mix of DATA and CODE in an executable section is the source of problems
• Confuse between DATA and CODE
• Workaround
26
Instrumenting mspaint.exe without PDB
Implementation – pe-afl
• Fuzz on user-mode
27
[Figure: user-mode setup] afl-fuzz.exe and test_wrapper.exe both run in user mode and talk over a pipe; test_wrapper.exe loads the instrumented target.dll, whose .coverage section is mapped onto the afl_shm_XXX shared memory that afl-fuzz.exe maps as well.
Implementation – pe-afl
• Fuzz on kernel-mode
28
[Figure: kernel-mode setup] The instrumented target.sys runs in the kernel with its .coverage section; helper.sys maps that .coverage into test_wrapper.exe in user mode, where it is mapped onto the afl_shm_XXX shared memory that afl-fuzz.exe maps as well; afl-fuzz.exe and test_wrapper.exe talk over a pipe.
Implementation – pe-afl
• Instrumentation modes for fuzzing
• PID filtering
• multi-thread
a different afl_prev_loc for each thread
• inline mode in assembly vs. callback mode in C
29
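Added example (not code from the deck or from pe-afl) modelling in Python what the __afl_maybe_log call on slide 13 does and why slide 29 keeps a separate afl_prev_loc per thread: each instrumented location XORs its id with the shifted previous location to index a 64 KB bitmap, so a shared afl_prev_loc makes two interleaved threads record edges that neither thread executed on its own. It also mirrors afl-fuzz's hit-count bucketing and its has_new_bits() decision from the loop on slide 12. The block ids and traces are constructed values.

```python
MAP_SIZE = 1 << 16   # AFL's default 64 KB coverage bitmap


class CoverageMap:
    """Model of the per-location bookkeeping behind __afl_maybe_log."""

    def __init__(self, per_thread=True):
        self.bitmap = bytearray(MAP_SIZE)
        self.per_thread = per_thread
        # afl_prev_loc; with per_thread=False every thread shares slot 0,
        # which is the situation the per-thread option avoids
        self.prev_loc = {}

    def log(self, cur_loc, tid=0):
        """Record the edge prev_loc -> cur_loc for one instrumented location."""
        key = tid if self.per_thread else 0
        prev = self.prev_loc.get(key, 0)
        edge = (cur_loc ^ prev) & (MAP_SIZE - 1)
        self.bitmap[edge] = (self.bitmap[edge] + 1) & 0xFF   # 8-bit counter, wraps like AFL's
        self.prev_loc[key] = cur_loc >> 1   # shifted so A->B and B->A map to different edges

    def run_trace(self, trace, tid=0):
        """One execution of the target: afl_prev_loc starts at 0 for each run."""
        self.prev_loc[tid if self.per_thread else 0] = 0
        for loc in trace:
            self.log(loc, tid)

    def edges(self):
        return {i for i, hits in enumerate(self.bitmap) if hits}


def count_class(hits):
    """afl-fuzz's hit-count buckets: small differences in count are not new coverage."""
    if hits <= 2:
        return hits
    if hits == 3:
        return 4
    for bound, cls in ((7, 8), (15, 16), (31, 32), (127, 64)):
        if hits <= bound:
            return cls
    return 128


def has_new_bits(trace_bits, virgin_bits):
    """Simplified has_new_bits(): 2 = new edge, 1 = only a new hit-count bucket,
    0 = nothing new. virgin_bits starts all 0xFF and is cleared in place."""
    ret = 0
    for i, hits in enumerate(trace_bits):
        if not hits:
            continue
        cls = count_class(hits)
        if virgin_bits[i] & cls:
            ret = 2 if virgin_bits[i] == 0xFF else max(ret, 1)
            virgin_bits[i] &= ~cls & 0xFF
    return ret


# Constructed block ids executed by two threads of the same target
TRACE_A = [0x1000, 0x2000]
TRACE_B = [0x3000, 0x4000]


def run_threads(per_thread):
    """Interleave the two traces the way two running threads would; return the edges hit."""
    cov = CoverageMap(per_thread)
    for a, b in zip(TRACE_A, TRACE_B):
        cov.log(a, tid=1)
        cov.log(b, tid=2)
    return cov.edges()


def expected_union():
    """Edges each thread produces on its own: the correct answer for the interleaving."""
    union = set()
    for trace in (TRACE_A, TRACE_B):
        cov = CoverageMap()
        cov.run_trace(trace)
        union |= cov.edges()
    return union


if __name__ == "__main__":
    print("per-thread prev_loc :", sorted(map(hex, run_threads(True))))
    print("shared prev_loc     :", sorted(map(hex, run_threads(False))))
```

With a shared afl_prev_loc the interleaving records the edge 0x3800 for both threads and never records 0x2800 or 0x5800, so the fuzzer is steered by edges that do not exist in the program; the per-thread variant reproduces exactly the union of the two single-thread runs.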
Benchmark
• Test on gdiplus.dll
• Win10, 1 VM, 4 GB RAM, i7-7600, 1 core
• WinAFL states that “This approach has been found to introduce an overhead about 2x compared to the native execution speed”
30
pe-afl (w/o instrument)    522 exec/s
pe-afl                     508 exec/s
winafl (edge mode)         236 exec/s
Demo
31
Case study (1)
• CLFS
• First try on a kernel driver
• Well-known attack vector
• Btw, it was sandboxed
• Parses the undocumented BLF binary format in the kernel
• Entry point
CreateTransactionManager(“input.blf”)
• Patch the checksum
• 2 weeks, 8 VMs
• 2 CVEs + a won’t-fix case
• CVE-2018-0844, pool overflow
• CVE-2018-0846, UAF
32
Case study (2)
• CNG
• Entry point
IOCTL
• Applicable to any kind of IOCTL fuzzing
• Coverage is stuck at the beginning
• Try to figure out the root cause
33
Case study (2)
• CNG
• Entry point
IOCTL
• Applicable to any kind of IOCTL fuzzing
• Coverage is stuck at the beginning
• Benefit from SBI: it is easy to dump an execution trace
34
Import into
lighthouse
Case study (2)
• CNG
• Entry point
IOCTL
• Applicable to any kind of IOCTL fuzzing
• Coverage is stuck at the beginning
• Benefit from SBI: it is easy to dump an execution trace
• It needs a valid object
e.g. CreateEvent()
• It needs a magic header
e.g. 0x1a2b3c4d
• 1 week, 8 VMs
• 1 CVE
• CVE-2018-8207, pool OOB read
35
Case study (3)
• Registry Hive
• Parses the undocumented registry hive format in ntoskrnl.exe
• Entry point
RegLoadAppKey(“input.dat”)
• Have to instrument the roughly 7 MB ntoskrnl.exe
• Partial instrumentation is supported and used here
36
Case study (3)
• Registry Hive
• Parses the undocumented registry hive format in ntoskrnl.exe
• Entry point
RegLoadAppKey(“input.dat”)
• Have to instrument the roughly 7 MB ntoskrnl.exe
• Partial instrumentation is supported and used here
RE = '_?Cm|_Hv[^il]'
• No CVE
• Global state in the registry makes fuzzing non-deterministic
37
Case study (3) – post story
• Full instrumentation on ntoskrnl.exe
• Everything works except one
• Self-modifying branch
38
Case study (3) – post story
• Full instrumentation on ntoskrnl.exe
• Everything works except one
• Self-modifying branch
• Detectable
• Skip with partial instrumentation
• Workaround
39
Conclusion
• Shows the possibilities and limitations of SBI on PE files and for fuzzing
• Not so reliable and elegant, but it works and performs well
• Benefits of SBI
• Not only code coverage as feedback, but also data, stack depth …
• Not only for fuzzing, but also for bug detection, tracing …
• Open source
• https://github.com/wmliang/pe-afl
40
Thanks
• Thanks
• AFL, WINAFL
• Lays, Steward Fu, Serena Lin
• Bluehat IL conference team
• Contact
• https://twitter.com/_wmliang_
• lucas_leong@trendmicro.com
41
