SlideShare a Scribd company logo

OffensiveCon2022: Case Studies of Fuzzing with Xen

Tamas K Lengyel
Tamas K Lengyel

OffensiveCon2022: Case Studies of Fuzzing with Xen

Engineering
1 of 39
Download to read offline
Case Studies of Fuzzing with Xen Tamas K Lengyel @tklengyel Balint Varga-Perke @buherator
2 Disclaimers Performance varies by use, configuration and other factors. Learn more at www.Intel.com/PerformanceIndex​. Performance results are based on testing as of dates shown in configurations and may not reflect all publicly available ​updates. See backup for configuration details. No product or component can be absolutely secure. No license (express or implied, by estoppel or otherwise) to any intellectual property rights is granted by this document. Intel does not control or audit third-party data. You should consult other sources to evaluate accuracy. Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade. Your costs and results may vary. Intel technologies may require enabled hardware, software or service activation. © Intel Corporation. Intel, the Intel logo, and other Intel marks are trademarks of Intel Corporation or its subsidiaries. Other names and brands may be claimed as the property of others. ​
3 TL;DR KF/x: https://github.com/intel/kernel-fuzzer-for-xen-project Full-VM snapshot fuzzer Open-source (MIT) Integrates with AFL/AFL++ In this talk – the tale of two vastly different targets - Linux Virtio - Symantec Endpoint Protection
4 Xen VM forking Copy-on-write memory in VM forks Reset vCPU registers and free dirty pages Parent VM … Page X Page Y Page Z … Fork VM … Shared Page X Copied Page Y Shared Page Z … R W X
5 Can run multiple forks & multiple fuzzing loops concurrently Fuzzing with KF/x Parent VM Magic CPUID Fork Sink VM panic() kasan_report() ubsan_prologue() … Fuzz VM Add 0xCC Read input from AFL Write it to VM’s mem Reset Catch a breakpoint Report crash Catch Magic CPUID Report no-crash Neither: timeout Analyze Decode IPT log Report coverage Fork Run Fuzz Compile & run target code with CPUID harness in place. No custom compiler needed! Any error-handling function can be a designated sink point. Easy to override with custom list (symbol name, VA or PA).
6 Design principles behind KF/x Stable foundation - All hypervisor components upstream (VM forking, introspection, IPT) Reduced complexity - No in-guest agent necessary Flexible - Components should be reusable to target any code running in the VM Extendable - Integrate with other fuzzers, use different harness mechanism, etc.
7 Limitations No I/O in fork VMs - No disk, no network, no screen, no console, no MMIO, no interrupts - Single vCPU only Bug enrichment features need to be compiled-in (ASAN, UBSAN) Target needs to execute normally in a Xen VM
8 Fuzzing Virtio Part of a larger kernel hardening project in preparation for TDX See Linux Security Summit ‘21 talk by Elena Reshetova Attacking guest from the host via shared memory (“DMA”) Xen doesn’t support Virtio – can’t use KF/x - Unless .. !
9 VM transplantation! The idea is simple: 1. Capture system state on KVM 2. Transfer it to Xen 3. Load 4. Fuzz!
10 Capturing the system state During fuzzing we are running the VM forks with only: - Memory - CPU We are in luck! QEMU QMP command dump-guest-memory - Creates and ELF file detailing the memory map & memory contents - Surprise undocumented feature: an ELF note has the CPU register state We also need the magic CPUID pausing on KVM
11 KVM patch to exit on magic CPUID QEMU patch to pause VM
12 Loading state on Xen 1. Create “empty” VM 2. Load memory according to memory map 3. Load CPU register state - Fix mismatch between segment attribute byte format in ELF vs Xen
13 It’s alive!
14 Back to Virtio We have a way to save, transplant & fuzz Just have to figure out what to fuzz.. Virtio will be used for all I/O on TDX 1.0 - Disk, network, console That’s a lot of different code-paths to cover - Does anyone even know all the different ways Virtio code is reached?
15 Retargeting existing code Had a similar challenge while fuzzing xHCI Made a tool (dmamonitor) that can hook Linux’s DMA API - Hook dma_alloc_attrs with VMI - Remove EPT permission from DMA pages - Log RIP when EPT fault triggers with read-violation Could really use it here too.. - We are in luck: https://github.com/KVM-VMI/kvm-vmi
16 Boot Linux with DMA debug patched to have dummy API for easier hooking & force Virtio to go through DMA API DMA hook triggers for DMA page use Change EPT permission KVM Setup DMA page Linux VM boot & runtime DMA monitor E P T Handle EPT read-fault Unwind stack & hash return pointers If hash is new, snapshot EPT fault triggers when Virtio is fetching data from page 1. 3. 2. 4.
17 1 2 3 4
18 No end-harness We don’t need any! 1. Transplant snapshot 2. Fork 3. Singlestep up to 300k 4. Check which of the stack return pointers was reached 5. Inject breakpoint to transplant 6. Fuzz!
19 Results with hardened 5.15-rc6 126,061 DMA accesses observed during boot and basic functioning 13 unique DMA access sites 738 unique call-chains lead to DMA access 70 snapshots fuzzed based on top-5 stack frame uniqueness 7,567,463,809 fuzzing cycles completed (in 2 weeks) 0 issues found (no KASAN/UBSAN/panic/oops) 13 snapshots were found to have hangs when fuzzed 54 snapshots had less then 5 paths discovered
20 No bugs? We weren’t the first - Check out VIA: Analyzing Device Interfaces of Protected Virtual Machines - They fuzzed 5.10 and already reported the sanitizer bugs & got them fixed - We were able to catch some of the same bugs they found when we targeted 5.10 I still consider this a win - Tools & techniques all open-sourced & anyone is welcome to replicate - KF/x target setup & fuzzing can now happen at different systems - No longer need to setup your target on Xen (can use QEMU/KVM/Simics) Thanks to the whole lot of folks! Andrew Cooper, Sundaram Arumugasundaram, Mostafa Elsaid, Andi Kleen, Neelima Krishnan, Sathyanarayanan Kuppuswamy, Lukasz Odzioba, Sebastian Osterlund, Elena Reshetova, Carlos Villavicencio Sanchez, Casey Schaufler, Steffen Schulz, Mathieu Tarral
21 Antivirus fuzzing • Widespread technology • Complex parsers implemented in C/C++ • Remotely reachable attack surface • High privileges • Prior work: Antivirus (in)Security, Attacking Antivirus, P0 massacre, Sophail, Nightmare, The AV Hacker’s Handbook, REing Defender, tons of privescs, blackhats, and many others (sry if I missed yours!)
22 Antivirus fuzzing • Complex software • Binary-only (mostly) • Performance • Inspectability • State • Diversity • Products • Formats
23 KF/x vs. AV • Reusable harness • Full inspectability • Full-system fuzzing • Written documentation + well-known platform
24 Symantec Endpoint Protection
25 Symantec Endpoint Protection • Tamper protection • Can be disabled, some memory still not accessible • COM-like architecture • Complex inter-module dependencies (writeup soon) • COM is obfuscation: No export symbols, no typelib, indirect calls … • OS interference
26 Proof-of-Concept • Multiple bugs discovered by Tavis Ormandy in 2016. • “Decomposers” • Unrar, dec2lha, libmspack, … -> ccScanW.dll • Try to rediscover #823 – “PowerPoint misaligned stream-cache remote stack buffer overflow” • Easy to modify nasm PoC • /GS still not applied to all (non-trivial) functions #YOLO
27 Proof-of-Concept • #823 allowed quick identification of the relevant parser function and I/O functions • KF/x tuning • Interrupt masking • sinks.h -> “KiDispatchException” (resolved by Volatility) • if (addr & 0x80000000) return; • Large test case • SEP reads data in 8k chunks • 6 reads necessary before the bug triggers (no disk in KF/x!)
28 Rediscovering CVE-2016-2209 with KF/x
29 Handling large inputs • Large inputs are not ideal for fuzzing in general • Performance • Process state • Mocking I/O • Tried it, wouldn’t recommend… • RAM disk works (on Windows too) • Chained fuzzing stages • Other traps: swapping, console output, network, …
30 Other parsers? • Rabbit Hole Ghidra extension • Per-function cumulative cyclomatic complexity • Ghidra Cpp Class Analyzer • RTTI info • Magic numbers • New target: 7zip decomposer • Magic number + high complexity + reachable from C7zEngine class members
31 “While this fuzzer runs, I will…”1 • Corpus: 1 file, some txt 7z’d with default options • AFL++, no knowledge about the file format • Coverage tracking with Intel PT • Single core • < 24h runtime • ~9M execs ~400-500 exec/s (not a perf talk sry) • No hang elimination (“loose paths”, timeout optimization, …) 1 How to FAIL at Fuzzing, Prospector
32 Fuzzing Symantec Endpoint Protection's 7z parser with KF/x
33 7z bug • Controlled heap overflow • Detection can be improved by enabling page heap • Silently fixed? • Symantec->Broadcom didn’t make investigation easy Mandatory AFL graph
34 Using REVEN to triage the 7z parsing heap overflow discovered with KF/x
35 Modularity • KF/x follows the Unix philosophy • AFL’s SHMAP became a de-facto standard • Forkserver-based intergration with LibAFL was trivial • Timeout/signal handling needed improvement (I/O fail -> hang) • Independent development of generators, mutators, etc. • In-memory input passing needs little more work
36 LibAFL
37 Other use-cases • AV • Kernel components • Memory scanners • DPI/DLP/IPS features • Games / Anti-cheat • Sandbox escapes • Nyx Fuzzer, Fuzzy Snapshots of Firefox IPC
38 Summary • Trivial vulnerabilities could remain hidden due to the lack of proper tools • VM Introspection is a game changer in vulnerability discovery/analysis • KF/x is an easy to integrate VMI-based fuzzing harness
39 Thanks! KF/x: https://github.com/intel/kernel-fuzzer-for-xen-project Tamas K Lengyel @tklengyel Balint Varga-Perke @buherator

Recommended

HKG18-203 - Overview of Linaro DRM
HKG18-203 - Overview of Linaro DRMHKG18-203 - Overview of Linaro DRM
HKG18-203 - Overview of Linaro DRMLinaro
 
Learning AOSP - Android Booting Process
Learning AOSP - Android Booting ProcessLearning AOSP - Android Booting Process
Learning AOSP - Android Booting ProcessNanik Tolaram
 
Android Security Internals
Android Security InternalsAndroid Security Internals
Android Security InternalsOpersys inc.
 
Abusing & Securing XPC in macOS apps
Abusing & Securing XPC in macOS appsAbusing & Securing XPC in macOS apps
Abusing & Securing XPC in macOS appsSecuRing
 
HKG18-402 - Build secure key management services in OP-TEE
HKG18-402 - Build secure key management services in OP-TEEHKG18-402 - Build secure key management services in OP-TEE
HKG18-402 - Build secure key management services in OP-TEELinaro
 
Lcu14 107- op-tee on ar mv8
Lcu14 107- op-tee on ar mv8Lcu14 107- op-tee on ar mv8
Lcu14 107- op-tee on ar mv8Linaro
 
HKG15-311: OP-TEE for Beginners and Porting Review
HKG15-311: OP-TEE for Beginners and Porting ReviewHKG15-311: OP-TEE for Beginners and Porting Review
HKG15-311: OP-TEE for Beginners and Porting ReviewLinaro
 
SFO15-503: Secure storage in OP-TEE
SFO15-503: Secure storage in OP-TEESFO15-503: Secure storage in OP-TEE
SFO15-503: Secure storage in OP-TEELinaro
 

Recommended

HKG18-203 - Overview of Linaro DRM
HKG18-203 - Overview of Linaro DRMHKG18-203 - Overview of Linaro DRM
HKG18-203 - Overview of Linaro DRMLinaro
 
Learning AOSP - Android Booting Process
Learning AOSP - Android Booting ProcessLearning AOSP - Android Booting Process
Learning AOSP - Android Booting ProcessNanik Tolaram
 
Android Security Internals
Android Security InternalsAndroid Security Internals
Android Security InternalsOpersys inc.
 
Abusing & Securing XPC in macOS apps
Abusing & Securing XPC in macOS appsAbusing & Securing XPC in macOS apps
Abusing & Securing XPC in macOS appsSecuRing
 
HKG18-402 - Build secure key management services in OP-TEE
HKG18-402 - Build secure key management services in OP-TEEHKG18-402 - Build secure key management services in OP-TEE
HKG18-402 - Build secure key management services in OP-TEELinaro
 
Lcu14 107- op-tee on ar mv8
Lcu14 107- op-tee on ar mv8Lcu14 107- op-tee on ar mv8
Lcu14 107- op-tee on ar mv8Linaro
 
HKG15-311: OP-TEE for Beginners and Porting Review
HKG15-311: OP-TEE for Beginners and Porting ReviewHKG15-311: OP-TEE for Beginners and Porting Review
HKG15-311: OP-TEE for Beginners and Porting ReviewLinaro
 
SFO15-503: Secure storage in OP-TEE
SFO15-503: Secure storage in OP-TEESFO15-503: Secure storage in OP-TEE
SFO15-503: Secure storage in OP-TEELinaro
 
Rules to Hack By - Offensivecon 2022 keynote
Rules to Hack By - Offensivecon 2022 keynoteRules to Hack By - Offensivecon 2022 keynote
Rules to Hack By - Offensivecon 2022 keynoteMarkDowd13
 
Qemu Introduction
Qemu IntroductionQemu Introduction
Qemu IntroductionChiawei Wang
 
XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM Systems
XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM SystemsXPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM Systems
XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM SystemsThe Linux Foundation
 
The OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyThe OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyAditya Gupta
 
Metasploitable
MetasploitableMetasploitable
MetasploitableSri Manakula Vinayagar Engineering College
 
LCA14: LCA14-502: The way to a generic TrustZone® solution
LCA14: LCA14-502: The way to a generic TrustZone® solutionLCA14: LCA14-502: The way to a generic TrustZone® solution
LCA14: LCA14-502: The way to a generic TrustZone® solutionLinaro
 
SFO15-205: OP-TEE Content Decryption with Microsoft PlayReady on ARM
SFO15-205: OP-TEE Content Decryption with Microsoft PlayReady on ARMSFO15-205: OP-TEE Content Decryption with Microsoft PlayReady on ARM
SFO15-205: OP-TEE Content Decryption with Microsoft PlayReady on ARMLinaro
 
Owasp zap
Owasp zapOwasp zap
Owasp zapColdFusionConference
 
Android Booting Sequence
Android Booting SequenceAndroid Booting Sequence
Android Booting SequenceJayanta Ghoshal
 
LCU14-103: How to create and run Trusted Applications on OP-TEE
LCU14-103: How to create and run Trusted Applications on OP-TEELCU14-103: How to create and run Trusted Applications on OP-TEE
LCU14-103: How to create and run Trusted Applications on OP-TEELinaro
 
Memcache Injection (Hacktrick'15)
Memcache Injection (Hacktrick'15)Memcache Injection (Hacktrick'15)
Memcache Injection (Hacktrick'15)Ömer Çıtak
 
How fun of privilege escalation Red Pill2017
How fun of privilege escalation Red Pill2017How fun of privilege escalation Red Pill2017
How fun of privilege escalation Red Pill2017Ammarit Thongthua ,CISSP CISM GXPN CSSLP CCNP
 
SEH overwrite and its exploitability
SEH overwrite and its exploitabilitySEH overwrite and its exploitability
SEH overwrite and its exploitabilityFFRI, Inc.
 
Tuning Android for low RAM
Tuning Android for low RAMTuning Android for low RAM
Tuning Android for low RAMChris Simmonds
 
LCA13: Xen on ARM
LCA13: Xen on ARMLCA13: Xen on ARM
LCA13: Xen on ARMLinaro
 
Elk with Openstack
Elk with OpenstackElk with Openstack
Elk with OpenstackArun prasath
 
Android power management
Android power managementAndroid power management
Android power managementJerrin George
 
TEE - kernel support is now upstream. What this means for open source security
TEE - kernel support is now upstream. What this means for open source securityTEE - kernel support is now upstream. What this means for open source security
TEE - kernel support is now upstream. What this means for open source securityLinaro
 
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, XilinxXPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, XilinxThe Linux Foundation
 
MongoDB Management & Ansible
MongoDB Management & AnsibleMongoDB Management & Ansible
MongoDB Management & AnsibleMongoDB
 
Platform Security Summit 18: Xen Security Weather Report 2018
Platform Security Summit 18: Xen Security Weather Report 2018Platform Security Summit 18: Xen Security Weather Report 2018
Platform Security Summit 18: Xen Security Weather Report 2018The Linux Foundation
 
Hacktivity2014: Virtual Machine Introspection to Detect and Protect
Hacktivity2014: Virtual Machine Introspection to Detect and ProtectHacktivity2014: Virtual Machine Introspection to Detect and Protect
Hacktivity2014: Virtual Machine Introspection to Detect and ProtectTamas K Lengyel
 

More Related Content

What's hot

Rules to Hack By - Offensivecon 2022 keynote
Rules to Hack By - Offensivecon 2022 keynoteRules to Hack By - Offensivecon 2022 keynote
Rules to Hack By - Offensivecon 2022 keynoteMarkDowd13
 
XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM Systems
XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM SystemsXPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM Systems
XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM SystemsThe Linux Foundation
 
The OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyThe OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyAditya Gupta
 
LCA14: LCA14-502: The way to a generic TrustZone® solution
LCA14: LCA14-502: The way to a generic TrustZone® solutionLCA14: LCA14-502: The way to a generic TrustZone® solution
LCA14: LCA14-502: The way to a generic TrustZone® solutionLinaro
 
SFO15-205: OP-TEE Content Decryption with Microsoft PlayReady on ARM
SFO15-205: OP-TEE Content Decryption with Microsoft PlayReady on ARMSFO15-205: OP-TEE Content Decryption with Microsoft PlayReady on ARM
SFO15-205: OP-TEE Content Decryption with Microsoft PlayReady on ARMLinaro
 
Android Booting Sequence
Android Booting SequenceAndroid Booting Sequence
Android Booting SequenceJayanta Ghoshal
 
LCU14-103: How to create and run Trusted Applications on OP-TEE
LCU14-103: How to create and run Trusted Applications on OP-TEELCU14-103: How to create and run Trusted Applications on OP-TEE
LCU14-103: How to create and run Trusted Applications on OP-TEELinaro
 
Memcache Injection (Hacktrick'15)
Memcache Injection (Hacktrick'15)Memcache Injection (Hacktrick'15)
Memcache Injection (Hacktrick'15)Ömer Çıtak
 
SEH overwrite and its exploitability
SEH overwrite and its exploitabilitySEH overwrite and its exploitability
SEH overwrite and its exploitabilityFFRI, Inc.
 
Tuning Android for low RAM
Tuning Android for low RAMTuning Android for low RAM
Tuning Android for low RAMChris Simmonds
 
LCA13: Xen on ARM
LCA13: Xen on ARMLCA13: Xen on ARM
LCA13: Xen on ARMLinaro
 
Elk with Openstack
Elk with OpenstackElk with Openstack
Elk with OpenstackArun prasath
 
Android power management
Android power managementAndroid power management
Android power managementJerrin George
 
TEE - kernel support is now upstream. What this means for open source security
TEE - kernel support is now upstream. What this means for open source securityTEE - kernel support is now upstream. What this means for open source security
TEE - kernel support is now upstream. What this means for open source securityLinaro
 
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, XilinxXPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, XilinxThe Linux Foundation
 
MongoDB Management & Ansible
MongoDB Management & AnsibleMongoDB Management & Ansible
MongoDB Management & AnsibleMongoDB
 

What's hot (20)

Rules to Hack By - Offensivecon 2022 keynote
Rules to Hack By - Offensivecon 2022 keynoteRules to Hack By - Offensivecon 2022 keynote
Rules to Hack By - Offensivecon 2022 keynote
 
Qemu Introduction
Qemu IntroductionQemu Introduction
Qemu Introduction
 
XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM Systems
XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM SystemsXPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM Systems
XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM Systems
 
The OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyThe OWASP Zed Attack Proxy
The OWASP Zed Attack Proxy
 
Metasploitable
MetasploitableMetasploitable
Metasploitable
 
LCA14: LCA14-502: The way to a generic TrustZone® solution
LCA14: LCA14-502: The way to a generic TrustZone® solutionLCA14: LCA14-502: The way to a generic TrustZone® solution
LCA14: LCA14-502: The way to a generic TrustZone® solution
 
SFO15-205: OP-TEE Content Decryption with Microsoft PlayReady on ARM
SFO15-205: OP-TEE Content Decryption with Microsoft PlayReady on ARMSFO15-205: OP-TEE Content Decryption with Microsoft PlayReady on ARM
SFO15-205: OP-TEE Content Decryption with Microsoft PlayReady on ARM
 
Owasp zap
Owasp zapOwasp zap
Owasp zap
 
Android Booting Sequence
Android Booting SequenceAndroid Booting Sequence
Android Booting Sequence
 
LCU14-103: How to create and run Trusted Applications on OP-TEE
LCU14-103: How to create and run Trusted Applications on OP-TEELCU14-103: How to create and run Trusted Applications on OP-TEE
LCU14-103: How to create and run Trusted Applications on OP-TEE
 
Memcache Injection (Hacktrick'15)
Memcache Injection (Hacktrick'15)Memcache Injection (Hacktrick'15)
Memcache Injection (Hacktrick'15)
 
How fun of privilege escalation Red Pill2017
How fun of privilege escalation Red Pill2017How fun of privilege escalation Red Pill2017
How fun of privilege escalation Red Pill2017
 
SEH overwrite and its exploitability
SEH overwrite and its exploitabilitySEH overwrite and its exploitability
SEH overwrite and its exploitability
 
Tuning Android for low RAM
Tuning Android for low RAMTuning Android for low RAM
Tuning Android for low RAM
 
LCA13: Xen on ARM
LCA13: Xen on ARMLCA13: Xen on ARM
LCA13: Xen on ARM
 
Elk with Openstack
Elk with OpenstackElk with Openstack
Elk with Openstack
 
Android power management
Android power managementAndroid power management
Android power management
 
TEE - kernel support is now upstream. What this means for open source security
TEE - kernel support is now upstream. What this means for open source securityTEE - kernel support is now upstream. What this means for open source security
TEE - kernel support is now upstream. What this means for open source security
 
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, XilinxXPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx
 
MongoDB Management & Ansible
MongoDB Management & AnsibleMongoDB Management & Ansible
MongoDB Management & Ansible
 

Similar to OffensiveCon2022: Case Studies of Fuzzing with Xen

Platform Security Summit 18: Xen Security Weather Report 2018
Platform Security Summit 18: Xen Security Weather Report 2018Platform Security Summit 18: Xen Security Weather Report 2018
Platform Security Summit 18: Xen Security Weather Report 2018The Linux Foundation
 
Hacktivity2014: Virtual Machine Introspection to Detect and Protect
Hacktivity2014: Virtual Machine Introspection to Detect and ProtectHacktivity2014: Virtual Machine Introspection to Detect and Protect
Hacktivity2014: Virtual Machine Introspection to Detect and ProtectTamas K Lengyel
 
DEF CON 27 - ALI ISLAM and DAN REGALADO WEAPONIZING HYPERVISORS
DEF CON 27 - ALI ISLAM and DAN REGALADO WEAPONIZING HYPERVISORSDEF CON 27 - ALI ISLAM and DAN REGALADO WEAPONIZING HYPERVISORS
DEF CON 27 - ALI ISLAM and DAN REGALADO WEAPONIZING HYPERVISORSFelipe Prado
 
LCNA14: Why Use Xen for Large Scale Enterprise Deployments? - Konrad Rzeszute...
LCNA14: Why Use Xen for Large Scale Enterprise Deployments? - Konrad Rzeszute...LCNA14: Why Use Xen for Large Scale Enterprise Deployments? - Konrad Rzeszute...
LCNA14: Why Use Xen for Large Scale Enterprise Deployments? - Konrad Rzeszute...The Linux Foundation
 
VM Forking and Hypervisor-based fuzzing
VM Forking and Hypervisor-based fuzzingVM Forking and Hypervisor-based fuzzing
VM Forking and Hypervisor-based fuzzingTamas K Lengyel
 
LCC17 - Securing Embedded Systems with the Hypervisor - Lars Kurth, Citrix
LCC17 - Securing Embedded Systems with the Hypervisor - Lars Kurth, CitrixLCC17 - Securing Embedded Systems with the Hypervisor - Lars Kurth, Citrix
LCC17 - Securing Embedded Systems with the Hypervisor - Lars Kurth, CitrixThe Linux Foundation
 
Kernel Mode Threats and Practical Defenses
Kernel Mode Threats and Practical DefensesKernel Mode Threats and Practical Defenses
Kernel Mode Threats and Practical DefensesPriyanka Aash
 
the NML project
the NML projectthe NML project
the NML projectLei Yang
 
Securing Your Linux System
Securing Your Linux SystemSecuring Your Linux System
Securing Your Linux SystemNovell
 
Rmll Virtualization As Is Tool 20090707 V1.0
Rmll Virtualization As Is Tool 20090707 V1.0Rmll Virtualization As Is Tool 20090707 V1.0
Rmll Virtualization As Is Tool 20090707 V1.0guest72e8c1
 
2012-03-15 What's New at Red Hat
2012-03-15 What's New at Red Hat2012-03-15 What's New at Red Hat
2012-03-15 What's New at Red HatShawn Wells
 
Sierraware ARM hypervisor
Sierraware ARM hypervisor Sierraware ARM hypervisor
Sierraware ARM hypervisor Sierraware
 
Develop Your Own Operating Systems using Cheap ARM Boards
Develop Your Own Operating Systems using Cheap ARM BoardsDevelop Your Own Operating Systems using Cheap ARM Boards
Develop Your Own Operating Systems using Cheap ARM BoardsNational Cheng Kung University
 
Docker, Linux Containers, and Security: Does It Add Up?
Docker, Linux Containers, and Security: Does It Add Up?Docker, Linux Containers, and Security: Does It Add Up?
Docker, Linux Containers, and Security: Does It Add Up?Jérôme Petazzoni
 
DFIR Austin Training (Feb 2020): Remote Access & Deploying Agents
DFIR Austin Training (Feb 2020): Remote Access & Deploying AgentsDFIR Austin Training (Feb 2020): Remote Access & Deploying Agents
DFIR Austin Training (Feb 2020): Remote Access & Deploying AgentsChristopher Gerritz
 
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsHacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsShakacon
 
31c3 Presentation - Virtual Machine Introspection
31c3 Presentation - Virtual Machine Introspection31c3 Presentation - Virtual Machine Introspection
31c3 Presentation - Virtual Machine IntrospectionTamas K Lengyel
 
4 implementation
4 implementation4 implementation
4 implementationhanmya
 

Similar to OffensiveCon2022: Case Studies of Fuzzing with Xen (20)

Platform Security Summit 18: Xen Security Weather Report 2018
Platform Security Summit 18: Xen Security Weather Report 2018Platform Security Summit 18: Xen Security Weather Report 2018
Platform Security Summit 18: Xen Security Weather Report 2018
 
Hacktivity2014: Virtual Machine Introspection to Detect and Protect
Hacktivity2014: Virtual Machine Introspection to Detect and ProtectHacktivity2014: Virtual Machine Introspection to Detect and Protect
Hacktivity2014: Virtual Machine Introspection to Detect and Protect
 
DEF CON 27 - ALI ISLAM and DAN REGALADO WEAPONIZING HYPERVISORS
DEF CON 27 - ALI ISLAM and DAN REGALADO WEAPONIZING HYPERVISORSDEF CON 27 - ALI ISLAM and DAN REGALADO WEAPONIZING HYPERVISORS
DEF CON 27 - ALI ISLAM and DAN REGALADO WEAPONIZING HYPERVISORS
 
LCNA14: Why Use Xen for Large Scale Enterprise Deployments? - Konrad Rzeszute...
LCNA14: Why Use Xen for Large Scale Enterprise Deployments? - Konrad Rzeszute...LCNA14: Why Use Xen for Large Scale Enterprise Deployments? - Konrad Rzeszute...
LCNA14: Why Use Xen for Large Scale Enterprise Deployments? - Konrad Rzeszute...
 
VM Forking and Hypervisor-based fuzzing
VM Forking and Hypervisor-based fuzzingVM Forking and Hypervisor-based fuzzing
VM Forking and Hypervisor-based fuzzing
 
LCC17 - Securing Embedded Systems with the Hypervisor - Lars Kurth, Citrix
LCC17 - Securing Embedded Systems with the Hypervisor - Lars Kurth, CitrixLCC17 - Securing Embedded Systems with the Hypervisor - Lars Kurth, Citrix
LCC17 - Securing Embedded Systems with the Hypervisor - Lars Kurth, Citrix
 
Kernel Mode Threats and Practical Defenses
Kernel Mode Threats and Practical DefensesKernel Mode Threats and Practical Defenses
Kernel Mode Threats and Practical Defenses
 
the NML project
the NML projectthe NML project
the NML project
 
Securing Your Linux System
Securing Your Linux SystemSecuring Your Linux System
Securing Your Linux System
 
RMLL / LSM 2009
RMLL / LSM 2009RMLL / LSM 2009
RMLL / LSM 2009
 
Rmll Virtualization As Is Tool 20090707 V1.0
Rmll Virtualization As Is Tool 20090707 V1.0Rmll Virtualization As Is Tool 20090707 V1.0
Rmll Virtualization As Is Tool 20090707 V1.0
 
2012-03-15 What's New at Red Hat
2012-03-15 What's New at Red Hat2012-03-15 What's New at Red Hat
2012-03-15 What's New at Red Hat
 
Sierraware ARM hypervisor
Sierraware ARM hypervisor Sierraware ARM hypervisor
Sierraware ARM hypervisor
 
Develop Your Own Operating Systems using Cheap ARM Boards
Develop Your Own Operating Systems using Cheap ARM BoardsDevelop Your Own Operating Systems using Cheap ARM Boards
Develop Your Own Operating Systems using Cheap ARM Boards
 
Docker, Linux Containers, and Security: Does It Add Up?
Docker, Linux Containers, and Security: Does It Add Up?Docker, Linux Containers, and Security: Does It Add Up?
Docker, Linux Containers, and Security: Does It Add Up?
 
DFIR Austin Training (Feb 2020): Remote Access & Deploying Agents
DFIR Austin Training (Feb 2020): Remote Access & Deploying AgentsDFIR Austin Training (Feb 2020): Remote Access & Deploying Agents
DFIR Austin Training (Feb 2020): Remote Access & Deploying Agents
 
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsHacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
 
Attack on the Core
Attack on the CoreAttack on the Core
Attack on the Core
 
31c3 Presentation - Virtual Machine Introspection
31c3 Presentation - Virtual Machine Introspection31c3 Presentation - Virtual Machine Introspection
31c3 Presentation - Virtual Machine Introspection
 
4 implementation
4 implementation4 implementation
4 implementation
 

More from Tamas K Lengyel

Estimating Security Risk Through Repository Mining
Estimating Security Risk Through Repository MiningEstimating Security Risk Through Repository Mining
Estimating Security Risk Through Repository MiningTamas K Lengyel
 
Pitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysisPitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysisTamas K Lengyel
 
VM Forking and Hypervisor-based Fuzzing with Xen
VM Forking and Hypervisor-based Fuzzing with XenVM Forking and Hypervisor-based Fuzzing with Xen
VM Forking and Hypervisor-based Fuzzing with XenTamas K Lengyel
 
BSides Denver: Stealthy, hypervisor-based malware analysis
BSides Denver: Stealthy, hypervisor-based malware analysisBSides Denver: Stealthy, hypervisor-based malware analysis
BSides Denver: Stealthy, hypervisor-based malware analysisTamas K Lengyel
 
Hacktivity 2016: Stealthy, hypervisor based malware analysis
Hacktivity 2016: Stealthy, hypervisor based malware analysisHacktivity 2016: Stealthy, hypervisor based malware analysis
Hacktivity 2016: Stealthy, hypervisor based malware analysisTamas K Lengyel
 
Anti-evil maid with UEFI and Xen
Anti-evil maid with UEFI and XenAnti-evil maid with UEFI and Xen
Anti-evil maid with UEFI and XenTamas K Lengyel
 
Stealthy, Hypervisor-based Malware Analysis
Stealthy, Hypervisor-based Malware AnalysisStealthy, Hypervisor-based Malware Analysis
Stealthy, Hypervisor-based Malware AnalysisTamas K Lengyel
 
Malware Collection and Analysis via Hardware Virtualization
Malware Collection and Analysis via Hardware VirtualizationMalware Collection and Analysis via Hardware Virtualization
Malware Collection and Analysis via Hardware VirtualizationTamas K Lengyel
 
CyberSEED: Virtual Machine Introspection to Detect and Protect
CyberSEED: Virtual Machine Introspection to Detect and ProtectCyberSEED: Virtual Machine Introspection to Detect and Protect
CyberSEED: Virtual Machine Introspection to Detect and ProtectTamas K Lengyel
 
Virtual Machine Introspection with Xen
Virtual Machine Introspection with XenVirtual Machine Introspection with Xen
Virtual Machine Introspection with XenTamas K Lengyel
 
Cloud Security with LibVMI
Cloud Security with LibVMICloud Security with LibVMI
Cloud Security with LibVMITamas K Lengyel
 
Troopers15 Lightning talk: VMI & DRAKVUF
Troopers15 Lightning talk: VMI & DRAKVUFTroopers15 Lightning talk: VMI & DRAKVUF
Troopers15 Lightning talk: VMI & DRAKVUFTamas K Lengyel
 
CrySys guest-lecture: Virtual machine introspection on modern hardware
CrySys guest-lecture: Virtual machine introspection on modern hardwareCrySys guest-lecture: Virtual machine introspection on modern hardware
CrySys guest-lecture: Virtual machine introspection on modern hardwareTamas K Lengyel
 
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis SystemScalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis SystemTamas K Lengyel
 
Virtual Machine Introspection with Xen on ARM
Virtual Machine Introspection with Xen on ARMVirtual Machine Introspection with Xen on ARM
Virtual Machine Introspection with Xen on ARMTamas K Lengyel
 
Pitfalls of virtual machine introspection on modern hardware
Pitfalls of virtual machine introspection on modern hardwarePitfalls of virtual machine introspection on modern hardware
Pitfalls of virtual machine introspection on modern hardwareTamas K Lengyel
 
NSS 2013: Towards Hybrid Honeynets via Virtual Machine Introspection and Cloning
NSS 2013: Towards Hybrid Honeynets via Virtual Machine Introspection and CloningNSS 2013: Towards Hybrid Honeynets via Virtual Machine Introspection and Cloning
NSS 2013: Towards Hybrid Honeynets via Virtual Machine Introspection and CloningTamas K Lengyel
 
Virtual Machine Introspection in a Hyberid Honeypot Architecture
Virtual Machine Introspection in a Hyberid Honeypot ArchitectureVirtual Machine Introspection in a Hyberid Honeypot Architecture
Virtual Machine Introspection in a Hyberid Honeypot ArchitectureTamas K Lengyel
 
Dfrws eu 2014 rekall workshop
Dfrws eu 2014 rekall workshopDfrws eu 2014 rekall workshop
Dfrws eu 2014 rekall workshopTamas K Lengyel
 

More from Tamas K Lengyel (19)

Estimating Security Risk Through Repository Mining
Estimating Security Risk Through Repository MiningEstimating Security Risk Through Repository Mining
Estimating Security Risk Through Repository Mining
 
Pitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysisPitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysis
 
VM Forking and Hypervisor-based Fuzzing with Xen
VM Forking and Hypervisor-based Fuzzing with XenVM Forking and Hypervisor-based Fuzzing with Xen
VM Forking and Hypervisor-based Fuzzing with Xen
 
BSides Denver: Stealthy, hypervisor-based malware analysis
BSides Denver: Stealthy, hypervisor-based malware analysisBSides Denver: Stealthy, hypervisor-based malware analysis
BSides Denver: Stealthy, hypervisor-based malware analysis
 
Hacktivity 2016: Stealthy, hypervisor based malware analysis
Hacktivity 2016: Stealthy, hypervisor based malware analysisHacktivity 2016: Stealthy, hypervisor based malware analysis
Hacktivity 2016: Stealthy, hypervisor based malware analysis
 
Anti-evil maid with UEFI and Xen
Anti-evil maid with UEFI and XenAnti-evil maid with UEFI and Xen
Anti-evil maid with UEFI and Xen
 
Stealthy, Hypervisor-based Malware Analysis
Stealthy, Hypervisor-based Malware AnalysisStealthy, Hypervisor-based Malware Analysis
Stealthy, Hypervisor-based Malware Analysis
 
Malware Collection and Analysis via Hardware Virtualization
Malware Collection and Analysis via Hardware VirtualizationMalware Collection and Analysis via Hardware Virtualization
Malware Collection and Analysis via Hardware Virtualization
 
CyberSEED: Virtual Machine Introspection to Detect and Protect
CyberSEED: Virtual Machine Introspection to Detect and ProtectCyberSEED: Virtual Machine Introspection to Detect and Protect
CyberSEED: Virtual Machine Introspection to Detect and Protect
 
Virtual Machine Introspection with Xen
Virtual Machine Introspection with XenVirtual Machine Introspection with Xen
Virtual Machine Introspection with Xen
 
Cloud Security with LibVMI
Cloud Security with LibVMICloud Security with LibVMI
Cloud Security with LibVMI
 
Troopers15 Lightning talk: VMI & DRAKVUF
Troopers15 Lightning talk: VMI & DRAKVUFTroopers15 Lightning talk: VMI & DRAKVUF
Troopers15 Lightning talk: VMI & DRAKVUF
 
CrySys guest-lecture: Virtual machine introspection on modern hardware
CrySys guest-lecture: Virtual machine introspection on modern hardwareCrySys guest-lecture: Virtual machine introspection on modern hardware
CrySys guest-lecture: Virtual machine introspection on modern hardware
 
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis SystemScalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
 
Virtual Machine Introspection with Xen on ARM
Virtual Machine Introspection with Xen on ARMVirtual Machine Introspection with Xen on ARM
Virtual Machine Introspection with Xen on ARM
 
Pitfalls of virtual machine introspection on modern hardware
Pitfalls of virtual machine introspection on modern hardwarePitfalls of virtual machine introspection on modern hardware
Pitfalls of virtual machine introspection on modern hardware
 
NSS 2013: Towards Hybrid Honeynets via Virtual Machine Introspection and Cloning
NSS 2013: Towards Hybrid Honeynets via Virtual Machine Introspection and CloningNSS 2013: Towards Hybrid Honeynets via Virtual Machine Introspection and Cloning
NSS 2013: Towards Hybrid Honeynets via Virtual Machine Introspection and Cloning
 
Virtual Machine Introspection in a Hyberid Honeypot Architecture
Virtual Machine Introspection in a Hyberid Honeypot ArchitectureVirtual Machine Introspection in a Hyberid Honeypot Architecture
Virtual Machine Introspection in a Hyberid Honeypot Architecture
 
Dfrws eu 2014 rekall workshop
Dfrws eu 2014 rekall workshopDfrws eu 2014 rekall workshop
Dfrws eu 2014 rekall workshop
 

Recently uploaded

Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptxDecoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptxJoão Esperancinha
 
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130Suhani Kapoor
 
Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024hassan khalil
 
Past, Present and Future of Generative AI
Past, Present and Future of Generative AIPast, Present and Future of Generative AI
Past, Present and Future of Generative AIabhishek36461
 
Electronically Controlled suspensions system .pdf
Electronically Controlled suspensions system .pdfElectronically Controlled suspensions system .pdf
Electronically Controlled suspensions system .pdfme23b1001
 
Software and Systems Engineering Standards: Verification and Validation of Sy...
Software and Systems Engineering Standards: Verification and Validation of Sy...Software and Systems Engineering Standards: Verification and Validation of Sy...
Software and Systems Engineering Standards: Verification and Validation of Sy...VICTOR MAESTRE RAMIREZ
 
Heart Disease Prediction using machine learning.pptx
Heart Disease Prediction using machine learning.pptxHeart Disease Prediction using machine learning.pptx
Heart Disease Prediction using machine learning.pptxPoojaBan
 
VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...
VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...
VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...VICTOR MAESTRE RAMIREZ
 
GDSC ASEB Gen AI study jams presentation
GDSC ASEB Gen AI study jams presentationGDSC ASEB Gen AI study jams presentation
GDSC ASEB Gen AI study jams presentationGDSCAESB
 
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...Soham Mondal
 
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdf
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdfCCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdf
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdfAsst.prof M.Gokilavani
 
Call Girls Delhi {Jodhpur} 9711199012 high profile service
Call Girls Delhi {Jodhpur} 9711199012 high profile serviceCall Girls Delhi {Jodhpur} 9711199012 high profile service
Call Girls Delhi {Jodhpur} 9711199012 high profile servicerehmti665
 
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdf
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdfCCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdf
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdfAsst.prof M.Gokilavani
 
Current Transformer Drawing and GTP for MSETCL
Current Transformer Drawing and GTP for MSETCLCurrent Transformer Drawing and GTP for MSETCL
Current Transformer Drawing and GTP for MSETCLDeelipZope
 
Biology for Computer Engineers Course Handout.pptx
Biology for Computer Engineers Course Handout.pptxBiology for Computer Engineers Course Handout.pptx
Biology for Computer Engineers Course Handout.pptxDeepakSakkari2
 
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort serviceGurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort servicejennyeacort
 
Introduction to Microprocesso programming and interfacing.pptx
Introduction to Microprocesso programming and interfacing.pptxIntroduction to Microprocesso programming and interfacing.pptx
Introduction to Microprocesso programming and interfacing.pptxvipinkmenon1
 
Application of Residue Theorem to evaluate real integrations.pptx
Application of Residue Theorem to evaluate real integrations.pptxApplication of Residue Theorem to evaluate real integrations.pptx
Application of Residue Theorem to evaluate real integrations.pptx959SahilShah
 

Recently uploaded (20)

Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptxDecoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
 
Call Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCR
Call Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCRCall Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCR
Call Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCR
 
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
 
Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024
 
Past, Present and Future of Generative AI
Past, Present and Future of Generative AIPast, Present and Future of Generative AI
Past, Present and Future of Generative AI
 
Electronically Controlled suspensions system .pdf
Electronically Controlled suspensions system .pdfElectronically Controlled suspensions system .pdf
Electronically Controlled suspensions system .pdf
 
Software and Systems Engineering Standards: Verification and Validation of Sy...
Software and Systems Engineering Standards: Verification and Validation of Sy...Software and Systems Engineering Standards: Verification and Validation of Sy...
Software and Systems Engineering Standards: Verification and Validation of Sy...
 
Heart Disease Prediction using machine learning.pptx
Heart Disease Prediction using machine learning.pptxHeart Disease Prediction using machine learning.pptx
Heart Disease Prediction using machine learning.pptx
 
VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...
VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...
VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...
 
GDSC ASEB Gen AI study jams presentation
GDSC ASEB Gen AI study jams presentationGDSC ASEB Gen AI study jams presentation
GDSC ASEB Gen AI study jams presentation
 
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
 
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdf
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdfCCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdf
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdf
 
★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR
★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR
★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR
 
Call Girls Delhi {Jodhpur} 9711199012 high profile service
Call Girls Delhi {Jodhpur} 9711199012 high profile serviceCall Girls Delhi {Jodhpur} 9711199012 high profile service
Call Girls Delhi {Jodhpur} 9711199012 high profile service
 
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdf
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdfCCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdf
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdf
 
Current Transformer Drawing and GTP for MSETCL
Current Transformer Drawing and GTP for MSETCLCurrent Transformer Drawing and GTP for MSETCL
Current Transformer Drawing and GTP for MSETCL
 
Biology for Computer Engineers Course Handout.pptx
Biology for Computer Engineers Course Handout.pptxBiology for Computer Engineers Course Handout.pptx
Biology for Computer Engineers Course Handout.pptx
 
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort serviceGurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
 
Introduction to Microprocesso programming and interfacing.pptx
Introduction to Microprocesso programming and interfacing.pptxIntroduction to Microprocesso programming and interfacing.pptx
Introduction to Microprocesso programming and interfacing.pptx
 
Application of Residue Theorem to evaluate real integrations.pptx
Application of Residue Theorem to evaluate real integrations.pptxApplication of Residue Theorem to evaluate real integrations.pptx
Application of Residue Theorem to evaluate real integrations.pptx
 

OffensiveCon2022: Case Studies of Fuzzing with Xen

  • 1. Case Studies of Fuzzing with Xen Tamas K Lengyel @tklengyel Balint Varga-Perke @buherator
  • 2. 2 Disclaimers Performance varies by use, configuration and other factors. Learn more at www.Intel.com/PerformanceIndex​. Performance results are based on testing as of dates shown in configurations and may not reflect all publicly available ​updates. See backup for configuration details. No product or component can be absolutely secure. No license (express or implied, by estoppel or otherwise) to any intellectual property rights is granted by this document. Intel does not control or audit third-party data. You should consult other sources to evaluate accuracy. Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade. Your costs and results may vary. Intel technologies may require enabled hardware, software or service activation. © Intel Corporation. Intel, the Intel logo, and other Intel marks are trademarks of Intel Corporation or its subsidiaries. Other names and brands may be claimed as the property of others. ​
  • 3. 3 TL;DR KF/x: https://github.com/intel/kernel-fuzzer-for-xen-project Full-VM snapshot fuzzer Open-source (MIT) Integrates with AFL/AFL++ In this talk – the tale of two vastly different targets - Linux Virtio - Symantec Endpoint Protection
  • 4. 4 Xen VM forking Copy-on-write memory in VM forks Reset vCPU registers and free dirty pages Parent VM … Page X Page Y Page Z … Fork VM … Shared Page X Copied Page Y Shared Page Z … R W X
  • 5. 5 Can run multiple forks & multiple fuzzing loops concurrently Fuzzing with KF/x Parent VM Magic CPUID Fork Sink VM panic() kasan_report() ubsan_prologue() … Fuzz VM Add 0xCC Read input from AFL Write it to VM’s mem Reset Catch a breakpoint Report crash Catch Magic CPUID Report no-crash Neither: timeout Analyze Decode IPT log Report coverage Fork Run Fuzz Compile & run target code with CPUID harness in place. No custom compiler needed! Any error-handling function can be a designated sink point. Easy to override with custom list (symbol name, VA or PA).
  • 6. 6 Design principles behind KF/x Stable foundation - All hypervisor components upstream (VM forking, introspection, IPT) Reduced complexity - No in-guest agent necessary Flexible - Components should be reusable to target any code running in the VM Extendable - Integrate with other fuzzers, use different harness mechanism, etc.
  • 7. 7 Limitations No I/O in fork VMs - No disk, no network, no screen, no console, no MMIO, no interrupts - Single vCPU only Bug enrichment features need to be compiled-in (ASAN, UBSAN) Target needs to execute normally in a Xen VM
  • 8. 8 Fuzzing Virtio Part of a larger kernel hardening project in preparation for TDX See Linux Security Summit ‘21 talk by Elena Reshetova Attacking guest from the host via shared memory (“DMA”) Xen doesn’t support Virtio – can’t use KF/x - Unless .. !
  • 9. 9 VM transplantation! The idea is simple: 1. Capture system state on KVM 2. Transfer it to Xen 3. Load 4. Fuzz!
  • 10. 10 Capturing the system state During fuzzing we are running the VM forks with only: - Memory - CPU We are in luck! QEMU QMP command dump-guest-memory - Creates and ELF file detailing the memory map & memory contents - Surprise undocumented feature: an ELF note has the CPU register state We also need the magic CPUID pausing on KVM
  • 11. 11 KVM patch to exit on magic CPUID QEMU patch to pause VM
  • 12. 12 Loading state on Xen 1. Create “empty” VM 2. Load memory according to memory map 3. Load CPU register state - Fix mismatch between segment attribute byte format in ELF vs Xen
  • 14. 14 Back to Virtio We have a way to save, transplant & fuzz Just have to figure out what to fuzz.. Virtio will be used for all I/O on TDX 1.0 - Disk, network, console That’s a lot of different code-paths to cover - Does anyone even know all the different ways Virtio code is reached?
  • 15. 15 Retargeting existing code Had a similar challenge while fuzzing xHCI Made a tool (dmamonitor) that can hook Linux’s DMA API - Hook dma_alloc_attrs with VMI - Remove EPT permission from DMA pages - Log RIP when EPT fault triggers with read-violation Could really use it here too.. - We are in luck: https://github.com/KVM-VMI/kvm-vmi
  • 16. 16 Boot Linux with DMA debug patched to have dummy API for easier hooking & force Virtio to go through DMA API DMA hook triggers for DMA page use Change EPT permission KVM Setup DMA page Linux VM boot & runtime DMA monitor E P T Handle EPT read-fault Unwind stack & hash return pointers If hash is new, snapshot EPT fault triggers when Virtio is fetching data from page 1. 3. 2. 4.
  • 18. 18 No end-harness We don’t need any! 1. Transplant snapshot 2. Fork 3. Singlestep up to 300k 4. Check which of the stack return pointers was reached 5. Inject breakpoint to transplant 6. Fuzz!
  • 19. 19 Results with hardened 5.15-rc6 126,061 DMA accesses observed during boot and basic functioning 13 unique DMA access sites 738 unique call-chains lead to DMA access 70 snapshots fuzzed based on top-5 stack frame uniqueness 7,567,463,809 fuzzing cycles completed (in 2 weeks) 0 issues found (no KASAN/UBSAN/panic/oops) 13 snapshots were found to have hangs when fuzzed 54 snapshots had less then 5 paths discovered
  • 20. 20 No bugs? We weren’t the first - Check out VIA: Analyzing Device Interfaces of Protected Virtual Machines - They fuzzed 5.10 and already reported the sanitizer bugs & got them fixed - We were able to catch some of the same bugs they found when we targeted 5.10 I still consider this a win - Tools & techniques all open-sourced & anyone is welcome to replicate - KF/x target setup & fuzzing can now happen at different systems - No longer need to setup your target on Xen (can use QEMU/KVM/Simics) Thanks to the whole lot of folks! Andrew Cooper, Sundaram Arumugasundaram, Mostafa Elsaid, Andi Kleen, Neelima Krishnan, Sathyanarayanan Kuppuswamy, Lukasz Odzioba, Sebastian Osterlund, Elena Reshetova, Carlos Villavicencio Sanchez, Casey Schaufler, Steffen Schulz, Mathieu Tarral
  • 21. 21 Antivirus fuzzing • Widespread technology • Complex parsers implemented in C/C++ • Remotely reachable attack surface • High privileges • Prior work: Antivirus (in)Security, Attacking Antivirus, P0 massacre, Sophail, Nightmare, The AV Hacker’s Handbook, REing Defender, tons of privescs, blackhats, and many others (sry if I missed yours!)
  • 22. 22 Antivirus fuzzing • Complex software • Binary-only (mostly) • Performance • Inspectability • State • Diversity • Products • Formats
  • 23. 23 KF/x vs. AV • Reusable harness • Full inspectability • Full-system fuzzing • Written documentation + well-known platform
  • 25. 25 Symantec Endpoint Protection • Tamper protection • Can be disabled, some memory still not accessible • COM-like architecture • Complex inter-module dependencies (writeup soon) • COM is obfuscation: No export symbols, no typelib, indirect calls … • OS interference
  • 26. 26 Proof-of-Concept • Multiple bugs discovered by Tavis Ormandy in 2016. • “Decomposers” • Unrar, dec2lha, libmspack, … -> ccScanW.dll • Try to rediscover #823 – “PowerPoint misaligned stream-cache remote stack buffer overflow” • Easy to modify nasm PoC • /GS still not applied to all (non-trivial) functions #YOLO
  • 27. 27 Proof-of-Concept • #823 allowed quick identification of the relevant parser function and I/O functions • KF/x tuning • Interrupt masking • sinks.h -> “KiDispatchException” (resolved by Volatility) • if (addr & 0x80000000) return; • Large test case • SEP reads data in 8k chunks • 6 reads necessary before the bug triggers (no disk in KF/x!)
  • 29. 29 Handling large inputs • Large inputs are not ideal for fuzzing in general • Performance • Process state • Mocking I/O • Tried it, wouldn’t recommend… • RAM disk works (on Windows too) • Chained fuzzing stages • Other traps: swapping, console output, network, …
  • 30. 30 Other parsers? • Rabbit Hole Ghidra extension • Per-function cumulative cyclomatic complexity • Ghidra Cpp Class Analyzer • RTTI info • Magic numbers • New target: 7zip decomposer • Magic number + high complexity + reachable from C7zEngine class members
  • 31. 31 “While this fuzzer runs, I will…”1 • Corpus: 1 file, some txt 7z’d with default options • AFL++, no knowledge about the file format • Coverage tracking with Intel PT • Single core • < 24h runtime • ~9M execs ~400-500 exec/s (not a perf talk sry) • No hang elimination (“loose paths”, timeout optimization, …) 1 How to FAIL at Fuzzing, Prospector
  • 32. 32 Fuzzing Symantec Endpoint Protection's 7z parser with KF/x
  • 33. 33 7z bug • Controlled heap overflow • Detection can be improved by enabling page heap • Silently fixed? • Symantec->Broadcom didn’t make investigation easy Mandatory AFL graph
  • 34. 34 Using REVEN to triage the 7z parsing heap overflow discovered with KF/x
  • 35. 35 Modularity • KF/x follows the Unix philosophy • AFL’s SHMAP became a de-facto standard • Forkserver-based intergration with LibAFL was trivial • Timeout/signal handling needed improvement (I/O fail -> hang) • Independent development of generators, mutators, etc. • In-memory input passing needs little more work
  • 37. 37 Other use-cases • AV • Kernel components • Memory scanners • DPI/DLP/IPS features • Games / Anti-cheat • Sandbox escapes • Nyx Fuzzer, Fuzzy Snapshots of Firefox IPC
  • 38. 38 Summary • Trivial vulnerabilities could remain hidden due to the lack of proper tools • VM Introspection is a game changer in vulnerability discovery/analysis • KF/x is an easy to integrate VMI-based fuzzing harness