SlideShare a Scribd company logo

When virtualization encounters afl blackhat eu2016--1.4

Download as PPTX, PDF
月锋 李

When virtualization encounters afl moony li , jack tang BlackHat Europe 2016, London

Internet
1 of 43
When virtualization encounters AFL Jack Tang, @jacktang310 Moony Li, @Flyic
What We Will Cover • Who We Are • Approach • Implementation • Case Study • CVE-2015-3456, Venom • Demo
Jack Tang - @jacktang310 - 10+ years security - Browser - Document - Mac/Windows Kernel - Virtualization Vulnerability
Moony Li - @Flyic - 7 years security - Sandcastle - Deep Discovery - Exploit Detection - Mac/Windows Kernel - Android Vulnerability
Approaches Comparison Approach Notes Pros Cons Fuzz in guest OS 1.Capture 2.Replay & Fuzz 1.Simple 2.Ignorance of I/O protocol 1.No code coverage 2.Incomplete by design Conformance fuzzing test 1.Symbol Execution 1.Fuzz deeper 1.No code coverage 2.Acdemical Code Review 1.Fexible 1.Cost effort 2.No scalable
Target: Virtual Devices Hypervisor Guest OS Virtual Devices Hardware Devices Guest OS Virtual Devices Kernel Driver Kernel Driver
• Portable • Customized BIOS as common format Virtual Disk • Serial port • Performance • sizeof(BIOS)<sizeof(OS). • Direct • Bypass device driver layer • Code coverage feedback & control • AFL integration Our Approach
Implementation • Architecture • Modules • Work Flow • AFL Tips
Architecture Overview Virtualization Software Process (VSP) Customized BIOS System (CBS) Instrumented Target Virtual Device X (e.g. USB) Memory / IO space Host OS Device Control Client (DCC) Virtual Serial Port Memory and IO space Operation Proxy Server (MIOPS ) afl-fuzz Device control data (DCD) Virtual Device1 (e.g. NIC, e1000) Virtual Device2 (e.g. SCSI) Virtual Device3 (e.g. Printer) Virtual Device4 (e.g. Audio Card) AFL Target Processes (ATP) Memory/IO Access request (MIOA request) Commands entry [1] instrument target device [2] afl-fuzz loop [3] DCC read in DCD [4] MIOPS execute request
Fuzzing UI
• Customized BIOS System(Seabios) • Decision principle: • Portability • Contains MIOPS(Memory and IO space Operation Proxy Server) • VSP (Virtual Software Process) is its runtime instance • Virtual serial port • Communication bridge Modules-CBS 1/3
Modules- How To Customize CBS 2/3 POST phase (Power On Self Test) Boot phase (Boot Operating System) BIOS runtime service phase (BIOS service for runtime OS) • Traditional BIOS vs Customized BIOS
Modules- How To Customize CBS 3/3 POST phase (Power On Self Test) • Detect physical memory • Platform hardware setup (for example: PCI bus, clock…) • Necessary device hardware setup (for example: serial port device for communication) • Recognize the devices • Start to run MIOPS (Memory and IO space Operation Proxy Server) handle loop.
• Memory and IO space Operation Proxy Server • MIOA Request- (Memory I/O Access) request • Tips: • Remove interruption in CBS • MIOPS polls virtual device result of request with timeout Modules-MIOPS 1/2
• Job: • Receive MIOA • Execution it Modules-MIOPS 2/2 MIOA example: “inb <address>” “inw <address>” “inl <address>” “outb <address> <value>” “outw <address> <value>” “outl <address> <value>” “write <address> <value> <length>” “read <address> <length>”
• Device Control Client • DCD – Device Control Data • Formatted suitable for AFL • Steps in Job: • 1. Launch VSP to load CBS • 2. Ping MIOPS in CBS Modules-DCC 1/2 mkfifo jack_pipe mkfifo jack_pipe1 qemu-system-x86_64 -bios out/bios.bin -serial pipe:jack_pipe -serial pipe:jack_pipe1
• Steps in Job: • 3. Initialize target virtual device • e.g. USB XHCI device initialization • 4. Parse DCD to MIOA Requests Modules-DCC 2/2
Workflow Overview Virtualization Software Process (VSP) Customized BIOS System (CBS) Instrumented Target Virtual Device X (e.g. USB) Memory / IO space Host OS Device Control Client (DCC) Virtual Serial Port Memory and IO space Operation Proxy Server (MIOPS ) afl-fuzz Device control data (DCD) Virtual Device1 (e.g. NIC, e1000) Virtual Device2 (e.g. SCSI) Virtual Device3 (e.g. Printer) Virtual Device4 (e.g. Audio Card) AFL Target Processes (ATP) Memory/IO Access request (MIOA request) Commands entry [1] instrument target device [2] afl-fuzz loop [3] DCC read in DCD [4] MIOPS execute request [5] afl-fuzz caculate code coverage and mutate
• Step1:Instrument the target devices • source code is available • Afl-gcc compile source code in part • source code NOT available • Instrument executable file statically + restricted instrumentation range Work Flow- Setup instrumentation-Step1/4
Workflow Overview- Step 1 Virtualization Software Process (VSP) Customized BIOS System (CBS) Instrumented Target Virtual Device X (e.g. USB) Memory / IO space Host OS Device Control Client (DCC) Virtual Serial Port Memory and IO space Operation Proxy Server (MIOPS ) afl-fuzz Device control data (DCD) Virtual Device1 (e.g. NIC, e1000) Virtual Device2 (e.g. SCSI) Virtual Device3 (e.g. Printer) Virtual Device4 (e.g. Audio Card) AFL Target Processes (ATP) Memory/IO Access request (MIOA request) Commands entry [1] instrument target device [2] afl-fuzz loop [3] DCC read in DCD [4] MIOPS execute request [5] afl-fuzz caculate code coverage and mutate
• Step2:Launch Afl-fuzz loop • afl-fuzz -t 90 -m 2048 -i ${test_root}/IN/ -o ${test_root}/OUT/ ${DCC} @@ • Afl-fuzll will automatically mutate DCD and calculate code coverage in the loop Work Flow- Setup Trace & Feedback – Step 2/4
Workflow Overview- Step 2 Virtualization Software Process (VSP) Customized BIOS System (CBS) Instrumented Target Virtual Device X (e.g. USB) Memory / IO space Host OS Device Control Client (DCC) Virtual Serial Port Memory and IO space Operation Proxy Server (MIOPS ) afl-fuzz Device control data (DCD) Virtual Device1 (e.g. NIC, e1000) Virtual Device2 (e.g. SCSI) Virtual Device3 (e.g. Printer) Virtual Device4 (e.g. Audio Card) AFL Target Processes (ATP) Memory/IO Access request (MIOA request) Commands entry [1] instrument target device [2] afl-fuzz loop [3] DCC read in DCD [4] MIOPS execute request [5] afl-fuzz caculate code coverage and mutate
• Step3:Encode MIOA Requests to DCD and read into DCC Work Flow- Encode DCD and read in – Step 3 typedef struct _command_entry { u32 _slotid; u32 _command_id; void* _inctx; u8 _input_buf[32]; }command_entry_t;
Workflow Overview – Step3 Virtualization Software Process (VSP) Customized BIOS System (CBS) Instrumented Target Virtual Device X (e.g. USB) Memory / IO space Host OS Device Control Client (DCC) Virtual Serial Port Memory and IO space Operation Proxy Server (MIOPS ) afl-fuzz Device control data (DCD) Virtual Device1 (e.g. NIC, e1000) Virtual Device2 (e.g. SCSI) Virtual Device3 (e.g. Printer) Virtual Device4 (e.g. Audio Card) AFL Target Processes (ATP) Memory/IO Access request (MIOA request) Commands entry [1] instrument target device [2] afl-fuzz loop [3] DCC read in DCD [4] MIOPS execute request [5] afl-fuzz caculate code coverage and mutate
Work Flow- Control Devices Communicate –Step 4/4 VSP CBS Instrumented Target Virtual Device X Memory / IO space DCC MIOPS DCD Initialize Finalize Communicate Initialize Communicate Finalize In/out/DMA
• Step4: Communication Loop • CBS starts up • Start & discover devices • Start MIOPS in it • MIOPS starts up • Initiate target devices • E.g. doorbell/command/event address of USB XHCI device • Communicate between MIOPS and DCC until crash • DCC read in DCD • MIOPS execute data Work Flow- Control Devices Communicate - Step 4/4
Workflow Overview – Step 4 Virtualization Software Process (VSP) Customized BIOS System (CBS) Instrumented Target Virtual Device X (e.g. USB) Memory / IO space Host OS Device Control Client (DCC) Virtual Serial Port Memory and IO space Operation Proxy Server (MIOPS ) afl-fuzz Device control data (DCD) Virtual Device1 (e.g. NIC, e1000) Virtual Device2 (e.g. SCSI) Virtual Device3 (e.g. Printer) Virtual Device4 (e.g. Audio Card) AFL Target Processes (ATP) Memory/IO Access request (MIOA request) Commands entry [1] instrument target device [2] afl-fuzz loop [3] DCC read in DCD [4] MIOPS execute request [5] afl-fuzz caculate code coverage and mutate
Work Flow- In view of AFL Virtualization Software Process (VSP) AFL Instrumented Target Virtual Device X Device Control Client (DCC) afl-fuzz Device control data (DCD) AFL Target Processes (ATP) [2] Remove afl instrument existence check in afl-fuzz and launch afl-fuzz DCC [3] DCC read in DCD [8] afl-fuzz caculates code coverage (of VSP) and mutate DCD and record crash (of VSP) [1]AFL instrument device parts in VSP (e.g.QEMU) [4] DCC communicate to VSP with Qtest and wait for VSP [5] VSP crashes [6] waitpid() returns [7] DCC Checks returned crash status(WIFSIGNALED) and crash itself
Tips: Compile the source code in part using afl-gcc, for example: Makefile: %.o: %.c $(call quiet-command, if [ $@ = "hw/usb/hcd-xhci.o" -o $@ = "hw/usb/dev-storage.o" ] ; AFL Tips- Part Instrumentation - Compile Source1/2
Tips: Instrument the executable file for close-source software AFL Tips- Part Instrumentation – Instrument PE 2/2 Data Segment Code Segment PE Header Segment Table Target Code Range Entry Point Trampoline SegmentInitialization static const u8* trampoline_f ".align 4n" "leal -16(%%esp), %%espn" "movl %%edi, 0(%%esp)n" "movl %%edx, 4(%%esp)n" "movl %%ecx, 8(%%esp)n" "movl %%eax, 12(%%esp)n" "movl $0x%08x, %%ecxn" "call __afl_maybe_logn" "movl 12(%%esp), %%eaxn" "movl 8(%%esp), %%ecxn" "movl 4(%%esp), %%edxn" "movl 0(%%esp), %%edin" "leal 16(%%esp), %%espn"
AFL Tips- Multiple Processes 1/3 Target Process (e.g. VSP) AFL Instrument Launcher (e.g. DCC) afl-fuzz Input Data (e.g.DCD)
• Trace info is shared across processes in nature • static inline void afl_maybe_log(abi_ulong cur_loc) AFL Tips- Multiple Processes 2/3
AFL Tips- Multiple Processes 3/3
• Adjust parameter for afl-fuzz to avoid start failure • -t, set more time for fuzz cycle • -m, set more memory for virtual machine • E.g. afl-fuzz -t 9 -m 2048 -i ${test_root}/IN/ -o ${test_root}/OUT/ ${DCC} @@ • … AFL Tips- Misc
What We Will Cover • Case Study • Fuzz FDC and Reproduce Venom Vulnerability(CVE-2015-3456) • Demo
1. afl-gcc fdc.c 2. Designing input case file(i.e. DCD) format struct fdc_command { unsigned char cid; unsigned int args_count; unsigned int args[0]; }; Case Study 1/3
3. Prepare 30 input case file • each case for one floppy disk controller command • For example: FD_CMD_READ, FD_CMD_WRITE, FD_CMD_SEEK… 4. Preparing DCC • Parsing input case file and translating to MIOA requests Case Study 2/3
5. Using commands to start testing afl-fuzz -t 99000 -m 2048 -i IN/ -o OUT/ <DCC command> @@ Case Study 3/3
Demo
Demo
• http://venom.crowdstrike.com/ • http://www.slideshare.net/CanSecWest/csw2016-tang-virtualizationdevice-emulator- testing-technology • http://lcamtuf.coredump.cx/AFL/ • https://www.youtube.com/watch?v=O9P7kXm5WSg • Filesystem Fuzzing with American Fuzzy Lop https://events.linuxfoundation.org/sites/events/files/slides/AFL%20filesystem%2 0fuzzing,%20Vault%202016_0.pdf • Triforce-run-afl-on-everything https://www.nccgroup.trust/us/about-us/newsroom-and- events/blog/2016/june/project-triforce-run-afl-on-everything/ • https://www.seabios.org/SeaBIOS • https://www.seabios.org/Execution_and_code_flow • http://wiki.qemu.org/Features/QTest • http://www.intel.com/content/www/us/en/io/universal-serial-bus/extensible-host- controler-interface-usb-xhci.html • http://wiki.osdev.org/Floppy_Disk_Controller Reference
Thanks very much

Recommended

[若渴計畫] Black Hat 2017之過去閱讀相關整理
[若渴計畫] Black Hat 2017之過去閱讀相關整理[若渴計畫] Black Hat 2017之過去閱讀相關整理
[若渴計畫] Black Hat 2017之過去閱讀相關整理Aj MaChInE
 
”Bare-Metal Container" presented at HPCC2016
”Bare-Metal Container" presented at HPCC2016”Bare-Metal Container" presented at HPCC2016
”Bare-Metal Container" presented at HPCC2016Kuniyasu Suzaki
 
BlueHat v18 || Massive scale usb device driver fuzz without device
BlueHat v18 || Massive scale usb device driver fuzz without deviceBlueHat v18 || Massive scale usb device driver fuzz without device
BlueHat v18 || Massive scale usb device driver fuzz without deviceBlueHat Security Conference
 
Workshop su Android Kernel Hacking
Workshop su Android Kernel HackingWorkshop su Android Kernel Hacking
Workshop su Android Kernel HackingDeveler S.r.l.
 
ACPI Debugging from Linux Kernel
ACPI Debugging from Linux KernelACPI Debugging from Linux Kernel
ACPI Debugging from Linux KernelSUSE Labs Taipei
 
Freeze Drying for Capturing Environment-Sensitive Malware Alive
Freeze Drying for Capturing Environment-Sensitive Malware AliveFreeze Drying for Capturing Environment-Sensitive Malware Alive
Freeze Drying for Capturing Environment-Sensitive Malware AliveFFRI, Inc.
 
101 3.5 create, monitor and kill processes v2
101 3.5 create, monitor and kill processes v2101 3.5 create, monitor and kill processes v2
101 3.5 create, monitor and kill processes v2Acácio Oliveira
 
HCK-CI: Enabling CI for Windows Guest Paravirtualized Drivers - Kostiantyn Ko...
HCK-CI: Enabling CI for Windows Guest Paravirtualized Drivers - Kostiantyn Ko...HCK-CI: Enabling CI for Windows Guest Paravirtualized Drivers - Kostiantyn Ko...
HCK-CI: Enabling CI for Windows Guest Paravirtualized Drivers - Kostiantyn Ko...Yan Vugenfirer
 

Recommended

[若渴計畫] Black Hat 2017之過去閱讀相關整理
[若渴計畫] Black Hat 2017之過去閱讀相關整理[若渴計畫] Black Hat 2017之過去閱讀相關整理
[若渴計畫] Black Hat 2017之過去閱讀相關整理Aj MaChInE
 
”Bare-Metal Container" presented at HPCC2016
”Bare-Metal Container" presented at HPCC2016”Bare-Metal Container" presented at HPCC2016
”Bare-Metal Container" presented at HPCC2016Kuniyasu Suzaki
 
BlueHat v18 || Massive scale usb device driver fuzz without device
BlueHat v18 || Massive scale usb device driver fuzz without deviceBlueHat v18 || Massive scale usb device driver fuzz without device
BlueHat v18 || Massive scale usb device driver fuzz without deviceBlueHat Security Conference
 
Workshop su Android Kernel Hacking
Workshop su Android Kernel HackingWorkshop su Android Kernel Hacking
Workshop su Android Kernel HackingDeveler S.r.l.
 
ACPI Debugging from Linux Kernel
ACPI Debugging from Linux KernelACPI Debugging from Linux Kernel
ACPI Debugging from Linux KernelSUSE Labs Taipei
 
Freeze Drying for Capturing Environment-Sensitive Malware Alive
Freeze Drying for Capturing Environment-Sensitive Malware AliveFreeze Drying for Capturing Environment-Sensitive Malware Alive
Freeze Drying for Capturing Environment-Sensitive Malware AliveFFRI, Inc.
 
101 3.5 create, monitor and kill processes v2
101 3.5 create, monitor and kill processes v2101 3.5 create, monitor and kill processes v2
101 3.5 create, monitor and kill processes v2Acácio Oliveira
 
HCK-CI: Enabling CI for Windows Guest Paravirtualized Drivers - Kostiantyn Ko...
HCK-CI: Enabling CI for Windows Guest Paravirtualized Drivers - Kostiantyn Ko...HCK-CI: Enabling CI for Windows Guest Paravirtualized Drivers - Kostiantyn Ko...
HCK-CI: Enabling CI for Windows Guest Paravirtualized Drivers - Kostiantyn Ko...Yan Vugenfirer
 
Possibility of arbitrary code execution by Step-Oriented Programming
Possibility of arbitrary code execution by Step-Oriented ProgrammingPossibility of arbitrary code execution by Step-Oriented Programming
Possibility of arbitrary code execution by Step-Oriented Programmingkozossakai
 
Windows内核技术介绍
Windows内核技术介绍Windows内核技术介绍
Windows内核技术介绍jeffz
 
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updatedCsw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updatedCanSecWest
 
Attack your Trusted Core
Attack your Trusted CoreAttack your Trusted Core
Attack your Trusted CoreDi Shen
 
QEMU and Raspberry Pi. Instant Embedded Development
QEMU and Raspberry Pi. Instant Embedded DevelopmentQEMU and Raspberry Pi. Instant Embedded Development
QEMU and Raspberry Pi. Instant Embedded DevelopmentGlobalLogic Ukraine
 
Embedded Systems Conference 2014 Presentation
Embedded Systems Conference 2014 PresentationEmbedded Systems Conference 2014 Presentation
Embedded Systems Conference 2014 PresentationManish Jaggi
 
Slide used at ACM-SAC 2014 by Suzaki
Slide used at ACM-SAC 2014 by SuzakiSlide used at ACM-SAC 2014 by Suzaki
Slide used at ACM-SAC 2014 by SuzakiKuniyasu Suzaki
 
U-boot and Android Verified Boot 2.0
U-boot and Android Verified Boot 2.0U-boot and Android Verified Boot 2.0
U-boot and Android Verified Boot 2.0GlobalLogic Ukraine
 
Understanding and Improving Device Access Complexity
Understanding and Improving Device Access ComplexityUnderstanding and Improving Device Access Complexity
Understanding and Improving Device Access Complexityasimkadav
 
Linux Audio Drivers. ALSA
Linux Audio Drivers. ALSALinux Audio Drivers. ALSA
Linux Audio Drivers. ALSAGlobalLogic Ukraine
 
淺談 Live patching technology
淺談 Live patching technology淺談 Live patching technology
淺談 Live patching technologySZ Lin
 
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...CSW2017 Privilege escalation on high-end servers due to implementation gaps i...
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...CanSecWest
 
HKG15-409: ARM Hibernation enablement on SoCs - a case study
HKG15-409: ARM Hibernation enablement on SoCs - a case studyHKG15-409: ARM Hibernation enablement on SoCs - a case study
HKG15-409: ARM Hibernation enablement on SoCs - a case studyLinaro
 
Project ACRN hypervisor introduction
Project ACRN hypervisor introduction Project ACRN hypervisor introduction
Project ACRN hypervisor introduction Project ACRN
 
Back to the Future: A Radical Insecure Design of KVM on ARM
Back to the Future: A Radical Insecure Design of KVM on ARMBack to the Future: A Radical Insecure Design of KVM on ARM
Back to the Future: A Radical Insecure Design of KVM on ARMPriyanka Aash
 
Project ACRN USB mediator introduction
Project ACRN USB mediator introductionProject ACRN USB mediator introduction
Project ACRN USB mediator introductionProject ACRN
 
LCU14 302- How to port OP-TEE to another platform
LCU14 302- How to port OP-TEE to another platformLCU14 302- How to port OP-TEE to another platform
LCU14 302- How to port OP-TEE to another platformLinaro
 
44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar44CON
 
Kernel Recipes 2013 - Overview display in the Linux kernel
Kernel Recipes 2013 - Overview display in the Linux kernelKernel Recipes 2013 - Overview display in the Linux kernel
Kernel Recipes 2013 - Overview display in the Linux kernelAnne Nicolas
 
Trusted firmware deep_dive_v1.0_
Trusted firmware deep_dive_v1.0_Trusted firmware deep_dive_v1.0_
Trusted firmware deep_dive_v1.0_Linaro
 
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote ShellcodeAj MaChInE
 
KazooCon 2014 - Playing Kazoo Dudka Style
KazooCon 2014 - Playing Kazoo Dudka StyleKazooCon 2014 - Playing Kazoo Dudka Style
KazooCon 2014 - Playing Kazoo Dudka Style2600Hz
 

More Related Content

What's hot

Possibility of arbitrary code execution by Step-Oriented Programming
Possibility of arbitrary code execution by Step-Oriented ProgrammingPossibility of arbitrary code execution by Step-Oriented Programming
Possibility of arbitrary code execution by Step-Oriented Programmingkozossakai
 
Windows内核技术介绍
Windows内核技术介绍Windows内核技术介绍
Windows内核技术介绍jeffz
 
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updatedCsw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updatedCanSecWest
 
Attack your Trusted Core
Attack your Trusted CoreAttack your Trusted Core
Attack your Trusted CoreDi Shen
 
QEMU and Raspberry Pi. Instant Embedded Development
QEMU and Raspberry Pi. Instant Embedded DevelopmentQEMU and Raspberry Pi. Instant Embedded Development
QEMU and Raspberry Pi. Instant Embedded DevelopmentGlobalLogic Ukraine
 
Embedded Systems Conference 2014 Presentation
Embedded Systems Conference 2014 PresentationEmbedded Systems Conference 2014 Presentation
Embedded Systems Conference 2014 PresentationManish Jaggi
 
Slide used at ACM-SAC 2014 by Suzaki
Slide used at ACM-SAC 2014 by SuzakiSlide used at ACM-SAC 2014 by Suzaki
Slide used at ACM-SAC 2014 by SuzakiKuniyasu Suzaki
 
U-boot and Android Verified Boot 2.0
U-boot and Android Verified Boot 2.0U-boot and Android Verified Boot 2.0
U-boot and Android Verified Boot 2.0GlobalLogic Ukraine
 
Understanding and Improving Device Access Complexity
Understanding and Improving Device Access ComplexityUnderstanding and Improving Device Access Complexity
Understanding and Improving Device Access Complexityasimkadav
 
淺談 Live patching technology
淺談 Live patching technology淺談 Live patching technology
淺談 Live patching technologySZ Lin
 
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...CSW2017 Privilege escalation on high-end servers due to implementation gaps i...
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...CanSecWest
 
HKG15-409: ARM Hibernation enablement on SoCs - a case study
HKG15-409: ARM Hibernation enablement on SoCs - a case studyHKG15-409: ARM Hibernation enablement on SoCs - a case study
HKG15-409: ARM Hibernation enablement on SoCs - a case studyLinaro
 
Project ACRN hypervisor introduction
Project ACRN hypervisor introduction Project ACRN hypervisor introduction
Project ACRN hypervisor introduction Project ACRN
 
Back to the Future: A Radical Insecure Design of KVM on ARM
Back to the Future: A Radical Insecure Design of KVM on ARMBack to the Future: A Radical Insecure Design of KVM on ARM
Back to the Future: A Radical Insecure Design of KVM on ARMPriyanka Aash
 
Project ACRN USB mediator introduction
Project ACRN USB mediator introductionProject ACRN USB mediator introduction
Project ACRN USB mediator introductionProject ACRN
 
LCU14 302- How to port OP-TEE to another platform
LCU14 302- How to port OP-TEE to another platformLCU14 302- How to port OP-TEE to another platform
LCU14 302- How to port OP-TEE to another platformLinaro
 
44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar44CON
 
Kernel Recipes 2013 - Overview display in the Linux kernel
Kernel Recipes 2013 - Overview display in the Linux kernelKernel Recipes 2013 - Overview display in the Linux kernel
Kernel Recipes 2013 - Overview display in the Linux kernelAnne Nicolas
 
Trusted firmware deep_dive_v1.0_
Trusted firmware deep_dive_v1.0_Trusted firmware deep_dive_v1.0_
Trusted firmware deep_dive_v1.0_Linaro
 

What's hot (20)

Possibility of arbitrary code execution by Step-Oriented Programming
Possibility of arbitrary code execution by Step-Oriented ProgrammingPossibility of arbitrary code execution by Step-Oriented Programming
Possibility of arbitrary code execution by Step-Oriented Programming
 
Windows内核技术介绍
Windows内核技术介绍Windows内核技术介绍
Windows内核技术介绍
 
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updatedCsw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
 
Attack your Trusted Core
Attack your Trusted CoreAttack your Trusted Core
Attack your Trusted Core
 
QEMU and Raspberry Pi. Instant Embedded Development
QEMU and Raspberry Pi. Instant Embedded DevelopmentQEMU and Raspberry Pi. Instant Embedded Development
QEMU and Raspberry Pi. Instant Embedded Development
 
Embedded Systems Conference 2014 Presentation
Embedded Systems Conference 2014 PresentationEmbedded Systems Conference 2014 Presentation
Embedded Systems Conference 2014 Presentation
 
Slide used at ACM-SAC 2014 by Suzaki
Slide used at ACM-SAC 2014 by SuzakiSlide used at ACM-SAC 2014 by Suzaki
Slide used at ACM-SAC 2014 by Suzaki
 
U-boot and Android Verified Boot 2.0
U-boot and Android Verified Boot 2.0U-boot and Android Verified Boot 2.0
U-boot and Android Verified Boot 2.0
 
Understanding and Improving Device Access Complexity
Understanding and Improving Device Access ComplexityUnderstanding and Improving Device Access Complexity
Understanding and Improving Device Access Complexity
 
Linux Audio Drivers. ALSA
Linux Audio Drivers. ALSALinux Audio Drivers. ALSA
Linux Audio Drivers. ALSA
 
淺談 Live patching technology
淺談 Live patching technology淺談 Live patching technology
淺談 Live patching technology
 
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...CSW2017 Privilege escalation on high-end servers due to implementation gaps i...
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...
 
HKG15-409: ARM Hibernation enablement on SoCs - a case study
HKG15-409: ARM Hibernation enablement on SoCs - a case studyHKG15-409: ARM Hibernation enablement on SoCs - a case study
HKG15-409: ARM Hibernation enablement on SoCs - a case study
 
Project ACRN hypervisor introduction
Project ACRN hypervisor introduction Project ACRN hypervisor introduction
Project ACRN hypervisor introduction
 
Back to the Future: A Radical Insecure Design of KVM on ARM
Back to the Future: A Radical Insecure Design of KVM on ARMBack to the Future: A Radical Insecure Design of KVM on ARM
Back to the Future: A Radical Insecure Design of KVM on ARM
 
Project ACRN USB mediator introduction
Project ACRN USB mediator introductionProject ACRN USB mediator introduction
Project ACRN USB mediator introduction
 
LCU14 302- How to port OP-TEE to another platform
LCU14 302- How to port OP-TEE to another platformLCU14 302- How to port OP-TEE to another platform
LCU14 302- How to port OP-TEE to another platform
 
44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar
 
Kernel Recipes 2013 - Overview display in the Linux kernel
Kernel Recipes 2013 - Overview display in the Linux kernelKernel Recipes 2013 - Overview display in the Linux kernel
Kernel Recipes 2013 - Overview display in the Linux kernel
 
Trusted firmware deep_dive_v1.0_
Trusted firmware deep_dive_v1.0_Trusted firmware deep_dive_v1.0_
Trusted firmware deep_dive_v1.0_
 

Similar to When virtualization encounters afl blackhat eu2016--1.4

[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote ShellcodeAj MaChInE
 
KazooCon 2014 - Playing Kazoo Dudka Style
KazooCon 2014 - Playing Kazoo Dudka StyleKazooCon 2014 - Playing Kazoo Dudka Style
KazooCon 2014 - Playing Kazoo Dudka Style2600Hz
 
AsiaBSDCon2023 - Hardening Emulated Devices in OpenBSD’s vmd(8) Hypervisor
AsiaBSDCon2023 - Hardening Emulated Devices in OpenBSD’s vmd(8) HypervisorAsiaBSDCon2023 - Hardening Emulated Devices in OpenBSD’s vmd(8) Hypervisor
AsiaBSDCon2023 - Hardening Emulated Devices in OpenBSD’s vmd(8) HypervisorDave Voutila
 
[HES2013] Hacking apple accessories to pown iDevices – Wake up Neo! Your phon...
[HES2013] Hacking apple accessories to pown iDevices – Wake up Neo! Your phon...[HES2013] Hacking apple accessories to pown iDevices – Wake up Neo! Your phon...
[HES2013] Hacking apple accessories to pown iDevices – Wake up Neo! Your phon...Hackito Ergo Sum
 
SMP implementation for OpenBSD/sgi
SMP implementation for OpenBSD/sgiSMP implementation for OpenBSD/sgi
SMP implementation for OpenBSD/sgiTakuya ASADA
 
[Advantech] PAC SW Multiprog Tutorial step by step
[Advantech] PAC SW Multiprog Tutorial step by step [Advantech] PAC SW Multiprog Tutorial step by step
[Advantech] PAC SW Multiprog Tutorial step by step Ming-Hung Hseih
 
Web Template Mechanisms in SOC Verification - DVCon.pdf
Web Template Mechanisms in SOC Verification - DVCon.pdfWeb Template Mechanisms in SOC Verification - DVCon.pdf
Web Template Mechanisms in SOC Verification - DVCon.pdfSamHoney6
 
05 module managing your network enviornment
05 module managing your network enviornment05 module managing your network enviornment
05 module managing your network enviornmentAsif
 
Being HAPI! Reverse Proxying on Purpose
Being HAPI! Reverse Proxying on PurposeBeing HAPI! Reverse Proxying on Purpose
Being HAPI! Reverse Proxying on PurposeAman Kohli
 
Labs_BT_20221017.pptx
Labs_BT_20221017.pptxLabs_BT_20221017.pptx
Labs_BT_20221017.pptxssuserb4d806
 
CCNA (R & S) Module 03 - Routing & Switching Essentials - Chapter 10
CCNA (R & S) Module 03 - Routing & Switching Essentials - Chapter 10CCNA (R & S) Module 03 - Routing & Switching Essentials - Chapter 10
CCNA (R & S) Module 03 - Routing & Switching Essentials - Chapter 10Waqas Ahmed Nawaz
 
OSSEC @ ISSA Jan 21st 2010
OSSEC @ ISSA Jan 21st 2010OSSEC @ ISSA Jan 21st 2010
OSSEC @ ISSA Jan 21st 2010wremes
 
2014/09/02 Cisco UCS HPC @ ANL
2014/09/02 Cisco UCS HPC @ ANL2014/09/02 Cisco UCS HPC @ ANL
2014/09/02 Cisco UCS HPC @ ANLdgoodell
 
Track c-High speed transaction-based hw-sw coverification -eve
Track c-High speed transaction-based hw-sw coverification -eveTrack c-High speed transaction-based hw-sw coverification -eve
Track c-High speed transaction-based hw-sw coverification -evechiportal
 
NetFlow Monitoring for Cyber Threat Defense
NetFlow Monitoring for Cyber Threat DefenseNetFlow Monitoring for Cyber Threat Defense
NetFlow Monitoring for Cyber Threat DefenseCisco Canada
 
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...Felipe Prado
 
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...Sergey Gordeychik
 
Free OpManager training Part3- Network performance monitoring
Free OpManager training Part3- Network performance monitoringFree OpManager training Part3- Network performance monitoring
Free OpManager training Part3- Network performance monitoringManageEngine, Zoho Corporation
 

Similar to When virtualization encounters afl blackhat eu2016--1.4 (20)

[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
 
KazooCon 2014 - Playing Kazoo Dudka Style
KazooCon 2014 - Playing Kazoo Dudka StyleKazooCon 2014 - Playing Kazoo Dudka Style
KazooCon 2014 - Playing Kazoo Dudka Style
 
AsiaBSDCon2023 - Hardening Emulated Devices in OpenBSD’s vmd(8) Hypervisor
AsiaBSDCon2023 - Hardening Emulated Devices in OpenBSD’s vmd(8) HypervisorAsiaBSDCon2023 - Hardening Emulated Devices in OpenBSD’s vmd(8) Hypervisor
AsiaBSDCon2023 - Hardening Emulated Devices in OpenBSD’s vmd(8) Hypervisor
 
[HES2013] Hacking apple accessories to pown iDevices – Wake up Neo! Your phon...
[HES2013] Hacking apple accessories to pown iDevices – Wake up Neo! Your phon...[HES2013] Hacking apple accessories to pown iDevices – Wake up Neo! Your phon...
[HES2013] Hacking apple accessories to pown iDevices – Wake up Neo! Your phon...
 
SMP implementation for OpenBSD/sgi
SMP implementation for OpenBSD/sgiSMP implementation for OpenBSD/sgi
SMP implementation for OpenBSD/sgi
 
[Advantech] PAC SW Multiprog Tutorial step by step
[Advantech] PAC SW Multiprog Tutorial step by step [Advantech] PAC SW Multiprog Tutorial step by step
[Advantech] PAC SW Multiprog Tutorial step by step
 
Web Template Mechanisms in SOC Verification - DVCon.pdf
Web Template Mechanisms in SOC Verification - DVCon.pdfWeb Template Mechanisms in SOC Verification - DVCon.pdf
Web Template Mechanisms in SOC Verification - DVCon.pdf
 
05 module managing your network enviornment
05 module managing your network enviornment05 module managing your network enviornment
05 module managing your network enviornment
 
Being HAPI! Reverse Proxying on Purpose
Being HAPI! Reverse Proxying on PurposeBeing HAPI! Reverse Proxying on Purpose
Being HAPI! Reverse Proxying on Purpose
 
Labs_BT_20221017.pptx
Labs_BT_20221017.pptxLabs_BT_20221017.pptx
Labs_BT_20221017.pptx
 
CCNA (R & S) Module 03 - Routing & Switching Essentials - Chapter 10
CCNA (R & S) Module 03 - Routing & Switching Essentials - Chapter 10CCNA (R & S) Module 03 - Routing & Switching Essentials - Chapter 10
CCNA (R & S) Module 03 - Routing & Switching Essentials - Chapter 10
 
OSSEC @ ISSA Jan 21st 2010
OSSEC @ ISSA Jan 21st 2010OSSEC @ ISSA Jan 21st 2010
OSSEC @ ISSA Jan 21st 2010
 
2014/09/02 Cisco UCS HPC @ ANL
2014/09/02 Cisco UCS HPC @ ANL2014/09/02 Cisco UCS HPC @ ANL
2014/09/02 Cisco UCS HPC @ ANL
 
Track c-High speed transaction-based hw-sw coverification -eve
Track c-High speed transaction-based hw-sw coverification -eveTrack c-High speed transaction-based hw-sw coverification -eve
Track c-High speed transaction-based hw-sw coverification -eve
 
NetFlow Monitoring for Cyber Threat Defense
NetFlow Monitoring for Cyber Threat DefenseNetFlow Monitoring for Cyber Threat Defense
NetFlow Monitoring for Cyber Threat Defense
 
UNIT-III ES.ppt
UNIT-III ES.pptUNIT-III ES.ppt
UNIT-III ES.ppt
 
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
 
ucOS
ucOSucOS
ucOS
 
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
 
Free OpManager training Part3- Network performance monitoring
Free OpManager training Part3- Network performance monitoringFree OpManager training Part3- Network performance monitoring
Free OpManager training Part3- Network performance monitoring
 

Recently uploaded

VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call GirlVIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girladitipandeya
 
AlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsAlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsThierry TROUIN ☁
 
Gram Darshan PPT cyber rural in villages of india
Gram Darshan PPT cyber rural in villages of indiaGram Darshan PPT cyber rural in villages of india
Gram Darshan PPT cyber rural in villages of indiaimessage0108
 
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Sheetaleventcompany
 
Russian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsRussian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsstephieert
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024APNIC
 
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With RoomVIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Roomdivyansh0kumar0
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...APNIC
 
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceEnjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceDelhi Call girls
 
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Delhi Call girls
 
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxAWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxellan12
 
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...Diya Sharma
 
Challengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya Shirtrahman018755
 
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Callshivangimorya083
 
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls KolkataVIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 

Recently uploaded (20)

VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call GirlVIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
 
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
 
AlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsAlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with Flows
 
Gram Darshan PPT cyber rural in villages of india
Gram Darshan PPT cyber rural in villages of indiaGram Darshan PPT cyber rural in villages of india
Gram Darshan PPT cyber rural in villages of india
 
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
 
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
 
Russian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsRussian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girls
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
 
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With RoomVIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
 
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceEnjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
 
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
 
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxAWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
 
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
 
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
 
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
Challengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya Shirt
 
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
 
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls KolkataVIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
 

When virtualization encounters afl blackhat eu2016--1.4

  • 1. When virtualization encounters AFL Jack Tang, @jacktang310 Moony Li, @Flyic
  • 2. What We Will Cover • Who We Are • Approach • Implementation • Case Study • CVE-2015-3456, Venom • Demo
  • 3.
  • 4. Jack Tang - @jacktang310 - 10+ years security - Browser - Document - Mac/Windows Kernel - Virtualization Vulnerability
  • 5. Moony Li - @Flyic - 7 years security - Sandcastle - Deep Discovery - Exploit Detection - Mac/Windows Kernel - Android Vulnerability
  • 6. Approaches Comparison Approach Notes Pros Cons Fuzz in guest OS 1.Capture 2.Replay & Fuzz 1.Simple 2.Ignorance of I/O protocol 1.No code coverage 2.Incomplete by design Conformance fuzzing test 1.Symbol Execution 1.Fuzz deeper 1.No code coverage 2.Acdemical Code Review 1.Fexible 1.Cost effort 2.No scalable
  • 7. Target: Virtual Devices Hypervisor Guest OS Virtual Devices Hardware Devices Guest OS Virtual Devices Kernel Driver Kernel Driver
  • 8. • Portable • Customized BIOS as common format Virtual Disk • Serial port • Performance • sizeof(BIOS)<sizeof(OS). • Direct • Bypass device driver layer • Code coverage feedback & control • AFL integration Our Approach
  • 10. Architecture Overview Virtualization Software Process (VSP) Customized BIOS System (CBS) Instrumented Target Virtual Device X (e.g. USB) Memory / IO space Host OS Device Control Client (DCC) Virtual Serial Port Memory and IO space Operation Proxy Server (MIOPS ) afl-fuzz Device control data (DCD) Virtual Device1 (e.g. NIC, e1000) Virtual Device2 (e.g. SCSI) Virtual Device3 (e.g. Printer) Virtual Device4 (e.g. Audio Card) AFL Target Processes (ATP) Memory/IO Access request (MIOA request) Commands entry [1] instrument target device [2] afl-fuzz loop [3] DCC read in DCD [4] MIOPS execute request
  • 12. • Customized BIOS System(Seabios) • Decision principle: • Portability • Contains MIOPS(Memory and IO space Operation Proxy Server) • VSP (Virtual Software Process) is its runtime instance • Virtual serial port • Communication bridge Modules-CBS 1/3
  • 13. Modules- How To Customize CBS 2/3 POST phase (Power On Self Test) Boot phase (Boot Operating System) BIOS runtime service phase (BIOS service for runtime OS) • Traditional BIOS vs Customized BIOS
  • 14. Modules- How To Customize CBS 3/3 POST phase (Power On Self Test) • Detect physical memory • Platform hardware setup (for example: PCI bus, clock…) • Necessary device hardware setup (for example: serial port device for communication) • Recognize the devices • Start to run MIOPS (Memory and IO space Operation Proxy Server) handle loop.
  • 15. • Memory and IO space Operation Proxy Server • MIOA Request- (Memory I/O Access) request • Tips: • Remove interruption in CBS • MIOPS polls virtual device result of request with timeout Modules-MIOPS 1/2
  • 16. • Job: • Receive MIOA • Execution it Modules-MIOPS 2/2 MIOA example: “inb <address>” “inw <address>” “inl <address>” “outb <address> <value>” “outw <address> <value>” “outl <address> <value>” “write <address> <value> <length>” “read <address> <length>”
  • 17. • Device Control Client • DCD – Device Control Data • Formatted suitable for AFL • Steps in Job: • 1. Launch VSP to load CBS • 2. Ping MIOPS in CBS Modules-DCC 1/2 mkfifo jack_pipe mkfifo jack_pipe1 qemu-system-x86_64 -bios out/bios.bin -serial pipe:jack_pipe -serial pipe:jack_pipe1
  • 18. • Steps in Job: • 3. Initialize target virtual device • e.g. USB XHCI device initialization • 4. Parse DCD to MIOA Requests Modules-DCC 2/2
  • 19. Workflow Overview Virtualization Software Process (VSP) Customized BIOS System (CBS) Instrumented Target Virtual Device X (e.g. USB) Memory / IO space Host OS Device Control Client (DCC) Virtual Serial Port Memory and IO space Operation Proxy Server (MIOPS ) afl-fuzz Device control data (DCD) Virtual Device1 (e.g. NIC, e1000) Virtual Device2 (e.g. SCSI) Virtual Device3 (e.g. Printer) Virtual Device4 (e.g. Audio Card) AFL Target Processes (ATP) Memory/IO Access request (MIOA request) Commands entry [1] instrument target device [2] afl-fuzz loop [3] DCC read in DCD [4] MIOPS execute request [5] afl-fuzz caculate code coverage and mutate
  • 20. • Step1:Instrument the target devices • source code is available • Afl-gcc compile source code in part • source code NOT available • Instrument executable file statically + restricted instrumentation range Work Flow- Setup instrumentation-Step1/4
  • 21. Workflow Overview- Step 1 Virtualization Software Process (VSP) Customized BIOS System (CBS) Instrumented Target Virtual Device X (e.g. USB) Memory / IO space Host OS Device Control Client (DCC) Virtual Serial Port Memory and IO space Operation Proxy Server (MIOPS ) afl-fuzz Device control data (DCD) Virtual Device1 (e.g. NIC, e1000) Virtual Device2 (e.g. SCSI) Virtual Device3 (e.g. Printer) Virtual Device4 (e.g. Audio Card) AFL Target Processes (ATP) Memory/IO Access request (MIOA request) Commands entry [1] instrument target device [2] afl-fuzz loop [3] DCC read in DCD [4] MIOPS execute request [5] afl-fuzz caculate code coverage and mutate
  • 22. • Step2:Launch Afl-fuzz loop • afl-fuzz -t 90 -m 2048 -i ${test_root}/IN/ -o ${test_root}/OUT/ ${DCC} @@ • Afl-fuzll will automatically mutate DCD and calculate code coverage in the loop Work Flow- Setup Trace & Feedback – Step 2/4
  • 23. Workflow Overview- Step 2 Virtualization Software Process (VSP) Customized BIOS System (CBS) Instrumented Target Virtual Device X (e.g. USB) Memory / IO space Host OS Device Control Client (DCC) Virtual Serial Port Memory and IO space Operation Proxy Server (MIOPS ) afl-fuzz Device control data (DCD) Virtual Device1 (e.g. NIC, e1000) Virtual Device2 (e.g. SCSI) Virtual Device3 (e.g. Printer) Virtual Device4 (e.g. Audio Card) AFL Target Processes (ATP) Memory/IO Access request (MIOA request) Commands entry [1] instrument target device [2] afl-fuzz loop [3] DCC read in DCD [4] MIOPS execute request [5] afl-fuzz caculate code coverage and mutate
  • 24. • Step3:Encode MIOA Requests to DCD and read into DCC Work Flow- Encode DCD and read in – Step 3 typedef struct _command_entry { u32 _slotid; u32 _command_id; void* _inctx; u8 _input_buf[32]; }command_entry_t;
  • 25. Workflow Overview – Step3 Virtualization Software Process (VSP) Customized BIOS System (CBS) Instrumented Target Virtual Device X (e.g. USB) Memory / IO space Host OS Device Control Client (DCC) Virtual Serial Port Memory and IO space Operation Proxy Server (MIOPS ) afl-fuzz Device control data (DCD) Virtual Device1 (e.g. NIC, e1000) Virtual Device2 (e.g. SCSI) Virtual Device3 (e.g. Printer) Virtual Device4 (e.g. Audio Card) AFL Target Processes (ATP) Memory/IO Access request (MIOA request) Commands entry [1] instrument target device [2] afl-fuzz loop [3] DCC read in DCD [4] MIOPS execute request [5] afl-fuzz caculate code coverage and mutate
  • 26. Work Flow- Control Devices Communicate –Step 4/4 VSP CBS Instrumented Target Virtual Device X Memory / IO space DCC MIOPS DCD Initialize Finalize Communicate Initialize Communicate Finalize In/out/DMA
  • 27. • Step4: Communication Loop • CBS starts up • Start & discover devices • Start MIOPS in it • MIOPS starts up • Initiate target devices • E.g. doorbell/command/event address of USB XHCI device • Communicate between MIOPS and DCC until crash • DCC read in DCD • MIOPS execute data Work Flow- Control Devices Communicate - Step 4/4
  • 28. Workflow Overview – Step 4 Virtualization Software Process (VSP) Customized BIOS System (CBS) Instrumented Target Virtual Device X (e.g. USB) Memory / IO space Host OS Device Control Client (DCC) Virtual Serial Port Memory and IO space Operation Proxy Server (MIOPS ) afl-fuzz Device control data (DCD) Virtual Device1 (e.g. NIC, e1000) Virtual Device2 (e.g. SCSI) Virtual Device3 (e.g. Printer) Virtual Device4 (e.g. Audio Card) AFL Target Processes (ATP) Memory/IO Access request (MIOA request) Commands entry [1] instrument target device [2] afl-fuzz loop [3] DCC read in DCD [4] MIOPS execute request [5] afl-fuzz caculate code coverage and mutate
  • 29. Work Flow- In view of AFL Virtualization Software Process (VSP) AFL Instrumented Target Virtual Device X Device Control Client (DCC) afl-fuzz Device control data (DCD) AFL Target Processes (ATP) [2] Remove afl instrument existence check in afl-fuzz and launch afl-fuzz DCC [3] DCC read in DCD [8] afl-fuzz caculates code coverage (of VSP) and mutate DCD and record crash (of VSP) [1]AFL instrument device parts in VSP (e.g.QEMU) [4] DCC communicate to VSP with Qtest and wait for VSP [5] VSP crashes [6] waitpid() returns [7] DCC Checks returned crash status(WIFSIGNALED) and crash itself
  • 30. Tips: Compile the source code in part using afl-gcc, for example: Makefile: %.o: %.c $(call quiet-command, if [ $@ = "hw/usb/hcd-xhci.o" -o $@ = "hw/usb/dev-storage.o" ] ; AFL Tips- Part Instrumentation - Compile Source1/2
  • 31. Tips: Instrument the executable file for close-source software AFL Tips- Part Instrumentation – Instrument PE 2/2 Data Segment Code Segment PE Header Segment Table Target Code Range Entry Point Trampoline SegmentInitialization static const u8* trampoline_f ".align 4n" "leal -16(%%esp), %%espn" "movl %%edi, 0(%%esp)n" "movl %%edx, 4(%%esp)n" "movl %%ecx, 8(%%esp)n" "movl %%eax, 12(%%esp)n" "movl $0x%08x, %%ecxn" "call __afl_maybe_logn" "movl 12(%%esp), %%eaxn" "movl 8(%%esp), %%ecxn" "movl 4(%%esp), %%edxn" "movl 0(%%esp), %%edin" "leal 16(%%esp), %%espn"
  • 32. AFL Tips- Multiple Processes 1/3 Target Process (e.g. VSP) AFL Instrument Launcher (e.g. DCC) afl-fuzz Input Data (e.g.DCD)
  • 33. • Trace info is shared across processes in nature • static inline void afl_maybe_log(abi_ulong cur_loc) AFL Tips- Multiple Processes 2/3
  • 35. • Adjust parameter for afl-fuzz to avoid start failure • -t, set more time for fuzz cycle • -m, set more memory for virtual machine • E.g. afl-fuzz -t 9 -m 2048 -i ${test_root}/IN/ -o ${test_root}/OUT/ ${DCC} @@ • … AFL Tips- Misc
  • 36. What We Will Cover • Case Study • Fuzz FDC and Reproduce Venom Vulnerability(CVE-2015-3456) • Demo
  • 37. 1. afl-gcc fdc.c 2. Designing input case file(i.e. DCD) format struct fdc_command { unsigned char cid; unsigned int args_count; unsigned int args[0]; }; Case Study 1/3
  • 38. 3. Prepare 30 input case file • each case for one floppy disk controller command • For example: FD_CMD_READ, FD_CMD_WRITE, FD_CMD_SEEK… 4. Preparing DCC • Parsing input case file and translating to MIOA requests Case Study 2/3
  • 39. 5. Using commands to start testing afl-fuzz -t 99000 -m 2048 -i IN/ -o OUT/ <DCC command> @@ Case Study 3/3
  • 40. Demo
  • 41. Demo
  • 42. • http://venom.crowdstrike.com/ • http://www.slideshare.net/CanSecWest/csw2016-tang-virtualizationdevice-emulator- testing-technology • http://lcamtuf.coredump.cx/AFL/ • https://www.youtube.com/watch?v=O9P7kXm5WSg • Filesystem Fuzzing with American Fuzzy Lop https://events.linuxfoundation.org/sites/events/files/slides/AFL%20filesystem%2 0fuzzing,%20Vault%202016_0.pdf • Triforce-run-afl-on-everything https://www.nccgroup.trust/us/about-us/newsroom-and- events/blog/2016/june/project-triforce-run-afl-on-everything/ • https://www.seabios.org/SeaBIOS • https://www.seabios.org/Execution_and_code_flow • http://wiki.qemu.org/Features/QTest • http://www.intel.com/content/www/us/en/io/universal-serial-bus/extensible-host- controler-interface-usb-xhci.html • http://wiki.osdev.org/Floppy_Disk_Controller Reference

Editor's Notes

  1. Welcome everyone I’m very happy to be presenting here today at the BLACKHAT conference. My name is Moony and I will be presenting today on the topic of virtualization fuzzing with AFL….
  2. Today I will cover several key areas 1. First I’ll tell you a little about me and my partner I’ll then walk you through - how we designed our approach to fuzz virtual devices integrated with AFL - and how we implemented our design 3. Following this I will present to you a case study to show how we fuzz and reproduce a floppy vulnerability step by step 4. Finally I will give you a video demo.
  3. My partners name is Jack Jack has worked in security for 10 years His focus has been on browser and document vulnerabilities as well as Mac – Windows and virtualization vulnerabilities. Jack can’t be with us today. He has broken his leg and cannot travel.
  4. My name is Moony I’ve worked for 7 years in security. My role has been developing sandbox systems. Focusing on Mac - Windows and Android Kernel vulnerabilities.
  5. Here I will compare several approaches about hunting virtualization vulnerabilities. The first approach is to fuzz IO communication from the guest Os. The basic procedure includes capturing the traffic first, replaying it, then fuzzing it. This is a very simple process and requires no knowledge of i/o protocol. The Con is that there is no code coverage and feedback. This means the fuzz is incomplete by design. Conformance fuzz testing is the second approach. The main principle is to introduce Symbolic Execution to IO communication leading to a deeper fuzz scope. Again there is no code coverage and this approach is mainly academic. Finally we look at Code review. This approach is more flexible for the researcher however, it takes more effort and is not scalable.
  6. Actually there are many attacking interfaces in the virtual machine, however, we only focus on the area relating to virtual devices.
  7. Our approach has several advantages – it is portable, it performs well, it is direct and has code coverage feedback and control. The main part of our solution is customized BIOS which is a common format. The performance is good because the size of the BIOS is usually much smaller than guest OS. Because we communicated directly with the virtual devices, fuzzing could bypass the interference from the device’s driver layer Because we have AFL integration we can get code coverage, feedback and can control fuzzing. 1. Portable Our solution has few requirements to target virtualization software. The only requirement is the target virtualization software can start customized BIOS in a guest with a serial port device. So our approach can support a number of virtualization software. 2. Good performance The fuzzing part of our solution do not depend on guest operation system which is usually time-consuming to bootstrap and run. Because the customized BIOS system does almost nothing but direct I/O with devices, the speed to launch the BIOS system is very fast. 3. Direct The solution directly communicates with virtual device without communicating with device drivers. In most case, device driver’s code is much complex and vulnerable than virtual device code. By communicating directly with virtual device, we can avoid interference from the device driver. Code coverage feedback & control This is why we introduce AFL. AFL’s function let our solution get the capabilities.
  8. So I would now like to introduce our implementation in detail. We will look at the architecture of the solution first and show the solution modules. I will then introduce the solution’s work flow and provide some AFL tips for integration.
  9. This is the architecture overview. The architecture can be divided into 4 parts – CBS | DCC | DCD and AFL The CBS is the customised BIOS system which is loaded through a virtualisation software process. The DCC will read in the DCD and communicate with the CBS. We have integrated AFL into the DCC and CBS There are five key stages in the workflow. First we will instrument target device with AFL in VSP. AFLfuzz will then launch DCC and VSP. The DCC will then read the DCD and communicate with the CBS. MIOPs in the CBS will execute the request until the CBS crashes. AFLfuzz will calculate the code coverage and mutate the DCD during the whole process
  10. The is a glance at the fuzzing UI.
  11. CBS is the main module in the entire solution. Actually it is a customised BIOS system which is named SEABIOS. The CBS contains MIOPS (Memory, IO Space, Operation Proxy Server) The VSP is the runtime instance of CBS We have also introduced the Virtual Serial Port which is the communication bridge between CBS and DCC
  12. The MIOPS main job is to receive the MIOA request first from the DCC and then execute the request until the CBS crashes. The MIOA request looks like this … The parse function in MIOPS is like this ...
  13. The MIOPS main job is to receive the MIOA request first from the DCC and then execute the request until the CBS crashes. The MIOA request looks like this … The parse function in MIOPS is like this ...
  14. The DCC will read in the DCD formatted specifically for AFL. It’s main job is to launch the VSP to CBS, then ping MIOPS in CBS. IN several cases the DCC will initialize the target virtual device and will then parse DCD to MIOA.
  15. This is the architecture overview. The architecture can be divided into 4 parts – CBS | DCC | DCD and AFL The CBS is the customised BIOS system which is loaded through a virtualisation software process. The DCC will read in the DCD and communicate with the CBS. We have integrated AFL into the DCC and CBS There are five key stages in the workflow. First we will instrument target device with AFL in VSP. AFLfuzz will then launch DCC and VSP. The DCC will then read the DCD and communicate with the CBS. MIOPs in the CBS will execute the request until the CBS crashes. AFLfuzz will calculate the code coverage and mutate the DCD during the whole process
  16. To set up the AFL trace we should instrument the target devices first. If the virtual machine is open source, it will compare the source code with AFL-GCC If the source code is not open source, we should instrument the PE file with a restricted range. The command line for AFL fuzz is like this …
  17. To set up the AFL trace we should instrument the target devices first. If the virtual machine is open source, it will compare the source code with AFL-GCC If the source code is not open source, we should instrument the PE file with a restricted range. The command line for AFL fuzz is like this …
  18. Because we have integrated AFL to virtual device fuzz we should encode the MIOA request to DCD which is formatted especially for AFL. This is a sample of the DCD format about USB device
  19. This is the architecture overview. The architecture can be divided into 4 parts – CBS | DCC | DCD and AFL The CBS is the customised BIOS system which is loaded through a virtualisation software process. The DCC will read in the DCD and communicate with the CBS. We have integrated AFL into the DCC and CBS There are five key stages in the workflow. First we will instrument target device with AFL in VSP. AFLfuzz will then launch DCC and VSP. The DCC will then read the DCD and communicate with the CBS. MIOPs in the CBS will execute the request until the CBS crashes. AFLfuzz will calculate the code coverage and mutate the DCD during the whole process
  20. About the control device communication the DCC would communicate with CBS just like this…
  21. In the first instance CBS will start up, discover the devices and begin the long job of MIOPS. After the MIOPS starts up it will initialize the target devices and receive requests from DCC. The DCC will read in DCD and communicate with the MIOPS until the CBS crashes. Step 1: AFL target processes start up VSP would load up CBS as its guest VM which is relatively light weight. CBS in guest VM would start and discover the attached device, then start MIOPS. Step 2: After MIOPS is ready, DCC would communicate with MIOPS to initialize the target devices. For example: target virtual device is USB XHCI device, the basic information include doorbell address, command ring address, event address .   Step 3: After target device is ready, DCC will read in DCD as sequence of commands and analysis the command into MIOA request. Step 4: MIOPS would receive the MIOA request through virtual serial port, will execute corresponding request. For example, if MIOPS receives request “out 0xf000 0x8” in MIOA request, it will use out instruction to access port address 0xf000 with data 0x8.
  22. This is the architecture overview. The architecture can be divided into 4 parts – CBS | DCC | DCD and AFL The CBS is the customised BIOS system which is loaded through a virtualisation software process. The DCC will read in the DCD and communicate with the CBS. We have integrated AFL into the DCC and CBS There are five key stages in the workflow. First we will instrument target device with AFL in VSP. AFLfuzz will then launch DCC and VSP. The DCC will then read the DCD and communicate with the CBS. MIOPs in the CBS will execute the request until the CBS crashes. AFLfuzz will calculate the code coverage and mutate the DCD during the whole process
  23. Let me now introduce the workflow from an AFL view First the AFL will instrument the devices in VSP (e.g. QEMU) – the AFL Fuzz will launch the DCC. The DCC will read in the DCD and will communicate with the VSP in a large loop. If the VSP crashes waitpid will return. IN that case the DCC will be notified and it will crash itself. Finally the AFL Fuzz will be notified because of the DCC crash. It will calculate mutated DCD and record the crash (of the VSP)
  24. Here are tips for AFL integration. The first is how we compare part of the source code using AFL, This is an example … %.o: %.c $(call quiet-command,\ if [ $@ = "hw/usb/hcd-xhci.o" -o $@ = "hw/usb/dev-storage.o" ] ;\ then \ echo afl-gcc... $< $@ ;\ afl-gcc $(QEMU_INCLUDES) $(QEMU_CFLAGS) $(QEMU_DGFLAGS) $(CFLAGS) $($@-cflags) -c -o $@ $< ;\ else \ echo cc... $< $@ ; \ $(CC) $(QEMU_INCLUDES) $(QEMU_CFLAGS) $(QEMU_DGFLAGS) $(CFLAGS) $($@-cflags) -c -o $@ $< ;\
  25. Another tip is how to launch multiple processes using AFL . The scenario would look like this in our solution.
  26. Actually AFL supports multiple process traces because he trace information is located in shared memory. You should remove the instrumentation check in Al Fuzz, because the launcher contains no AFL code. The launcher must crash itself if the target process crashes and the AFL Fuzz will be notified.
  27. The pseudo code for AFL fuzz towards multiple processes will look like this fpid = fork(); if (fpid == 0) { //In child process launchVSP(argv); exit(0); } else { //In parent process (DCC) waitpid(fpid, &status, 0); if (WIFEXITED(status)) { //Child process normal exit, bypass } else if (WIFSIGNALED(status)) { //Child process crash signal, crash self crashMyself(); } }
  28. There are also miscellaneous tips for example: To avoid start up failure, you should adjust the parameters for AFL Fuzz.
  29. In this final part we will introduce a case study and show you a demo
  30. The case is about floppy disc vulnerability. Hunt and reproduction using AFL. First we will compare the FDC source code. The FDC command will be encoded like this… Initially in the DCC module several pipes will be made and the DCC will launch the QEMU process. The process will launch bios.bin which contains CBS. Finally we start up AFL Fuzz like this … Step 1: Using AFL-gcc to compile fdc.c [moony add real command] Step 2: Designing input case file format One input case file contains several commands struct fdc_command { unsigned char cid; unsigned int args_count; unsigned int args[0]; }; The field cid is the floppy disk controller command ID. As I mentioned above , the structures will be translated to MIOA requests. Step 3. We prepare 30 input case file (one case input file for each floppy disk control command) Step 4: Preparing DCC Parsing input case file and translating to MIOA requests. Fork VSP , using following commands: mkfifo jack_pipe mkfifo jack_pipe1 qemu-system-x86_64 -bios out/bios.bin -serial pipe:jack_pipe -serial pipe:jack_pipe1 The bios.bin is CBS . Open pipe, and write MIOA requests to pipe and read response from pipe. Wait the VSP ‘s pid. Step 4: Using commands to start testing. afl-fuzz -t 99000 -m 2048 -i IN/ -o OUT/ <DCC command> In our testing environment (8G ram, 4 cores CPU), running the solution about 1.5 hours, we reproduce the Venom vulnerability on the QEMU 2.3.
  31. The case is about floppy disc vulnerability. Hunt and reproduction using AFL. First we will compare the FDC source code. The FDC command will be encoded like this… Initially in the DCC module several pipes will be made and the DCC will launch the QEMU process. The process will launch bios.bin which contains CBS. Finally we start up AFL Fuzz like this … Step 1: Using AFL-gcc to compile fdc.c [moony add real command] Step 2: Designing input case file format One input case file contains several commands struct fdc_command { unsigned char cid; unsigned int args_count; unsigned int args[0]; }; The field cid is the floppy disk controller command ID. As I mentioned above , the structures will be translated to MIOA requests. Step 3. We prepare 30 input case file (one case input file for each floppy disk control command) Step 4: Preparing DCC Parsing input case file and translating to MIOA requests. Fork VSP , using following commands: mkfifo jack_pipe mkfifo jack_pipe1 qemu-system-x86_64 -bios out/bios.bin -serial pipe:jack_pipe -serial pipe:jack_pipe1 The bios.bin is CBS . Open pipe, and write MIOA requests to pipe and read response from pipe. Wait the VSP ‘s pid. Step 4: Using commands to start testing. afl-fuzz -t 99000 -m 2048 -i IN/ -o OUT/ <DCC command> In our testing environment (8G ram, 4 cores CPU), running the solution about 1.5 hours, we reproduce the Venom vulnerability on the QEMU 2.3.
  32. The case is about floppy disc vulnerability. Hunt and reproduction using AFL. First we will compare the FDC source code. The FDC command will be encoded like this… Initially in the DCC module several pipes will be made and the DCC will launch the QEMU process. The process will launch bios.bin which contains CBS. Finally we start up AFL Fuzz like this … Step 1: Using AFL-gcc to compile fdc.c [moony add real command] Step 2: Designing input case file format One input case file contains several commands struct fdc_command { unsigned char cid; unsigned int args_count; unsigned int args[0]; }; The field cid is the floppy disk controller command ID. As I mentioned above , the structures will be translated to MIOA requests. Step 3. We prepare 30 input case file (one case input file for each floppy disk control command) Step 4: Preparing DCC Parsing input case file and translating to MIOA requests. Fork VSP , using following commands: mkfifo jack_pipe mkfifo jack_pipe1 qemu-system-x86_64 -bios out/bios.bin -serial pipe:jack_pipe -serial pipe:jack_pipe1 The bios.bin is CBS . Open pipe, and write MIOA requests to pipe and read response from pipe. Wait the VSP ‘s pid. Step 4: Using commands to start testing. afl-fuzz -t 99000 -m 2048 -i IN/ -o OUT/ <DCC command> In our testing environment (8G ram, 4 cores CPU), running the solution about 1.5 hours, we reproduce the Venom vulnerability on the QEMU 2.3.
  33. http://venom.crowdstrike.com/ http://www.slideshare.net/CanSecWest/csw2016-tang-virtualizationdevice-emulator-testing-technology http://lcamtuf.coredump.cx/AFL/ https://www.youtube.com/watch?v=O9P7kXm5WSg Filesystem Fuzzing with American Fuzzy Lop https://events.linuxfoundation.org/sites/events/files/slides/AFL%20filesystem%20fuzzing,%20Vault%202016_0.pdf Triforce-run-afl-on-everything https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2016/june/project-triforce-run-afl-on-everything/ https://www.seabios.org/SeaBIOS https://www.seabios.org/Execution_and_code_flow http://wiki.qemu.org/Features/QTest http://www.intel.com/content/www/us/en/io/universal-serial-bus/extensible-host-controler-interface-usb-xhci.html http://wiki.osdev.org/Floppy_Disk_Controller