Thursday, July 27, 2017

BHUSA17: Evolutionary Kernel Fuzzing

Richard Johnson

Johnson has been working in fuzzing for a while and has been releasing new tools over the last few years. His new tool will allow people to fuzz the Windows kernel without modifying the binaries.

Kernels are a critical attack surface, and modern mitigations usually rely on isolation and sandboxing. There are weaponized exploits against the kernel, but there has been little progress in vulndev research.

Evolutionary fuzzing is not a new concept: it was first introduced at BlackHat 2006 (Sparks & Cunningham, Sidewinder), and lots of other papers, presentations and open source projects have followed.

Evolutionary fuzzing needs a fast tracing engine, fast logging and a fast evolutionary algorithm. It is highly desirable for it to be easy to use and portable. His new tool is useful out of the box! The first tool originally only targeted source code. American Fuzzy Lop (AFL) features a variety of mutation strategies, block coverage via compile-time instrumentation and a simplified approach to the genetic algorithm.

AFL has a UI and tracks edge transitions. Lots of demos followed.
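The AFL mechanics summarised in these notes (edge-transition tracking plus a minimal genetic loop that keeps only inputs reaching new edges), as an added Python example that is not part of the talk or of the AFL project; the toy parser, its block ids and the small mutation set are all constructed for the demo:

```python
import random
class Tracer:
    """AFL-style edge coverage: each instrumented block calls block(id)."""
    def __init__(self): self.prev, self.hits = 0, set()
    def block(self, loc):
        # edge id = cur ^ prev, with prev stored shifted right by one so that
        # A->B and B->A get different ids; masked to AFL's 64 KiB map size
        self.hits.add((loc ^ self.prev) & 0xFFFF)
        self.prev = loc >> 1

def target(data, t):  # constructed toy parser; block() calls mimic instrumentation
    t.block(0x1C3A)
    if len(data) < 4:
        t.block(0x2B57); return "short"
    if data[:2] != b"EK":
        t.block(0x39E1); return "bad magic"
    t.block(0x4F12)
    n = data[2]  # declared payload length
    if n > len(data) - 3:
        t.block(0x5A6D); return "bad length"
    for b in data[3:3 + n]:
        t.block(0x6E24)  # loop body; body->body is an edge of its own
        if b == 0xFF:
            t.block(0x7D9B); return "escape"
    t.block(0x8346)
    return "ok"

def mutate(data, rng):  # AFL-like havoc moves: bit flip, interesting byte, insert, delete
    if not data: return bytes([rng.randrange(256)])
    d, i, op = bytearray(data), rng.randrange(len(data)), rng.randrange(4)
    if op == 0:
        d[i] ^= 1 << rng.randrange(8)
    elif op == 1:
        d[i] = rng.choice([0x00, 0x01, 0x7F, 0x80, 0xFF])
    elif op == 2:
        d.insert(i, rng.randrange(256))
    else:
        del d[i:i + rng.randint(1, len(d))]
    return bytes(d)

def fuzz(seed, rounds, rng_seed=7):  # simplified genetic loop: keep children that hit new edges
    rng, t = random.Random(rng_seed), Tracer()
    target(seed, t)
    corpus, seen = [seed], set(t.hits)
    for _ in range(rounds):
        child, t = mutate(rng.choice(corpus), rng), Tracer()
        target(child, t)
        if not t.hits <= seen:  # new edge transition discovered
            seen |= t.hits; corpus.append(child)
    return corpus, seen
```

Starting from the single seed `b"EK\x02ab"`, a few thousand rounds are enough for the corpus to grow one input per distinct parser path, which is the coverage-guided behaviour the talk attributes to AFL.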