50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi
Transcript of 50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi
Who Are You?
• Peter Hlavaty
  • Senior Security Researcher
  • Lead of Windows Kernel Security Research
• Marco Grassi
  • Senior Security Researcher @ Tencent KEEN Security Lab
  • Main focus: Vulnerability Research, OSX/iOS, Android, Sandboxes
Agenda
• The Team
• VMWare Overview
• VMWare Workstation/Fusion Fuzzing
• Win32k Overview
• Win32k Fuzzing
• Conclusions
• Questions
The Team
• Previously known as Keen Team
• All researchers moved to Tencent because of business requirements
• New name: Tencent KEEN Security Lab
• We won the title of “Master Of Pwn” in 2016 and have actively participated in Pwn2Own from 2013 to this year.
• Keep an eye on our blog! (English: http://keenlab.tencent.com/en/ Chinese: http://keenlab.tencent.com/zh/ )
VMWare Workstation/Fusion
• Most likely everyone here is sort of familiar with VMWare…
• One of the first companies (if not the first) to successfully virtualize x86 (which is not formally virtualizable – see Popek & Goldberg)
• Nowadays, with VT-x support, virtualization is faster and easier
• It’s a product that allows you to run unmodified operating systems as guests.
• Their software runs at different privilege levels: they have kernel components and some host user-mode processes.
• Our talk will focus mainly on how VMWare virtualizes the GPU in a guest, since they offer advanced functions such as 3D acceleration.
Why VMWare research?
• VMWare Workstation/Fusion is very widespread software, so it’s an attractive target for attackers
• Sometimes a virtual machine is used precisely as an isolation boundary: even if you gain code execution, or even kernel code execution, inside the virtual machine, you are still trapped in there.
• By leveraging a bug in some component of VMWare you can potentially escape the virtual machine and gain code execution on the host system!
VMWare – important resources / previous research
• GPU Virtualization on VMware’s Hosted I/O Architecture - Micah Dowty, Jeremy Sugerman – VMWare (this is the paper you absolutely want to read before approaching this area)
• CLOUDBURST: A VMware Guest to Host Escape Story - Kostya Kortchinsky – BlackHat USA 2009
VMWare GPU
• Although there is good hardware support for CPU virtualization today from Intel/AMD, for the GPU, and for other hardware virtualization in general, the status quo is not as good as for CPU virtualization
• VMware wanted to offer high-performance GPU/3D to the guests, so they had to deploy their own solution, also to overcome host driver fragmentation, introducing several abstraction layers (and a lot of code)
VMWare GPU Virtual Device
• The VMWare virtualized GPU will show up in your guest as a PCI device called “VMware SVGA3D”
• It has several memory ranges that map to interesting stuff (more on the next slide)
• They implement a 2D framebuffer (not very interesting, just the pixels shown on your screen)
• And a GPU command queue (!)
• Here you can see the different purposes of the memory areas.
• We are mainly interested in the FIFO memory
• Think of it as a FIFO processed asynchronously and concurrently outside of your system, by the VMWare GPU subsystem
• It implements a lot of commands for 3D and other functionalities
High level description of the FIFO
• The FIFO, when used for 3D commands, expects a custom protocol (SVGA3D)
  1. Write commands into the queue
  2. Optionally insert a fence if the guest wants to be notified of progress with a virtual interrupt
  3. At some point your commands will be processed asynchronously
• The SVGA3D protocol takes ideas from, and simplifies, the Direct3D APIs
Where is the VMWare GPU code?
• The core functionality of the GPU is implemented in vmware-vmx.exe
• We should expect faults in this process (or in any .dll loaded inside it)
• So we turn on PageHeap in GFlags for fault monitoring and WinDbg auto-start on fault
• Maybe a fault will traverse the virtualization layer and also appear in host graphics :)
VMWare SVGA3D
• Very rich in functionality, like shaders, textures etc.: lots of attack surface!
• But… HOW DO WE FUZZ THIS?
• Let’s explore some alternatives…
Fuzzing alternatives: From Guest user mode
• Extremely inconvenient for several reasons:
  • Too many layers of software that don’t interest us and that perform validation
  • Performance reasons
  • The GPU resource is contended and manipulated by the running guest system. It would be very difficult to reproduce eventual crashes.
  • Heavy; we want to scale & run lots of guests
Fuzzing alternatives: From Guest kernel mode
• This alternative is more appealing because:
  • In general we have more control
  • Less resource contention if we don’t use any UI
  • We can skip pretty much any validation layer
• But we are still running together with a kernel, so we are not the only code running on the system and a lot of stuff is going on.
• Heavy; we want to scale & run lots of guests
The right Fuzzing option: Bare metal Guest!
• If we run our code as a guest, without any operating system, we have:
  • Performance boost, of course!
  • Complete control!
  • No validation steps!
  • Exclusive access to the hardware!
  • Extremely light, a few MB of RAM only; we can run a huge number of guests!
What to fuzz?
• We picked shaders because they are complex, and they undergo several layers of translation at several points.
  1. Collect valid shaders
  2. Put together code to load and render with shaders correctly on bare metal code
  3. Mutate shader, load, render, see if it crashes.
  4. GOTO 3
• You can also fuzz raw commands, but the semantics are not trivial and require reversing.
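The mutate/load/render loop above, as an added Python example that is not the talk's bare-metal harness: the "shader" format, the seed corpus and the toy_render parser are constructed stand-ins, and the point shown is that identifying every case by (seed index, per-case RNG seed) lets any crash be rebuilt from two integers instead of a saved file.

```python
import random
import struct

# Constructed corpus: toy "shader" = 4-byte version tag, 4-byte instruction count,
# then 4-byte tokens. Not the real SVGA3D/D3D bytecode, just a stand-in.
SEED_SHADERS = [
    struct.pack("<II", 0xFFFE0300, 2) + struct.pack("<II", 0x0200001F, 0x80000000),
    struct.pack("<II", 0xFFFF0300, 3) + struct.pack("<III", 0x02000001, 0x80000000, 0xFFFF),
]

def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply 1-4 byte-level mutations (bit flip, chunk duplicate, random insert)."""
    buf = bytearray(data)
    for _ in range(rng.randint(1, 4)):
        op, pos = rng.randrange(3), rng.randrange(len(buf))
        if op == 0:
            buf[pos] ^= 1 << rng.randrange(8)
        elif op == 1:
            buf[pos:pos] = buf[pos:pos + rng.randint(1, 8)]
        else:
            buf[pos:pos] = bytes(rng.randrange(256) for _ in range(rng.randint(1, 4)))
    return bytes(buf)

def toy_render(shader: bytes) -> None:
    """Hypothetical load-and-render step: trusts the header's instruction count."""
    version, count = struct.unpack_from("<II", shader, 0)
    if version >> 16 not in (0xFFFE, 0xFFFF):
        return  # rejected up front, like a validation layer would
    for i in range(count):
        struct.unpack_from("<I", shader, 8 + 4 * i)  # struct.error = our "crash"

def crashes_on(shader: bytes) -> bool:
    try:
        toy_render(shader)
    except struct.error:
        return True
    return False

def fuzz(iterations: int, master_seed: int) -> list:
    """The mutate/load/render loop; records (seed index, case seed) per crash."""
    rng, crashes = random.Random(master_seed), []
    for _ in range(iterations):
        seed_idx, case_seed = rng.randrange(len(SEED_SHADERS)), rng.getrandbits(32)
        if crashes_on(mutate(SEED_SHADERS[seed_idx], random.Random(case_seed))):
            crashes.append((seed_idx, case_seed))
    return crashes

def reproduce(seed_idx: int, case_seed: int) -> bytes:
    """Rebuild the exact crashing input from its two seeds."""
    return mutate(SEED_SHADERS[seed_idx], random.Random(case_seed))
```

On a bare-metal guest with no filesystem, emitting the two seeds over a serial port or the debugger is enough to replay the case on the host later.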
w32k – Data Parsing #TTF
• TrueType Font
• Popular with sophisticated attacks - Stuxnet, Duqu, ...
  • https://cansecwest.com/slides/2013/Analysis%20of%20a%20Windows%20Kernel%20Vuln.pdf
• Abused at p2o 2015 – KEEN
  • http://www.slideshare.net/PeterHlavaty/windows-kernel-exploitation-this-time-font-hunt-you-down-in-4-bytes
• A year of Windows kernel font fuzzing – j00ru
  • http://googleprojectzero.blogspot.nl/2016/06/a-year-of-windows-kernel-font-fuzzing-1_27.html
w32k – syscalls #Window #Menu
• Menu
  • PopUps
  • Window connected {
      DrawMenuBarTemp
      HiliteMenuItem
      TrackPopupMenu*
      CalcMenuBar
      …
    }
  • Bound to a window
w32k – syscalls #Window #Menu
More on our w32k syscall results and another part of w32k at Ruxcon: https://ruxcon.org.au/speakers/#PeterHlavaty & Jin Long
w32k – DirectX
• Ilja van Sprundel
  • https://www.blackhat.com/us-14/briefings.html#windows-kernel-graphics-driver-attack-surface
• Nikita Tarakanov – ZeroNights
  • http://2015.zeronights.org/assets/files/11-Tarakanov.pdf
• p2o 2016 – KEEN
  • http://community.hpe.com/t5/Security-Research/Pwn2Own-2016-Day-two-crowning-the-Master-of-Pwn/ba-p/6842863#.V4d1NMpOKDt
w32k – Data Parsing #DirectX
• Code shipped by Intel, NVIDIA
• Ballast of code responsible for various data parsing!
• Extended arm of {
    D3DKMTSubmitCommand
    D3DKMTEscape
    D3DKMTRender
    D3DKMTPresent
  }
w32k – syscalls #2 #DirectX
w32k dxg:
• Adapter
• Alloc
• Context
• Overlay
• Mutex
• Sync
• Paging
• Device
o Universal Windows code
o Independent of graphics vendors
o A more strict attack vector than data parsing
w32k – Fuzzing #templates
• Nt* syscalls mostly undocumented
• Various APIs, however, nicely documented!
• goog: “MSDN %target% functions“
• Once you know what’s going on at the API level, it is easier to RE the args at the syscalls
w32k – Fuzzing #syscalls
• Just the tip of the iceberg!
  • #1 the API is just a small part
  • #2 what we cover is just a small subset!
• Take a look at the win32k subsystem syscall table
  • x win32k*!Nt*
  • http://j00ru.vexillium.org/win32k_syscalls/
• Around #xyz syscalls !!
w32k – Hardening
• Notably Nils, Terjei, j00ru, Tencent, 360 and others
• Securing the codebase
  • TTF stripping from kernel
    • moving attack surface out of the kernel
  • w32k separation win32k{base,full}
    • step by step to re-design
  • w32k lockdown
    • strengthen sandboxes
  • gdi leaking locked
    • fixing OLD & obvious security issues
OSX/iOS Graphics fuzzing
• Unfortunately there is not much time left to discuss this, but we can recommend some of our presentations on the topic that you can check out:
  • CanSecWest 16: Don't Trust Your Eye: Apple Graphics Is Compromised! – Liang Chen – Marco Grassi – Qidan He
  • Recon 2016: Shooting the OSX El Capitan Kernel Like a Sniper – Liang Chen – Qidan He
  • BlackHat USA 2016: SUBVERTING APPLE GRAPHICS: PRACTICAL APPROACHES TO REMOTELY GAINING ROOT - Liang Chen - Qidan He - Marco Grassi - Yubin Fu (TO BE PRESENTED)
• In Pwn2Own 2016 we used 2 different bugs to compromise OSX twice!
Conclusions
• Graphics is a huge attack surface, still reachable from interesting sandboxes (like some browser sandboxes)
• Many researchers are looking into this area; there are a lot of bugs in this kind of code, but security is getting better.
• Fuzzing the graphics stack requires different approaches and principles compared to fuzzing core components.
• In graphics, data fuzzing and state fuzzing are both important attack vectors.