Growing Hypervisor 0day with Hyperseed (OffensiveCon 2019)
Slides: paper.vulsee.com/OffensiveCon2019/2019_02...
Why hypercalls as the fuzzing target:
• Importance: cornerstone of Hyper-V
• Accessibility: reachable from kernel (Ring-0) mode in the guest
• Simplicity: well-documented, a good starting point
• Complexity: diverse input and output formats
Hyper-V bounty tiers:
• RCE w/ Exploit (Guest-to-Host Escape): $250,000 (Hypervisor/Kernel) / $150,000 (User-mode)
• RCE (Guest-to-Host Escape): $200,000 (Hypervisor/Kernel) / $100,000 (User-mode)
• Information Disclosure: $25,000 (Hypervisor/Kernel) / $15,000 (User-mode)
• Denial of Service: $15,000 (Hypervisor/Kernel)
• Secure Kernel
• Normal (NT) Kernel
Source: https://myignite.techcommunity.microsoft.com/sessions/66666
Hypercall input and output control values (TLFS):

```c
typedef union _HV_HYPERCALL_INPUT {
    struct {
        UINT32 CallCode           : 16;
        UINT32 IsFast             : 1;
        UINT32 VariableHeaderSize : 9;
        UINT32 Reserved1          : 6;
        UINT32 CountOfElements    : 12;
        UINT32 Reserved2          : 4;
        UINT32 RepStartIndex      : 12;
        UINT32 Reserved3          : 4;
    };
    UINT64 AsUINT64;
} HV_HYPERCALL_INPUT, *PHV_HYPERCALL_INPUT;

typedef union _HV_HYPERCALL_OUTPUT {
    struct {
        UINT16 CallStatus;
        UINT16 Reserved1;
        UINT32 ElementsProcessed : 12;
        UINT32 Reserved2         : 20;
    };
    UINT64 AsUINT64;
} HV_HYPERCALL_OUTPUT, *PHV_HYPERCALL_OUTPUT;
```
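As an added example (not from the slides), the following C packs and unpacks the two control values above. Field offsets follow the HV_HYPERCALL_INPUT / HV_HYPERCALL_OUTPUT layout; the rep-continuation rule (reissue with RepStartIndex = ElementsProcessed) and the HV_STATUS_TIMEOUT value 0x78 come from the TLFS. Nothing here issues a VMCALL; all values are constructed. The range checks are what a well-behaved guest applies; a fuzzer that wants to reach the hypervisor's own validation deliberately skips them.

```c
/* Added example: encode/decode TLFS hypercall control values (no hypervisor needed). */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define HV_INPUT_INVALID       (~(uint64_t)0)   /* sentinel: a field is out of range */

/* HV_HYPERCALL_INPUT bit offsets (widths in comments). */
#define HV_IN_CALLCODE_SHIFT   0    /* 16 bits */
#define HV_IN_ISFAST_SHIFT     16   /* 1 bit: register-based (fast) call */
#define HV_IN_VARHDR_SHIFT     17   /* 9 bits: variable header size, in 8-byte units */
#define HV_IN_REPCOUNT_SHIFT   32   /* 12 bits */
#define HV_IN_REPSTART_SHIFT   48   /* 12 bits */
/* HV_HYPERCALL_OUTPUT bit offsets. */
#define HV_OUT_STATUS_SHIFT    0    /* 16 bits */
#define HV_OUT_ELEMENTS_SHIFT  32   /* 12 bits */

#define HV_STATUS_TIMEOUT      0x0078

/* Build the value loaded into RCX before VMCALL.  A simple hypercall has
 * CountOfElements == 0 and RepStartIndex == 0; a rep hypercall needs
 * RepStartIndex < CountOfElements.  Returns HV_INPUT_INVALID otherwise. */
uint64_t hv_input(uint16_t call_code, bool is_fast, unsigned var_hdr_qwords,
                  unsigned rep_count, unsigned rep_start)
{
    if (var_hdr_qwords > 0x1FF || rep_count > 0xFFF || rep_start > 0xFFF)
        return HV_INPUT_INVALID;
    if (rep_count == 0 ? rep_start != 0 : rep_start >= rep_count)
        return HV_INPUT_INVALID;
    return ((uint64_t)call_code           << HV_IN_CALLCODE_SHIFT)
         | ((uint64_t)(is_fast ? 1u : 0u) << HV_IN_ISFAST_SHIFT)
         | ((uint64_t)var_hdr_qwords      << HV_IN_VARHDR_SHIFT)
         | ((uint64_t)rep_count           << HV_IN_REPCOUNT_SHIFT)
         | ((uint64_t)rep_start           << HV_IN_REPSTART_SHIFT);
}

uint16_t hv_in_call_code(uint64_t in)  { return (uint16_t)(in & 0xFFFF); }
unsigned hv_in_rep_count(uint64_t in)  { return (unsigned)((in >> HV_IN_REPCOUNT_SHIFT) & 0xFFF); }
unsigned hv_in_rep_start(uint64_t in)  { return (unsigned)((in >> HV_IN_REPSTART_SHIFT) & 0xFFF); }

/* Unpack the value the hypervisor returns in RAX. */
uint16_t hv_out_status(uint64_t out)   { return (uint16_t)((out >> HV_OUT_STATUS_SHIFT) & 0xFFFF); }
unsigned hv_out_elements(uint64_t out) { return (unsigned)((out >> HV_OUT_ELEMENTS_SHIFT) & 0xFFF); }

/* Rep-hypercall continuation: the hypervisor may return early (typically with
 * HV_STATUS_TIMEOUT) after processing some elements; the caller reissues the
 * same call with RepStartIndex = ElementsProcessed.  Returns HV_INPUT_INVALID
 * when every element is done or the input was not a rep call. */
uint64_t hv_next_rep_input(uint64_t prev_in, uint64_t out)
{
    unsigned count = hv_in_rep_count(prev_in);
    unsigned done  = hv_out_elements(out);
    if (count == 0 || done >= count)
        return HV_INPUT_INVALID;
    /* Keep every field except RepStartIndex. */
    return (prev_in & ~((uint64_t)0xFFF << HV_IN_REPSTART_SHIFT))
         | ((uint64_t)done << HV_IN_REPSTART_SHIFT);
}

int main(void)
{
    /* HvCallFlushVirtualAddressList is call code 0x0003 in the TLFS: three
     * elements, memory-based.  Constructed value; nothing is issued. */
    uint64_t in = hv_input(0x0003, false, 0, 3, 0);
    printf("input  = 0x%016llx (call 0x%04x, %u reps)\n",
           (unsigned long long)in, hv_in_call_code(in), hv_in_rep_count(in));
    /* Pretend the hypervisor processed one element and timed out. */
    uint64_t out  = ((uint64_t)1 << HV_OUT_ELEMENTS_SHIFT) | HV_STATUS_TIMEOUT;
    uint64_t next = hv_next_rep_input(in, out);
    printf("status 0x%04x, resume = 0x%016llx (start %u)\n",
           hv_out_status(out), (unsigned long long)next, hv_in_rep_start(next));
    return 0;
}
```

The same helpers serve a fuzzer in reverse: build control values with CountOfElements, RepStartIndex and VariableHeaderSize deliberately outside these rules to exercise the hypervisor's front-door checks, and use ElementsProcessed in the returned RAX to see how far a rep call got before it failed.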
FROM: https://github.com/LIS/lis-next

```c
/*
 * Setup the hypercall page and enable hypercalls.
 * 1. Register the guest ID
 * 2. Enable the hypercall and register the hypercall page
 * (variable names follow the upstream hyperv_init() version of this code)
 */
guest_id = generate_guest_id(0, LINUX_VERSION_CODE, 0);
wrmsrl(HV_X64_MSR_GUEST_OS_ID, guest_id);

hv_hypercall_pg = __vmalloc(PAGE_SIZE, GFP_KERNEL, PAGE_KERNEL_EXEC);
if (hv_hypercall_pg == NULL) {
	wrmsrl(HV_X64_MSR_GUEST_OS_ID, 0);	/* undo the guest ID registration */
	return;
}

rdmsrl(HV_X64_MSR_HYPERCALL, hypercall_msr.as_uint64);
hypercall_msr.enable = 1;
hypercall_msr.guest_physical_address = vmalloc_to_pfn(hv_hypercall_pg);
wrmsrl(HV_X64_MSR_HYPERCALL, hypercall_msr.as_uint64);
```

The order matters: the TLFS requires HV_X64_MSR_GUEST_OS_ID to be written before the hypercall page is enabled. Once enabled, the hypervisor fills the page at the registered GPA with the VMCALL/VMMCALL stub, and that stub is what a Ring-0 fuzzer in the guest calls into.
VTL 0 -> VTL 1
• nt!VslpEnterIumSecureMode
• vmcall(0x11) (HvCallVtlCall)
VTL 1 -> VTL 0
• sk!SkCallNormalMode
• vmcall(0x12) (HvCallVtlReturn)
The calling partition must possess a particular privilege
HV_PARTITION_PRIVILEGE_MASK bits named on the slide (first of three listings):

```c
UINT64 AccessVpRunTimeReg:1;
UINT64 AccessPartitionReferenceCounter:1;
UINT64 AccessSynicRegs:1;
UINT64 AccessSyntheticTimerRegs:1;
UINT64 AccessIntrCtrlRegs:1;
UINT64 AccessHypercallMsrs:1;
UINT64 AccessVpIndex:1;
UINT64 AccessPartitionReferenceTsc:1;
UINT64 AccessGuestIdleReg:1;
UINT64 AccessFrequencyRegs:1;
UINT64 AccessReenlightenmentControls:1;
UINT64 AccessVsm:1;
UINT64 AccessVpRegisters:1;
/* Reserved */
UINT64 EnableExtendedHypercalls:1;
UINT64 StartVirtualProcessor:1;
```
Second listing:

```c
UINT64 AccessVpRunTimeReg:1;
UINT64 AccessPartitionReferenceCounter:1;
UINT64 AccessSynicRegs:1;
UINT64 AccessSyntheticTimerRegs:1;
UINT64 AccessIntrCtrlRegs:1;
UINT64 AccessHypercallMsrs:1;
UINT64 AccessVpIndex:1;
UINT64 AccessPartitionReferenceTsc:1;
UINT64 AccessGuestIdleReg:1;
UINT64 AccessFrequencyRegs:1;
UINT64 AccessReenlightenmentControls:1;
UINT64 PostMessages:1;
UINT64 SignalEvents:1;
UINT64 ConnectPort:1;
UINT64 AccessVsm:1;
UINT64 AccessVpRegisters:1;
/* Reserved */
UINT64 EnableExtendedHypercalls:1;
UINT64 StartVirtualProcessor:1;
```
Third listing:

```c
UINT64 AccessVpRunTimeReg:1;
UINT64 AccessPartitionReferenceCounter:1;
UINT64 AccessSynicRegs:1;
UINT64 AccessSyntheticTimerRegs:1;
UINT64 AccessIntrCtrlRegs:1;
UINT64 AccessHypercallMsrs:1;
UINT64 AccessVpIndex:1;
UINT64 AccessResetReg:1;
UINT64 AccessStatsReg:1;
UINT64 AccessPartitionReferenceTsc:1;
UINT64 AccessGuestIdleReg:1;
UINT64 AccessFrequencyRegs:1;
UINT64 AccessDebugRegs:1;
UINT64 AccessReenlightenmentControls:1;
UINT64 CreatePartitions:1;
UINT64 AccessPartitionId:1;
UINT64 AccessMemoryPool:1;
UINT64 AdjustMessageBuffers:1;
UINT64 PostMessages:1;
UINT64 SignalEvents:1;
UINT64 CreatePort:1;
UINT64 ConnectPort:1;
UINT64 AccessStats:1;
UINT64 Debugging:1;
UINT64 CpuManagement:1;
UINT64 AccessVsm:1;
UINT64 AccessVpRegisters:1;
/* Reserved */
UINT64 EnableExtendedHypercalls:1;
UINT64 StartVirtualProcessor:1;
```
```c
//
// Check for CpuManagement permission.
//
```
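Added example, not part of the talk: decode a partition privilege mask and use it to filter the hypercall list a fuzzer will exercise, so iterations are not spent on calls the hypervisor refuses at the privilege check. Bit positions are the TLFS HV_PARTITION_PRIVILEGE_MASK layout (the same 64 bits a guest reads from CPUID leaf 0x40000003, EAX = low half, EBX = high half). The call-code-to-privilege table is a small illustrative subset written for this example and should be checked against the current TLFS before use; the sample mask is constructed from the bit names in the second listing above and says nothing about which partition type the slide meant.

```c
/* Added example: HV_PARTITION_PRIVILEGE_MASK decoding and hypercall filtering. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* Bit positions from the TLFS privilege mask. */
enum hv_privilege {
    HV_PRIV_ACCESS_VP_RUNTIME_REG = 0,   HV_PRIV_ACCESS_PARTITION_REF_COUNTER = 1,
    HV_PRIV_ACCESS_SYNIC_REGS = 2,       HV_PRIV_ACCESS_SYNTHETIC_TIMER_REGS = 3,
    HV_PRIV_ACCESS_INTR_CTRL_REGS = 4,   HV_PRIV_ACCESS_HYPERCALL_MSRS = 5,
    HV_PRIV_ACCESS_VP_INDEX = 6,         HV_PRIV_ACCESS_RESET_REG = 7,
    HV_PRIV_ACCESS_STATS_REG = 8,        HV_PRIV_ACCESS_PARTITION_REF_TSC = 9,
    HV_PRIV_ACCESS_GUEST_IDLE_REG = 10,  HV_PRIV_ACCESS_FREQUENCY_REGS = 11,
    HV_PRIV_ACCESS_DEBUG_REGS = 12,      HV_PRIV_ACCESS_REENLIGHTENMENT = 13,
    /* bits 14..31 reserved */
    HV_PRIV_CREATE_PARTITIONS = 32,      HV_PRIV_ACCESS_PARTITION_ID = 33,
    HV_PRIV_ACCESS_MEMORY_POOL = 34,     HV_PRIV_ADJUST_MESSAGE_BUFFERS = 35,
    HV_PRIV_POST_MESSAGES = 36,          HV_PRIV_SIGNAL_EVENTS = 37,
    HV_PRIV_CREATE_PORT = 38,            HV_PRIV_CONNECT_PORT = 39,
    HV_PRIV_ACCESS_STATS = 40,           /* bits 41..42 reserved */
    HV_PRIV_DEBUGGING = 43,              HV_PRIV_CPU_MANAGEMENT = 44,
    HV_PRIV_ACCESS_VSM = 48,             HV_PRIV_ACCESS_VP_REGISTERS = 49,
    /* bits 50..51 reserved */
    HV_PRIV_ENABLE_EXTENDED_HYPERCALLS = 52, HV_PRIV_START_VIRTUAL_PROCESSOR = 53
};

uint64_t hv_privmask_from_cpuid(uint32_t eax, uint32_t ebx) { return ((uint64_t)ebx << 32) | eax; }
bool hv_has_privilege(uint64_t mask, enum hv_privilege p)  { return (mask >> p) & 1u; }

/* Constructed sample: the bits named in the second listing on the slide. */
uint64_t hv_demo_guest_mask(void)
{
    static const int bits[] = { 0, 1, 2, 3, 4, 5, 6, 9, 10, 11, 13, 36, 37, 39, 48, 49, 52, 53 };
    uint64_t m = 0;
    for (size_t i = 0; i < sizeof bits / sizeof bits[0]; i++) m |= (uint64_t)1 << bits[i];
    return m;
}

/* Illustrative subset of call codes and the privilege the TLFS ties to them
 * (-1: no privilege bit required).  Verify against the current TLFS. */
struct hv_call_req { uint16_t call_code; const char *name; int privilege; };
static const struct hv_call_req HV_CALLS[] = {
    { 0x0002, "HvCallFlushVirtualAddressSpace", -1 },
    { 0x0011, "HvCallVtlCall",                  HV_PRIV_ACCESS_VSM },
    { 0x0040, "HvCallCreatePartition",          HV_PRIV_CREATE_PARTITIONS },
    { 0x0050, "HvCallGetVpRegisters",           HV_PRIV_ACCESS_VP_REGISTERS },
    { 0x005C, "HvCallPostMessage",              HV_PRIV_POST_MESSAGES },
    { 0x005D, "HvCallSignalEvent",              HV_PRIV_SIGNAL_EVENTS },
    { 0x0099, "HvCallStartVirtualProcessor",    HV_PRIV_START_VIRTUAL_PROCESSOR },
};
#define HV_CALLS_N (sizeof HV_CALLS / sizeof HV_CALLS[0])

/* Fill `out` with the call codes this partition may issue; returns the count.
 * Calls that would fail the privilege check (HV_STATUS_ACCESS_DENIED) are dropped. */
size_t hv_reachable_calls(uint64_t mask, uint16_t *out, size_t cap)
{
    size_t n = 0;
    for (size_t i = 0; i < HV_CALLS_N && n < cap; i++) {
        int p = HV_CALLS[i].privilege;
        if (p < 0 || hv_has_privilege(mask, (enum hv_privilege)p))
            out[n++] = HV_CALLS[i].call_code;
    }
    return n;
}
size_t hv_reachable_count(uint64_t mask)
{
    uint16_t tmp[HV_CALLS_N];
    return hv_reachable_calls(mask, tmp, HV_CALLS_N);
}

int main(void)
{
    uint64_t mask = 0;
#if defined(__x86_64__) || defined(__i386__)
    unsigned a, b, c, d;
    char vendor[13];
    __cpuid(0x40000000, a, b, c, d);                 /* hypervisor vendor leaf */
    memcpy(vendor, &b, 4); memcpy(vendor + 4, &c, 4); memcpy(vendor + 8, &d, 4); vendor[12] = 0;
    if (strcmp(vendor, "Microsoft Hv") == 0) {
        __cpuid(0x40000003, a, b, c, d);             /* partition privileges */
        mask = hv_privmask_from_cpuid(a, b);
    }
#endif
    if (mask == 0) mask = hv_demo_guest_mask();     /* not a Hyper-V guest: use the sample */
    uint16_t calls[HV_CALLS_N];
    size_t n = hv_reachable_calls(mask, calls, HV_CALLS_N);
    printf("privilege mask 0x%016llx: %zu reachable call(s)\n", (unsigned long long)mask, n);
    for (size_t i = 0; i < n; i++) printf("  0x%04x\n", calls[i]);
    return 0;
}
```

The privilege bit is only the first of the gates listed on the following slides (partition state, parent/child relationship, root-only and VTL checks, VP state); filtering on it removes the cheapest rejections, the others still have to be satisfied or deliberately violated by the fuzzer.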
The partition being acted upon must be in a particular state
The partition must be either a parent or child
```c
//
// This function locates a partition with the specified partition Id and
// references it only if its state matches one of the specified values.
//
```
Constraints a hypercall may impose:
• The calling partition must possess a particular privilege
• The partition being acted upon must be in a particular state
• The partition must be either a parent or child
• The partition must be the root
```c
//
// This hypercall can only be made by the highest enabled VTL in the root partition.
//
```
• The virtual processor must be in a particular state
```c
//
// VP must be explicitly suspended before restore.
//
```
Past Fuzzing Experience
• CLFS, Deathnote of Microsoft Windows Kernel
• Intel PT & kAFL
Pros
• Effective at bypassing field constraints
• Easy to scale, from coarse-grained to fine-grained, from fewer hypercalls to more hypercalls
Cons
• Assumptions may overlook some special circumstances
• Knowledge of the input format is needed
Fuzzing loop: Fuzzing -> Exceptions Found -> Root-cause Analysis -> Knowledge Accumulated -> Immune Known Exceptions -> Enhance Fuzzing Logic -> Fuzzing
Mutation chain example:
rand_64()   -> 0xFFFF123456789ABC
swap_half() ->
bitflip(47) ->
mask(0xA3)  ->
```cpp
class CMutatorDispatcher
{
public:
    template <class T>
    static bool mutateBasicType(T& value, size_t options = 0)
    {
        // One random selector word per call; each set bit enables one
        // mutator in the chain below (argument lists abbreviated).
        size_t sel = CPatternGenerator::Instance()->next_rand();

        if (is_bit_set(sel, 0)) CRandomMutator::mutateBasicType(value);
        if (is_bit_set(sel, 1)) CBitFlipMutator::mutateBasicType(value, 1);
        if (is_bit_set(sel, 2)) CSlidingMutator::mutateBasicType(value);
        if (is_bit_set(sel, 3)) CBitFlipMutator::mutateBasicType(value, 2);
        if (is_bit_set(sel, 4)) CSwapHalfMutator::mutateBasicType(value);
        if (is_bit_set(sel, 5)) CBitFlipMutator::mutateBasicType(value, 4);
        if (is_bit_set(sel, 6)) CBitFlipMutator::mutateBasicType(value, 8);
        if (is_bit_set(sel, 7)) CMaskMutator::mutateBasicType(value);
        return true;
    }
};
```
• CFlushVASMutation
• CFlushVASListMutation
• CSendSyntheticClusterIpiMutation
• CSignalEventMutation
• CVtlCallMutation
• CPostMessageMutation
• …
• CBitFlipMutator
• CSwapHalfMutator
• CMaskGenerator
• CSlidingMutator
• …
```cpp
// Per-hypercall mutation for HvCallFlushVirtualAddressSpace (excerpt)
template <>
bool mutateCustom<HvCallFlushVirtualAddressSpaceTrait>(CBaseMutation *mutation,
        HvCallFlushVirtualAddressSpaceBuffer *buffer, CBaseFeed *feed)
{
    PHV_INPUT_FLUSH_VIRTUAL_ADDRESS_SPACE InputBuffer = ...;   // the mutation's input buffer

    BM(InputBuffer->Header.AddressSpace);           // generic mutator chain
    // #define HV_FLUSH_ALL_PROCESSORS              (0x00000001)
    // #define HV_FLUSH_ALL_VIRTUAL_ADDRESS_SPACES  (0x00000002)
    // #define HV_FLUSH_NON_GLOBAL_MAPPINGS_ONLY    (0x00000004)
    // #define HV_FLUSH_USE_EXTENDED_RANGE_FORMAT   (0x00000008)
    InputBuffer->Header.Flags = RAND_8() & 0x07;    // only the three low flag bits
    BMN0(InputBuffer->Header.ProcessorMask);        // mutate, but keep non-zero

    set_input(string((char *)InputBuffer, input_len));
    return true;
}

#define SELECT      CPatternGenerator::Instance()->select
#define FROM_RANGE  CPatternGenerator::Instance()->from_range
#define RAND_8      next_rand
#define RAND_16     next_rand_word
#define RAND_32     next_rand_dword
#define RAND_64     next_rand_qword
#define BM(x)       CMutatorDispatcher::mutateBasicType(x)
#define BMN0(x)     CMutatorDispatcher::mutateBasicType_Nonzero(x)
#define DM(x, y)    CMutatorDispatcher::mutateData(x, y)
```
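Added example, written for this page rather than taken from Hyperseed: a C rendering of the mutation pipeline from the rand_64 / swap_half / bitflip / mask slide and the CMutatorDispatcher excerpt, applied to an HV_INPUT_FLUSH_VIRTUAL_ADDRESS_SPACE buffer the way the mutateCustom excerpt above does. The PRNG, the meaning of the sliding and mask mutators, and the selector-bit ordering are my assumptions (the slides do not define them); the struct layout and HV_FLUSH_* values are from the TLFS, and the seed input is constructed.

```c
/* Added example: selector-driven mutator chain over a FlushVirtualAddressSpace input. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Deterministic xorshift64* so a crashing input can be replayed from its seed. */
typedef struct { uint64_t s; } rng_t;
static uint64_t rand_64(rng_t *r)
{
    r->s ^= r->s >> 12; r->s ^= r->s << 25; r->s ^= r->s >> 27;
    return r->s * 0x2545F4914F6CDD1DULL;
}
static uint8_t rand_8(rng_t *r) { return (uint8_t)rand_64(r); }

/* Basic mutators on one 64-bit field. */
uint64_t swap_half(uint64_t v)             { return (v << 32) | (v >> 32); }
uint64_t bitflip(uint64_t v, unsigned bit) { return v ^ ((uint64_t)1 << (bit & 63)); }
/* Assumption: "sliding" = rotate left, keeps the set bits but moves them. */
uint64_t slide(uint64_t v, unsigned by)    { by &= 63; return by ? (v << by) | (v >> (64 - by)) : v; }
/* Assumption: mask(m) = AND with the byte m replicated over all eight bytes. */
uint64_t mask_bytes(uint64_t v, uint8_t m) { return v & (0x0101010101010101ULL * m); }

static uint64_t flip_n(uint64_t v, unsigned n, rng_t *r)
{
    while (n--) v = bitflip(v, (unsigned)rand_64(r));
    return v;
}

/* Dispatcher: each selector bit enables one stage, in the order of the
 * CMutatorDispatcher excerpt (random value, 1-bit flip, slide, 2-bit flip,
 * swap halves, 4-bit flip, 8-bit flip, mask). */
uint64_t mutate_with_selector(uint64_t v, uint8_t sel, rng_t *r)
{
    if (sel & 0x01) v = rand_64(r);
    if (sel & 0x02) v = flip_n(v, 1, r);
    if (sel & 0x04) v = slide(v, (unsigned)rand_64(r));
    if (sel & 0x08) v = flip_n(v, 2, r);
    if (sel & 0x10) v = swap_half(v);
    if (sel & 0x20) v = flip_n(v, 4, r);
    if (sel & 0x40) v = flip_n(v, 8, r);
    if (sel & 0x80) v = mask_bytes(v, rand_8(r));
    return v;
}
uint64_t mutate_basic(uint64_t v, rng_t *r) { return mutate_with_selector(v, rand_8(r), r); }
/* BMN0 counterpart: never yields zero (an empty ProcessorMask is rejected
 * before any interesting code runs, so it only burns iterations). */
uint64_t mutate_basic_nonzero(uint64_t v, rng_t *r)
{
    uint64_t m;
    do { m = mutate_basic(v, r); } while (m == 0);
    return m;
}

/* HV_INPUT_FLUSH_VIRTUAL_ADDRESS_SPACE, layout per the TLFS. */
typedef struct { uint64_t AddressSpace; uint64_t Flags; uint64_t ProcessorMask; } hv_input_flush_vas_t;
#define HV_FLUSH_ALL_PROCESSORS              0x1
#define HV_FLUSH_ALL_VIRTUAL_ADDRESS_SPACES  0x2
#define HV_FLUSH_NON_GLOBAL_MAPPINGS_ONLY    0x4
#define HV_FLUSH_USE_EXTENDED_RANGE_FORMAT   0x8

/* Mirrors the mutateCustom<> excerpt: AddressSpace gets the generic chain, Flags
 * is limited to the three low flag bits (the slide's & 0x07), ProcessorMask is
 * mutated but kept non-zero. */
void flush_vas_mutate(hv_input_flush_vas_t *in, rng_t *r)
{
    in->AddressSpace  = mutate_basic(in->AddressSpace, r);
    in->Flags         = rand_8(r) & 0x07;
    in->ProcessorMask = mutate_basic_nonzero(in->ProcessorMask, r);
}

/* Self-check: run `iters` mutations from `seed` and confirm the constraints the
 * generator promises hold on every output (the "immune known exceptions" step
 * depends on such invariants actually being enforced). */
bool flush_vas_constraints_hold(uint64_t seed, unsigned iters)
{
    rng_t r = { seed ? seed : 1 };              /* xorshift must not start at 0 */
    hv_input_flush_vas_t in = { 0, 0, 1 };      /* constructed seed input */
    for (unsigned i = 0; i < iters; i++) {
        flush_vas_mutate(&in, &r);
        if (in.Flags & HV_FLUSH_USE_EXTENDED_RANGE_FORMAT) return false;
        if (in.Flags > 0x07 || in.ProcessorMask == 0) return false;
    }
    return true;
}

int main(void)
{
    rng_t r = { 0x9E3779B97F4A7C15ULL };
    hv_input_flush_vas_t in = { 0, 0, 1 };
    for (int i = 0; i < 3; i++) {
        flush_vas_mutate(&in, &r);
        printf("AddressSpace=0x%016llx Flags=0x%llx ProcessorMask=0x%016llx\n",
               (unsigned long long)in.AddressSpace, (unsigned long long)in.Flags,
               (unsigned long long)in.ProcessorMask);
    }
    return 0;
}
```

Keeping Flags inside the documented bits is a deliberate trade: it avoids the early "invalid parameter" exits and lets the mutated AddressSpace and ProcessorMask reach deeper code, which is the field-constraint bypass the Pros slide refers to; a second configuration that drops the mask is still worth running so the flag parser itself gets exercised.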
FROM: https://www.microsoft.com/en-us/msrc/bounty-hyper-v
![Page 55: Growing Hypervisor 0day with Hyperseedpaper.vulsee.com/OffensiveCon2019/2019_02... · •CLFS, Deathnote of Microsoft Windows Kernel •Intel PT & kAFL Past Fuzzing Experience •Effective](https://reader034.fdocuments.us/reader034/viewer/2022042320/5f0a5a5c7e708231d42b3a08/html5/thumbnails/55.jpg)
FROM: https://www.microsoft.com/en-us/msrc/bounty-windows-insider-preview
![Page 56: Growing Hypervisor 0day with Hyperseedpaper.vulsee.com/OffensiveCon2019/2019_02... · •CLFS, Deathnote of Microsoft Windows Kernel •Intel PT & kAFL Past Fuzzing Experience •Effective](https://reader034.fdocuments.us/reader034/viewer/2022042320/5f0a5a5c7e708231d42b3a08/html5/thumbnails/56.jpg)
56
![Page 57: Growing Hypervisor 0day with Hyperseedpaper.vulsee.com/OffensiveCon2019/2019_02... · •CLFS, Deathnote of Microsoft Windows Kernel •Intel PT & kAFL Past Fuzzing Experience •Effective](https://reader034.fdocuments.us/reader034/viewer/2022042320/5f0a5a5c7e708231d42b3a08/html5/thumbnails/57.jpg)
FROM: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8439
SynIC
FROM: https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/reference/tlfs
BusFdoOpenResult, clear the cached reference if the channel is not opened properly.
Related work:
• Security Assessment of Microsoft Hyper-V (ERNW Newsletter 43, May 2014; Felix Wilhelm, Matthias Luft)
• Ring 0 to Ring -1 (SyScan 2015; Alex Ionescu)
• The Battle of SKM and IUM (Black Hat 2015; Alex Ionescu)
• Analysis of the Attack Surface of Windows 10 Virtualization-Based Security (Black Hat 2016; Rafal Wojtczuk)
• VBS and VSM Internals (Saar Amar)
• A Dive in to Hyper-V Architecture and Vulnerabilities (Black Hat 2018; Joe Bialek, Nicolas Joly)
• Hardening Hyper-V through offensive security research (Black Hat 2018; Jordan Rabet)
• First steps in Hyper-V research (Saar Amar)
• Fuzzing para-virtualized devices in Hyper-V (MSFT Virtualization Security Team)
• Writing a Hyper-V “Bridge” for Fuzzing (Alex Ionescu)
Resources:
• TLFS: https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/reference/tlfs
• Hyper-V symbols for debugging: https://blogs.technet.microsoft.com/virtualization/2018/04/25/hyper-v-symbols-for-debugging/
• LIS: https://github.com/LIS
• Unofficial hdk (Hyper-V Development Kit): https://ionescu007.github.io/hdk/
• Report quality definitions for Microsoft’s Bug Bounty programs: https://www.microsoft.com/en-us/msrc/bounty-example-report-submission