50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi


Transcript of 50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi

50 Shades Of Fuzzing
Peter Hlavaty (@zer0mem), Marco Grassi (@marcograss)

Who Are You?

• Peter Hlavaty
• Senior Security Researcher
• Lead of Windows Kernel Security Research

• Marco Grassi
• Senior Security Researcher @ Tencent KEEN Security Lab
• Main focus: Vulnerability Research, OSX/iOS, Android, Sandboxes

Agenda

• The Team
• VMWare Overview
• VMWare Workstation/Fusion Fuzzing
• Win32k Overview
• Win32k Fuzzing
• Conclusions
• Questions

The Team

• Previously known as Keen Team
• All researchers moved to Tencent because of business requirements
• New name: Tencent KEEN Security Lab
• We won the title of "Master Of Pwn" 2016 and have actively participated at Pwn2Own from 2013 to this year.

• Keep an eye on our blog! (English: http://keenlab.tencent.com/en/ Chinese: http://keenlab.tencent.com/zh/ )

This Talk in one Slide

VMWare Workstation/Fusion


• Most likely everyone here is sort of familiar with VMWare…
• One of the first companies (if not the first) to successfully virtualize x86 (which is not formally virtualizable; see Popek & Goldberg)
• Nowadays, with VT-x support, virtualization is faster and easier
• It's a product that allows you to run unmodified operating systems as guests.
• Their software runs at different privilege levels: they have kernel components and some host user mode processes.
• Our talk will focus mainly on how VMWare virtualizes the GPU in a guest, since they offer advanced functions such as 3D acceleration.

Why VMWare research?

• VMWare Workstation/Fusion is very widespread software, so it's an attractive target for attackers
• Sometimes a virtual machine is used as a boundary: even if you gain code execution, or even kernel code execution, inside the virtual machine, you are still trapped in there.
• By leveraging a bug in some component of VMWare you can potentially escape the virtual machine and gain code execution on the host system!

VMWare – important resources / previous research

• GPU Virtualization on VMware's Hosted I/O Architecture – Micah Dowty, Jeremy Sugerman – VMWare (this is the paper you absolutely want to read before approaching this area)
• CLOUDBURST: A VMware Guest to Host Escape Story – Kostya Kortchinsky – BlackHat USA 2009

VMWare GPU

• Although there is good hardware support for CPU virtualization today (Intel/AMD), for GPUs and for other hardware in general the status quo is not as good as for CPU virtualization
• VMware wanted to offer high performance GPU/3D to the guests, so they had to deploy their own solution, which also has to defeat host driver fragmentation, introducing several abstraction layers (and a lot of code)

VMWare GPU Virtual Device

• The VMWare virtualized GPU shows up in your guest as a PCI device called "VMware SVGA3D"
• It has several memory ranges that map to interesting stuff (more on the next slide)
• They implement a 2D framebuffer (not very interesting, just the pixels shown on your screen)
• And a GPU command queue (!)

• Here you can see the different purposes of the memory areas.
• We are mainly interested in the FIFO memory
• Think of it as a FIFO processed asynchronously and concurrently outside of your system, by the VMWare GPU subsystem
• It implements a lot of commands for 3D and other functionality

High level description of the FIFO

• The FIFO, when used for 3D commands, expects a custom protocol (SVGA3D)
• 1. Write commands into the queue
• 2. Optionally insert a fence if the guest wants to be notified of progress with a virtual interrupt
• 3. At some point your commands will be processed asynchronously
• The SVGA3D protocol takes ideas from and simplifies the Direct3D APIs
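The three-step protocol above, as an added example that is not VMware's code and not the talk's fuzzer: a model of the SVGA FIFO ring in which the guest writes commands at NEXT_CMD, the host consumes at STOP, and both pointers wrap from MAX back to MIN. The register offsets and command ids (SVGA_FIFO_MIN/MAX/NEXT_CMD/STOP, SVGA_CMD_UPDATE = 1, SVGA_CMD_FENCE = 30, SVGA_3D_CMD_BASE = 1040) are taken from VMware's public svga_reg.h as this author remembers it; treat them as assumptions and verify against the header. host_drain() is a stand-in consumer that only skips payloads and records fences, nothing more.

```c
/* Added example, not VMware's code: a model of the SVGA FIFO ring.
 * Register offsets and command ids are assumed from VMware's public
 * svga_reg.h; verify them against the header before relying on them. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SVGA_FIFO_MIN       0    /* dword index: byte offset of first command */
#define SVGA_FIFO_MAX       1    /* dword index: one past the last usable byte */
#define SVGA_FIFO_NEXT_CMD  2    /* dword index: guest write pointer (bytes) */
#define SVGA_FIFO_STOP      3    /* dword index: host read pointer (bytes) */
#define SVGA_CMD_UPDATE     1    /* 2D: x, y, width, height */
#define SVGA_CMD_FENCE      30   /* 2D: fence sequence number */
#define SVGA_3D_CMD_BASE    1040 /* 3D commands carry a (id, size) header */
#define FIFO_BYTES          4096

static uint32_t fifo[FIFO_BYTES / 4];   /* the FIFO memory BAR, modelled as dwords */

void fifo_init(void) {
    memset(fifo, 0, sizeof fifo);
    fifo[SVGA_FIFO_MIN] = 4 * sizeof(uint32_t);   /* commands follow the 4 registers */
    fifo[SVGA_FIFO_MAX] = FIFO_BYTES;
    fifo[SVGA_FIFO_NEXT_CMD] = fifo[SVGA_FIFO_MIN];
    fifo[SVGA_FIFO_STOP] = fifo[SVGA_FIFO_MIN];
}

int fifo_empty(void) { return fifo[SVGA_FIFO_STOP] == fifo[SVGA_FIFO_NEXT_CMD]; }

/* Bytes the guest may still write; one dword gap keeps "full" distinct from "empty". */
static uint32_t fifo_free(void) {
    uint32_t min = fifo[SVGA_FIFO_MIN], max = fifo[SVGA_FIFO_MAX];
    uint32_t next = fifo[SVGA_FIFO_NEXT_CMD], stop = fifo[SVGA_FIFO_STOP];
    uint32_t used = next >= stop ? next - stop : (max - stop) + (next - min);
    return (max - min) - used - 4;
}

static void fifo_put(uint32_t v) {             /* guest write with wrap-around */
    uint32_t next = fifo[SVGA_FIFO_NEXT_CMD];
    fifo[next / 4] = v;
    next += 4;
    if (next >= fifo[SVGA_FIFO_MAX]) next = fifo[SVGA_FIFO_MIN];
    fifo[SVGA_FIFO_NEXT_CMD] = next;
}

static uint32_t fifo_get(void) {               /* host read with wrap-around */
    uint32_t stop = fifo[SVGA_FIFO_STOP], v = fifo[stop / 4];
    stop += 4;
    if (stop >= fifo[SVGA_FIFO_MAX]) stop = fifo[SVGA_FIFO_MIN];
    fifo[SVGA_FIFO_STOP] = stop;
    return v;
}

/* Step 1: enqueue a command. Returns 0 (and writes nothing) when the ring is full. */
int fifo_write_cmd(uint32_t id, const uint32_t *payload, uint32_t ndwords) {
    int is3d = id >= SVGA_3D_CMD_BASE;
    if (fifo_free() < (1u + (is3d ? 1u : 0u) + ndwords) * 4) return 0;
    fifo_put(id);
    if (is3d) fifo_put(ndwords * 4);             /* SVGA3dCmdHeader.size, in bytes */
    for (uint32_t i = 0; i < ndwords; i++) fifo_put(payload[i]);
    return 1;
}

/* Step 2: a fence. The guest learns that everything before it was processed
 * when the host reports this sequence number back. */
int fifo_fence(uint32_t seq) { return fifo_write_cmd(SVGA_CMD_FENCE, &seq, 1); }

/* Step 3, modelled: the host drains the ring asynchronously. Returns the last
 * fence it passed (0 if none) and, via *ncmds, the number of commands consumed. */
uint32_t host_drain(uint32_t *ncmds) {
    uint32_t last_fence = 0;
    *ncmds = 0;
    while (!fifo_empty()) {
        uint32_t id = fifo_get();
        (*ncmds)++;
        if (id >= SVGA_3D_CMD_BASE) {
            uint32_t size = fifo_get();
            for (uint32_t i = 0; i < size / 4; i++) (void)fifo_get();
        } else if (id == SVGA_CMD_FENCE) {
            last_fence = fifo_get();
        } else if (id == SVGA_CMD_UPDATE) {
            for (int i = 0; i < 4; i++) (void)fifo_get();
        } else {
            fprintf(stderr, "unknown 2D command %u, stopping\n", id);
            break;                                 /* payload size unknown, cannot skip */
        }
    }
    return last_fence;
}

int main(void) {
    uint32_t rect[4] = { 0, 0, 640, 480 }, cid = 1, n, fence;
    fifo_init();
    fifo_write_cmd(SVGA_CMD_UPDATE, rect, 4);
    fifo_write_cmd(SVGA_3D_CMD_BASE + 5, &cid, 1);   /* assumed: CONTEXT_DEFINE */
    fifo_fence(42);
    fence = host_drain(&n);
    printf("host passed fence %u after %u commands\n", fence, n);
    return 0;
}
```

The wrap-around arithmetic in fifo_free() is the part worth reading twice: a guest-side writer that gets it wrong either overwrites commands the host has not consumed yet or believes the ring is empty when it is full, and on the host side the same confusion is exactly the kind of state a FIFO fuzzer wants to provoke.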

Where is the VMWare GPU code?

• The core functionality of the GPU is implemented in vmware-vmx.exe
• We should expect faults in this process (or in any .dll loaded inside it)
• So we turn on PageHeap via GFlags for fault monitoring, and set WinDbg to auto-start on a fault
• Maybe a fault will traverse the virtualization layer and also appear in host graphics :)

Code path

VMWare SVGA3D

• Very rich in functionality (shaders, textures, etc.): lots of attack surface!
• But… HOW DO WE FUZZ THIS?
• Let's explore some alternatives..

Fuzzing alternatives: From Guest user mode

• Extremely inconvenient for several reasons:
• Too many layers of software that don't interest us and that perform validation
• Performance reasons
• The GPU resource is contended and manipulated by the running guest system; it would be very difficult to reproduce eventual crashes.
• Heavy; we want to scale and run lots of guests

Fuzzing alternatives: From Guest kernel mode

• This alternative is more appealing because:
• In general we have more control
• Less resource contention if we don't use any UI
• We can skip pretty much any validation layer
• But we are still running together with a kernel, so we are not the only code running on the system and a lot of stuff is going on.
• Heavy; we want to scale and run lots of guests

The right Fuzzing option: Bare metal Guest!

• If we run our code as a guest, without any operating system, we have:
• A performance boost, of course!
• Complete control!
• No validation steps!
• Exclusive access to the hardware!
• Extremely light, a few MB of RAM only; we can run a huge number of guests!

What to fuzz?

• We picked shaders because they are complex, and they undergo several layers of translation at several points.

1. Collect valid shaders
2. Put together code to load and render with shaders correctly on bare metal
3. Mutate shader, load, render, see if it crashes
4. GOTO 3

• You can also fuzz raw commands, but the semantics are not trivial and require reversing.
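Step 3 of the loop above, as an added example that is not the talk's fuzzer: a structure-aware mutator for a D3D9-style shader token stream, the form the SVGA3D shader-define commands carry. It keeps the version token and the END token so the host's parser gets past framing and into instruction decoding, and mutates everything in between with a seeded xorshift PRNG so that every case is reproducible from (seed, mutation count), which is what makes the bare-metal guest's determinism pay off. The sample ps_2_0 tokens (a `def` and a `mov`) are constructed by hand for this example and the operand encodings are this author's reading of the D3D9 token format, not something taken from the talk.

```c
/* Added example, not the talk's fuzzer: structure-aware shader token mutation.
 * Sample tokens are constructed; D3D9 operand encodings are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SHADER_END_TOKEN 0x0000FFFFu
#define SAMPLE_TOKENS 11

static const uint32_t sample_ps20[SAMPLE_TOKENS] = {
    0xFFFF0200u,                               /* ps_2_0 version token */
    0x05000051u, 0xA00F0000u,                  /* def c0, 1, 0, 0, 1 (length 5) */
    0x3F800000u, 0x00000000u, 0x00000000u, 0x3F800000u,
    0x02000001u, 0x800F0800u, 0xA0E40000u,     /* mov oC0, c0 (length 2) */
    SHADER_END_TOKEN,
};

typedef struct { uint64_t s; } rng_t;

static uint32_t rng_next(rng_t *r) {           /* xorshift64*: cheap and seedable */
    r->s ^= r->s >> 12; r->s ^= r->s << 25; r->s ^= r->s >> 27;
    return (uint32_t)((r->s * 2685821657736338717ULL) >> 32);
}

/* Framing invariant we preserve: ps/vs version token first, END token last. */
int shader_frame_ok(const uint32_t *t, size_t n) {
    uint32_t kind = t[0] >> 16;
    return n >= 2 && (kind == 0xFFFFu || kind == 0xFFFEu) && t[n - 1] == SHADER_END_TOKEN;
}

static const uint32_t interesting[] = {
    0u, 0xFFFFFFFFu, 0x7FFFFFFFu, 0x80000000u, SHADER_END_TOKEN, 0xFFFF0200u,
};

/* Mutate `count` tokens in place, never touching index 0 or the END token.
 * Returns the number of tokens changed (always `count` when n >= 3). */
size_t shader_mutate(uint32_t *t, size_t n, uint64_t seed, size_t count) {
    rng_t r = { seed ? seed : 0x9E3779B97F4A7C15ULL };
    size_t changed = 0;
    if (n < 3) return 0;                        /* nothing between version and END */
    while (changed < count) {
        size_t idx = 1 + rng_next(&r) % (n - 2);
        uint32_t old = t[idx], v = old;
        switch (rng_next(&r) % 4) {
        case 0: v ^= 1u << (rng_next(&r) % 32); break;                       /* bit flip */
        case 1: v = interesting[rng_next(&r) % (sizeof interesting / sizeof interesting[0])]; break;
        case 2: v = (v & 0xF0FFFFFFu) | ((rng_next(&r) % 16) << 24); break; /* instruction length nibble */
        case 3: v |= 0x7FFu; break;                                         /* register number field to max */
        }
        if (v == old) v ^= 1u << (rng_next(&r) % 32);   /* guarantee a change */
        t[idx] = v;
        changed++;
    }
    return changed;
}

/* One fuzz iteration: copy the corpus shader, mutate it, confirm the frame is
 * intact. The result is what would go into a shader-define command. */
size_t fuzz_case(uint32_t *out, uint64_t seed, size_t nmut) {
    memcpy(out, sample_ps20, sizeof sample_ps20);
    size_t c = shader_mutate(out, SAMPLE_TOKENS, seed, nmut);
    return shader_frame_ok(out, SAMPLE_TOKENS) ? c : 0;
}

int main(void) {
    uint32_t buf[SAMPLE_TOKENS];
    for (uint64_t seed = 1; seed <= 3; seed++) {
        size_t c = fuzz_case(buf, seed, 2);
        printf("seed %llu: %zu tokens mutated, token[1] now %08x\n",
               (unsigned long long)seed, c, buf[1]);
    }
    return 0;
}
```

The strategies are chosen to hit the places a shader translator has to trust its input: the per-instruction length nibble (case 2) drives how many operand tokens the parser consumes next, and the register number field (case 3) indexes whatever table the translation layer keeps per register type. Logging the seed with each rendered case is what turns a crash on one of many guests into a replayable test.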

Bare metal GPU Fuzzer DEMO

BUG DEMO :)

Soon a couple of CVEs in VMWare Fusion, waiting for the fix to be deployed (ETA Q3); disclosed several months ago (slow)

Microsoft w32k sub-system: Fuzzing all around your window, and beyond!

w32k – Data Parsing #TTF

• TrueType Font

• Popular in sophisticated attacks: Stuxnet, Duqu, ..
• https://cansecwest.com/slides/2013/Analysis%20of%20a%20Windows%20Kernel%20Vuln.pdf

• Abused at p2o 2015 – KEEN
• http://www.slideshare.net/PeterHlavaty/windows-kernel-exploitation-this-time-font-hunt-you-down-in-4-bytes

• A year of Windows kernel font fuzzing – j00ru
• http://googleprojectzero.blogspot.nl/2016/06/a-year-of-windows-kernel-font-fuzzing-1_27.html

w32k – syscalls #DC

Figure: GDI objects bound to a DC: bitmap, brush, pen, palette, font

w32k – syscalls #DC #collisions

DC #UAF, however nils was already here..

w32k – syscalls #DC #collisions

DC *nice* #UAF, however.. once again, nils.. :)

w32k – syscalls #DC #collisions

(nils) PoC overview:


…pretty much all to one…

w32k – syscalls #DC

• Various components are interconnected
• Binding to the DC
• GetStockObject, SelectObject

w32k – syscalls #Window

Figure: window syscall groups: Show, Set, WND, Msg, ClipB(oard), Class, SetWindowText

w32k – syscalls #DC #Window

• Interconnections #2
• GetWindowDC, BeginPaint, Caret
• Binding back to the DC

w32k – syscalls #Window #Menu

• Menu
• PopUps
• Window connected { DrawMenuBarTemp, HiliteMenuItem, TrackPopupMenu*, CalcMenuBar, … }
• Bound to the window

w32k – syscalls #Window #Menu

More on our w32k syscall results and another part of w32k at Ruxcon: https://ruxcon.org.au/speakers/#PeterHlavaty & Jin Long


w32k – DirectX

• Ilja van Sprundel
• https://www.blackhat.com/us-14/briefings.html#windows-kernel-graphics-driver-attack-surface

• Nikita Tarakanov – ZeroNights
• http://2015.zeronights.org/assets/files/11-Tarakanov.pdf

• p2o 2016 – KEEN
• http://community.hpe.com/t5/Security-Research/Pwn2Own-2016-Day-two-crowning-the-Master-of-Pwn/ba-p/6842863#.V4d1NMpOKDt

w32k – Data Parsing #DirectX

• Code shipped by Intel, NVIDIA
• Ballast of code responsible for various data parsing!
• Extended arm of { D3DKMTSubmitCommand, D3DKMTEscape, D3DKMTRender, D3DKMTPresent }

w32k – syscalls #2 #DirectX

Figure: w32k dxg syscall groups: Adapter, Alloc, Context, Overlay, Mutex, Sync, Paging, Device

• Universal Windows code
• Independent of graphics vendors
• A more constrained attack vector than data parsing

Fuzzing

w32k – Fuzzing #templates

• syzkaller
• Qilin

w32k – Fuzzing #templates

• Nt* syscalls are mostly undocumented
• The various APIs, however, are nicely documented!
• google: "MSDN %target% functions"

• Once you know what's going on at the API level, it's easier to RE the arguments at the syscalls
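What a template looks like when the object interconnections from the #DC, #DC #Window and #Window #Menu slides are written down, as an added example that is neither Qilin nor syzkaller: a minimal template-driven generator for stateful GDI/USER call sequences. Each template records the handle kind a call produces and the kinds it consumes, so generated sequences respect the dependencies (a DC exists before SelectObject, a window before GetWindowDC, a menu bound to a window before TrackPopupMenu) and cross object boundaries on purpose. The names are the documented Win32 APIs in front of the Nt* syscalls; the generator only emits a sequence and never calls them, so it builds anywhere. The template table is constructed for this example, covers only handle arguments, and is this author's, not the talk's.

```c
/* Added example, not Qilin or syzkaller: template-driven generation of
 * handle-dependent GDI/USER call sequences. Template table is constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum kind { K_NONE, K_DC, K_BITMAP, K_BRUSH, K_WND, K_MENU };

typedef struct {
    const char *name;
    enum kind produces;     /* handle kind returned, K_NONE for none */
    enum kind args[3];      /* handle kinds consumed, K_NONE-terminated */
} tmpl_t;

static const tmpl_t templates[] = {
    { "CreateCompatibleDC", K_DC,     { K_NONE } },
    { "CreateWindowExW",    K_WND,    { K_NONE } },
    { "CreatePopupMenu",    K_MENU,   { K_NONE } },
    { "CreateSolidBrush",   K_BRUSH,  { K_NONE } },
    { "CreateBitmap",       K_BITMAP, { K_NONE } },
    { "GetStockObject",     K_BRUSH,  { K_NONE } },
    { "GetWindowDC",        K_DC,     { K_WND, K_NONE } },         /* window -> DC */
    { "SelectObject",       K_NONE,   { K_DC, K_BRUSH, K_NONE } },  /* bind object to DC */
    { "SelectObject",       K_NONE,   { K_DC, K_BITMAP, K_NONE } },
    { "SetMenu",            K_NONE,   { K_WND, K_MENU, K_NONE } },  /* bind menu to window */
    { "TrackPopupMenu",     K_NONE,   { K_MENU, K_WND, K_NONE } },
    { "DeleteObject",       K_NONE,   { K_BRUSH, K_NONE } },        /* possibly still selected */
};
#define NTEMPL ((int)(sizeof templates / sizeof templates[0]))
#define MAX_CALLS 64                       /* also bounds live handles: one per call at most */

typedef struct { int tmpl; uint32_t args[3]; uint32_t result; } call_t;
typedef struct {
    call_t calls[MAX_CALLS]; int ncalls;
    uint32_t handles[MAX_CALLS]; enum kind hkind[MAX_CALLS]; int nhandles;
    uint32_t next_handle; uint64_t rng;
} seq_t;

static uint32_t rnd(seq_t *s) {            /* xorshift64*, seedable for replay */
    s->rng ^= s->rng >> 12; s->rng ^= s->rng << 25; s->rng ^= s->rng >> 27;
    return (uint32_t)((s->rng * 2685821657736338717ULL) >> 32);
}

int tmpl_index(const char *name) {
    for (int i = 0; i < NTEMPL; i++) if (strcmp(templates[i].name, name) == 0) return i;
    return -1;
}

static int pick_handle(seq_t *s, enum kind k, uint32_t *out) {   /* random live handle of kind k */
    int n = 0;
    for (int i = 0; i < s->nhandles; i++) n += s->hkind[i] == k;
    if (n == 0) return 0;
    int want = (int)(rnd(s) % (uint32_t)n);
    for (int i = 0; i < s->nhandles; i++)
        if (s->hkind[i] == k && want-- == 0) { *out = s->handles[i]; return 1; }
    return 0;
}

static void drop_handle(seq_t *s, uint32_t h) {   /* after DeleteObject: never reused */
    int i = 0;
    while (i < s->nhandles && s->handles[i] != h) i++;
    if (i == s->nhandles) return;
    s->nhandles--; s->handles[i] = s->handles[s->nhandles]; s->hkind[i] = s->hkind[s->nhandles];
}

void seq_generate(seq_t *s, uint64_t seed, int ncalls) {
    memset(s, 0, sizeof *s);
    s->rng = seed ? seed : 1; s->next_handle = 0x10;
    if (ncalls > MAX_CALLS) ncalls = MAX_CALLS;
    while (s->ncalls < ncalls) {
        int ti = (int)(rnd(s) % (uint32_t)NTEMPL);
        const tmpl_t *t = &templates[ti];
        call_t c = { ti, { 0, 0, 0 }, 0 };
        int ok = 1;
        for (int a = 0; a < 3 && t->args[a] != K_NONE; a++)
            if (!pick_handle(s, t->args[a], &c.args[a])) { ok = 0; break; }
        if (!ok) continue;                 /* dependency not available yet, try another template */
        if (t->produces != K_NONE) {
            c.result = s->next_handle++;
            s->handles[s->nhandles] = c.result; s->hkind[s->nhandles++] = t->produces;
        }
        if (strcmp(t->name, "DeleteObject") == 0) drop_handle(s, c.args[0]);
        s->calls[s->ncalls++] = c;
    }
}

/* Replay check: every handle used was produced earlier and not deleted before use. */
int seq_check_deps(const seq_t *s) {
    uint32_t live[MAX_CALLS]; int nlive = 0;
    for (int i = 0; i < s->ncalls; i++) {
        const call_t *c = &s->calls[i]; const tmpl_t *t = &templates[c->tmpl];
        for (int a = 0; a < 3 && t->args[a] != K_NONE; a++) {
            int j = 0;
            while (j < nlive && live[j] != c->args[a]) j++;
            if (j == nlive) return 0;
            if (strcmp(t->name, "DeleteObject") == 0) live[j] = live[--nlive];
        }
        if (t->produces != K_NONE) live[nlive++] = c->result;
    }
    return 1;
}

void seq_print(const seq_t *s) {
    for (int i = 0; i < s->ncalls; i++) {
        const call_t *c = &s->calls[i]; const tmpl_t *t = &templates[c->tmpl];
        if (t->produces != K_NONE) printf("h%x = ", c->result);
        printf("%s(", t->name);
        for (int a = 0; a < 3 && t->args[a] != K_NONE; a++) printf("%sh%x", a ? ", " : "", c->args[a]);
        printf(")\n");
    }
}

int main(void) { seq_t s; seq_generate(&s, 42, 20); seq_print(&s); return seq_check_deps(&s) ? 0 : 1; }
```

Because the only thing a template knows is which handle kinds a call takes and gives back, the same table drives both generation and the replay check, and the seed alone reproduces a sequence. A real harness would add the non-handle arguments (sizes, flags, pointers to user buffers) with their own generators, and would let a brush be deleted while still selected into a DC, which this table already permits.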

w32k – Fuzzing #syscalls

• Just the tip of the iceberg!
• #1 the API is just a small part
• #2 what we cover is just a small subset!

• Take a look at the win32k subsystem syscall table
• x win32k*!Nt*
• http://j00ru.vexillium.org/win32k_syscalls/

• Around #xyz syscalls!!

w32k – Hardening

• Notably Nils, Terjei, j00ru, Tencent, 360 and others
• Securing the codebase

• TTF stripped from the kernel: moving attack surface out of the kernel

• w32k separation, win32k{base,full}: step by step re-design

• w32k lockdown: strengthened sandboxes

• GDI leaks locked down: fixing OLD & obvious security issues

w32k – 50 shades [Qilin]

w32k – 50 shades [DEMO]

• ~50 core tests

OSX/iOS Graphics fuzzing

• Unfortunately there is not much time left to discuss this, but we can recommend some of our presentations on the topic that you can check out:
• CanSecWest 16: Don't Trust Your Eye: Apple Graphics Is Compromised! – Liang Chen, Marco Grassi, Qidan He
• Recon 2016: Shooting the OSX El Capitan Kernel Like a Sniper – Liang Chen, Qidan He
• BlackHat USA 2016: SUBVERTING APPLE GRAPHICS: PRACTICAL APPROACHES TO REMOTELY GAINING ROOT – Liang Chen, Qidan He, Marco Grassi, Yubin Fu (TO BE PRESENTED)

• At Pwn2Own 2016 we used 2 different bugs to compromise OSX twice!


Conclusions

• Graphics is a huge attack surface, still reachable from interesting sandboxes (like some browser sandboxes)
• Many researchers are looking into this area; there are a lot of bugs in this kind of code, but security is getting better.
• Fuzzing the graphics stack requires different approaches and principles compared to fuzzing core components.
• In graphics, data fuzzing and state fuzzing are both important attack vectors.

Credits

• Wushi
• Liang Chen
• Daniel King
• All our teammates!

Questions?