When virtualization encounters afl blackhat eu2016--1.4

When virtualization encounters AFL Jack Tang, @jacktang310 Moony Li, @Flyic

Transcript of When virtualization encounters afl blackhat eu2016--1.4

When virtualization encounters AFL

Jack Tang, @jacktang310; Moony Li, @Flyic

Welcome everyone

I'm very happy to be presenting here today at the BLACKHAT conference.

My name is Moony and I will be presenting today on the topic of virtualization fuzzing with AFL.


What We Will Cover

Who We Are

Approach

Implementation

Case Study: CVE-2015-3456, Venom

Demo

Today I will cover several key areas

1. First, I'll tell you a little about me and my partner.

2. I'll then walk you through how we designed our approach to fuzz virtual devices integrated with AFL, and how we implemented our design.

3. Following this, I will present to you a case study to show how we fuzz and reproduce a floppy vulnerability step by step.

4. Finally, I will give you a video demo.


Who We Are


Jack Tang

@jacktang310

10+ years security

Browser, Document, Mac/Windows Kernel, Virtualization Vulnerability

My partner's name is Jack.

Jack has worked in security for 10 years

His focus has been on browser and document vulnerabilities as well as Mac Windows and virtualization vulnerabilities.

Jack can't be with us today. He has broken his leg and cannot travel.


Moony Li

@Flyic

7 years security

Sandcastle, Deep Discovery, Exploit Detection

Mac/Windows Kernel, Android Vulnerability

My name is Moony

I've worked for 7 years in security.

My role has been developing sandbox systems.

Focusing on Mac, Windows and Android kernel vulnerabilities.


Approaches Comparison

Approach: Fuzz in guest OS
  Notes: 1. Capture  2. Replay & Fuzz
  Pros:  1. Simple  2. Ignorance of I/O protocol
  Cons:  1. No code coverage  2. Incomplete by design

Approach: Conformance fuzzing test
  Notes: 1. Symbolic Execution
  Pros:  1. Fuzz deeper
  Cons:  1. No code coverage  2. Academic

Approach: Code Review
  Pros:  1. Flexible
  Cons:  1. Costs effort  2. Not scalable

Here I will compare several approaches about hunting virtualization vulnerabilities.

The first approach is to fuzz I/O communication from the guest OS. The basic procedure includes capturing the traffic first, replaying it, then fuzzing it. This is a very simple process and requires no knowledge of the I/O protocol. The con is that there is no code coverage and feedback. This means the fuzz is incomplete by design.

Conformance fuzz testing is the second approach. The main principle is to introduce Symbolic Execution to IO communication leading to a deeper fuzz scope. Again there is no code coverage and this approach is mainly academic.

Finally we look at code review. This approach is more flexible for the researcher; however, it takes more effort and is not scalable.


Target: Virtual Devices

Diagram: Hypervisor hosting two Guest OSes, each with a Kernel Driver talking to Virtual Devices, which sit on top of Hardware Devices.

Actually there are many attack interfaces in the virtual machine; however, we only focus on the area relating to virtual devices.

Portable: Customized BIOS as common format; Virtual Disk; Serial port

Performance: sizeof(BIOS)