richinseattle/gist:69affc0f05fae0c60ca612d3e078dd2d

## gistfile1.txt
Harnessing Intel Processor Trace on Windows for Vulnerability Discovery
Richard Johnson

Biography

Richard Johnson is a computer security specialist with a focus on software
vulnerability analysis. Currently the Research Technical Lead of Talos Group
for Cisco, Richard offers 15 years of expertise and leadership in the software
security industry. Current responsibilities include research and development of
advanced fuzzing and crash analysis technologies facilitating the automation of
the vulnerability triage and discovery process. Richard has presented annually
at top-tier industry conferences worldwide for over a decade and was co-founder
of the Uninformed Journal.

Abstract

This talk will explore Intel Processor Trace, the new hardware branch tracing
feature included in Intel Skylake processors. We will explain the design of
Intel Processor trace and detail how the current generation implementation
works including the various filtering modes and output configurations.

This year we designed and developed the first opensource Intel PT driver for
the Microsoft Windows operating system. We will discuss the architecture of the
driver and the large number of low level programming hurdles we had to overcome
throughout the development of the driver to program the PMU, including
registering Performance Montering Interrupts (PMI), locating the Local Vector
Table (LVT) Performance Monitor timer register, bypassing the TLB and cache
through managing physical memory, and more. We will demonstrate the usage of
Intel PT in Windows environments for diagnostic and debugging purposes,
demonstrate an IDA plugin that can render coverage and loop information against
user and kernel targets, and then discuss how weve harnessed this branch
tracing engine for guided fuzzing.

This year we have added the Intel PT tracing mode as an engine for targeting
Windows binaries in the widely used evolutionary fuzzer, American Fuzzy Lop.
This fuzzer is capable of using random mutation fuzzing with a code coverage
feedback loop to explore new areas. Using our new Intel PT driver for Windows,
we provide the fastest hardware supported engine for targeting binaries with
evolutionary fuzzing. In addition we have added new functionality to AFL for
guided fuzzing, which allows users to specify targeted areas on a program
control flow graph that are of interest. This can be combined with static
analysis results or known-vulnerable locations to help automate the creation of
trigger inputs to reproduce a vulnerability without the limits of symbolic
execution. To keep performance as the highest priority, we have also created
new methods for efficiently encoding weighted graphs into an efficiently
comparable bytemap.

New to this version of the talk is full support for kernel tracing, and an
IDA plugin for visualization, and a JIT disassembly engine with cache for
the winafl intelpt trace parsing.


NOTES FOR REVIEWER
==================

New content in this talk compared to the slide deck is the addition of kernel
module tracing support, an ida plugin to parse the traces,
and an update to the winafl-intelpt code to do persistent mode and complete
edge coverage instead of previous hack of only using the long jump targets.
This required a technical solution of creating a JIT cache of branch targets as
the graph is explored for efficient lookup, making a truly effective and fast
winafl-backend with parity of accuracy and better performance than winafl with
dynamorio.
	Harnessing Intel Processor Trace on Windows for Vulnerability Discovery
	Richard Johnson

	Biography

	Richard Johnson is a computer security specialist with a focus on software
	vulnerability analysis. Currently the Research Technical Lead of Talos Group
	for Cisco, Richard offers 15 years of expertise and leadership in the software
	security industry. Current responsibilities include research and development of
	advanced fuzzing and crash analysis technologies facilitating the automation of
	the vulnerability triage and discovery process. Richard has presented annually
	at top-tier industry conferences worldwide for over a decade and was co-founder
	of the Uninformed Journal.

	Abstract

	This talk will explore Intel Processor Trace, the new hardware branch tracing
	feature included in Intel Skylake processors. We will explain the design of
	Intel Processor trace and detail how the current generation implementation
	works including the various filtering modes and output configurations.

	This year we designed and developed the first opensource Intel PT driver for
	the Microsoft Windows operating system. We will discuss the architecture of the
	driver and the large number of low level programming hurdles we had to overcome
	throughout the development of the driver to program the PMU, including
	registering Performance Montering Interrupts (PMI), locating the Local Vector
	Table (LVT) Performance Monitor timer register, bypassing the TLB and cache
	through managing physical memory, and more. We will demonstrate the usage of
	Intel PT in Windows environments for diagnostic and debugging purposes,
	demonstrate an IDA plugin that can render coverage and loop information against
	user and kernel targets, and then discuss how weve harnessed this branch
	tracing engine for guided fuzzing.

	This year we have added the Intel PT tracing mode as an engine for targeting
	Windows binaries in the widely used evolutionary fuzzer, American Fuzzy Lop.
	This fuzzer is capable of using random mutation fuzzing with a code coverage
	feedback loop to explore new areas. Using our new Intel PT driver for Windows,
	we provide the fastest hardware supported engine for targeting binaries with
	evolutionary fuzzing. In addition we have added new functionality to AFL for
	guided fuzzing, which allows users to specify targeted areas on a program
	control flow graph that are of interest. This can be combined with static
	analysis results or known-vulnerable locations to help automate the creation of
	trigger inputs to reproduce a vulnerability without the limits of symbolic
	execution. To keep performance as the highest priority, we have also created
	new methods for efficiently encoding weighted graphs into an efficiently
	comparable bytemap.

	New to this version of the talk is full support for kernel tracing, and an
	IDA plugin for visualization, and a JIT disassembly engine with cache for
	the winafl intelpt trace parsing.


	NOTES FOR REVIEWER
	==================

	New content in this talk compared to the slide deck is the addition of kernel
	module tracing support, an ida plugin to parse the traces,
	and an update to the winafl-intelpt code to do persistent mode and complete
	edge coverage instead of previous hack of only using the long jump targets.
	This required a technical solution of creating a JIT cache of branch targets as
	the graph is explored for efficient lookup, making a truly effective and fast
	winafl-backend with parity of accuracy and better performance than winafl with
	dynamorio.