Last active
May 25, 2019 11:57
-
-
Save richinseattle/69affc0f05fae0c60ca612d3e078dd2d to your computer and use it in GitHub Desktop.
Harnessing Intel Processor Trace on Windows for Vulnerability Discovery
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Harnessing Intel Processor Trace on Windows for Vulnerability Discovery | |
Richard Johnson | |
Biography | |
Richard Johnson is a computer security specialist with a focus on software | |
vulnerability analysis. Currently the Research Technical Lead of Talos Group | |
for Cisco, Richard offers 15 years of expertise and leadership in the software | |
security industry. Current responsibilities include research and development of | |
advanced fuzzing and crash analysis technologies facilitating the automation of | |
the vulnerability triage and discovery process. Richard has presented annually | |
at top-tier industry conferences worldwide for over a decade and was co-founder | |
of the Uninformed Journal. | |
Abstract | |
This talk will explore Intel Processor Trace, the new hardware branch tracing | |
feature included in Intel Skylake processors. We will explain the design of | |
Intel Processor trace and detail how the current generation implementation | |
works including the various filtering modes and output configurations. | |
This year we designed and developed the first opensource Intel PT driver for | |
the Microsoft Windows operating system. We will discuss the architecture of the | |
driver and the large number of low level programming hurdles we had to overcome | |
throughout the development of the driver to program the PMU, including | |
registering Performance Montering Interrupts (PMI), locating the Local Vector | |
Table (LVT) Performance Monitor timer register, bypassing the TLB and cache | |
through managing physical memory, and more. We will demonstrate the usage of | |
Intel PT in Windows environments for diagnostic and debugging purposes, | |
demonstrate an IDA plugin that can render coverage and loop information against | |
user and kernel targets, and then discuss how weve harnessed this branch | |
tracing engine for guided fuzzing. | |
This year we have added the Intel PT tracing mode as an engine for targeting | |
Windows binaries in the widely used evolutionary fuzzer, American Fuzzy Lop. | |
This fuzzer is capable of using random mutation fuzzing with a code coverage | |
feedback loop to explore new areas. Using our new Intel PT driver for Windows, | |
we provide the fastest hardware supported engine for targeting binaries with | |
evolutionary fuzzing. In addition we have added new functionality to AFL for | |
guided fuzzing, which allows users to specify targeted areas on a program | |
control flow graph that are of interest. This can be combined with static | |
analysis results or known-vulnerable locations to help automate the creation of | |
trigger inputs to reproduce a vulnerability without the limits of symbolic | |
execution. To keep performance as the highest priority, we have also created | |
new methods for efficiently encoding weighted graphs into an efficiently | |
comparable bytemap. | |
New to this version of the talk is full support for kernel tracing, and an | |
IDA plugin for visualization, and a JIT disassembly engine with cache for | |
the winafl intelpt trace parsing. | |
NOTES FOR REVIEWER | |
================== | |
New content in this talk compared to the slide deck is the addition of kernel | |
module tracing support, an ida plugin to parse the traces, | |
and an update to the winafl-intelpt code to do persistent mode and complete | |
edge coverage instead of previous hack of only using the long jump targets. | |
This required a technical solution of creating a JIT cache of branch targets as | |
the graph is explored for efficient lookup, making a truly effective and fast | |
winafl-backend with parity of accuracy and better performance than winafl with | |
dynamorio. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment