Our goal was to find Windows kernel bugs using a fuzzer.
We started exploring the fuzzer landscape for the Windows kernel, and since we had experience with AFL-style fuzzers, we looked for one that performs similarly and found kAFL.

We looked at kAFL and searched for attack surfaces in the Windows kernel, but we quickly found that a syscall fuzzer can reach many more attack surfaces.

We searched for syscall fuzzers and found Syzkaller.

At this point, we started porting it to WSL, as it is the most similar to the Linux kernel and we could gain some experience with Syzkaller on Windows. We implemented coverage instrumentation for the Windows kernel using Intel PT. We shared our crash detection mechanism and our crash symbolizer approach, which we used for bug de-duplication. We found a few coverage stability issues and shared our solution for them.

After we found some DoS bugs, we decided to move to a real PE target – win32k – but we had to implement missing parts in Syzkaller. We then did a sanity check and a stress test to make sure the fuzzer was not wasting CPU time. After that we invested a lot of time in writing grammar, reading about our target and eventually adding support for newly learned parts of win32k back into the fuzzer.

Overall, our research led us to find 8 vulnerabilities, DoS bugs and deadlocks in the Windows 10 kernel.
https://research.checkpoint.com/2020/bugs-on-the-windshield-fuzzing-the-windows-kernel/