nagy-kernel PDF

65 Pages·2012·1.71 MB·English

Windows Kernel Fuzzing for Beginners
Ben Nagy

ohai.
- Not oldsk00l. Just old.
- ~5 weeks experience with Windows Kernel
- >5 years experience with Fuzzing
- Hate all Technology
- Ruby and Drinking Make the Pain Go Away

Disclaimer: I am aware of the prevailing opinion that fuzzing talks without bugs suck, by definition. I do not have any bugs. Even if I did have bugs, I wouldn't tell you. There are no bugs. There are, however, otters and buff Russian men of dubious sexuality. Also, many red boxes. You have been warned.

Secret Fuzzing Wisdoms
• Select a Good Target
• Acquire Essential Knowledge
• Apply Fuzzing Canon - DIGS
  – How do we Deliver
  – How do we Instrument
  – How do we Generate
  – How does that Scale

Secret Fuzzing Wisdoms
• Delivery, Instrumentation, Generation
  – Gotta keep em separated!
  – Please stop writing heavily coupled tools, kthx
• A good toolchain allows rapid retargeting
  – Start fuzzing with a stupid generator
  – Cold cores find no bugs!

Target Selection
n_bugs = p_bug * n_tests
• p_bug / testing speed is inherently target specific
• Can tune the equation
  – Better (possibly slower) Generators
  – More Scale
  – Rapid Tooling (lead time counts!)
  – Better Samples
  – Pre Fuzzing Toolchain

p_bug++
• Feedback Driven Fuzzing
  – Via code coverage, success rate or some other metric
  – E.g. SAGE, bunny, EFS, Flayer
  – PRO: Awesome, super elite, finds bugs dumb fuzzers will never hit
  – CON: Slow, difficult to write, poor Windows support
• Fault Injection / deeply instrumented fuzzing
  – Inject bad data close to the code being attacked
  – PRO: vastly simplifies delivery
  – CON: need to then check reachability
• Corpus Distillation
  – Low effort, high reward technique
  – Need a way to measure coverage (tricky for kernel stuff)

Target Selection
n_bugs = p_bug * n_tests
• More broadly, n_bugs isn't interesting
• Are there USEFUL bugs in there?
• If there are, can we locate them
  – Bug Chaff
  – Post Fuzzing Toolchain

Target Selection
n_bugs = p_bug * n_tests
• Bug Utility is SUBJECTIVE
• Sell? Use? Fix? Disclose?
• Whatever our utility metric, can we REALISE VALUE
  – Will it provide USEFUL CAPABILITY?
  – Is it RELIABLY exploitable?
  – Will anyone buy it anyway?
  – Is it worth fixing?
  – Will it bring us fame and imply great sexual prowess?

Windows Kernel, Simplified
• Featuring "Barry the Kernel Otter"
• Some stuff is completely missing or wrong
• All of it is greatly simplified
• Real resources abound!
  – MSDN (new layout / navigation is awesome)
  – Anything by j00ru, Alex Ionescu, Tarjei Mandt
  – Anything by Russinovich / Solomon / Probert
  – "CRK" is an academic course, freely downloadable
  – "WRK" is a full windows kernel source tree, plus build tools
Layer diagram (top to bottom): Userland, kernel32, ntdll, "NT Executive", Dragons, Hardware
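The DIGS split (Delivery, Instrumentation and Generation kept separate, starting with a stupid generator) and the corpus distillation step from the slides above, as an added Ruby example; this is not code from Ben Nagy's deck. ToyTarget, its coverage labels, its single length-check crash and the five-sample CORPUS are constructed for the example; a real kernel setup is assumed to put an ioctl or GDI-call delivery and a debugger- or coverage-tool-backed instrumentation behind the same two interfaces.

```ruby
# Added example, not from the slides: Delivery / Instrumentation / Generation
# as separate Ruby objects, plus corpus distillation (greedy set cover) over
# the coverage the instrumentation reports. ToyTarget, its block labels, its
# one crash and CORPUS are constructed here; real kernel delivery and
# instrumentation are assumed to sit behind the same two interfaces.
require 'set'

# Constructed stand-in for a kernel parser: returns the "blocks" it executed
# (what a coverage tool would report) and raises on one malformed shape.
class ToyTarget
  Crash = Class.new(StandardError)
  def self.parse(bytes)
    cov = Set[:entry]
    return cov if bytes.empty?
    tag = bytes.getbyte(0)
    len = bytes.getbyte(1) || 0
    cov << :header
    case tag & 0xF0
    when 0x10 then cov << :tag_1
    when 0x20
      cov << :tag_2
      cov << :tag_2_long if len > 8
    else cov << :tag_other
    end
    body = bytes.byteslice(2, len) || ''
    cov << :body
    # Constructed bug: type-2 records trust their own length field.
    if (tag & 0xF0) == 0x20 && len > body.bytesize
      raise Crash, "len=#{len} but only #{body.bytesize} body bytes"
    end
    cov
  end
end

# Generation: the "stupid generator" to start with; pass a seeded Random.
DumbMutator = Struct.new(:rng) do
  def mutate(sample)
    buf = sample.dup
    return buf if buf.empty?
    idx = rng.rand(buf.bytesize)
    buf.setbyte(idx, buf.getbyte(idx) ^ (1 << rng.rand(8)))
    buf
  end
end

# Delivery: the only class that knows how a test case reaches the target.
class InProcessDelivery
  def deliver(testcase)
    ToyTarget.parse(testcase)
  end
end

# Instrumentation: observes one delivery and classifies the outcome.
Result = Struct.new(:status, :coverage, :error)
Instrumentation = Struct.new(:delivery) do
  def run(testcase)
    Result.new(:ok, delivery.deliver(testcase), nil)
  rescue ToyTarget::Crash => e
    Result.new(:crash, Set.new, e.message)
  end
end

# Constructed seed corpus; the last sample repeats the first sample's path.
CORPUS = ["\x10\x02ab".b, "\x20\x03abc".b, "\x20\x0A0123456789".b,
          "\x30\x01x".b, "\x10\x01q".b].freeze

# Pre-fuzzing toolchain: coverage per sample, keyed by corpus index.
def coverage_map(corpus)
  instr = Instrumentation.new(InProcessDelivery.new)
  corpus.each_with_index.to_h { |s, i| [i, instr.run(s).coverage] }
end

# Corpus distillation as greedy set cover: keep whichever sample adds the most
# not-yet-covered blocks, stop when nothing adds any.
def distill(coverage_by_sample)
  covered, chosen = Set.new, []
  remaining = coverage_by_sample.dup
  loop do
    best, best_cov = remaining.max_by { |_, cov| (cov - covered).size }
    break if best.nil? || (best_cov - covered).empty?
    chosen << best
    covered |= best_cov
    remaining.delete(best)
  end
  chosen
end

# The loop is the only place the three parts meet, so each can be swapped.
def fuzz(corpus, iterations:, seed: 1)
  gen = DumbMutator.new(Random.new(seed))
  instr = Instrumentation.new(InProcessDelivery.new)
  crashes = []
  iterations.times do |i|
    tc = gen.mutate(corpus[i % corpus.size])
    r = instr.run(tc)
    crashes << [tc, r.error] if r.status == :crash
  end
  crashes
end
```

distill picks the sample with the most new blocks each round, so the five constructed seeds collapse to three (the long type-2 record, one type-1 record, one unknown-tag record) with no loss of coverage. The fuzz loop only ever talks to the generator, delivery and instrumentation objects, which is what lets any one of them be retargeted on its own. The toy instrumentation drops coverage on a crash; a real one would keep what was collected before the fault.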

Description:
Windows Kernel Fuzzing for Beginners. [...] parsed directly by GDI as no further language- [...] Do lots of annoying maths with pels and twips. Actually [...]
