50 Shades of Fuzzing

50 Shades Of Fuzzing Peter Hlavaty (@zer0mem) Marco Grassi (@marcograss)

Who Are You? • Peter Hlavaty • Senior security Researcher
• Lead of Windows Kernel security Research • Marco Grassi • Senior Security Researcher @ Tencent KEEN Security Lab • Main focus: Vulnerability Research, OS X/iOS, Android, Sandboxes

Agenda • The Team • VMWare Overview • VMWare Workstation/Fusion
Fuzzing • Win32k Overview • Win32k Fuzzing • Conclusions • Questions

The Team • Previously known as KeenTeam • All researchers
moved to Tencent because of business requirement • New name: TencentKEEN Security Lab • We won the title of “Master Of Pwn” 2016 and actively participating at pwn2own from 2013 to this year. • Keep an eye on our blog! (English: http://keenlab.tencent.com/en/ Chinese: http://keenlab.tencent.com/zh/ )

This Talk in one Slide

VMWare Workstation / Fusion

VMWare Workstation / Fusion • Most likely everyone is sort
of familiar with VMWare here… • One of the first companies (if not the first) to successfully virtualize x86 (which is not formally virtualizable – see Popek & Goldberg) • Nowadays with VT-X support virtualization is faster and easier • It’s a product that allows you to run unmodified operationg systems as guests. • Their software runs at different privilege levels, they have kernel components and some host usermode processes. • Our talk will focus mainly on how VMWare virtualizes the GPU in a guest, since they offer advanced functions such as 3d acceleration.

Why VMWare research? • VMWare workstation/fusion is a very widespread
software, so it’s an attractive target for attackers • Maybe sometimes a virtual machine is used, and even if you gain code execution, or even kernel code execution inside the virtual machine, you are still trapped in there. • By leveraring a bug in some component of VMWare you can potentially escape the virtual machine and gain code execution in the host system!

VMWare – important resources/prev research • GPU Virtualization on VMware’s
Hosted I/O Architecture - Micah Dowty, Jeremy Sugerman – VMWare (this is the paper you absolutely want to read before approaching this area) • CLOUDBURST A VMware Guest to Host Escape Story - Kostya Kortchinsky – Black Hat USA 2009

VMWare GPU • Despite there is a good support at
CPU level for virtualization today with Intel/AMD in hardware support, for GPU and in general other hardware virtualization, the status quo is not as good as CPU virt • Vmware wanted to offer high performance GPU / 3d to the guests, so they had to deploy their own solution to defeat also host driver fragmentation, introducing several abstraction layers (and lot of code)

VMWare GPU Virtual Device • The VMWare virtualized GPU will
show up in your guest as a PCI device called “Vmware SVGA 3D” • Has several Memory ranges that maps to interesting stuff (more on the next slide) • They implement a 2D Framebuffer (not very interesting, just the pixel shown on your screen) • And a GPU Command queue (!)

• Here you can see the different purposes of the
memory areas. • We are mainly interested in the FIFO Memory • Think of it like a FIFO processed asynchronously and concurrently outside of your system, by the VMWare GPU subsystem • Implements a lot of commands for 3D and other functionalities

High level description of the FIFO • The FIFO when
used for 3D commands, expect a custom protocol (SVGA3D) • 1. Write commands into the queue • 2. optionally insert a fence if the guest wants to be notified of progress with a virtual interrupt • 3. At some point your commands will be processed asynchronously • The SVGA3D protocol takes ideas and simplify the Direct3D APIs

Where is the VMWare GPU code? • The core functionality
of the GPU is implemented in the vmware- vmx.exe • We should expect fault in this process (or in any .dll inside here) • So we turn on PageHeap in Gflags for fault monitoring and WinDbg autostart on fault • Maybe a fault will traverse the virtualization layer and appears in Host graphics also J

Code path

VMWare SVGA3D • Very rich of functionalities, like shaders, textures
etc, lot of attack surface! • But… HOW DO WE FUZZ THIS? • Let’s explore some alternatives..

Fuzzing alternatives: From Guest usermode • Extremely inconvenient for several
reasons: • Too many layers of software that doesn’t interest us and perform validation • Performance reasons • The GPU resource is contended and manipulated by the running Guest system. It would be very difficult to reproduce eventual crashes. • Heavy, we want to scale & run lot of Guests

Fuzzing alternatives: From Guest kernelmode • This alternative is more
appealing because: • In general we have more control • Less resource contention if we don’t use any UI • We can skip pretty much any validation layer • But still we are running together with a kernel, so we are not the only code running on the system and lot of stuff is going on. • Heavy, we want to scale & run lot of Guests

The right Fuzzing option: Baremetal Guest! • If we run
our code as a guest, without any operating system we have: • Performance boost of course! • Complete control! • No validation steps! • Exclusive access to the hardware! • Extremely light, few MB of ram only, we can run a huge number of guests!

What to fuzz? • We picked shaders because they are
complex, and they undergo several layers of translations in several points. 1. Collect valid shaders 2. Put together code to load and render with shaders correctly on bare metal code 3. Mutate shader, load, render, see if it crash. 4. GOTO 3 • You can fuzz also raw commands, but the semantics is not trivial and require reversing.

Bare metal GPU Fuzzer DEMO

BUG DEMO J

Soon a couple of CVEs in VMWare Fusion, waiting for
the fix to be deployed (ETA q3) disclosed several months ago (slow)

Microsoft w32k sub-system Fuzzing all around your window, and beyond!

w32k – Data Parsing #TTF • TrueType Font • Popular
at sophisticated - stuxnet, duqu, .. • https://cansecwest.com/slides/2013/Analysis%20of%20a%20Windows%20Ke rnel%20Vuln.pdf • Abused at p2o 2015 – KEEN • http://www.slideshare.net/PeterHlavaty/windows-kernel-exploitation-this- time-font-hunt-you-down-in-4-bytes • A year of Windows kernel font fuzzing – j00ru • http://googleprojectzero.blogspot.nl/2016/06/a-year-of-windows-kernel-font- fuzzing-1_27.html

w32k – syscalls #DC DC bitmap Brush Pen Pallete Font
…

w32k – syscalls #DC #collisions DC #UAF, however nils was
already here..

w32k – syscalls #DC #collisions DC *nice* #UAF, however ..once
again, nils .. :)

w32k – syscalls #DC #collisions (nils) PoC overview :

w32k – syscalls #DC #collisions (nils) PoC overview : …
pretty much all to one…

w32k – syscalls #DC • Various components are interconnected •
Binding to DC • GetStockObject, SelectObject

w32k – syscalls #Window Show Set WND Msg ClipB Class
SetWindowText

w32k – syscalls #DC #Window • Interconnections #2 • GetWindowDC,
BeginPaint, Caret • Binding back to DC

w32k – syscalls #Window #Menu • Menu • PopUps •
Window connected { • DrawMenuBarTemp • HilitieMenuItem • TrackPopUpMenu* • CalcMenuBar • … } • Binded with window

w32k – syscalls #Window #Menu More on our w32k-syscalls results
and another part of w32k at ruxcon : https://ruxcon.org.au/speakers/#Peter Hlavaty & Jin Long f.e. :

w32k – DirectX • Ilja Van sprundel • https://www.blackhat.com/us-14/briefings.html#windows-kernel-graphics- driver-attack-surface
• Nikita Tarakanov – zeronights • http://2015.zeronights.org/assets/files/11-Tarakanov.pdf • p2o 2016 – KEEN • http://community.hpe.com/t5/Security-Research/Pwn2Own-2016-Day-two- crowning-the-Master-of-Pwn/ba-p/6842863#.V4d1NMpOKDt

w32k – Data Parsing #DirectX • Code shipped by intel,
nvidia • Balast of code responsible for various data parsing! • Extended arm of { D3DKMTSubmitCommand D3DKMTEscape D3DKMTRender D3DKMTPresent }

w32k – sycalls #2 #DirectX w32k dxg Adapter Alloc Context
Overlay Mutex Sync Paging Device o Universal windows code o Independent on graphic vendors o More strict attack vector than data parsing

Fuzzing

w32k – Fuzzing #templates • syzkaller • Qilin

w32k – Fuzzing #templates • Nt* syscalls mostly undocumented •
Various API however nicely documented! • goog : “ MSDN %target% functions “ • Once you know whats going on at API, easier to RE arg at syscalls

w32k – Fuzzing #syscalls • Just tip of the IceBerg!
• #1 api is just small part • #2 what we cover is just small subset! • Take a look at win32k subsystem syscall table • x win32k*!Nt* • http://j00ru.vexillium.org/win32k_syscalls/ • Around #xyz syscalls !!

w32k – Hardening • Notably Nils, Terjei, j00ru, Tencent, 360
and others • Securing code base • TTF stripping from kernel • moving attack surface of out kernel • w32k separation win32k{base, full} • Step by step to re-design • w32k lockdown • Strenghten sandboxes • gdi leaking locked • Fixing OLD & obvious security issues

w32k – 50 shades [ Qilin ]

w32k – 50 shades [ DEMO ] • ~50 core
test

OSX/iOS Graphics fuzzing • Unfortunately there is not much time
left to discuss this, but we can reccomend some of our presentations on the topic that you can check out: • CanSecWest 16: Don't Trust Your Eye: Apple Graphics Is Compromised! – Liang Chen – Marco Grassi – Qidan He • Recon 2016: Shooting the OS X El Capitan Kernel Like a Sniper – Liang Chen – Qidan He • Black Hat USA 2016: SUBVERTING APPLE GRAPHICS: PRACTICAL APPROACHES TO REMOTELY GAINING ROOT - Liang Chen - Qidan He - Marco Grassi - Yubin Fu (TO BE PRESENTED) • In pwn2own 2016 we used 2 different bugs to compromise twice OS X!

OSX/iOS Graphics fuzzing

Conclusions • Graphics it’s a huge attack surface still reachable
from interesting sandboxes (like some browser sandboxes) • Many researchers are looking into this area, there are a lot of bugs in this kind of code but security is becoming better. • Fuzzing the graphic stack requires different approaches and principles compared to fuzzing core components. • In graphics data and state fuzzing are both important attack vectors.

Credits • Wushi • Liang Chen • Daniel King •
All our teammates!

Questions?

50 Shades of Fuzzing

50 Shades of Fuzzing

More Decks by Marco Grassi

Other Decks in Research

Featured

Transcript