Offensivecon 2019

Hi,

Last week I had the pleasure to attend Offensivecon 2019 in Berlin. The conference was organized very well, and I liked the familial atmosphere which allowed to meet lots of different people. Thanks to the organizers, speakers and everyone else involved for this conference! Andreas posted a one tweet tldr of the first day; fuzzing is still the way to go to find bugs, and mitigations make exploitation harder. Here are some short summaries of the talks I enjoyed.

Modern Source Fuzzing by Ned Williamson

This talk was an extension of Ned’s talk at 35C3. He explained how he fuzzed the Chrome IPC sandbox to discover the vulnerability he and Niklas used for their Hack2Win sandbox escape. Niklas presented the exploitation steps required in another talk and published his Slides.

Ned started with some insights on how coverage guided fuzzers work. As his work is based on libfuzzer that was the main focus. Libfuzzer performs in-process fuzzing and coverage information as feedback for the mutations. Libfuzzer provides a byte stream as input, along with the size of it. However, the Chrome IPC sandbox API requires structured data. Ned’s approach was to use the byte stream provided by libfuzzer and split it to accommodate his needs. He used the first byte to choose which API he was fuzzing, the rest of the byte stream was divided as needed, e.g., the next four bytes for a 32-bit integer. This approach allowed him fast prototyping while he manually analyzed the API, and always extended his harness as he learned more about the API.

Once this stream-based approach achieves good coverage and works, Ned recommended transforming the prototype into a proper structure-aware fuzzer using google protobuf. This approach allowed him to properly model the structure with protobuf; the libprotobuf-mutator takes care of the mutation. An example of how to integrate it with libfuzzer and fuzz the chrome IPC sandbox is provided as an example in google’s structure-aware fuzzing manual. This process is also described in greater detail in the mentioned 35C3 talk.

Coverage-Guided USB Fuzzing with Syzkaller by Andrey Konovalov

In this talk (slides), Andrey presented the newly added USB fuzzing capabilities of the kernel fuzzer syzkaller. He first provided an overview of Syzkaller, which is a coverage-guided grammar-based syscall fuzzer that supports multiple operating systems like Linux, different BSD variants and Fuchsia. The syscalls are modeled in a simple grammar; it allows you to specify producers, e.g., for file descriptors and consumers, like read. For each crash discovered by Syzkaller, it creates a proof of concept C snippet that can be used to replay the crash. Lots of effort went into automation of creating and restarting the virtual machines under test.

Adding USB support was not straight forward due to the way how USB works. Syzkaller usually fuzzes syscalls from user space and tests code in kernel space. However, in case of USB, the kernel itself initiates the communication with the device, it tries to enumerate which driver should handle the device. There are also some existing projects that implement USB fuzzing with this architecture in mind, facedancer by Travis Goodspeed (if you are interested in fuzzing USB hosts with facedancer check out Kate Temkin‘s Troopers 19 training) and vUSBf which runs the Kernel under Qemu. Both approaches are not feasible for syzkaller as facedancer requires custom hardware and vUSB requires Qemu as the hypervisor. To fuzz USB something like the loopback interface, but for USB would be needed. Andrey used GadgetFS to communicate with the kernel from userspace. With this setup, he was able to fuzz USB device using syzkaller and found several bugs in the Linux kernel. As replaying the crashes requires the patched version of GadgetFS he also presented how a RasberryPi Zero can be used as a USB stick and reproduce the crashes in hardware. He demonstrated a crash in Linux with this approach, furthermore as he had a large corpus of fuzz input he demonstrated a crash on Windows using his USB inputs created on the Linux kernel. 

 

Not all slides are published yet, here are some more I was able to get from twitter:

• IPC You Outside the Sandbox: One bug to Rule the Chrome Broker by Niklas Baumstark
• OSX XPC Revisited – 3rd Party Application Flaws by Tyler Bohan
• Attacking Edge Through the JavaScript Just-In-Time compiler by Bruno Keith
• Coverage-Guided USB Fuzzing with Syzkaller by Andrey Konovalov
• macOS: How to Gain Root with CVE-2018-4193 in < 10s by Eloi Benoist-Vanderbeken (Exploit)
• FuzzIL: Guided Fuzzing for JavaScript Engines by Samuel Groß (Master Thesis)

Best, Till