No source? No problem! · 1 day ago · High Speed Binary Fuzzing - HexHive - 36C3 9 Static...
Transcript of No source? No problem! · 1 day ago · High Speed Binary Fuzzing - HexHive - 36C3 9 Static...
![Page 1: No source? No problem! · 1 day ago · High Speed Binary Fuzzing - HexHive - 36C3 9 Static rewriting challenges Simply adding code breaks the target mov [rax + rbx*8], rdi dec rbx](https://reader034.fdocuments.in/reader034/viewer/2022051805/5ff6b321b8ff9216404b5ba7/html5/thumbnails/1.jpg)
No source? No problem!High speed binary fuzzing
Nspace & @gannimo
![Page 2: No source? No problem! · 1 day ago · High Speed Binary Fuzzing - HexHive - 36C3 9 Static rewriting challenges Simply adding code breaks the target mov [rax + rbx*8], rdi dec rbx](https://reader034.fdocuments.in/reader034/viewer/2022051805/5ff6b321b8ff9216404b5ba7/html5/thumbnails/2.jpg)
2High Speed Binary Fuzzing - HexHive - 36C3
About this talk
● Fuzzing binaries is hard!◦ Few tools, complex setup
● Fuzzing binaries in the kernel is even harder!
● New approach based on static rewriting
![Page 3: No source? No problem! · 1 day ago · High Speed Binary Fuzzing - HexHive - 36C3 9 Static rewriting challenges Simply adding code breaks the target mov [rax + rbx*8], rdi dec rbx](https://reader034.fdocuments.in/reader034/viewer/2022051805/5ff6b321b8ff9216404b5ba7/html5/thumbnails/3.jpg)
3High Speed Binary Fuzzing - HexHive - 36C3
+ ≈ 100M LoC KernelLibcDesktop
![Page 4: No source? No problem! · 1 day ago · High Speed Binary Fuzzing - HexHive - 36C3 9 Static rewriting challenges Simply adding code breaks the target mov [rax + rbx*8], rdi dec rbx](https://reader034.fdocuments.in/reader034/viewer/2022051805/5ff6b321b8ff9216404b5ba7/html5/thumbnails/4.jpg)
4High Speed Binary Fuzzing - HexHive - 36C3
Fuzzing 101
Input generation
OK
Bug!
Target
![Page 5: No source? No problem! · 1 day ago · High Speed Binary Fuzzing - HexHive - 36C3 9 Static rewriting challenges Simply adding code breaks the target mov [rax + rbx*8], rdi dec rbx](https://reader034.fdocuments.in/reader034/viewer/2022051805/5ff6b321b8ff9216404b5ba7/html5/thumbnails/5.jpg)
5High Speed Binary Fuzzing - HexHive - 36C3
Effective fuzzing 101
● Test cases must trigger bugs◦ Coverage-guided fuzzing
● The fuzzer must detect bugs◦ Sanitization
● Speed is key (zero sum game)!
![Page 6: No source? No problem! · 1 day ago · High Speed Binary Fuzzing - HexHive - 36C3 9 Static rewriting challenges Simply adding code breaks the target mov [rax + rbx*8], rdi dec rbx](https://reader034.fdocuments.in/reader034/viewer/2022051805/5ff6b321b8ff9216404b5ba7/html5/thumbnails/6.jpg)
6High Speed Binary Fuzzing - HexHive - 36C3
Fuzzing with source code
Source code Compiler Instrumented binary
Coverage tracking, sanitization, ...
● Add instrumentation at compile time● Short snippets of code for coverage tracking, sanitization, ...
![Page 7: No source? No problem! · 1 day ago · High Speed Binary Fuzzing - HexHive - 36C3 9 Static rewriting challenges Simply adding code breaks the target mov [rax + rbx*8], rdi dec rbx](https://reader034.fdocuments.in/reader034/viewer/2022051805/5ff6b321b8ff9216404b5ba7/html5/thumbnails/7.jpg)
7High Speed Binary Fuzzing - HexHive - 36C3
Application Application
Libraries
Kernel Drivers
Source
No source
![Page 8: No source? No problem! · 1 day ago · High Speed Binary Fuzzing - HexHive - 36C3 9 Static rewriting challenges Simply adding code breaks the target mov [rax + rbx*8], rdi dec rbx](https://reader034.fdocuments.in/reader034/viewer/2022051805/5ff6b321b8ff9216404b5ba7/html5/thumbnails/8.jpg)
8High Speed Binary Fuzzing - HexHive - 36C3
Rewriting binaries
● Approach 0: black box fuzzing● Approach 1: rewrite dynamically
◦ Translate target at runtime◦ Terrible performance (10-100x slower)
● Approach 2: rewrite statically◦ More complex analysis◦ ...but much better performance!
![Page 9: No source? No problem! · 1 day ago · High Speed Binary Fuzzing - HexHive - 36C3 9 Static rewriting challenges Simply adding code breaks the target mov [rax + rbx*8], rdi dec rbx](https://reader034.fdocuments.in/reader034/viewer/2022051805/5ff6b321b8ff9216404b5ba7/html5/thumbnails/9.jpg)
9High Speed Binary Fuzzing - HexHive - 36C3
Static rewriting challenges
● Simply adding code breaks the target
mov [rax + rbx*8], rdidec rbxjnz -7
mov [rax + rbx*8], rdi<new code>dec rbxjnz -7
● Need to find all references and adjust them
![Page 10: No source? No problem! · 1 day ago · High Speed Binary Fuzzing - HexHive - 36C3 9 Static rewriting challenges Simply adding code breaks the target mov [rax + rbx*8], rdi dec rbx](https://reader034.fdocuments.in/reader034/viewer/2022051805/5ff6b321b8ff9216404b5ba7/html5/thumbnails/10.jpg)
10High Speed Binary Fuzzing - HexHive - 36C3
Static rewriting challenges
● Scalars and references are indistinguishable◦ Getting it wrong breaks the target
long (*foo)(long) = &bar;
mov [rbp-0x8], 0x400aae
long foo = 0x400aae; ?
![Page 11: No source? No problem! · 1 day ago · High Speed Binary Fuzzing - HexHive - 36C3 9 Static rewriting challenges Simply adding code breaks the target mov [rax + rbx*8], rdi dec rbx](https://reader034.fdocuments.in/reader034/viewer/2022051805/5ff6b321b8ff9216404b5ba7/html5/thumbnails/11.jpg)
11High Speed Binary Fuzzing - HexHive - 36C3
Coverage-guided fuzzing
Sanitization
Instrumenting binaries in the kernel
Instrumenting binaries
![Page 12: No source? No problem! · 1 day ago · High Speed Binary Fuzzing - HexHive - 36C3 9 Static rewriting challenges Simply adding code breaks the target mov [rax + rbx*8], rdi dec rbx](https://reader034.fdocuments.in/reader034/viewer/2022051805/5ff6b321b8ff9216404b5ba7/html5/thumbnails/12.jpg)
12High Speed Binary Fuzzing - HexHive - 36C3
Coverage-guided fuzzing
Sanitization
Instrumenting binaries in the kernel
Instrumenting binaries
![Page 13: No source? No problem! · 1 day ago · High Speed Binary Fuzzing - HexHive - 36C3 9 Static rewriting challenges Simply adding code breaks the target mov [rax + rbx*8], rdi dec rbx](https://reader034.fdocuments.in/reader034/viewer/2022051805/5ff6b321b8ff9216404b5ba7/html5/thumbnails/13.jpg)
13High Speed Binary Fuzzing - HexHive - 36C3
RetroWrite [Oakland ‘20]
● System for static binary instrumentation
● Symbolized assembly files easy to instrument
● Implements coverage tracking and binary ASan
![Page 14: No source? No problem! · 1 day ago · High Speed Binary Fuzzing - HexHive - 36C3 9 Static rewriting challenges Simply adding code breaks the target mov [rax + rbx*8], rdi dec rbx](https://reader034.fdocuments.in/reader034/viewer/2022051805/5ff6b321b8ff9216404b5ba7/html5/thumbnails/14.jpg)
14High Speed Binary Fuzzing - HexHive - 36C3
Position-independent code
● Code that can be loaded at any address
● Required for: ASLR, shared libraries
● Cannot use hardcoded static addresses◦ Must use relative addressing instead
![Page 15: No source? No problem! · 1 day ago · High Speed Binary Fuzzing - HexHive - 36C3 9 Static rewriting challenges Simply adding code breaks the target mov [rax + rbx*8], rdi dec rbx](https://reader034.fdocuments.in/reader034/viewer/2022051805/5ff6b321b8ff9216404b5ba7/html5/thumbnails/15.jpg)
15High Speed Binary Fuzzing - HexHive - 36C3
Position-independent code
● On x86_64, PIC leverages RIP-relative addressing◦ lea rax, [rip + 0x1234]
● Distinguish references from constants in PIE binaries◦ RIP-relative = reference, everything else = constant
![Page 16: No source? No problem! · 1 day ago · High Speed Binary Fuzzing - HexHive - 36C3 9 Static rewriting challenges Simply adding code breaks the target mov [rax + rbx*8], rdi dec rbx](https://reader034.fdocuments.in/reader034/viewer/2022051805/5ff6b321b8ff9216404b5ba7/html5/thumbnails/16.jpg)
16High Speed Binary Fuzzing - HexHive - 36C3
Symbolization
● Symbolization replaces references with assembler labels
lea rax, [rip + 0x1234]call 0x1337dec rcxjnz -15
![Page 17: No source? No problem! · 1 day ago · High Speed Binary Fuzzing - HexHive - 36C3 9 Static rewriting challenges Simply adding code breaks the target mov [rax + rbx*8], rdi dec rbx](https://reader034.fdocuments.in/reader034/viewer/2022051805/5ff6b321b8ff9216404b5ba7/html5/thumbnails/17.jpg)
17High Speed Binary Fuzzing - HexHive - 36C3
Symbolization
● Symbolization replaces references with assembler labels
1) Relative jumps/calls
loop1:lea rax, [rip + 0x1234]call func1dec rcxjnz loop1
![Page 18: No source? No problem! · 1 day ago · High Speed Binary Fuzzing - HexHive - 36C3 9 Static rewriting challenges Simply adding code breaks the target mov [rax + rbx*8], rdi dec rbx](https://reader034.fdocuments.in/reader034/viewer/2022051805/5ff6b321b8ff9216404b5ba7/html5/thumbnails/18.jpg)
18High Speed Binary Fuzzing - HexHive - 36C3
Symbolization
● Symbolization replaces references with assembler labels
1) Relative jumps/calls2) PC-relative addresses
loop1:lea rax, [data1]call func1dec rcxjnz loop1
![Page 19: No source? No problem! · 1 day ago · High Speed Binary Fuzzing - HexHive - 36C3 9 Static rewriting challenges Simply adding code breaks the target mov [rax + rbx*8], rdi dec rbx](https://reader034.fdocuments.in/reader034/viewer/2022051805/5ff6b321b8ff9216404b5ba7/html5/thumbnails/19.jpg)
19High Speed Binary Fuzzing - HexHive - 36C3
Symbolization
● Symbolization replaces references with assembler labels
1) Relative jumps/calls2) PC-relative addresses3) Data relocations
loop1:lea rax, [data1]call func1dec rcxjnz loop1
![Page 20: No source? No problem! · 1 day ago · High Speed Binary Fuzzing - HexHive - 36C3 9 Static rewriting challenges Simply adding code breaks the target mov [rax + rbx*8], rdi dec rbx](https://reader034.fdocuments.in/reader034/viewer/2022051805/5ff6b321b8ff9216404b5ba7/html5/thumbnails/20.jpg)
20High Speed Binary Fuzzing - HexHive - 36C3
Symbolization
● Symbolization replaces references with assembler labels
1) Relative jumps/calls2) PC-relative addresses3) Data relocations
loop1:lea rax, [data1]<new code>call func1dec rcxjnz loop1
![Page 21: No source? No problem! · 1 day ago · High Speed Binary Fuzzing - HexHive - 36C3 9 Static rewriting challenges Simply adding code breaks the target mov [rax + rbx*8], rdi dec rbx](https://reader034.fdocuments.in/reader034/viewer/2022051805/5ff6b321b8ff9216404b5ba7/html5/thumbnails/21.jpg)
21High Speed Binary Fuzzing - HexHive - 36C3
Coverage-guided fuzzing
Sanitization
Instrumenting binaries in the kernel
Instrumenting binaries
![Page 22: No source? No problem! · 1 day ago · High Speed Binary Fuzzing - HexHive - 36C3 9 Static rewriting challenges Simply adding code breaks the target mov [rax + rbx*8], rdi dec rbx](https://reader034.fdocuments.in/reader034/viewer/2022051805/5ff6b321b8ff9216404b5ba7/html5/thumbnails/22.jpg)
22High Speed Binary Fuzzing - HexHive - 36C3
Coverage-guided fuzzing
input[0] == ‘P’
input[1] == ‘N’
input[2] == ‘G’
do_something() fail()
● Record test coverage (e.g. with instrumentation)
● Inputs that trigger new paths are “interesting”
● Mutate interesting inputs to discover new paths
![Page 23: No source? No problem! · 1 day ago · High Speed Binary Fuzzing - HexHive - 36C3 9 Static rewriting challenges Simply adding code breaks the target mov [rax + rbx*8], rdi dec rbx](https://reader034.fdocuments.in/reader034/viewer/2022051805/5ff6b321b8ff9216404b5ba7/html5/thumbnails/23.jpg)
23High Speed Binary Fuzzing - HexHive - 36C3
Coverage-guided fuzzing
https://lcamtuf.blogspot.com/2014/11/pulling-jpegs-out-of-thin-air.html
![Page 24: No source? No problem! · 1 day ago · High Speed Binary Fuzzing - HexHive - 36C3 9 Static rewriting challenges Simply adding code breaks the target mov [rax + rbx*8], rdi dec rbx](https://reader034.fdocuments.in/reader034/viewer/2022051805/5ff6b321b8ff9216404b5ba7/html5/thumbnails/24.jpg)
24High Speed Binary Fuzzing - HexHive - 36C3
Coverage-guided fuzzing
Sanitization
Instrumenting binaries in the kernel
Instrumenting binaries
![Page 25: No source? No problem! · 1 day ago · High Speed Binary Fuzzing - HexHive - 36C3 9 Static rewriting challenges Simply adding code breaks the target mov [rax + rbx*8], rdi dec rbx](https://reader034.fdocuments.in/reader034/viewer/2022051805/5ff6b321b8ff9216404b5ba7/html5/thumbnails/25.jpg)
25High Speed Binary Fuzzing - HexHive - 36C3
Address Sanitizer (ASan)
● Instrumentation catches memory corruption at runtime◦ Arguably most dangerous class of bugs
● Very popular sanitizer◦ Thousands of bugs in Chrome and Linux
● About 2x slowdown
![Page 26: No source? No problem! · 1 day ago · High Speed Binary Fuzzing - HexHive - 36C3 9 Static rewriting challenges Simply adding code breaks the target mov [rax + rbx*8], rdi dec rbx](https://reader034.fdocuments.in/reader034/viewer/2022051805/5ff6b321b8ff9216404b5ba7/html5/thumbnails/26.jpg)
26High Speed Binary Fuzzing - HexHive - 36C3
ASan red zones
char buf[4];buf
Red zone
Red zonestrcpy(buf, “AAAAA”);
![Page 27: No source? No problem! · 1 day ago · High Speed Binary Fuzzing - HexHive - 36C3 9 Static rewriting challenges Simply adding code breaks the target mov [rax + rbx*8], rdi dec rbx](https://reader034.fdocuments.in/reader034/viewer/2022051805/5ff6b321b8ff9216404b5ba7/html5/thumbnails/27.jpg)
27High Speed Binary Fuzzing - HexHive - 36C3
Coverage-guided fuzzing
Sanitization
Instrumenting binaries in the kernel
Instrumenting binaries
![Page 28: No source? No problem! · 1 day ago · High Speed Binary Fuzzing - HexHive - 36C3 9 Static rewriting challenges Simply adding code breaks the target mov [rax + rbx*8], rdi dec rbx](https://reader034.fdocuments.in/reader034/viewer/2022051805/5ff6b321b8ff9216404b5ba7/html5/thumbnails/28.jpg)
28High Speed Binary Fuzzing - HexHive - 36C3
RetroWrite instrumentation
● Coverage tracking: instrument basic block starts
● Binary ASan: instrument all memory accesses, link with libASan
![Page 29: No source? No problem! · 1 day ago · High Speed Binary Fuzzing - HexHive - 36C3 9 Static rewriting challenges Simply adding code breaks the target mov [rax + rbx*8], rdi dec rbx](https://reader034.fdocuments.in/reader034/viewer/2022051805/5ff6b321b8ff9216404b5ba7/html5/thumbnails/29.jpg)
29High Speed Binary Fuzzing - HexHive - 36C3
Kernel vs. userspace fuzzing
Crash handling Tooling Determinism
UserspaceOS handles
crashes gracefully
Easy to use and widely available
Single-threaded code usually deterministic
KernelNeed VM to keep
the system stable
More complex setup, fewer
tools
Interrupts, many concurrent
threads
![Page 30: No source? No problem! · 1 day ago · High Speed Binary Fuzzing - HexHive - 36C3 9 Static rewriting challenges Simply adding code breaks the target mov [rax + rbx*8], rdi dec rbx](https://reader034.fdocuments.in/reader034/viewer/2022051805/5ff6b321b8ff9216404b5ba7/html5/thumbnails/30.jpg)
30High Speed Binary Fuzzing - HexHive - 36C3
Kernel binary fuzzing● Approach 0: black box fuzzing● Approach 1: dynamic translation
◦ Slow! (10x +)◦ No sanitization like ASan
● Approach 2: Intel Processor Trace (or similar)◦ Requires hardware support◦ Still no sanitization
● Approach 3: static rewriting
![Page 31: No source? No problem! · 1 day ago · High Speed Binary Fuzzing - HexHive - 36C3 9 Static rewriting challenges Simply adding code breaks the target mov [rax + rbx*8], rdi dec rbx](https://reader034.fdocuments.in/reader034/viewer/2022051805/5ff6b321b8ff9216404b5ba7/html5/thumbnails/31.jpg)
31High Speed Binary Fuzzing - HexHive - 36C3
kRetroWrite
● Apply RetroWrite to the kernel
● Implemented so far: support for Linux modules
● Demonstrates that RetroWrite applies to the kernel
![Page 32: No source? No problem! · 1 day ago · High Speed Binary Fuzzing - HexHive - 36C3 9 Static rewriting challenges Simply adding code breaks the target mov [rax + rbx*8], rdi dec rbx](https://reader034.fdocuments.in/reader034/viewer/2022051805/5ff6b321b8ff9216404b5ba7/html5/thumbnails/32.jpg)
32High Speed Binary Fuzzing - HexHive - 36C3
kRetroWrite
● Kernel modules are always position-independent
● Linux modules are ELF files◦ Reuse RetroWrite’s symbolizer
● Implemented code coverage and binary ASan
![Page 33: No source? No problem! · 1 day ago · High Speed Binary Fuzzing - HexHive - 36C3 9 Static rewriting challenges Simply adding code breaks the target mov [rax + rbx*8], rdi dec rbx](https://reader034.fdocuments.in/reader034/viewer/2022051805/5ff6b321b8ff9216404b5ba7/html5/thumbnails/33.jpg)
33High Speed Binary Fuzzing - HexHive - 36C3
kRetroWrite coverage
● Idea: use kCov infrastructure◦ Can interoperate with source-based kCov
● Call coverage collector at the start of each basic block
● Integrates with, e.g., syzkaller, or debugfs
![Page 34: No source? No problem! · 1 day ago · High Speed Binary Fuzzing - HexHive - 36C3 9 Static rewriting challenges Simply adding code breaks the target mov [rax + rbx*8], rdi dec rbx](https://reader034.fdocuments.in/reader034/viewer/2022051805/5ff6b321b8ff9216404b5ba7/html5/thumbnails/34.jpg)
34High Speed Binary Fuzzing - HexHive - 36C3
kRetroWrite coverage
cmp rbx, 1234jz block1
mov [rax], rbx mov [rax], 1234
![Page 35: No source? No problem! · 1 day ago · High Speed Binary Fuzzing - HexHive - 36C3 9 Static rewriting challenges Simply adding code breaks the target mov [rax + rbx*8], rdi dec rbx](https://reader034.fdocuments.in/reader034/viewer/2022051805/5ff6b321b8ff9216404b5ba7/html5/thumbnails/35.jpg)
35High Speed Binary Fuzzing - HexHive - 36C3
kRetroWrite coverage
call trace_pccmp rbx, 1234jz block1
call trace_pcmov [rax], rbx
call trace_pcmov [rax], 1234
![Page 36: No source? No problem! · 1 day ago · High Speed Binary Fuzzing - HexHive - 36C3 9 Static rewriting challenges Simply adding code breaks the target mov [rax + rbx*8], rdi dec rbx](https://reader034.fdocuments.in/reader034/viewer/2022051805/5ff6b321b8ff9216404b5ba7/html5/thumbnails/36.jpg)
36High Speed Binary Fuzzing - HexHive - 36C3
kRetroWrite binary ASan
● In userspace: link with libASan
● In kernel: build kernel with KASan (kernel ASan)
● Reuse modified userspace instrumentation pass
![Page 37: No source? No problem! · 1 day ago · High Speed Binary Fuzzing - HexHive - 36C3 9 Static rewriting challenges Simply adding code breaks the target mov [rax + rbx*8], rdi dec rbx](https://reader034.fdocuments.in/reader034/viewer/2022051805/5ff6b321b8ff9216404b5ba7/html5/thumbnails/37.jpg)
37High Speed Binary Fuzzing - HexHive - 36C3
kRetroWrite binary ASan
● Instrument each memory access with a check
● Failed checks print a bug report
● Compatible with source-based kASan
![Page 38: No source? No problem! · 1 day ago · High Speed Binary Fuzzing - HexHive - 36C3 9 Static rewriting challenges Simply adding code breaks the target mov [rax + rbx*8], rdi dec rbx](https://reader034.fdocuments.in/reader034/viewer/2022051805/5ff6b321b8ff9216404b5ba7/html5/thumbnails/38.jpg)
38High Speed Binary Fuzzing - HexHive - 36C3
Fuzzing with kRetroWrite
● Rewritten modules can be loaded and fuzzed with standard kernel fuzzers
● So far: tested with syzkaller
![Page 39: No source? No problem! · 1 day ago · High Speed Binary Fuzzing - HexHive - 36C3 9 Static rewriting challenges Simply adding code breaks the target mov [rax + rbx*8], rdi dec rbx](https://reader034.fdocuments.in/reader034/viewer/2022051805/5ff6b321b8ff9216404b5ba7/html5/thumbnails/39.jpg)
39High Speed Binary Fuzzing - HexHive - 36C3
Coverage-guided fuzzing
Sanitization
Instrumenting binaries in the kernel
Instrumenting binaries
![Page 40: No source? No problem! · 1 day ago · High Speed Binary Fuzzing - HexHive - 36C3 9 Static rewriting challenges Simply adding code breaks the target mov [rax + rbx*8], rdi dec rbx](https://reader034.fdocuments.in/reader034/viewer/2022051805/5ff6b321b8ff9216404b5ba7/html5/thumbnails/40.jpg)
40High Speed Binary Fuzzing - HexHive - 36C3
Our experiments● Userspace: SPEC2006 runtime performance
◦ RetroWrite ASan◦ Source ASan ◦ Valgrind memcheck
● Kernel: fuzz filesystems/drivers with syzkaller◦ Source KASan + kCov◦ kRetroWrite KASan + kCov
![Page 41: No source? No problem! · 1 day ago · High Speed Binary Fuzzing - HexHive - 36C3 9 Static rewriting challenges Simply adding code breaks the target mov [rax + rbx*8], rdi dec rbx](https://reader034.fdocuments.in/reader034/viewer/2022051805/5ff6b321b8ff9216404b5ba7/html5/thumbnails/41.jpg)
41High Speed Binary Fuzzing - HexHive - 36C3
Results - Userspace
![Page 42: No source? No problem! · 1 day ago · High Speed Binary Fuzzing - HexHive - 36C3 9 Static rewriting challenges Simply adding code breaks the target mov [rax + rbx*8], rdi dec rbx](https://reader034.fdocuments.in/reader034/viewer/2022051805/5ff6b321b8ff9216404b5ba7/html5/thumbnails/42.jpg)
42High Speed Binary Fuzzing - HexHive - 36C3
Preliminary results - kernel
Exec/s - BTRFS
Source
kRetroWrite
![Page 43: No source? No problem! · 1 day ago · High Speed Binary Fuzzing - HexHive - 36C3 9 Static rewriting challenges Simply adding code breaks the target mov [rax + rbx*8], rdi dec rbx](https://reader034.fdocuments.in/reader034/viewer/2022051805/5ff6b321b8ff9216404b5ba7/html5/thumbnails/43.jpg)
Demo
![Page 44: No source? No problem! · 1 day ago · High Speed Binary Fuzzing - HexHive - 36C3 9 Static rewriting challenges Simply adding code breaks the target mov [rax + rbx*8], rdi dec rbx](https://reader034.fdocuments.in/reader034/viewer/2022051805/5ff6b321b8ff9216404b5ba7/html5/thumbnails/44.jpg)
44High Speed Binary Fuzzing - HexHive - 36C3
Let’s test kRetroWrite on a filesystem
![Page 45: No source? No problem! · 1 day ago · High Speed Binary Fuzzing - HexHive - 36C3 9 Static rewriting challenges Simply adding code breaks the target mov [rax + rbx*8], rdi dec rbx](https://reader034.fdocuments.in/reader034/viewer/2022051805/5ff6b321b8ff9216404b5ba7/html5/thumbnails/45.jpg)
45High Speed Binary Fuzzing - HexHive - 36C3
Coverage-guided fuzzing
Sanitization
Instrumenting binaries in the kernel
Instrumenting binaries
![Page 46: No source? No problem! · 1 day ago · High Speed Binary Fuzzing - HexHive - 36C3 9 Static rewriting challenges Simply adding code breaks the target mov [rax + rbx*8], rdi dec rbx](https://reader034.fdocuments.in/reader034/viewer/2022051805/5ff6b321b8ff9216404b5ba7/html5/thumbnails/46.jpg)
46High Speed Binary Fuzzing - HexHive - 36C3
Conclusions● Instrument real-world binaries for fuzzing
◦ Coverage tracking for fast fuzzing◦ Memory checking to detect bugs
● Static rewriting at zero instrumentation cost◦ Limited to position independent code◦ Symbolize without heuristics
● More? https://github.com/HexHive/retrowrite ◦ User-space now, kernel in ~2-3 weeks