Improving Fuzzing Speed with userfaultfd
09 Dec 2022About the same time I wrote up my previous post about snapshot fuzzing, I was thinking about other ways to restore program state for fuzzing, ideally in userland for ease of use.
About the same time I wrote up my previous post about snapshot fuzzing, I was thinking about other ways to restore program state for fuzzing, ideally in userland for ease of use.
A few weeks ago, I found and reported CVE-2022-25636 - a heap out of bounds write in the Linux kernel. The bug is exploitable to achieve kernel code execution (via ROP), giving full local privilege escalation, container escape, whatever you want.
Right as the pandemic was starting in March/April 2020, I spent a couple of weekends writing a Loadable Kernel Module (LKM) for Linux, designed to add a syscall which could be used by a fuzzer to quickly restore program state instead of using a conventional fork/exec loop. This was originally suggested on the AFL++ Ideas page, and it nicely intersected a bunch of stuff I’m familiar with so I wanted to take a crack at it.
When exploiting a program, there’s four primary regions of memory that matter to us:
A recent post to the OSS Security mailing list brought up a potential DoS fixed in Linux about a year ago. This got a decent amount of attention on Twitter, and so I decided to see if I could create a proof-of-concept for this relatively simple bug.
In the fall of 2017, hyper and I co-created and co-taught a new class at NYU Tandon: Introduction to Offensive Security. We wanted to create a course that taught the basics of what’s needed in, well, offensive security (playing CTFs, doing pentests, etc.). It was very well received that semester, and is now being re-taught for the third time by Prof. Brendan Dolan-Gavitt who supervised Josh and I when we taught the course for the first time.
Since I interned at M.I.T Lincoln Lab in the summer of 2016, I’ve been working on an extension project of the work I did there. While it’s still not finished, it’s a pretty big chunk of work that deserves to be on this website somewhere :)
This semester, hyper and I have been working on developing the basis for our own Cyber Reasoning System (CRS). The slides from our presentation at the OSIRIS Lab’s end of year meetup are here.