The mere existence of fuzzers is not breaking news, as they’ve been around for more than two decades. The big news is that fuzzers have grown up. They’ve become more capable, more accessible, and overall more mature.
This talk describes a new approach to coverage-guided grammar fuzzing of the Windows kernel, along with enhancements to the known approaches for fuzzing Windows applications.
Our research picks up where our last one (squeezing WinAFL to get 50 CVEs in 50 days from Adobe) ended, making our way from userspace to ring0.
We utilized a state-of-the-art Linux syscall fuzzer (Syzkaller) to hunt for bugs in the Windows kernel. We did this first by targeting the Windows Subsystem for Linux (WSL) and then by going straight to win32k, resulting in a handful of vulnerabilities.
We will share our experiences from the trenches of fuzzing Windows, triaging the bugs from the vulnerabilities, and being acknowledged in the MSRC Top 100 (All bounty payments are donated).
Netanel Ben-Simon has been a security researcher at Check Point Software Technologies LTD for over a year. Netanel specializes in Windows exploitation (userspace and kernel) and in developing fuzzers for bug hunting and bounties.
Yoav Alon is a security researcher with over 10 years of experience. He specializes in vulnerability research, exploitation and fuzzing on various platforms. Before joining Check Point, Yoav served for 5 years as an officer in an elite Israeli intelligence unit. When he is not breaking things for profit, Yoav loves playing CTF with his team 5BC.