Tamas K Lengyel and Bálint Varga-Perke

Case Studies of Fuzzing with Xen


Kernel Fuzzer for Xen (KF/x), the Xen-based snapshot fuzzer has been open-source for over a year now and it has resulted in finding bugs in a variety of Linux kernel modules. As the name of the tool implies,it was intended to target hard-to-reach parts of the OS and allow deterministic fuzzing by running the target code in lightweight VM forks.

In this presentation we will demonstrate the versatility of the fuzzer using two targets from the opposite sides of the spectrum. Our first target will be a low-level component, not supported by Xen. Our second target, a user application runs perfectly virtualized, but is stubborn when approached with dynamic methods. 


Tamas works as Senior Security Researcher at Intel. He received his PhD in Computer Science from the University of Connecticut where he built hypervisor-based malware-analysis and collection tools. In his free time he is maintainer of the Xen Project Hypervisor's VMI subsystem, LibVMI & the DRAKVUF binary analysis project. Tamas gave prior talks at conferences such as BlackHat, CCC, DEFCON & Hacktivity.

Bálint Varga-Perke is a founder of Silent Signal where he serves as an IT security expert. Since 2010 he's been performing penetration tests in over a dozen countries for major companies from sectors including finance, healthcare and government. His research focuses on reverse engineering and finding vulnerabilities in widely used software, with a compulsive focus on security products.