
Fuzzing [Code Blue 2024] 1-Click-Fuzz: Systematically Fuzzing the Windows Kernel Driver with Symbolic Execution

weaver


slides:
https://github.com/0dayResearchLab/msFuzz/blob/master/CODEBLUE2024.pdf

As the dominant platform for desktops ranging from individual users to industrial applications, Windows OS relies heavily on robust driver operations. Our presentation introduces MS-Fuzzer, a sophisticated tool that leverages Symbolic Execution and Kernel Fuzzing to systematically uncover vulnerabilities in Windows Drivers.

Windows Drivers commonly interact with the user through IOCTL (Input Output Control) codes, each with specific constraints like InBufferLength and OutBufferLength. Analyzing multiple IOCTL codes is a meticulous task due to their sheer number and complexity. We utilize Angr-based Symbolic Execution to automate the analysis of each IOCTL code’s constraints. This automation significantly reduces manual effort and enhances code coverage during fuzzing processes.
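To make the "constraints per IOCTL code" idea concrete, here is an added Python model (not code from msFuzz or from the talk) of how a driver's device-control dispatch ties an IOCTL code to bounds on InBufferLength and OutBufferLength. The CTL_CODE field layout is the one documented in the Windows DDK; the driver, its two IOCTL codes and the length bounds are constructed assumptions standing in for what symbolic execution would recover from a real dispatch routine.

```python
"""Model of how a Windows driver's IOCTL dispatch constrains buffer lengths.

Added illustration; not code from msFuzz or the talk. The driver, its IOCTL
codes and the length constraints below are constructed (assumptions).
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Field values from the CTL_CODE macro documented in the Windows DDK.
METHOD_BUFFERED, METHOD_IN_DIRECT, METHOD_OUT_DIRECT, METHOD_NEITHER = 0, 1, 2, 3
FILE_ANY_ACCESS, FILE_READ_ACCESS, FILE_WRITE_ACCESS = 0, 1, 2
FILE_DEVICE_UNKNOWN = 0x22


def ctl_code(device_type: int, function: int, method: int, access: int) -> int:
    """CTL_CODE(DeviceType, Function, Method, Access) as laid out in the DDK."""
    return (device_type << 16) | (access << 14) | (function << 2) | method


def decode_ioctl(code: int) -> Dict[str, int]:
    """Split an IOCTL code back into its four fields."""
    return {
        "device_type": (code >> 16) & 0xFFFF,
        "access": (code >> 14) & 0x3,
        "function": (code >> 2) & 0xFFF,
        "method": code & 0x3,
    }


@dataclass(frozen=True)
class LengthConstraint:
    """Bounds a handler enforces on InputBufferLength / OutputBufferLength."""
    in_min: int
    in_max: int
    out_min: int
    out_max: int

    def satisfied(self, in_len: int, out_len: int) -> bool:
        return (self.in_min <= in_len <= self.in_max
                and self.out_min <= out_len <= self.out_max)


# Constructed constraint table for a hypothetical driver (assumption).
IOCTL_SET_CONFIG = ctl_code(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS)
IOCTL_GET_STATUS = ctl_code(FILE_DEVICE_UNKNOWN, 0x801, METHOD_BUFFERED, FILE_ANY_ACCESS)
CONSTRAINTS: Dict[int, LengthConstraint] = {
    IOCTL_SET_CONFIG: LengthConstraint(in_min=16, in_max=16, out_min=0, out_max=0),
    IOCTL_GET_STATUS: LengthConstraint(in_min=0, in_max=0, out_min=64, out_max=4096),
}


def dispatch(code: int, in_len: int, out_len: int) -> str:
    """Model of DispatchDeviceControl: validate lengths before touching buffers."""
    if code not in CONSTRAINTS:
        return "STATUS_INVALID_DEVICE_REQUEST"
    c = CONSTRAINTS[code]
    if in_len < c.in_min or out_len < c.out_min:
        return "STATUS_BUFFER_TOO_SMALL"
    if in_len > c.in_max or out_len > c.out_max:
        return "STATUS_INVALID_PARAMETER"
    return "STATUS_SUCCESS"  # the handler body would run only here


def reaching_lengths(code: int, max_len: int) -> List[Tuple[int, int]]:
    """All (in_len, out_len) pairs up to max_len that pass the length checks.

    Without the constraint table every pair would have to be tried; with it,
    only these pairs exercise the handler body, which is the coverage gain the
    abstract attributes to recovering the constraints automatically.
    """
    c = CONSTRAINTS[code]
    return [(i, o) for i in range(max_len + 1)
            for o in range(max_len + 1) if c.satisfied(i, o)]


if __name__ == "__main__":
    print(hex(IOCTL_SET_CONFIG), decode_ioctl(IOCTL_SET_CONFIG))
    print(dispatch(IOCTL_SET_CONFIG, 8, 0), dispatch(IOCTL_SET_CONFIG, 16, 0))
    pairs = reaching_lengths(IOCTL_SET_CONFIG, 64)
    print(f"{len(pairs)} of {65 * 65} length pairs reach the handler")
```

The `reaching_lengths` count is the practical point: for `IOCTL_SET_CONFIG` exactly one of the 4225 length pairs under 64 bytes gets past the checks, so inputs generated without knowing the constraint are almost entirely rejected at the dispatch boundary and never reach the code that matters.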

Additionally, built-in drivers require custom fuzzing harnesses. We will discuss efficient strategies to produce these harnesses, highlighting their role in identifying vulnerabilities. During our one-month analysis, several drivers, such as ‘usbprint’, were found to contain vulnerabilities. We will present a case study detailing the methods used to discover these vulnerabilities.

Over a span of 100 days, our efforts led to the discovery of 100 vulnerabilities. We cataloged 21 CVEs and 10 KVEs (Korean CVEs) involving key vendors like Microsoft, AMD, Siemens, MSI, Mitsubishi and antivirus companies including Sophos. Selected cases of significant interest to the security research community will be showcased.

In support of ongoing security research, we commit to releasing all utilized tools, proof-of-concept examples for major vulnerabilities (subject to NDA terms), and sample code for fuzzing harnesses as open-source resources available at https://github.com/0dayResearchLab/msFuzz.

This session aims to illuminate the operational principles of Windows Kernel Drivers and provide a comprehensive guide for the security research community in discovering vulnerabilities in Windows drivers.