Program

/

CODE BLUE 2024

Time Table

1-Click-Fuzz:Systematically Fuzzing the Windows Kernel Driver with Symbolic Execution.

DAY 2

13:00-13:40

As the dominant platform for desktops ranging from individual users to industrial applications, Windows OS relies heavily on robust driver operations. Our presentation introduces MS-Fuzzer, a sophisticated tool that leverages Symbolic Execution and Kernel Fuzzing to systematically uncover vulnerabilities in Windows Drivers.

Windows Drivers commonly interact with the user through IOCTL (Input Output Control) codes, each with specific constraints like InBufferLength and OutBufferLength. Analyzing multiple IOCTL codes is a meticulous task due to their sheer number and complexity. We utilize Angr-based Symbolic Execution to automate the analysis of each IOCTL code’s constraints. This automation significantly reduces manual effort and enhances code coverage during fuzzing processes.

Additionally, built-in drivers require custom fuzzing harnesses. We will discuss efficient strategies to produce these harnesses, highlighting their role in identifying vulnerabilities. During our one-month analysis, several drivers, such as ‘usbprint’, were found to contain vulnerabilities. We will present a case study detailing the methods used to discover these vulnerabilities.

Over a span of 100 days, our efforts led to the discovery of 100 vulnerabilities. We cataloged 21 CVEs and 10 KVEs (Korean CVEs) involving key vendors like Microsoft, AMD, Siemens, MSI, Mitsubish and antivirus companies including Sophos. Selected cases of significant interest to the security research community will be showcased.

In support of ongoing security research, we commit to releasing all utilized tools, proof-of-concept examples for major vulnerabilities (subject to NDA terms), and sample code for fuzzing harnesses as open-source resources available at https://github.com/0dayResearchLab/msFuzz.

This session aims to illuminate the operational principles of Windows Kernel Drivers and provide a comprehensive guide for the security research community in discovering vulnerabilities in Windows drivers.

  • Location :

    • Track 2(HALL A)

  • Category :

    • U25

  • Share :

Speakers

  • サンジュン・パク の写真

    Sangjun Park

    サンジュン・パク

    Master Student, KAIST
    Sangjun Park is a Master’s student at KAIST, specializing in cybersecurity and software engineering. His research focuses on analyzing programs and assessing their security through automated methods. He received his B.S. in Computer Science and Engineering from Soongsil University in 2024. He is currently a member of the KAIST Software Security Lab.

  • ユンジン・パク の写真

    Yunjin Park

    ユンジン・パク

    Yunjin Park is a B.S. student majoring in Information Security at Seoul Women's University in South Korea. She has participated as a Technical Writer in a variety of corporate penetration testing projects and R&D initiatives.
    and she was also recognized as a Best 10 participant in the “Best of the Best” next-generation security leader development program hosted by the KITRI and Korean government. and has served as both Project Manager and Consultant for the 'Windows Driver 0-day Research' project in BoB.
    Recently, she has developed a renewed passion for corporate security, particularly in Red Teaming.

  • ジョンソン・キム の写真

    Jongseong Kim

    ジョンソン・キム

    Ajou University, ENKI WhiteHat security researcher
    Jongseong Kim is currently a student at Ajou University and works as a security researcher at ENKI WhiteHat.
    He has a deep interest in Windows Offensive Security, with his current focus on researching Windows Kernel and Hyper-V.