Prospecting For Rootite: More Code Coverage, More Bugs, Less Wasted Effort (presented at Ruxcon 2010)

by Ben Nagy (COSEINC)

Tags: Rootkits


Summary: Everyone wants better code coverage for their fuzzers. Work in the field has ranged from the extremely theoretical to the downright impossible. Recently, Microsoft and Charlie Miller both released research on using run-tracing to select a set of templates such that maximum code coverage is achieved. Trouble is, Microsoft has the advantage of source code access, and Charlie is using Valgrind.

The bad news for people fuzzing Windows files is that there have been no viable options for closed source targets. Well, now there are. We're releasing some scripts to mine search engines for templates, a scriptable run-tracer that doesn't suck, and the post-processing backend to select the minimal template set. We'll also drop some interesting fuzzing metrics based on our internal use of Prospector and probably an 0day or two.
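The template-selection step the abstract describes (take per-template run traces, keep the smallest set of templates that still covers every block hit) is a set-cover problem, and the usual way to solve it at fuzzing scale is a greedy approximation. The following is an added illustration, not Prospector's code or its trace format: it assumes a constructed trace listing of `<template> <module>+<offset>` lines, parses it into per-template block sets, and greedily picks the template that adds the most uncovered blocks until nothing is left. Templates never picked are redundant with respect to coverage and can be dropped from the corpus.

```python
"""Greedy minimal template-set selection from per-template code-coverage traces.

Added example. The trace format below is an assumption made for this
illustration (one line per basic block a template exercised), not the
output of any particular run-tracer.
"""
from collections import defaultdict

# Constructed sample trace: which basic blocks each template file caused
# the target to execute. Real traces would be far larger.
SAMPLE_TRACE = """\
# template      block
a.doc kernel32+0x1000
a.doc app+0x2000
a.doc app+0x2010
b.doc app+0x2000
b.doc app+0x3000
c.doc app+0x2010
c.doc app+0x3000
c.doc app+0x4000
d.doc app+0x2000
"""


def parse_trace(text):
    """Return {template_name: set_of_blocks} from the assumed trace format."""
    coverage = defaultdict(set)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<template> <block>', got {line!r}")
        template, block = parts
        coverage[template].add(block)
    return dict(coverage)


def select_min_templates(coverage):
    """Greedy set cover.

    Repeatedly choose the template contributing the most not-yet-covered
    blocks. Returns [(template, new_blocks_added), ...] in selection order.
    Greedy is an approximation (within a log factor of optimal), which is
    what makes it practical for thousands of templates.
    """
    remaining = set().union(*coverage.values()) if coverage else set()
    chosen = []
    while remaining:
        best, gain = None, 0
        for name in sorted(coverage):  # sorted gives deterministic tie-breaking
            g = len(coverage[name] & remaining)
            if g > gain:
                best, gain = name, g
        if best is None:  # cannot happen while remaining is non-empty, but be safe
            break
        chosen.append((best, gain))
        remaining -= coverage[best]
    return chosen


def redundant_templates(coverage):
    """Templates whose blocks are already covered by the greedy selection."""
    kept = {name for name, _ in select_min_templates(coverage)}
    return sorted(set(coverage) - kept)


def total_blocks(coverage):
    """Number of distinct blocks reached across all templates."""
    return len(set().union(*coverage.values())) if coverage else 0


if __name__ == "__main__":
    cov = parse_trace(SAMPLE_TRACE)
    print("distinct blocks:", total_blocks(cov))
    for name, gain in select_min_templates(cov):
        print(f"keep {name}: +{gain} new blocks")
    print("drop:", redundant_templates(cov))
```

On the constructed trace, `a.doc` and `c.doc` together reach all five distinct blocks, so `b.doc` and `d.doc` add nothing and are dropped. The same loop applies unchanged when the "blocks" are edges or call sites instead of basic blocks; only the trace parser changes.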

Ben Nagy: Ben Nagy is a senior security researcher with COSEINC and has recently moved from Kuala Lumpur to hack with a view of the mountains in Kathmandu. For over a year he has been exploring ways to improve fuzzing scalability, especially against complex, closed source targets like Windows and Office. Previously working on liver destruction with eEye in Geneva and Bangkok, Ben has written whitepapers on a number of subjects and presented at conferences in Europe, Asia and Australia. Ben is probably that guy over there drinking beer and talking about Ruby.