I find and exploit 0day, develop OSes, hypervisors and emulators, design massively parallel data structures and code, and do precision machining! Optimization❤️
We did it, we used our exploit to snapshot a running Android device, and then brought it into QEMU where we can single step it, apply full symbols (since we build a binary identical to the release build), and of course... fuzz it in the future :)
Feeling down? iOS jailbreak you've been working on for a year got patched? Fuzzer not finding any bugs? Miss the 90s where everything crashed? Change your time format on Windows to 90 characters! Watch everything fall over as they get 90 character formats from Windows APIs!
You are invited to Fuzz Week 2020! The week where I demonstrate some of the basics of fuzzers, all the way to my thoughts about cutting edge fuzzing. We'll write some of our own basic fuzzers, learn how to use AFL, read some papers, rant a lot, and more! gamozolabs.github.io/2020/07…
Tell me fun hacking/RE/low-level beginner projects. Go! My suggestion: Write a Windows DLL injector (something that injects a DLL into a foreign process so that you can add your own sauce to it)
What's it like to be inside AFL? We wrote a tool to find out! Much much more to come, but it generates random programs which report real-time information over shared memory, then over websockets to a visualization! github.com/gamozolabs/cookie…
High-performance QEMU tracing of all PCs and memory accesses (read/write + addr + size + value read/written). Capable of doing about 2 x86 cycles/MIPS instruction with full tracing. Here's a cool demo video of watching all memory accesses in real-time! piped.video/watch?v=dYyjc2qq…
Definitely in my⚡Top3 best papers! My fuzzing conjecture 2020 has just been accepted @FSEconf (2xAccept, 1xAward Quality).
Turns out there is no sudden road block; more like a frontier that is exponentially harder to push.
📄: mboehme.github.io/paper/FSE2…
Collab w/ @gamozolabs!
Fuzz week day 1 is up on YouTube. All the others have uploaded and are pending processing by YouTube (probably ~12 hours). piped.video/watch?v=2xXt_q3F…
I'm excited to start a new Software Metrology team at Microsoft. Our focus is to develop and open source multiple tools for fuzzing, debugging, and reproducing bugs. I'm lucky to start off the team with a great group of people, providing for a great internal group and community!
Introducing the fzero fuzzer! A target-architecture-agnostic grammar-based fuzzer (inspired by F1). With no input size constraints, multi-thread support, and all Rust code for no corruption bugs. 5x faster than the world's fastest grammar-based fuzzer ;D github.com/gamozolabs/fzero_…
Regardless of it not aging well or not, who the fuck simps for a big company like this. Do they think they're gonna get a raise? I mean, maybe they just really love it that much, in which case I envy their passion because it probably means they're happy, which is cute I guess.
Pro-tip to all security researchers. Never do this. This is exactly the shit that causes a big rift between developers and security researchers. It's simply insulting to developers' time to drop such a useless list of bugs on them.
CITL just posted the ~7000 software defects/vulns they are making available to 3,243 Ubuntu-APT package maintainers.
Blog post with full list of the target software, package, and faults is here:
cyber-itl.org/2020/10/28/cit…
Today I am releasing one of my best Android fuzzers I've ever written. This single fuzzer successfully finds vulnerabilities on Android every time I have used it. Sadly it requires source, but here it is. Run it on your AOSP/kernel tree. `grep -rli Broadcom`
Pro-tip. Ever wonder what a structure _actually_ looks like in memory when it's full of unions, typedefs, etc? The `pahole` command (from the `dwarves` package) can take in an ELF with DWARF symbols and output the structures unrolled recursively. Example: gist.github.com/gamozolabs/0…
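As an added illustration of what that tip is getting at (this is not the author's gist, and it uses Python's `ctypes` rather than DWARF), the following script unrolls a constructed struct-with-nested-union into the per-member offsets, sizes and padding holes that `pahole` would print. `ctypes` lays fields out with the platform C ABI, so the offsets match what a C compiler would emit for the same definition:

```python
"""Show a struct's real memory layout (member offsets, sizes and padding
holes) with ctypes, which follows the platform C ABI for alignment.
Added example, not the author's gist; the types below are constructed."""
import ctypes


# Constructed example: a nested union inside a struct, the sort of
# definition that is hard to picture from the C source alone.
class Payload(ctypes.Union):
    _fields_ = [("as_u32", ctypes.c_uint32),
                ("as_u8", ctypes.c_uint8 * 3)]


class Packet(ctypes.Structure):
    _fields_ = [("flag", ctypes.c_uint8),    # 1 byte, then a 3-byte hole
                ("payload", Payload),        # 4 bytes, aligned to 4
                ("tag", ctypes.c_uint16),    # 2 bytes, then a hole up to the pointer
                ("ptr", ctypes.c_void_p),    # pointer-aligned (8 on LP64)
                ("tail", ctypes.c_uint8)]    # 1 byte, then trailing padding


def layout(struct_type, base=0, depth=0):
    """Recursively unroll a Structure/Union into (depth, name, abs_offset,
    size, type_name) rows, the way pahole lists members."""
    rows = []
    for name, ftype in struct_type._fields_:
        off = base + getattr(struct_type, name).offset
        rows.append((depth, name, off, ctypes.sizeof(ftype), ftype.__name__))
        if issubclass(ftype, (ctypes.Structure, ctypes.Union)):
            rows.extend(layout(ftype, off, depth + 1))
    return rows


def holes(struct_type):
    """Return (offset, size) of every padding hole in a Structure,
    including the trailing padding before sizeof()."""
    result, cursor = [], 0
    for name, ftype in struct_type._fields_:
        off = getattr(struct_type, name).offset
        if off > cursor:
            result.append((cursor, off - cursor))
        cursor = off + ctypes.sizeof(ftype)
    total = ctypes.sizeof(struct_type)
    if total > cursor:
        result.append((cursor, total - cursor))
    return result


def dump(struct_type):
    """Print a pahole-style listing of the unrolled layout."""
    print(f"struct {struct_type.__name__} {{  /* size {ctypes.sizeof(struct_type)} */")
    for depth, name, off, size, tname in layout(struct_type):
        print(f"{'  ' * (depth + 1)}{tname:<16} {name:<8} /* {off:>3} {size:>3} */")
    for off, size in holes(struct_type):
        print(f"  /* XXX {size} bytes hole at offset {off} */")
    print("}")


if __name__ == "__main__":
    dump(Packet)
```

The holes are where uninitialised stack or heap bytes leak through memcpy-style copies, which is why knowing the unrolled layout matters beyond just reversing.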
Operation The Floor is Lava is finally complete. Not a single thing touching the floor except for my table legs. 100 GbE in, switches in, everything can be vacuumed. It’s beautiful.
64 full 2 GiB Windows 10 VMs fuzzing Word, 4.39 million unique coverage entries in seconds (full system coverage), 3.35 GiB memory use. No problem! Things are finally falling into place, and scaling is exactly as desired. So much memory/input sharing between cores :3
I made a Cheat Engine-style memory scanner for /proc/mem a while back. I’ve released it! github.com/gamozolabs/mempee… Mainly just useful when attaching a debugger is too noisy.
The results are in. About 5 billion fuzz cases, a few 10-hour streams, and we found 6 unique bugs in OpenBSD ctags. All with an absolutely garbage fuzzer. Some were pretty tricky (uninit stack use, global overflows), but vecemu was able to detect em! gist.github.com/gamozolabs/a…
Need binary code coverage on Windows without access to source or an ability to recompile code? Try out mesos! A simple, debugger-based code coverage and crash monitoring harness. This is what I use when not fuzzing things in emulators and hypervisors.
github.com/gamozolabs/mesos
I wrote a super simple ELF loader that converts ELFs (core, exec, shared, object, doesn't matter) into flat in-memory representations with things like BSS zero padded out. It's what I used to run MIPS Rust on NT 4.0 github.com/gamozolabs/elfloa… . Super useful for shellcode.
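The core of such a loader, as an added example that is not the author's elfloader: walk the program headers, find the lowest and highest `PT_LOAD` address, allocate that span, copy each segment's file bytes to its virtual address and leave everything else (BSS, gaps between segments) zero. The sample ELF64 is constructed by hand inside the script, with a text segment and a data segment whose `memsz` exceeds its `filesz`; relocatable objects (`ET_REL`, no program headers) are assumed out of scope here:

```python
"""Flatten the PT_LOAD segments of an ELF into one contiguous image with
BSS zero padded. Added example, not the author's elfloader; the sample
ELF below is constructed by hand."""
import struct

PT_LOAD = 1
# ELF header formats share field order, so phoff/phentsize/phnum sit at
# the same tuple indices (5, 9, 10) for both classes.
EHDR_FMT = {2: "16sHHIQQQIHHHHHH", 1: "16sHHIIIIIHHHHHH"}


def parse_phdrs(data):
    """Yield (vaddr, offset, filesz, memsz) for each PT_LOAD program header,
    handling ELF32/ELF64 and both byte orders from e_ident."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    end = "<" if ei_data == 1 else ">"
    if ei_class not in EHDR_FMT:
        raise ValueError("unknown ELF class")
    hdr = struct.unpack_from(end + EHDR_FMT[ei_class], data, 0)
    phoff, phentsize, phnum = hdr[5], hdr[9], hdr[10]
    for i in range(phnum):
        at = phoff + i * phentsize
        if ei_class == 2:   # type, flags, offset, vaddr, paddr, filesz, memsz, align
            p_type, _, off, vaddr, _, filesz, memsz, _ = struct.unpack_from(end + "IIQQQQQQ", data, at)
        else:               # type, offset, vaddr, paddr, filesz, memsz, flags, align
            p_type, off, vaddr, _, filesz, memsz, _, _ = struct.unpack_from(end + "IIIIIIII", data, at)
        if p_type == PT_LOAD:
            yield vaddr, off, filesz, memsz


def flatten_elf(data):
    """Return (base_vaddr, image): image covers [min vaddr, max vaddr+memsz)
    of all PT_LOAD segments, file bytes copied in, every other byte zero."""
    segs = list(parse_phdrs(data))
    if not segs:
        raise ValueError("no PT_LOAD segments (relocatable object?)")
    base = min(v for v, _, _, _ in segs)
    top = max(v + m for v, _, _, m in segs)
    image = bytearray(top - base)
    for vaddr, off, filesz, memsz in segs:
        if filesz > memsz or off + filesz > len(data):
            raise ValueError("malformed program header")
        image[vaddr - base:vaddr - base + filesz] = data[off:off + filesz]
    return base, bytes(image)


TEXT = b"\xde\xad\xbe\xef\x0b\xad\xf0\x0d"   # constructed "code" bytes
DATA = b"\x01\x02\x03\x04"                   # constructed initialised data


def build_sample_elf64():
    """Constructed little-endian ELF64 with two PT_LOADs: 8 bytes of text at
    0x400000 and 4 bytes of data at 0x400010 followed by a 16-byte BSS."""
    ehsize, phentsize, phnum = 64, 56, 2
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr = struct.pack("<" + EHDR_FMT[2], ident, 2, 62, 1, 0x400000,
                       ehsize, 0, 0, ehsize, phentsize, phnum, 0, 0, 0)
    text_off = ehsize + phentsize * phnum
    data_off = text_off + len(TEXT)
    ph_text = struct.pack("<IIQQQQQQ", PT_LOAD, 5, text_off, 0x400000,
                          0x400000, len(TEXT), len(TEXT), 0x1000)
    ph_data = struct.pack("<IIQQQQQQ", PT_LOAD, 6, data_off, 0x400010,
                          0x400010, len(DATA), len(DATA) + 16, 0x1000)
    return ehdr + ph_text + ph_data + TEXT + DATA


if __name__ == "__main__":
    base, image = flatten_elf(build_sample_elf64())
    print(hex(base), len(image), image.hex())
```

The `filesz > memsz` and bounds checks are the ones a loader actually needs: both fields come straight from the file, and an oversized `filesz` is the classic way a crafted ELF walks a naive loader off the end of its buffer.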
I added symbol support to my /proc/<pid>/mem IDA loader. Load up a running process into your system without having to attach a debugger, and get full symbols for all files in it (well, with DWARF symbols that is). Works great for WINE processes! github.com/gamozolabs/proc_m…
We did it, we can now reset a VM 1 million times per second on a single core (E3-1240 v6 @ 4.1 GHz turbo). Assuming the VM has no dirty pages, but this is the "overhead" of a VM exit + register reset. Anything after this is just paying the memcpy cost to reset dirty mem...
Rust bootloader pushed up to GitHub! It's a small (20 KiB) PXE bootloader written in Rust, that can boot a relocated 64-bit PE for a kernel. Code is up github.com/gamozolabs/orange… . Next stream we will start work on the kernel. For those who missed the stream: piped.video/watch?v=okSUAlx_…
Here's a talk I gave a few years back at @EmpireHacking on 10 different binary code coverage mechanisms (specifically for use from hypervisor level) piped.video/watch?v=4nz-7ktd… . So many unique ways to gather coverage, all with their own tradeoffs!
Ever wondered what speculative execution looks like cycle-by-cycle? I just added cycle-level uarch introspection to my CPU research kernel. Here's a graph showing speculative loads occurring (that never retire as they are after a faulting instruction).
Giving my first conference talk ever at @reconmtl this year, so excited! What happens when you focus all your effort into making fuzzing faster? Can a bad fuzzer produce good results when running 1 trillion fuzz cases a week? Intro to the concept: gamozolabs.github.io/fuzzing…
Ever wanted to load an entire Linux process into IDA without having to attach/debug it? Well, fear no more, use my quality idapython script to load a file from `/proc/pid/mem` and `/proc/pid/maps` only! gist.github.com/gamozolabs/b…
Just landed in Vegas to this tweet. This is unreal! Thanks so much, y'all are amazing, what an incredible community! ❤ Can't wait to share more research soon!
Hmm, it seems people really want some low-level OS/kernel dev educational content. Got a few requests for it in the past few days. I definitely am not a traditional OS kind of person, but I think I still could make some cool content on the topic!~
Yer a wizard Harry! Watch as I travel through time on a whole system with WinDbg! Fully deterministic, time-travelling, and mutable environment (you can change state when travelling in time and observe the results). Might make triaging bugs a joke. piped.video/watch?v=mB9LIztj…
New blog! Some random thoughts on fuzzing and benchmarking of them. Technically, this was a comment to a GitHub thread but it definitely warranted a blog! gamozolabs.github.io/2020/08…
This is what I mean when I say working with MSRC is degrading. They want everything: write up, stack traces, PoC, exploit source, analysis, life advice, approval on anything you will ever publish. In return they will patch your bug whenever they feel like it and not tell you
As someone who wants to stay fully technical and continue doing research forever, being heavily signaled that going into management is the only way to go up and be rewarded is a great way for me to stop caring.
Yesterday we found and exploited a bug on an old Android 2.3.5 phone. We used this bug to get arbitrary code running in the kernel, which trivially turns into root. We also dumped the kernel and built a bit-identical kernel to the official signed kernel. piped.video/watch?v=g62FXds2…
I wrote a really simple RISC-V (rv32i) JIT for x86_64 designed for gathering some stats for my upcoming Bluehat IL talk. It runs at about ~1 RISC-V instruction per 2 x86 cycles, and can create and run hello world ~8.6 million times per second on 96 cores! github.com/gamozolabs/rv32i_…
applepie: A hypervisor for Bochs. This will be a rapidly evolving project that currently is just a hypervisor but shortly will be an instrumentation and fuzzing framework. I've got like 8 Word 0-day from falkervisor I'll refind with this and blog about :D github.com/gamozolabs/applep…
Introducing Orange Slice. A new research kernel and hypervisor, with the end goal of getting a hardware-virtualization accelerated fully-deterministic emulator. I'll be starting development live on YouTube on Wednesday to kick things off. Read more github.com/gamozolabs/orange…
In about an hour I'm going to stream fuzzing calc.exe for bugs on Twitch. How do you fuzz calc.exe? No idea, let's listen to some music, ask me questions, and just have some fun! twitch.tv/gamozo
Are you scared of ptrace()? Come write a high-performance debugger for Linux which is designed for low-overhead debugging of many-threaded and multi-process applications twitch.tv/gamozo
Over the past 2 days we wrote a hypervisor capable of running a user-land application, took a snapshot of WinRAR while it was executing on Windows, and transplanted it into a VM. We then proceeded to fuzz it 40k times per second with coverage! Native speed binary coverage+fuzzing!
So. I've been thinking for a while to make a high-performance structure-aware memory analyzer. Think like, cheat engine, but it would be aware of common structures (eg, MSVC vectors, maps, glibc vectors, maps) and give you a structured view of memory rather than flat map.
Don't forget to catch my talk on MapleStory cheats at SSTIC on Friday! It's the first time I've edited and animated a video, it turned out amazing. It'll also be up on YouTube for archival shortly after. You're gonna love it. piped.video/watch?v=o9O3PjKg…
Tonight we do it big, we're gonna get an entire Windows instance running in Chocolate Milk so we can fuzz a full system, including apps, syscalls and drivers. Streamin in like ~60 min twitch.tv/gamozo
I made a lot of new playlists for my YouTube videos, hopefully it helps find the content you need! piped.video/user/gamozolabs/… Don't forget to lycan subscribe.
Windows DHCP Server RCE found by the team I'm on, got patched today! Such a great group of people to work with 😊 Smash that update button! portal.msrc.microsoft.com/en…
All current VoDs from the printer hacking are up piped.video/playlist?list=PL… ! All the fun from picking a printer, desoldering and dumping flash, reversing the decompression, implanting with a backdoor, and shipping up Rust shellcode which forms a GDB stub! All in 5 easy days!
I wrote exploits for effectively every CPU bug which has come out, and spent a lot of time focusing on improving data rates and introspection with them. I got data rates well above the academic ones. gamozolabs.github.io/metrolo…
Looking to learn how hypervisors are written with Intel VT-x? I'm going to stream adding a hypervisor to Orange Slice using VT-x... all from scratch, so you'll see all the nitty-gritty details! Tune in on Tuesday at 1700 PST, piped.video/watch?v=WabeOICA…
Let's talk a bit about fuzzer benchmarking. I'll start off with some data directly from fuzzbench, of `aflfast` fuzzing `libjpeg-turbo`. Here's what the 20 runs of `aflfast` look like. fuzzbench.com/reports/2020-0…
I love new server day. 24x 1.92TiB PCIe 4 NVMe drives! In theory, this should saturate 100gbit with random 4K access! (6000 MB/s read, 4000 MB/s write, 1000k read, 180k write, per drive). Hopefully software doesn’t let me down!
Gonna start a new series on my Twitch (twitch.tv/gamozo) called "Paper Review". Tonight (undetermined stream time) we're gonna look through the "Building Fast Fuzzers" paper, which is the "world's fastest grammar fuzzer" arxiv.org/pdf/1911.07707.pdf
People kinda always ask to just see my fuzzing process. Let's pick a target and write a fuzzer for it (probably some random project we find on GitHub). I'll show how I set up a debug environment, how I harness, how I start/make a fuzzer, etc. twitch.tv/gamozo
Heap disclosure in Windows libc for effectively forever. Reachable from some scripting languages too by using a similar code pattern: gist.github.com/gamozolabs/b…
Nice, ran 1.3 trillion fuzz cases against an x509 parser overnight. I love vectorized emulation. Really cool target actually! No coverage increases from about 5 seconds into fuzzing, but there were new bugs (human-verified unique) hours into the run!
In last night's stream we were root causing a type confusion bug in calc.exe. Somebody in chat asked what I meant when I said "pointer offset". I went on a short little rant about memory layout, type confusion bugs, and why they are exploitable! piped.video/watch?v=jmgGPbfV…
So I've been working on a pretty complex mutator in Rust which is designed for fast deserialization and serialization of structured data. And it's hot. Over 2 GiB/sec of deserializing a `Vec<Box<u8>>`! About 1.5 cycles per allocation while deserializing!
I've started the "So you're writing a fuzzing paper" blog. What do you want answered? The focus of the blog will be primarily going through how I judge and benchmark fuzzers/harnesses.
If you missed it, we implemented a system-level VT-x hypervisor capable of fuzzing Windows minidumps at millions of fuzz cases per second on a quad core! Since then, it now supports anything that runs in QEMU! piped.video/watch?v=oQiktfC3…
Tonight we're going to look at an Android Bluetooth chipset (ARM) to test out Ghidra, with emphasis on exploring the options/features and menus of Ghidra. I want to shellcode in a debugger to the chipset so I can GDB it. Stream scheduled here: piped.video/watch?v=UXEfmTE-…