Two New Tools and Techniques to Find, Fight 0-Days
At SafeBreach, we try to take a system-wide view of cybersecurity. For this reason, we have recently refocused our research away from finding one-off exploits and vulnerabilities and towards taking a holistic view of Zero Days. By making this shift, we were able to conceptualize and create new tools that we believe will be useful in helping other researchers and companies more efficiently find 0-Days.
One of those tools is an entirely new piece of software designed to fuzz the Hyper-V hypervisor family of software. Developed by Peleg Hadar and Ophir Harpaz of Guardicore, the tool is named hAFL1 and is based on the kAFL fuzzing infrastructure. hAFL1 is the first open-source fuzzing tool for Hyper-V. This is important because Hyper-V is the foundational hypervisor for Microsoft Azure. Exploits targeting Hyper-V could affect any application or service running on Azure and possibly be used to take one or a number of Azure hosts offline. Azure is used by 95% of the Fortune 500, according to Microsoft; it is one of the most important pieces of infrastructure on the planet. Azure also runs much of Microsoft’s Office365 online productivity suite, which means that many businesses and organizations that don’t even know they are in the cloud are vulnerable to Hyper-V exploits.
Fuzzing hypervisors, in general, is challenging because of the nested structure inherent in creating virtualized infrastructure. We built hAFL1 to automate fuzzing of Hyper-V and simplify detection and mitigation of 0-Days affecting Azure. Using hAFL1, we quickly identified a 0-Day for Hyper-V, an arbitrary read vulnerability, that could be used to take down Azure hosts. We presented hAFL1 and the results of our research on August 4 at Black Hat USA 2021 in Las Vegas. We also released the code for hAFL1 on GitHub that day, with an open-source license.
A second tool we developed is a “time travel” machine that uses differential patch analysis across multi-year cohorts of Windows patches. This new infrastructure began as a thought experiment; we wondered whether patches over time would point us towards common patterns found in 0-days. By collecting all the patches, examining how they differed, and tracking this information over time, we hypothesized that we might gain fruitful insights into where to look for more 0-days.
We collected all Windows patches going back to 2016 and built a database that included sequential patch-diffs for a five-year period. By traveling back through patching history, we found a pattern of exploits affecting specific aspects of Microsoft’s Remote Desktop client and connectivity. Using this approach and the software infrastructure we built to examine patch-diffs, we found multiple 0-days, one of which Microsoft quickly patched. This infrastructure could be extended beyond Windows to cover Linux and other operating systems. The “time-travel” approach takes a more systematic and pattern-based approach to 0-day detection and could easily be incorporated into security audits. Interestingly, we also identified instances where exploit patches were announced but not included in released patches for up to two months. This created opportunities for 1-day attacks. The disparity between announcement and release date highlights another potentially valuable use case for patch-diff analysis. We presented our new patch-diff infrastructure, and released it on GitHub, at Def Con 2021 in August in Las Vegas.
Just as fuzzing moved from one-off examination and laborious manual writing of test cases and harnesses, we believe the future of 0-day detection can and should be automated. Too much of the work going into identifying the most critical exploits remains manual and driven by human intuition rather than automated coverage. Human intuition is a wonderful guide but it does not scale. As the cost to compute continues to fall, automation to unearth potential vulnerabilities becomes not only more attractive but essential in keeping ahead of attackers. The bad guys will likely use the same approach to automating infrastructure and similar approaches to find flaws.
By allowing faster, better coverage of code and identification of exploits that other types of code analysis would not catch, automated 0-day detection methodologies can simplify code audits and dramatically increase the number of 0-days detected and patched. This will mean a safer world with fewer 0-days to exploit. That is our goal and we hope that the entire world benefits from our work.