SafeBreach introduces new tools to automate zero-day detection

At Black Hat and Def Con this week, SafeBreach security researchers Peleg Hadar and Tomer Bar will showcase two new tools developed to automate the discovery of zero-day vulnerabilities. Both announcements highlight the power of automation to increase the efficiency and reach of vulnerability research.

The first tool, hAFL1, developed by Hadar and Ophir Harpaz of Guardicore, is an open source kAFL-based fuzzer designed for Hyper-V hypervisors. The potential impact is significant – Microsoft uses Hyper-V to run virtual machines in Azure, which it says is used by 95% of Fortune 500 companies.

End-to-end Hyper-V fuzzer

Hadar told eSecurity Planet that fuzzing can be both more efficient and more effective than static analysis. “Especially when we talk about Hyper-V, which is a very complex target with a very complex architecture, doing it manually can find fewer vulnerabilities,” he said.

And hypervisors, Hadar said, present a unique challenge for vulnerability research. “We’re not talking about a single virtual machine that runs the Windows virtual machine – we’re talking about the hypervisor itself, which is a virtual machine that runs more virtual machines within it – more Windows or Linux virtual machines,” he said.

While there are simple fuzzers available for Hyper-V, Hadar said, hAFL1 adds several features that make the tool much more efficient. “We are the first to release an end-to-end fuzzer for Hyper-V that includes structural knowledge, fault monitoring and code coverage,” he said.
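As an added illustration (not hAFL1 or any SafeBreach code), the toy Python fuzzer below shows what those three properties mean in practice: a structure-aware mutator that keeps a constructed record header valid so inputs reach the parser body, crash monitoring that records any uncaught exception, and code-coverage feedback that only keeps inputs which reach lines no earlier input reached. The target parser, its record format and the planted bug are all constructed for this example; line tracing via `sys.settrace` stands in for the compiled-in instrumentation a real fuzzer uses.

```python
"""Toy coverage-guided fuzzer: structure-aware mutation, crash monitoring
and coverage feedback against a constructed target with a planted bug.
Added example; not hAFL1 or SafeBreach code."""
import random
import sys

MAGIC = b"HV"  # constructed 2-byte header marker for the toy record format


def parse_record(data: bytes) -> dict:
    """Constructed target: magic(2) | type(1) | declared length(1) | payload."""
    if len(data) < 4 or data[:2] != MAGIC:
        raise ValueError("bad header")
    kind = data[2]
    length = data[3]
    payload = data[4:4 + length]
    if kind == 1:
        return {"kind": "ping", "payload": payload}
    if kind == 2:
        # Planted bug: trusts the declared length instead of the bytes present,
        # so a short or empty payload indexes out of range.
        return {"kind": "echo", "last": payload[length - 1]}
    return {"kind": "unknown"}


def run_with_coverage(target, data):
    """Run target(data) once. Returns (exception or None, set of line numbers hit)."""
    code = target.__code__
    hit = set()

    def tracer(frame, event, arg):
        if frame.f_code is code:          # only trace the target's own frame
            if event == "line":
                hit.add(frame.f_lineno)
            return tracer
        return None

    previous = sys.gettrace()
    sys.settrace(tracer)
    try:
        target(data)
        return None, hit
    except Exception as exc:  # crash monitoring: any uncaught exception is a finding
        return exc, hit
    finally:
        sys.settrace(previous)


def mutate(rng, data):
    """Structure-aware mutation: never touch the magic, so inputs pass the header
    check and exercise the parser body rather than the rejection path."""
    buf = bytearray(data)
    choice = rng.randrange(4)
    if choice == 0:
        buf[2] = rng.randrange(4)              # pick another record type
    elif choice == 1:
        buf[3] = rng.randrange(256)            # make the declared length lie
    elif choice == 2 and len(buf) > 4:
        buf[rng.randrange(4, len(buf))] = rng.randrange(256)  # flip a payload byte
    else:
        buf.append(rng.randrange(256))         # grow the payload
    return bytes(buf)


def fuzz(target, seeds, iterations=3000, seed=1):
    """Coverage-guided loop: keep a child only if it reaches lines no earlier
    input reached; record crashes deduplicated by exception type and message."""
    rng = random.Random(seed)
    corpus = list(seeds)
    covered = set()
    crashes = {}
    for s in corpus:
        covered |= run_with_coverage(target, s)[1]
    for _ in range(iterations):
        child = mutate(rng, rng.choice(corpus))
        exc, hit = run_with_coverage(target, child)
        if exc is not None:
            crashes.setdefault((type(exc).__name__, str(exc)), child)
        elif hit - covered:
            covered |= hit
            corpus.append(child)
    return {"corpus": corpus, "covered": covered, "crashes": crashes}


SEEDS = [MAGIC + bytes([1, 2]) + b"ab"]  # constructed valid 'ping' record


if __name__ == "__main__":
    result = fuzz(parse_record, SEEDS)
    print(f"corpus={len(result['corpus'])} lines={len(result['covered'])}")
    for (name, msg), sample in result["crashes"].items():
        print(f"{name}: {msg} <- {sample!r}")
```

Because the mutator never corrupts the magic, every iteration is spent past the header check, and the coverage filter keeps the corpus to a handful of structurally distinct records; the planted length-trust bug in the `echo` path surfaces as an `IndexError` within a few hundred iterations.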

Hyper-V critical vulnerability detected

Releasing the tool as open source software and detailing the results at Black Hat, Hadar said he hoped other security researchers would better understand the complex area of hypervisor internals and be inspired to launch their own research into hypervisor vulnerabilities. “We wanted to help other researchers get into this field because we think it’s fascinating,” he said.

Notably, within two hours of its initial deployment, hAFL1 discovered a remote code execution vulnerability, CVE-2021-28476, with a CVSS score of 9.9. The flaw could allow an attacker to crash a Hyper-V host, affecting virtual machines in multiple companies, or to execute arbitrary code on the Hyper-V host.

In a blog post detailing the vulnerability, Hadar and Harpaz noted that the flaw affected Windows 7, 8.1 and 10, as well as Windows Server 2008, 2012, 2016 and 2019 – and that it first appeared in an August 2019 release, meaning it was in production for over a year and a half before detection.

“Vulnerabilities such as CVE-2021-28476 demonstrate the risk that a shared resource model (e.g., a public cloud) brings,” they wrote. “Indeed, in the case of shared infrastructures, even simple bugs can lead to devastating results such as denial of service and remote code execution.”

Hadar and Harpaz will present hAFL1, and demonstrate the vulnerability discovered by the tool, during a Black Hat session on August 4.


Zero-day tool

Separately, SafeBreach’s director of security research Tomer Bar and security researcher Eran Segal have developed a tool they call “Back to the Future,” which applies patch analysis across several years of fixes to search for common patterns found in zero-day vulnerabilities.

Bar told eSecurity Planet that the idea for the tool came from previous research he and Hadar presented at Black Hat 2020, which found that some patches issued to fix vulnerabilities exploited by Stuxnet ten years ago had failed to fix the flaws. “It got us thinking, what might we find out if we did the same thing, but extended it to all fixes since 2016?” he said.

According to Bar, the tool incorporates 33 different features focused on different types of patterns. “Each feature is optimized differently – some are optimized to have the fewest false positives, and some are optimized to give us the big picture of the fix,” he said.

And the tool is designed specifically to be extended and adapted by other researchers. “It’s upgradeable to other versions of Windows like the upcoming Windows 11, and it can also be copied and extended to other systems like Linux or Mac,” he said. “And anyone can add their own functionality – it’s pluggable infrastructure.”

The researchers have already used the tool to find several zero-day vulnerabilities, including CVE-2021-34507, an information leak vulnerability affecting Windows 7, 8.1, and 10, as well as Windows Server 2008, 2012, 2016, and 2019, with a CVSS score of 6.5.

Bar said he hopes other researchers and vendors will use the tool to find many more vulnerabilities. “I think in order to really shake things up and take a leap in security, we as a research community should broaden our focus on automation, using both existing and new approaches,” he said.

In a recent blog post, Bar and Hadar said the future of zero-day detection can and should be automated. “Too much of the work of identifying the most critical exploits remains manual and guided by human intuition rather than automated coverage,” they wrote. “Human intuition is a wonderful guide, but it does not evolve.”

Bar and Segal will demonstrate the tool in a Def Con session after Black Hat on August 6.
