By: Andrea Allievi, Richard Johnson

Scheduled on: January 27 at 13:00

This talk will explore Intel Processor Trace, the new hardware branch tracing feature included in Intel Skylake processors. We will explain the design of Intel Processor trace and detail how the current generation implementation works, including the various filtering modes and output configurations. This year we designed and developed the first open-source Intel PT driver for the Microsoft Windows operating system. We will discuss the architecture of the driver and the large number of low level programming hurdles we had to overcome throughout the development of the driver to program the PMU, including registering Performance Montering Interrupts (PMI), locating the Local Vector Table (LVT), managing physical memory. We will introduce even the new features of the latest version, like the IP filtering, and multi-processor support. We will demonstrate the usage of Intel PT in Windows environments for diagnostic and debugging purposes, showing a “tracing” demo and our new IDA Plugin, able to decode and apply the trace data directly to the visual assembly graph. Finally we discuss how we’ve harnessed this branch tracing engine for guided fuzzing. We have added the Intel PT tracing mode as an engine for targeting Windows binaries in the widely used evolutionary fuzzer, American Fuzzy Lop. This fuzzer is capable of using random mutation fuzzing with a code coverage feedback loop to explore new areas. Using our new Intel PT driver for Windows, we provide the fastest hardware supported engine for targeting binaries with evolutionary fuzzing. In addition we have added new functionality to AFL for guided fuzzing, which allows users to specify targeted areas on a program control flow graph that are of interest. This can be combined with static analysis results or known-vulnerable locations to help automate the creation of trigger inputs to reproduce a vulnerability without the limits of symbolic execution. To keep performance as the highest priority, we have also created new methods for efficiently encoding weighted graphs into an efficiently comparable bytemap.