There's a lot of effort that goes into making good fuzzers: developing better mutators and generators, collecting larger corpora, and of course, manually auditing for fuzz-worthy paths. But what if, instead of doing all the fuzz-related things, you just put all of your effort into making fuzzing as fast as possible? I've done that work for you! I've worked on many high-performance fuzzers, ranging from custom hypervisors to modified QEMU and finally to vectorized emulation. Vectorized emulation leverages the AVX-512 instruction set to run 8 (or 16) VMs at a time in parallel. While initially the only goal was high-performance emulation, it turns out that the information that can be collected by diffing multiple VMs while they are executing can result in "solver-like" behavior for simple cases. This technique gives immediate and low-cost feedback on which aspects of execution were affected by the mutations that were performed on the input.
I'll talk about the performance ramifications of vectorized emulation, the hardening techniques used to apply ASAN-style protections to binary targets, the data that can be extracted from targets, and some examples of what all of this together can do!
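To make the "diffing multiple VMs" idea concrete, here is a small scalar model of lane-lockstep emulation (an added illustration, not the speaker's fuzzer): eight copies of a toy VM step through the same constructed program, lane 0 on the original input and lane i on a copy with byte i-1 mutated, and every branch where a lane disagrees with lane 0 is reported along with the byte that fed the comparison and the constant it was compared against.

```python
"""Toy, scalar model of lane-lockstep emulation (illustration only).
Lane 0 runs the original input; lane i runs a copy with byte i-1 mutated.
A branch that goes differently in a lane than in lane 0 exposes which
input byte fed the comparison and what it was compared against."""

LANES = 8

# Constructed toy program (not a real target): check a 3-byte header.
#   load k  : acc = input[k]      cmp imm : flag = (acc == imm)
#   jt  pc  : if flag, jump       halt    : stop with a label
PROGRAM = [
    ("load", 0), ("cmp", 0x7F), ("jt", 4), ("halt", "reject"),
    ("load", 1), ("cmp", 0x45), ("jt", 8), ("halt", "reject"),
    ("load", 2), ("cmp", 0x4C), ("jt", 12), ("halt", "reject"),
    ("halt", "accept"),
]

def make_lanes(base, mutator):
    """Lane 0 = unmodified input, lane i = input with byte i-1 mutated."""
    lanes = [bytes(base)]
    for i in range(1, LANES):
        m = bytearray(base)
        m[i - 1] = mutator(m[i - 1])
        lanes.append(bytes(m))
    return lanes

def run_lockstep(inputs):
    """Run all lanes together; return (lane 0 outcome, divergence list)."""
    n = len(inputs)
    pc, acc, flag, loaded = 0, [0] * n, [False] * n, [None] * n
    active = [True] * n              # lanes still following lane 0's path
    last_cmp, feedback = None, []    # feedback: (byte idx, cmp value, lane)
    while True:
        op, arg = PROGRAM[pc]
        if op == "load":
            for i in range(n):
                acc[i], loaded[i] = inputs[i][arg], arg
            pc += 1
        elif op == "cmp":
            last_cmp, flag = arg, [a == arg for a in acc]
            pc += 1
        elif op == "jt":
            for i in range(1, n):
                if active[i] and flag[i] != flag[0]:
                    feedback.append((loaded[i], last_cmp, i))
                    active[i] = False  # mask lane off; a real VM resumes it later
            pc = arg if flag[0] else pc + 1
        else:  # halt
            return arg, feedback
```

Bytes whose lanes never diverge did not influence any branch on this path, so a single lockstep run both tells the fuzzer which bytes matter and hands it the compared-against constants for free.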
Brandon is a security researcher with over 8 years of professional experience. He has specialized in fuzzing and harnessing, which has led him to write various hypervisors and emulators to assist in fuzzing. By putting an emphasis on scalability and performance, he continuously produces some of the fastest fuzzers around. These tools are often written to gather more than standard code coverage, while still maintaining the ability to work on targets without source or even a system to run them on. Brandon has recently been looking into how Intel CPUs work internally, attempting to document undocumented behavior with the end goal of looking for Meltdown-style attacks.