This talk will explore Intel Processor Trace, the new hardware branch tracing feature included in Intel Skylake processors. We will explain the design of Intel Processor trace and detail how the current generation implementation works including the various filtering modes and output configurations.
This year we designed and developed the first opensource Intel PT driver for the Microsoft Windows operating system. We will discuss the architecture of the driver and the large number of low level programming hurdles we had to overcome throughout the development of the driver to program the PMU, including registering Performance Montering Interrupts (PMI), locating the Local Vector Table (LVT) Performance Monitor timer register, bypassing the TLB and cache through managing physical memory, and more. We will demonstrate the usage of Intel PT in Windows environments for diagnostic and debugging purposes, demonstrate an IDA plugin that can render coverage and loop information against user and kernel targets, and then discuss how we’ve harnessed this branch tracing engine for guided fuzzing.
This year we have added the Intel PT tracing mode as an engine for targeting Windows binaries in the widely used evolutionary fuzzer, American Fuzzy Lop. This fuzzer is capable of using random mutation fuzzing with a code coverage feedback loop to explore new areas. Using our new Intel PT driver for Windows, we provide the fastest hardware supported engine for targeting binaries with evolutionary fuzzing. In addition we have added new functionality to AFL for guided fuzzing, which allows users to specify targeted areas on a program control flow graph that are of interest. This can be combined with static analysis results or known-vulnerable locations to help automate the creation of trigger inputs to reproduce a vulnerability without the limits of symbolic execution. To keep performance as the highest priority, we have also created new methods for efficiently encoding weighted graphs into an efficiently comparable bytemap.
New to this version of the talk is full support for kernel tracing, multi-core support, using Windows ETW for hooking thread context switching and module loads/unloads, an IDA plugin for visualization, and a JIT disassembly engine with cache for the winafl intelpt trace parsing