14 DAY TRIAL // Tavis Ormandy is the Google Project Zero security researcher responsible for many of the recently discovered vulnerabilities in Microsoft’s Windows operating system, most of which were patched by the software giant, while some of them were made public after the 90-day disclosure window expired.
This time, Ormandy has developed a tool whose purpose is to enhance fuzzing, which is in essence a technique that enables vulnerability scanning using data injection directly in the DLL file. Fuzz testing is an all automated solution and uses invalid, unexpected, or random data injected in applications that are then monitored for memory leaks, crashes or other security vulnerabilities.
Fuzzing, however, is much more effective on Linux, Ormandy explains, also because the open-source platform has better tools and can deal with the interconnected components that typically make the process far more complex on Windows.
“Distributed, scalable fuzzing on Windows can be challenging and inefficient. This is especially true for endpoint security products, which use complex interconnected components that span across kernel and user space. This often requires spinning up an entire virtualized Windows environment to fuzz them or collect coverage data,” Ormandy explains.
Windows Defender on Linux
As a result, he developed a tool that includes a library allowing native Linux programs to load and call functions from a Windows DLL, with a demo he put together involving a port of Windows Defender to Linux for fuzzing purposes. Windows Defender is the default antivirus solution in Windows 8.1 and Windows 10.
“The intention is to allow scalable and efficient fuzzing of self-contained Windows libraries on Linux. Good candidates might be video codecs, decompression libraries, virus scanners, image decoders, and so on,” Ormandy explains on the Github page where it describes the purpose of his tool and also details the demo involving Windows Defender.
The Google security researcher explains that mpengine.dll, which is a core component of the Malware Protection Engine, also known as MsMpEng, is one of the main targets for exploits, so bringing it on Linux for fuzzing helped look for possible vulnerabilities.