Snapchange, AWS's open source fuzzing tool

Amazon Web Services Releases a New Open Source, KVM-Backed Fuzzing Tool

Amazon has announced a new fuzzing tool called Snapchange, which makes it possible to test executables without modifying them and without access to the application's source code. The move is intended in part to address concerns about the security of the software supply chain.

The AWS post explains that Snapchange started as an experiment by the AWS Find and Fix (F2) open source security research team to explore using KVM to enable snapshot fuzzing.

Today we're excited to announce Snapchange, a new open source project to make snapshot-based fuzzing much easier. Snapchange allows fuzzing a target binary with minimal modifications, providing useful insight that aids in fuzzing.

Snapchange is a Rust framework for creating fuzzers that replay snapshots of physical memory to increase efficiency and reduce complexity when fuzzing many types of targets. Snapchange uses the Linux kernel's built-in virtual machine manager, known as the Kernel Virtual Machine, or KVM.

About Snapchange

Snapchange loads a physical memory dump containing the executable code and, using the KVM hypervisor, runs that code in a loop: it iterates over combinations of input data, tracks any crashes or anomalies that appear, and restarts the check for the next iteration. Each time, the memory and CPU registers are restored to their original state.

An iteration is reset and restarted after an abnormal exit, a timeout or the occurrence of a specified event. Input data is written directly into memory, and to save the cost of resetting all of memory to its initial state after each iteration, Snapchange determines which data in memory has actually changed and restores only that.

The initial memory dump is created by taking a snapshot of the virtual machine (VirtualBox or QEMU) in which the application under test is running. The logic for substituting input data is defined in custom scripts, and the starting point of the loop is set with a breakpoint in the debugger.

For example, to test the processing of a network request, the researcher starts the application on the guest system in VirtualBox or QEMU, locates in the debugger the start of the request handling routine (for example, just after the call to recv), sets a breakpoint there, and identifies the memory area into which the received network packet is loaded. A snapshot of the guest system is then taken and loaded into Snapchange.

For the test, a script is written that, on each iteration, writes the generated data directly into the network packet buffer, which simulates the processing of real network packets. Snapchange resumes execution from the breakpoint each time, with new contents in the buffer, and then resets memory to its snapshot state.
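The cycle described in the last few paragraphs, as an added illustration that is not code from Snapchange or AWS, written in Rust because that is the project's language: a snapshot of memory and registers, input written straight into the packet buffer, one run of the handler, then a restore that copies back only the pages that were dirtied. The guest here is a plain byte array, and the packet address, scratch area, handler and crash condition are all constructed for the demo; the real tool drives a KVM guest instead.

```rust
// Added illustration, not Snapchange's code: an in-process model of the snapshot
// loop. The "guest" is a byte array plus four registers; the target and crash are constructed.
const PAGE: usize = 64;        // granularity at which changed memory is tracked
const PKT_ADDR: usize = 0x40;  // where the received packet sits (constructed)
const SCRATCH: usize = 0x100;  // area the target writes into (constructed)
#[derive(Clone)]
pub struct Snapshot { pub mem: Vec<u8>, pub regs: [u64; 4] }
pub struct Guest { pub mem: Vec<u8>, pub regs: [u64; 4], dirty: Vec<bool> }
impl Guest {
    pub fn new(s: &Snapshot) -> Self { Guest { mem: s.mem.clone(), regs: s.regs, dirty: vec![false; s.mem.len() / PAGE] } }
    /// Every guest write goes through here so the dirty-page map stays exact.
    pub fn write(&mut self, addr: usize, data: &[u8]) {
        for (i, b) in data.iter().enumerate() {
            self.mem[addr + i] = *b;
            self.dirty[(addr + i) / PAGE] = true;
        }
    }
    /// Reset registers and copy back only the pages that changed; returns that count.
    pub fn restore(&mut self, s: &Snapshot) -> usize {
        let mut n = 0;
        for (p, d) in self.dirty.iter_mut().enumerate().filter(|(_, d)| **d) {
            self.mem[p * PAGE..(p + 1) * PAGE].copy_from_slice(&s.mem[p * PAGE..(p + 1) * PAGE]);
            *d = false;
            n += 1;
        }
        self.regs = s.regs;
        n
    }
}
/// Stand-in for the handler after the recv() breakpoint: 1-byte type, 1-byte length, payload copied to scratch. The crash condition is invented.
pub fn target(g: &mut Guest) -> Result<(), String> {
    let (kind, len) = (g.mem[PKT_ADDR], g.mem[PKT_ADDR + 1] as usize);
    let payload = g.mem[PKT_ADDR + 2..PKT_ADDR + 2 + len].to_vec();
    g.regs[0] = len as u64;
    g.write(SCRATCH, &payload);
    if kind == 0xAB && len > 16 { Err(format!("kind=0x{:02x} len={}", kind, len)) } else { Ok(()) }
}
/// The loop itself: write input into the packet buffer, run, restore, repeat. Returns the first crashing iteration and input; inputs come from a fixed-seed xorshift64.
pub fn fuzz(snap: &Snapshot, iters: u32) -> Option<(u32, Vec<u8>)> {
    let mut g = Guest::new(snap);
    let mut rng: u64 = 0x9E37_79B9_7F4A_7C15;
    for i in 0..iters {
        let input: Vec<u8> = (0..24).map(|_| { rng ^= rng << 13; rng ^= rng >> 7; rng ^= rng << 17; (rng >> 56) as u8 }).collect();
        g.write(PKT_ADDR, &input);          // input is replaced directly in memory
        let hit = target(&mut g).is_err();
        g.restore(snap);                    // back to the snapshot before the next try
        if hit { return Some((i, input)); }
    }
    None
}
```

In a real harness the dirty-page set comes from the hypervisor and the run ends on a crash, timeout or chosen breakpoint rather than on a function returning.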

Various strategies for generating input data are supported. Multiple environments, each bound to a different CPU core, can run in parallel. In addition to detecting failures during code execution, Snapchange supports collecting performance metrics, accumulating coverage statistics to assess how much of the executable code was exercised, and step-by-step tracing of the executed code.

For those interested in the project, the code is written in Rust and is distributed under the Apache 2.0 license on GitHub.

Snapchange runs on Linux but requires direct access to the underlying KVM primitives. It therefore supports EC2 bare metal instance types, which run without a hypervisor, but not virtualized EC2 instances.

Finally, if you are interested in learning more, you can read the original announcement at the following link.
