What's got a vast attack surface and runs on Linux? Windows Defender, of course
Penguinistas, rejoice: Tavis Ormandy lets you fuzz Windows
Google Project Zero's Windows bug-hunter and fuzz-boffin Tavis Ormandy has given the world an insight into how he works so fast: he works on Linux, and with the release of a personal project on GitHub, others can too.
Ormandy's project is to port Windows DLLs to Linux for his vuln tests (“So that's how he works so fast!” Penguinistas around the world are saying).
Typically self-effacing, Ormandy made this simple announcement on Twitter (to a reception mixing admiration, humour, and horror):
Surprise, I ported Windows Defender to Linux. 😎https://t.co/7eP48O87Vi— Tavis Ormandy (@taviso) May 23, 2017
Ormandy's reason for the project is to let loose fuzzing against Windows-based software, using Linux platforms.
“The intention is to allow scalable and efficient fuzzing of self-contained Windows libraries on Linux. Good candidates might be video codecs, decompression libraries, virus scanners, image decoders, and so on,” he writes.
Efficiency is the key, with Ormandy writing that on Windows, it's all too slow.
“Distributed, scalable fuzzing on Windows can be challenging and inefficient. This is especially true for endpoint security products, which use complex interconnected components that span across kernel and user space. This often requires spinning up an entire virtualized Windows environment to fuzz them or collect coverage data.”
Porting stuff like Windows antivirus tools to Linux lets Ormandy “run the code I’m testing in minimal containers with very little overhead, and easily scale up testing”.
Oh, and “I also think Linux has better tools”.
So far, what's working in the environment includes C++ exception dispatch and unwinding; loading additional symbols from IDA; debugging with gdb (including symbols), breakpoints, stack traces, etc; runtime hooking and patching; and support for ASAN and Valgrind to detect subtle memory corruption bugs.
And then there's Windows Defender: Ormandy's work also means researchers can go to work on its “vast and complex attack surface”.
We hope Redmond's paying attention. ®