SafeBreach Intros New Tools to Automate Zero-Day Detection

At Black Hat and Def Con this week, SafeBreach security researchers Peleg Hadar and Tomer Bar will demonstrate two new tools developed to automate the discovery of zero-day vulnerabilities. Both announcements highlight the power of automation to increase the efficiency and scope of vulnerability research.

The first tool, hAFL1, developed by Hadar and Guardicore’s Ophir Harpaz, is an open source fuzzer based on kAFL and designed for Hyper-V hypervisors. The potential impact is significant – Microsoft leverages Hyper-V to run virtual machines in Azure, which it says is used by 95 percent of Fortune 500 companies.

End-to-end Hyper-V Fuzzer

Hadar told eSecurity Planet that fuzzing can be both more efficient and more effective than static analysis. “Especially when we’re talking about Hyper-V, which is a very complex target with a very complex architecture, doing it manually may find fewer vulnerabilities,” he said.

And hypervisors, Hadar said, present a unique challenge for vulnerability research. “We’re not talking about a single virtual machine which runs the Windows VM – we’re talking about the hypervisor itself, which is a virtual machine which runs more virtual machines within it – more Windows VMs or Linux VMs,” he said.

While there are simple fuzzers available for Hyper-V, Hadar said, hAFL1 adds several capabilities that make the tool far more efficient. “We’re the first to release an end-to-end fuzzer for Hyper-V which includes structural awareness, crash monitoring and code coverage,” he said.

Critical Hyper-V Vulnerability Found

By releasing the tool as open source software and detailing the findings at Black Hat, Hadar said his hope is that other security researchers will gain a better understanding of the complex field of hypervisor internals, and will become inspired to initiate their own hypervisor vulnerability research. “We wanted to help other researchers to get into this field, because we believe it’s fascinating,” he said.

Notably, within two hours of its initial deployment, hAFL1 uncovered a remote code execution vulnerability, CVE-2021-28476, with a CVSS score of 9.9. The flaw could enable an attacker to crash a Hyper-V host, impacting several companies’ virtual machines – or to run arbitrary code on the Hyper-V host.

In a blog post detailing the vulnerability, Hadar and Harpaz noted that the flaw affected Windows 7, 8.1 and 10, as well as Windows Server 2008, 2012, 2016 and 2019 – and that it first appeared in a build from August 2019, meaning that it was in production for over a year and a half prior to detection.

“Vulnerabilities like CVE-2021-28476 demonstrate the risk that a shared resource model (e.g. a public cloud) brings,” they wrote. “Indeed, in cases of shared infrastructures, even simple bugs can lead to devastating results like denial of service and remote code execution.”

Hadar and Harpaz will present hAFL1, and demonstrate the vulnerability the tool uncovered, in a Black Hat session on August 4.

Further reading: Top Vulnerability Management Tools

Zero-day Tool

Separately, SafeBreach director of security research Tomer Bar and security researcher Eran Segal have developed a tool they’re calling “Back to the Future,” which leverages differential patch analysis across a multi-year period to look for common patterns found in zero-day vulnerabilities.

Bar told eSecurity Planet that the idea for the tool came from previous research he and Hadar presented at Black Hat 2020, which found that some patches used to fix vulnerabilities exploited by Stuxnet a decade ago had failed to repair the flaws. “This made us think, what could be discovered if we do the same, but scale it up to all the patches since 2016?” he said.

According to Bar, the tool incorporates 33 different features focusing on different types of patterns. “Each feature is optimized differently – some are optimized to have the lowest amount of false positives, and some are optimized to give us overview insights on the patch,” he said.

And the tool is designed specifically to be expanded and adapted by other researchers. “It’s expandable to other Windows versions like the upcoming Windows 11, and it can also be copied and expanded into other systems like Linux or Mac,” he said. “And everybody can add their own features – it’s a pluggable infrastructure.”

The researchers have already used the tool to find several zero-day vulnerabilities, including CVE-2021-34507, an information leak vulnerability affecting Windows 7, 8.1 and 10, as well as Windows Server 2008, 2012, 2016 and 2019, with a CVSS score of 6.5.

Bar said he hopes other researchers and vendors will use the tool to find many more vulnerabilities. “I believe that in order to really move the needle and have a leap in security, we as a research community should enlarge our focus on automation, using existing and also new approaches,” he said.

In a recent blog post, Bar and Hadar said the future of zero-day detection can and should be automated. “Too much of the work going into identifying the most critical exploits remains manual and driven by human intuition rather than automated coverage,” they wrote. “Human intuition is a wonderful guide, but it does not scale.”

Bar and Segal will demonstrate the tool in a Def Con session following Black Hat on August 6.

Further reading

Jeff Goldman
Jeff Goldman
Jeff Goldman has been a technology journalist for more than 20 years and an eSecurity Planet contributor since 2009.

Top Products

Related articles