Hacker From Google Ports Windows Defender To Linux To Demonstrate New Tools Capabilities
Windows being the de facto operating system of the world is also a hot bed for security research. Microsoft has for years had a system where researchers could notify the company of new exploits – termed zero-day exploits – to patch the same. These exploits at times throw up interesting research just like Tavis Ormandy has done recently with his fuzzing tool.
Surprise, I ported Windows Defender to Linux. ?https://t.co/7eP48O87Vi
— Tavis Ormandy (@taviso) May 23, 2017
Fuzz testing or fuzzing is a software testing approach wherein invalid or unexpected data is fed to a computer program that is then monitored for unexpected behavior such as crashes or memory leaks. The technique that Ormandy has worked on is in the domain of vulnerability scanning by injecting data directly into a DLL file ( a Windows file format ). Fuzzing however, is better utilized on Linux since the open-source OS is gifted with better tools to deal with interconnected components – the lack of which makes the process much more complicated on Windows.
“Distributed, scalable fuzzing on Windows can be challenging and inefficient. This is especially true for endpoint security products, which use complex interconnected components that span across kernel and user space. This often requires spinning up an entire virtualized Windows environment to fuzz them or collect coverage data,” Ormandy explains.
Therefore, Ormandy developed a tool for Linux that included a library that was capable of loading and running functions from a Windows DLL file. He has put together a demo of this tool – which also required him to port Windows Defender – the default anti-virus on Windows 8.1 onward onto Linux. Ormandy has provided a detailed explanation of his tool along with details of the demo involving Windows Defender stating, “The intention is to allow scalable and efficient fuzzing of self-contained Windows libraries on Linux. Good candidates might be video codecs, decompression libraries, virus scanners, image decoders, and so on.”
mpengine.dll, which is a core component of the Malware Protection Engine, also known as MsMpEng, is one of the primary targets of exploits and therefore bringing it onto Linux for fuzzing enabled him to examine it for possible vulnerabilities – explains the Google security researcher. You can check out the demo for yourself here.