Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

100+ Kernel Bugs in 30 Days- 1905

Yaron Dinkin & Eyal Kraft, posted 23 days ago
  • The authors of this post had an interesting concern about LLMs: what about the security of targets that no one has ever looked at? There are TBs of binaries on machines that no one has ever looked at. So, they decided to perform zero-day research at scale in Windows Kernel Drivers. The approach and scale of impact were fascinating to see!
  • First, they scraped the MSFT update catalog, OEM sites, and public driver repos to get 1.6K unique drivers. Next, they performed static analysis of the binaries to determine the attack surface, including IOCTL dispatch complexity and other kernel driver-specific issues. They prioritized the drivers with the largest attack surface.
  • Next, they analyzed the binaries in an LLM loop. This required a decompilation agent to rename unnamed functions, deduce functionality, and perform basic reverse engineering tasks. After this, another agent would identify functions worth auditing based on the attack surface and the decompiled code. The final agent would inspect the functions for memory corruption bugs, walking through the call graph to understand the data flow.
  • Once done, the findings were written for another agent to write a proof of concept for a VM-based harness. This required a customized QEMU to test. From this output, they were able to identify the expected crash and analyze the vulnerability's real impact. Finally, they manually validated the reports with a PoC script on a real Windows 11 machine. From there, they submitted the bug to PSIRT themselves.
  • The LLM analysis cost a total of $600, or $3 per chosen target and $4 per bug. Among the findings were a wide range of issues, from heap overflows to arbitrary reads. The false positive rate was about 60%. So, a little over 1 in 2. Still, these are great leads and make triaging bugs much easier to do. Only a single vulnerability was fixed from this, which is absolutely crazy.
  • They had some good takeaways. First, agent-assisted bug hunting is cheap but not free. You can realistically create an agent loop to help find issues at scale for a reasonable cost. The agentic flows require closed loops so the agents can figure everything out themselves. In practice, this means giving the agent a ton of feedback via custom tools/harnesses. With the ability to bugcheck the machine repeatedly, it will eventually find the proper way to exploit it.
  • This was a great post on finding vulnerabilities at scale using LLMs. We're in a gold rush to find all of the vulnerabilities right now!
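One concrete piece of the "prioritize by IOCTL dispatch" step described above, as an added example of my own rather than the authors' tooling: decoding Windows IOCTL control codes (the CTL_CODE layout from wdm.h) and ranking drivers by how much user-controlled input their IOCTLs accept. The scoring weights, driver names and IOCTL codes below are constructed assumptions for illustration.

```python
"""Decode IOCTL control codes and rank drivers by the attack surface they expose.
The risk weights are this example's own heuristic, not the authors' method."""
from dataclasses import dataclass

# CTL_CODE layout (wdm.h): DeviceType<<16 | Access<<14 | Function<<2 | Method
METHOD_NAMES = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
                2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}


@dataclass(frozen=True)
class Ioctl:
    code: int
    device_type: int
    access: int
    function: int
    method: int


def ctl_code(device_type: int, function: int, method: int, access: int) -> int:
    """Same packing as the CTL_CODE macro."""
    return (device_type << 16) | (access << 14) | (function << 2) | method


def decode_ioctl(code: int) -> Ioctl:
    return Ioctl(code, (code >> 16) & 0xFFFF, (code >> 14) & 0x3,
                 (code >> 2) & 0xFFF, code & 0x3)


def ioctl_risk(ioctl: Ioctl) -> int:
    """Assumed weights: METHOD_NEITHER hands raw user-mode pointers to the driver,
    which must probe and copy them itself; direct I/O still leaves length checks
    to the driver; FILE_ANY_ACCESS (0) means any handle opener can reach it."""
    score = 1
    if ioctl.method == 3:          # METHOD_NEITHER
        score += 3
    elif ioctl.method in (1, 2):   # METHOD_IN_DIRECT / METHOD_OUT_DIRECT
        score += 1
    if ioctl.access == 0:          # FILE_ANY_ACCESS
        score += 1
    return score


def rank_drivers(drivers: dict[str, list[int]]) -> list[tuple[str, int]]:
    """Sum per-IOCTL risk for each driver; highest score first, name as tiebreak."""
    scored = {name: sum(ioctl_risk(decode_ioctl(c)) for c in codes)
              for name, codes in drivers.items()}
    return sorted(scored.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed sample: fictitious driver names, FILE_DEVICE_UNKNOWN (0x22) codes.
SAMPLE = {
    "vendorA.sys": [ctl_code(0x22, 0x800, 3, 0), ctl_code(0x22, 0x801, 0, 0)],
    "vendorB.sys": [ctl_code(0x22, 0x800, 1, 0), ctl_code(0x22, 0x801, 2, 0)],
    "vendorC.sys": [ctl_code(0x22, 0x800, 0, 1)],
}
```

Running `rank_drivers(SAMPLE)` puts vendorA.sys first because of its METHOD_NEITHER IOCTL reachable with FILE_ANY_ACCESS, which is exactly the kind of handler worth sending to the auditing agent first.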