< NULLCON 2025 - BERLIN />

About the Speaker

Pascal Beyer
Security Researcher Fraunhofer FKIE

< Talk Title />

RDP and The Power of Deterministic Snapshot Fuzzing

< Talk Category />

Technical Speakers

< Talk Abstract />

As critical attack surface becomes more and more secure and mitigations become more and more effective, it has become a recent trend for security researchers to develop complex tooling specialized to attack specific targets. For attacking an operating system kernel, this tooling usually has to include a hypervisor or emulator. Emulators in particular provide an excellent analysis platform for root-causing bugs and for implementing scalable and deterministic tools such as coverage-driven fuzzers.

In 2022, Colas Le Guernic and Jérémy Rubert showed that snapshot fuzzing can be very useful for attacking targets like the Remote Desktop Client: they used the bochscpu- and/or KVM-based system "What the Fuzz" to target the graphical component of the Microsoft RDP Client and found CVE-2022-30221, a vulnerability inside the D3D11 software rasterizer implementation.

Expanding on that topic, in this talk we aim to showcase the advantages of using an emulator specifically designed for snapshot fuzzing. We will do this by looking at three recent CVEs discovered using our own system: SNAFUzz.

First, we will introduce the basics of snapshot fuzzing by discussing CVE-2025-[Undisclosed_0], a simple kernel vulnerability. Then we will target RDP and see how, inside an emulator, one can introduce allocation tracking and out-of-bounds detection to find heap memory leak vulnerabilities like CVE-2025-32715. Finally, we take a look at a remote code execution vulnerability found in a pre-release version of the RDP Client. It will serve as an example of how the complete determinism of an emulator can be used to fully understand a somewhat complicated and convoluted vulnerability, by reproducing and debugging it over and over again.

< Speaker Bio />

Pascal Beyer is a security researcher and C programmer at Fraunhofer FKIE CA&D. His interests include emulator, hypervisor, compiler, OS and exploit development, as well as reversing and optimization: basically anything so close to the CPU that the individual instructions become important.