
Hourglass Fuzz - A Quick Bug Hunting Method

Offered By: Hack In The Box Security Conference via YouTube

Tags: Hack In The Box Security Conference Courses, Bug Hunting Courses

Course Description

Overview

Explore an innovative bug hunting method called Hourglass Fuzz in this 58-minute conference talk from the Hack In The Box Security Conference. Learn how this system, designed for Android but applicable to other platforms, addresses limitations of traditional fuzzing techniques such as AFL and syzkaller. Discover how Hourglass Fuzz overcomes data dependencies and code execution sequence challenges to reach deeper code locations while consuming less computational power and time. Gain insights into the successful application of this method in uncovering 0day bugs in graphics drivers and the Bluetooth stack on Android 9 on the Pixel 3. Delve into the Hourglass Fuzzing philosophy, user space and kernel space fuzzing techniques, attack interface selection, and best practices. Understand the intricacies of Bluetooth architecture, packet structure, and target functions. Explore sanitizer support, fuzzing strategies, and practical implementation details, including kernel build issues, KGSL specifics, and automation techniques. Enhance your security research toolkit with this powerful approach to vulnerability discovery in complex systems.

Syllabus

Intro
Pain point
Hourglass Fuzzing Philosophy
User Space Fuzzing
Attack Interface - Selection
Bluetooth - Architecture in brief
Bluetooth - Module View
Bluetooth - Source Tree
Bluetooth - Architecture in detail
Bluetooth - Startup work flow
Bluetooth - Packet Structure & Common Dispatcher
Bluetooth - Target functions
Sanitizer Support
Fuzzer Overview
Fuzzing Strategy
Best Practice
Kernel Space Fuzzing
Introduction
How to achieve passive fuzz
How to transfer the filter list
Fuzzing strategies
What do we need to prepare
Build kernel issues
KGSL in detail
Solution Overview
Panic call stack
How to make it automatic
Fuzz status statistics
Install and run different kinds of 3D games
Add a for loop
Add a trigger program
Case 1


Taught by

Hack In The Box Security Conference
