Tavis Ormandy, the most famous of Google's security experts, has ported Windows Defender DLLs to Linux with the aid of a new tool he released today on GitHub.
The new tool is named loadlibrary, and Ormandy says he created it for the sole purpose of helping security researchers, not necessarily the Linux user community.
"Surprise, I ported Windows Defender to Linux. https://t.co/7eP48O87Vi" (Tavis Ormandy, @taviso, May 23, 2017)
Loadlibrary's sole purpose is to let researchers load and run Windows DLLs on Linux alongside specialized automated testing tools called fuzzers.
These tools perform an automated process called fuzzing, which feeds an application large amounts of random or malformed input and watches for abnormal behavior such as crashes or hangs.
Google's security experts are big fans of fuzzing when searching for undocumented vulnerabilities. In recent years, Google has developed two of the most popular fuzzing tools around, namely OSS-Fuzz and syzkaller.
Syzkaller is how Google engineers discovered three major bugs in the Linux kernel [1, 2, 3]. Two of these bugs had survived in the kernel code for 9 and 11 years, respectively, showing a fuzzing tool's ability to uncover bugs that humans couldn't spot during manual code reviews.
Earlier this month, Ormandy also used fuzzing to find a vulnerability in the Microsoft Malware Protection Engine, which he later described as "crazy bad" and "the worst Windows remote code exec in recent memory." The loadlibrary project is one of the tools Ormandy used for discovering that flaw.
Ormandy explains the motivation in the project's README:
"Distributed, scalable fuzzing on Windows can be challenging and inefficient. This is especially true for endpoint security products, which use complex interconnected components that span across kernel and user space. This often requires spinning up an entire virtualized Windows environment to fuzz them or collect coverage data.
This is less of a problem on Linux, and I've found that porting components of Windows Antivirus products to Linux is often possible. This allows me to run the code I'm testing in minimal containers with very little overhead, and easily scale up testing."
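A crash-detecting fuzzing loop of the kind described above, as an added example that is not code from the loadlibrary project or from Ormandy. The scan_target function is a constructed stand-in for the exported DLL function a real harness would obtain through loadlibrary; it simulates an engine fault on one header pattern so the harness has something to detect.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed stand-in for the DLL export a real harness would obtain via
 * loadlibrary; it simulates an engine fault on one header pattern. */
static void scan_target(const uint8_t *buf, size_t len)
{
    if (len >= 4 && buf[0] == 'M' && buf[1] == 'Z' && buf[3] == 0xFF)
        abort();
}

/* Run the target on one input in a forked child. Returns 1 if the child died
 * from a signal (SIGSEGV, SIGABRT, ...), 0 on a clean exit, -1 on error. */
int run_one(const uint8_t *buf, size_t len)
{
    int status = 0;
    pid_t pid = fork();
    if (pid == 0) {
        scan_target(buf, len);
        _exit(0);
    }
    if (pid < 0 || waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFSIGNALED(status) ? 1 : 0;
}

/* Mutation loop: copy the seed, overwrite 1-3 random bytes, run the mutant
 * in a child, and count signal deaths. Returns crashes found, -1 on error. */
int fuzz_campaign(const uint8_t *seed, size_t len, int iterations, unsigned rng_seed)
{
    uint8_t *buf = malloc(len);
    int crashes = 0;
    if (!buf || len == 0)
        return -1;
    srand(rng_seed);
    for (int i = 0; i < iterations; i++) {
        memcpy(buf, seed, len);
        for (int f = 1 + rand() % 3; f > 0; f--)
            buf[rand() % len] = (uint8_t)rand();
        if (run_one(buf, len) == 1)
            crashes++;
    }
    free(buf);
    return crashes;
}
```

Running each input in a forked child is what lets the parent survive the target's crash and keep the campaign going; a real harness would also write every crashing input to disk for reproduction.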
The default loadlibrary package Ormandy released today on GitHub includes a demo in which the researcher ported Windows Defender to Linux.
More precisely, Ormandy ported the Microsoft Malware Protection Engine (MsMpEng), the security service installed by default on Windows 8, 8.1, 10 and Windows Server 2016. Of the MsMpEng package, Ormandy ported the Mpengine component, which is responsible for scanning and analyzing malware.
Despite his demo, the researcher says loud and clear that his tool is not intended as a way to run Windows apps on Linux.
"This project does not replace Wine or Winelib," Ormandy says. "Winelib is used to port Windows C++ projects to Linux, and Wine is intended to run full Windows applications. This project is intended to allow native Linux code to load simple Windows DLLs."
Nonetheless, while loadlibrary offers nothing to Linux desktop users, the tool is attractive to developers, who can use it to load code from a DLL into a Linux program without having to port the entire Windows application along the way.