>They just start trying things they think will flummox the software.
This works...until you go against a target that's heard of fuzzing before and has the time and money to do it to their own code.
The really interesting Windows exploits require a combination of "throwing stuff that will flummox the software" and a deep-level understanding of structures hidden to the average developer. Look at Yarden Shafir's really wonderful blog post about developing a kernel bug to a PoC - there's a lot of moving parts and security checks in modern Windows, and having the source is a HUGE help.
I also found another hint about their findings in this PDF written by Yarden's co-researcher Alex Ionescu: https://www.usenix.org/system/files/woot20_slides_ionescu.pd.... One of the slides specifically mentions the use of fuzzing tools to find these issues.
If there are other, better links I don't know about, please kindly share. :)