Skip to content

SyScan 2013, Bochspwn paper and slides

(Collaborative post by Mateusz “j00ru” Jurczyk and Gynvael Coldwind)

Singapore, photo by Arashi Coldwind

A few days ago we (Gynvael and I) gave a talk during the SyScan’13 conference in the fine city of Singapore, and as promised (though with a slight delay), today we are publishing both the slide deck and a white paper discussing memory access pattern analysis – a technique we recently employed with success to discover around 50 double-fetch vulnerabilities in Windows kernel and related drivers (Elevation of Privileges and Denial of Service class; see Microsoft Security Bulletins MS13-016, MS13-017, MS13-031 and MS13-036 released in February and April this year. Also, stay tuned for more security patches in May and June).

In our SyScan presentation, we explained the concept of kernel race conditions in interacting with user-mode memory, gave a brief rundown on how they can be identified by using CPU-level instrumentation of an operating system session, and later focused on how they can be successfully exploited with the help of several generic techniques (on the example of three Windows vulnerabilities discovered by the Bochspwn project). While we only had the time to go through a single case study (the CVE-2013-1254 vulnerability in win32k!SfnINOUTSTYLECHANGE), both slides and the paper contain a detailed analysis of another local privilege escalation: CVE-2013-1278 in nt!ApphelpCacheLookupEntry, and an amusing case of a double fetch behavior (it is not clear if it can be classified as a bug) found in the default kernel implementation of the standard nt!memcmp function, as a bonus.

We hope you will enjoy both the slides and whitepaper – considering the amount of time we have dedicated to the research, we would really appreciate your feedback.


Please note that we are not releasing the Bochspwn project at this time – we are planning to open-source it later this year. On the other hand, the demo videos for the CVE-2013-1254 and CVE-2013-1278 vulnerabilities shown during the talk are now available online:

The SyScan event itself was really fun – the speaker line-up was one of the best ones we have seen this year, ensuring high technical quality of the talks (which they were in fact quite inspiring), with nothing lacking on the organizational side. We were also positively surprised by the city-state of Singapore – it’s really a modern, clean and friendly place! We had a great time there and hope to visit it again soon ;)

{ 8 } Comments

  1. Andrea | 03-May-13 at 08:17:56 | Permalink

    Use double memory access on page boundaries to exploit Kernel syscalls: I read your post and the introduction of PDF article of your awesome work. I think that your considerations and job is ingenious and very talented.
    Thanks very much for sharing it….

    Are you going to introduce something like this at NosuchCon conference?
    I look forward to meet you and listen personally the presentation…


  2. Brendan Dolan-Gavitt | 04-May-13 at 10:39:00 | Permalink

    How on earth did you get 64-bit Windows to run in Bochs? I just get bluescreens when I try. I’d love to know this as I’ve been trying to get it to work in QEMU for some research with no luck.

  3. j00ru | 07-May-13 at 02:32:38 | Permalink

    @Andrea: Thanks! At NoSuchCon, I am going to be presenting a slightly different research :) You shall find out soon.

    @Brendan: I dropped you an e-mail.

  4. mgrzeg | 07-May-13 at 03:44:43 | Permalink

    69 pages paper – guys, you should definitely write a book about windows security :)

  5. ncr | 07-May-13 at 13:54:34 | Permalink

    I agree with mgrzeg, you should write a book about windows kernel security and exploitation. excellent work, as always.

  6. Ani | 22-May-13 at 06:18:53 | Permalink

    Hi guys,

    I got 2 questions for you.

    1) Have you seen the presentation about VirtICE that was held at blackhat 2010?

    2) Is it possible to make any comparison between yours and their approach, even though you do not have their tool (I assume)? Do you see any benefits of using Qemu instead of Boch, for example?
    Considering to make my own tool/framework for this and wonder which way to go. Why did you pick Boch?

  7. j00ru | 24-Jul-13 at 13:37:16 | Permalink

    @Ani: yes, we heard about the research. We decided to use Bochs because it is by far easier to write instrumentation for, i.e. it has a very intuitive and simple instrumentation API, documentation and examples you can use to cleanly and elegantly implement the desired logic. As far as we are concerned, hacking on qemu is much more difficult because of lacking instrumentation support and horribly written code.

  8. lotr | 01-Mar-17 at 00:43:28 | Permalink

    Can you share exploit source code?

{ 12 } Trackbacks

  1. […] of the function’s parameters. Due to lack of time, this was not covered at NSC; however, our SyScan’13 slides and paper explain the problem thoroughly. […]

  2. […] of the event. The talk is going to largely extend our previous performance at SyScan this year (see blog post), detailing the implementation of our “Bochspwn” project, discussing other approaches […]

  3. […] most innovative research went to Mateusz “j00ru” Jurczyk and Gynvael Coldwind for their study into Windows kernel vulnerabilities that resulted in the discovery of 37 previously unknown […]

  4. […] инновационное исследование: Идентификация и эксплуатация эффекта гонки в ядре Windows. В качестве претендентов упомянуты публикации об […]

  5. […] most innovative research went to Mateusz “j00ru” Jurczyk and Gynvael Coldwind for their study into Windows kernel vulnerabilities that resulted in the discovery of 37 previously unknown […]

  6. […] Jurczyk und Gynvael Coldwind wurden für ihre Arbeit “Identifying and Exploiting Windows Kernel Race Conditions via Memory Access Patterns” mit dem Pwnie für innovative Forschung ausgezeichnet. Keinen Pwnie gibt es 2013 für die […]

  7. […] all this, our visit to Vegas turned out quite successful for other reasons too – our “Identifying and Exploiting Windows Kernel Race Conditions via Memory Access Patterns” work was nominated and eventually awarded a Pwnie (in fact, two mascots) in the “Most […]

  8. […] it’s not enough to prevent the race-condition from being winnable by the attacker (see the bochspwn research for techniques to try and win these tight race […]

  9. […] kernel. In an updated study in 2013, Mateusz “j00ru” Jurczyk and Gynvael Coldwind produced a paper, which examined the Windows kernel and found 89 potential issues, 36 of which were highly […]

  10. […] the scope of one system call, and produce meaningful reports. The project was called Bochspwn [1][2][3] (or kfetch-toolkit on Github) and was largely successful, leading to the discovery of several […]

  11. […] 早在2013年,Gynvael和我发布了我们的研究结果,在操作系统内核中发现所谓的 双重获取漏洞,通过在一个称为Bochs的IA-32仿真器中的完全软件仿真模式下运行它们。仿真器(以及我们的定制嵌入式仪器)的目是对在内核用户模式存储器访问的详细信息,以便我们以后可以运行分析工具来发现对一个存储器地址的多个引用,系统调用,并产生有意义的报告。我们的这个项目被称为Bochspwn (使用Github上的kfetch工具包测试内存引用),并且大部分成功,导致在Windows内核中发现了几十个严重的漏洞。在其他一些成果很好的项目中,最值得注意的是Xenpwn也在推广双重获取漏洞类和使用系统级仪器安全的概念方面发挥了重要作用。 […]

  12. […] identify so-called double fetch conditions in the kernels of various popular operating systems (see SyScan slides and whitepaper, Black Hat slides and source code on GitHub). Bochspwn Reloaded repeated the success of its […]

Post a Comment

Your email is never published nor shared. Required fields are marked *