Ten post nie jest dostępny w języku polskim!
Use double memory access on page boundaries to exploit Kernel syscalls: I read your post and the introduction of PDF article of your awesome work. I think that your considerations and job is ingenious and very talented.
Thanks very much for sharing it….
Are you going to introduce something like this at NosuchCon conference?
I look forward to meet you and listen personally the presentation…
How on earth did you get 64-bit Windows to run in Bochs? I just get bluescreens when I try. I’d love to know this as I’ve been trying to get it to work in QEMU for some research with no luck.
@Andrea: Thanks! At NoSuchCon, I am going to be presenting a slightly different research :) You shall find out soon.
@Brendan: I dropped you an e-mail.
69 pages paper – guys, you should definitely write a book about windows security :)
I agree with mgrzeg, you should write a book about windows kernel security and exploitation. excellent work, as always.
I got 2 questions for you.
1) Have you seen the presentation about VirtICE that was held at blackhat 2010? http://media.blackhat.com/bh-us-10/whitepapers/Anh/BlackHat-USA-2010-Anh-Virt-ICE-wp.pdf
2) Is it possible to make any comparison between yours and their approach, even though you do not have their tool (I assume)? Do you see any benefits of using Qemu instead of Boch, for example?
Considering to make my own tool/framework for this and wonder which way to go. Why did you pick Boch?
@Ani: yes, we heard about the research. We decided to use Bochs because it is by far easier to write instrumentation for, i.e. it has a very intuitive and simple instrumentation API, documentation and examples you can use to cleanly and elegantly implement the desired logic. As far as we are concerned, hacking on qemu is much more difficult because of lacking instrumentation support and horribly written code.
Can you share exploit source code?
[…] of the function’s parameters. Due to lack of time, this was not covered at NSC; however, our SyScan’13 slides and paper explain the problem thoroughly. […]
[…] of the event. The talk is going to largely extend our previous performance at SyScan this year (see blog post), detailing the implementation of our “Bochspwn” project, discussing other approaches […]
[…] most innovative research went to Mateusz “j00ru” Jurczyk and Gynvael Coldwind for their study into Windows kernel vulnerabilities that resulted in the discovery of 37 previously unknown […]
[…] инновационное исследование: Идентификация и эксплуатация эффекта гонки в ядре Windows. В качестве претендентов упомянуты публикации об […]
[…] Jurczyk und Gynvael Coldwind wurden für ihre Arbeit “Identifying and Exploiting Windows Kernel Race Conditions via Memory Access Patterns” mit dem Pwnie für innovative Forschung ausgezeichnet. Keinen Pwnie gibt es 2013 für die […]
[…] all this, our visit to Vegas turned out quite successful for other reasons too – our “Identifying and Exploiting Windows Kernel Race Conditions via Memory Access Patterns” work was nominated and eventually awarded a Pwnie (in fact, two mascots) in the “Most […]
[…] it’s not enough to prevent the race-condition from being winnable by the attacker (see the bochspwn research for techniques to try and win these tight race […]
[…] kernel. In an updated study in 2013, Mateusz “j00ru” Jurczyk and Gynvael Coldwind produced a paper, which examined the Windows kernel and found 89 potential issues, 36 of which were highly […]
[…] the scope of one system call, and produce meaningful reports. The project was called Bochspwn  (or kfetch-toolkit on Github) and was largely successful, leading to the discovery of several […]
[…] 早在2013年，Gynvael和我发布了我们的研究结果，在操作系统内核中发现所谓的 双重获取漏洞，通过在一个称为Bochs的IA-32仿真器中的完全软件仿真模式下运行它们。仿真器（以及我们的定制嵌入式仪器）的目是对在内核用户模式存储器访问的详细信息，以便我们以后可以运行分析工具来发现对一个存储器地址的多个引用，系统调用，并产生有意义的报告。我们的这个项目被称为Bochspwn （使用Github上的kfetch工具包测试内存引用），并且大部分成功，导致在Windows内核中发现了几十个严重的漏洞。在其他一些成果很好的项目中，最值得注意的是Xenpwn也在推广双重获取漏洞类和使用系统级仪器安全的概念方面发挥了重要作用。 […]