Bochspwn Revolutions: Further Advancements in Detecting Kernel Infoleaks with x86 Emulation (INFILTRATE 2018)

Information

  • Language: English
  • Conference: INFILTRATE
  • Location: Miami, USA
  • Date: April 2018
  • Speaker(s): Mateusz ‘j00ru’ Jurczyk

Abstract

In modern operating systems, most interactions between user-mode applications and the kernel take place at a very low level, using shared ring-3 memory and native C/C++ constructs like structures, unions, arrays and pointers. While very efficient, this makes the kernel code prone to a multitude of serious but well-concealed vulnerability classes, such as double fetches or disclosure of uninitialized memory. Thankfully, both types of issues can be effectively discovered with full-system instrumentation built on top of an x86 emulator. This was illustrated in 2013 by the original Bochspwn research – with over 30 exploitable double fetches reported to Microsoft together with Gynvael Coldwind – and later in 2017, by a revived version of the project, used to identify over 50 Windows kernel infoleaks so far.

In this talk, we will discuss our latest advancements in the area of memory disclosure detection. The subjects will include the technical details behind implementing support for x64 kernel builds; an overview of a few dozen Windows infoleaks that have been found on the 64-bit platform; an analysis of kernel memory leaks to filesystems on mass storage devices; and finally an introduction to a relatively new and little-known type of infoleak – double writes (as opposed to double fetches) – with real-life examples.

Resources