Following the previous post in June last year, I continued to actively work on Bochspwn Reloaded, a Bochs-based tool designed to detect leaks of uninitialized memory from kernels to the user address space. In addition to my talk at REcon Montreal 2017 (slides, video), I also gave similar presentations at Black Hat USA 2017 (slides, video) and a Polish event called Security PWNing Conference held in Warsaw (slides in Polish).
Since then, I improved and polished various parts of the instrumentation and testing environment, which led to new waves of Windows bugs being reported to Microsoft in several iterations throughout the year. The most significant advancements I made during this time are as follows:
- Implemented support for x64 guest systems and used it to identify 17 new Windows bugs specific to the 64-bit platform.
- Developed and evaluated a taint-less method of detecting leaks to mass storage devices, which helped find a number of bugs in the Windows NTFS.sys file system driver.
- Implemented a test suite of programs to automatically test the NtQuery system call family on Windows, which uncovered new issues in a total of 14 syscalls across 23 different information classes.
- Tested other types of instrumentation aimed at detecting problems related to user↔kernel communication, such as kernel address disclosures through double-writes.
In the course of the research, I discovered and reported over 70 previously unknown security flaws in Windows (all detailed in the Project Zero bug tracker), and more than 10 bugs in Linux. The latest progress outlined above was the subject of a talk at the INFILTRATE conference in April 2018. The slides can be downloaded below:
As I learned during the study, there were a number of considerations related to kernel memory disclosure that were not well suited to be presented on stage. However, they were equally important to understand the nature of the problem and how it could be effectively worked against going forward. In an attempt to systematically outline the background of the bug class and the current state of the art, I wrote a comprehensive paper on this subject. It aims to provide an exhaustive guide to kernel infoleaks, their genesis, related prior work, means of detection and future avenues of research. While a significant portion of the document is dedicated to Bochspwn Reloaded, it also covers other methods of infoleak detection, non-memory data sinks and alternative applications of full-system instrumentation, including the empirical evaluation of some of the ideas. It has already been announced at the Project Zero blog a few weeks ago, and can be found below:
The paper is the culmination of over a year-long examination of this particular type of kernel issue, and marks the end of my work in this area for the moment. I hope you enjoy the read!