Information
- Language: English
- Conference: SyScan
- Location: Singapore
- Date: April 2013
- Speaker(s): Mateusz ‘j00ru’ Jurczyk, Gynvael Coldwind
Slides
Abstract
Windows kernel vulnerabilities are quickly becoming the second most significant concern of low-level software specialists after client-side security issues, allowing remote exploits to subvert the widely deployed sandboxing technologies found in popular web browsers or document readers. As a growing number of such security flaws are being found and fixed every month, with Microsoft investing more and more effort into hardening the kernel, we believe it is equally important to understand and discuss how certain classes of bugs could be eliminated entirely. In this presentation, we will highlight several interesting kernel-mode flaws caused by invalid reference counting recently patched by Microsoft, cover their actual impact on system security, and propose some ideas on how the bugs could have been addressed in a more generic way.
Resources
- Blog post – SyScan 2013, Bochspwn paper and slides
- Blog post – Kernel double-fetch race condition exploitation on x86 – further thoughts
- Whitepaper – Identifying and Exploiting Windows Kernel Race Conditions via Memory Access Patterns
- Open-source project – kfetch-toolkit on GitHub
- Video – Microsoft Windows 7 CVE-2013-1254 Exploitation Demo
- Video – Microsoft Windows 7 CVE-2013-1278 Exploitation Demo