2013-05-02:

SyScan 2013, Bochspwn paper and slides

syscan:bochspwn:windows:kernel:j00ru
Singapore, photo by Arashi Coldwind(Collaborative post by Mateusz "j00ru" Jurczyk and Gynvael Coldwind)
A few days ago we (j00ru and I) gave a talk during the SyScan'13 conference in the fine city of Singapore, and as promised (though with a slight delay), today we are publishing both the slide deck and a white paper discussing memory access pattern analysis - a technique we recently employed with success to discover around 50 double-fetch vulnerabilities in Windows kernel and related drivers (Elevation of Privileges and Denial of Service class; see Microsoft Security Bulletins MS13-016, MS13-017, MS13-031 and MS13-036 released in February this year. Also, stay tuned for more security patches in May and June).

In our SyScan presentation, we explained the concept of kernel race conditions in interacting with user-mode memory, gave a brief rundown on how they can be identified by using CPU-level instrumentation of an operating system session, and later focused on how they can be successfully exploited with the help of several generic techniques (on the example of three Windows vulnerabilities discovered by the Bochspwn project). While we only had the time to go through a single case study (the CVE-2013-1254 vulnerability in win32k!SfnINOUTSTYLECHANGE), both slides and the paper contain a detailed analysis of another local privilege escalation: CVE-2013-1278 in nt!ApphelpCacheLookupEntry, and an amusing case of a double fetch behavior (it is not clear if it can be classified as a bug) found in the default kernel implementation of the standard nt!memcmp function as a bonus.

We hope you enjoy both the slides and whitepaper - considering the amount of time we have put into this, we would really appreciate your feedback.

Download:
• Slides: "Bochspwn: Exploiting Kernel Race Conditions Found via Memory Access Patterns" (3.1MB, PDF)
• Paper: "Identifying and Exploiting Windows Kernel Race Conditions via Memory Access Patterns" (1.0MB, PDF)

Please note that we are not releasing the Bochspwn project itself at this time - we are planning to open-source it later this year. The demo videos for CVE-2013-1254 and CVE-2013-1278 shown during the talk are now available online:



The SyScan event itself was really fun - the speaker line-up was one of the best ones we have seen so far, ensuring high technical quality of the talks (which they were in fact quite inspiring), with nothing lacking on the organizational side. We were also positively surprised by the city-state of Singapore itself - it's really modern, clean and friendly place! We had great time there and hope to visit it again soon ;)

Comments:

2013-05-02 21:07:51 = arizvisa
{
i really dig that memcmp side effect. nice presentation. thanks for sharing it to people whom couldn't make it out there.
}
2013-05-03 11:06:32 = Infern0_
{
Geniuses! - Thats what can I say.
Do you know whether the videos of the conference will be available(especially yours presentation)?
}

Add a comment:

Nick:
URL (optional):
Math captcha: 3 ∗ 3 + 4 =