YoVDO

A Stitch in Time Saves Nine - A Case of Multiple Operating System Vulnerability

Offered By: Black Hat via YouTube

Tags

Black Hat Courses Cybersecurity Courses Linux Courses Privilege Escalation Courses FreeBSD Courses CPU Architecture Courses

Course Description

Overview

Explore a comprehensive analysis of a critical vulnerability affecting multiple operating systems in this Black Hat USA 2012 conference talk. Delve into the intricacies of the "sysret" privileged Intel CPU instruction and its unsafe implementation, which led to user-to-kernel privilege escalation exploits. Gain insights into the technical details of Intel CPU architecture, ring transitions on x86_64, and the stack switch mechanism. Examine specific exploit scenarios for FreeBSD and Windows 7, complete with live demonstrations. Learn about the coordinated patch release process, non-affected systems, and potential mitigation strategies. Understand the far-reaching impact of this vulnerability and the importance of thorough security analysis across different operating systems. Suitable for attendees with a basic understanding of Intel CPU architecture, this talk provides valuable lessons on identifying and addressing widespread security issues in complex systems.

Syllabus

Intro
CVE-2012-0217 overview
Coordinating patches release
Known non-affected systems
More on Linux case
Crash course on ring transitions on x86_64
Exception while in ringo
More on stack switch mechanism
"syscall" instruction
"syscall" handler lifecycle
Exception in syscall handler...
Sysret manual entry, Intel
Impact?
Exploit techniques
What is a non-canonical address?
How to force non-canonical address?
FreeBSD exploit scenario
FreeBSD exploit demo
Windows 7 case
Windows User Mode Scheduling
#GP with usermode RSP
Windows 7 exploit
Is it reliable?
Related research
Witchhunt - whose fault is it?.
Mitigation?


Taught by

Black Hat

Related Courses

Getting Started with Reverse Engineering
Pluralsight
Intro to Binary Exploitation
HTB Academy via Independent
Energy Efficient Programming
openHPI
Journey to the Centre of the JVM - Exploring CPU Architecture and Memory Models
ChariotSolutions via YouTube
One Glitch to Rule Them All - Fault Injection Attacks Against the AMD Secure Processor
Black Hat via YouTube