A Stitch in Time Saves Nine - A Case of Multiple Operating System Vulnerability

Offered By: Black Hat via YouTube

Tags

Black Hat Courses, Cybersecurity Courses, Linux Courses, Privilege Escalation Courses, FreeBSD Courses, CPU Architecture Courses

Course Description

Overview

Explore a comprehensive analysis of a critical vulnerability affecting multiple operating systems in this Black Hat USA 2012 conference talk. Delve into the intricacies of the "sysret" privileged Intel CPU instruction and its unsafe implementation, which led to user-to-kernel privilege escalation exploits. Gain insights into the technical details of Intel CPU architecture, ring transitions on x86_64, and the stack switch mechanism. Examine specific exploit scenarios for FreeBSD and Windows 7, complete with live demonstrations. Learn about the coordinated patch release process, non-affected systems, and potential mitigation strategies. Understand the far-reaching impact of this vulnerability and the importance of thorough security analysis across different operating systems. Suitable for attendees with a basic understanding of Intel CPU architecture, this talk provides valuable lessons on identifying and addressing widespread security issues in complex systems.

Syllabus

Intro
CVE-2012-0217 overview
Coordinating patches release
Known non-affected systems
More on Linux case
Crash course on ring transitions on x86_64
Exception while in ring0
More on stack switch mechanism
"syscall" instruction
"syscall" handler lifecycle
Exception in syscall handler...
Sysret manual entry, Intel
Impact?
Exploit techniques
What is a non-canonical address?
How to force non-canonical address?
FreeBSD exploit scenario
FreeBSD exploit demo
Windows 7 case
Windows User Mode Scheduling
#GP with usermode RSP
Windows 7 exploit
Is it reliable?
Related research
Witchhunt - whose fault is it?
Mitigation?
Taught by

Black Hat
