Bochspwn Reloaded - Detecting Kernel Memory Disclosure with x86 Emulation and Taint Tracking

Offered By: Black Hat via YouTube

Course Description

Overview

Explore kernel memory disclosure detection using x86 emulation and taint tracking in this Black Hat conference talk. Delve into the intricacies of kernel-mode buffer overflows and memory corruption issues, focusing on the subtle flaws in how the kernel writes data back to its user-mode clients. Learn about the Bochspwn Reloaded project, which employs advanced techniques to identify these elusive vulnerabilities. Discover the potential severity of stack and heap disclosures and what each kind of leak offers an attacker, and gain insights into the performance considerations of this approach. Examine the Bochs instrumentation support, core logic, and ancillary functionality used in the detection process. Understand the implementation of shadow memory representation, taint propagation, and bug detection mechanisms. Compare memory taint layouts in Windows 7 and Ubuntu 16.04, and explore real-world examples of stack infoleak reproduction and uninitialized memory bugs. Gain valuable knowledge on kernel debugging techniques and future directions for improving kernel security.

Syllabus

Intro
Life of a system call
Writing data to ring-3
The easy problem - primitive types
Extra factors: no automatic initialization
Severity and considerations
Stack disclosure benefits
Heap disclosure benefits
Prior work (Windows)
Performance (short story)
Performance (long story)
Bochs instrumentation support
Bochs instrumentation callbacks
Core logic
Ancillary functionality
Shadow memory representation
Setting taint on stack
Setting taint on heap/pools (simplified)
Taint propagation
Bug detection
(Un)tainting pool allocations
Propagating taint and detecting bugs
Windows 7 memory taint layout
Keeping track of loaded kernel modules
Testing performed
Stack infoleak reproduction
Stack spraying to the rescue
Quick digression: bugs without Bochspwn
Perfect candidate: NtQueryInformation
Windows infoleak summary
Closing remarks
Tainting heap allocations
Ubuntu 16.04 memory taint layout
Kernel debugging
Use of uninitialized memory bugs
Conclusions
Future work for Bochspwn


Taught by

Black Hat