Understanding TOCTTOU in the Windows Kernel Font Scaler Engine

Explore the intricacies of TOCTTOU vulnerabilities in the Windows Kernel Font Scaler Engine in this Black Hat conference talk. Delve into the history of the Font Scaler engine, its transition from user mode to kernel mode, and the resulting security implications. Examine the various factors contributing to the engine's vulnerabilities, with a particular focus on Time-of-Check to Time-of-Use (TOCTTOU) issues. Learn about the basic double fetch problem and discover more subtle TOCTTOU vulnerabilities introduced by the font engine's design. Gain insights into advanced exploit techniques, memory allocation, and data structures related to these vulnerabilities. Understand the FSAC routine, GDI graph, and other key components involved in exploiting the Font Scaler engine. This comprehensive presentation covers everything from the background of font rendering to specific attack vectors, providing a thorough understanding of this critical kernel attack surface.

Introduction
Background
Time of Use
Why
How
State Structure
Changing Font File
Changing Character Code
Executing VM Instructions
Conclusions
Questions
Data Structure
Memory Allocation
Advanced Exploit Techniques
Understanding TOCTTOU
First Overrated
Summary
Drawing a Picture
FSAC Routine
BoxBone
While Loop
Patch Tuesday
MAF
Log
Precompute
GDI
Graph