Bochspwn Reloaded - Detecting Kernel Memory Disclosure with x86 Emulation and Taint Tracking

Black Hat, via YouTube

Classroom Contents

  1. Intro
  2. Life of a system call
  3. Writing data to ring-3
  4. The easy problem - primitive types
  5. Extra factors: no automatic initialization
  6. Severity and considerations
  7. Stack disclosure benefits
  8. Heap disclosure benefits
  9. Prior work (Windows)
  10. Performance (short story)
  11. Performance (long story)
  12. Bochs instrumentation support
  13. Bochs instrumentation callbacks
  14. Core logic
  15. Ancillary functionality
  16. Shadow memory representation
  17. Setting taint on stack
  18. Setting taint on heap/pools (simplified)
  19. Taint propagation
  20. Bug detection
  21. (Un)tainting pool allocations
  22. Propagating taint and detecting bugs
  23. Windows 7 memory taint layout
  24. Keeping track of loaded kernel modules
  25. Testing performed
  26. Stack infoleak reproduction
  27. Stack spraying to the rescue
  28. Quick digression: bugs without Bochspwn
  29. Perfect candidate: NtQueryInformation
  30. Windows infoleak summary
  31. Closing remarks
  32. Tainting heap allocations
  33. Ubuntu 16.04 memory taint layout
  34. Kernel debugging
  35. Use of uninitialized memory bugs
  36. Conclusions
  37. Future work for Bochspwn