Completed
Setting taint on heap/pools (simplified)
Class Central Classrooms beta
YouTube videos curated by Class Central.
Classroom Contents
Bochspwn Reloaded - Detecting Kernel Memory Disclosure with x86 Emulation and Taint Tracking
Automatically move to the next video in the Classroom when playback concludes
- 1 Intro
- 2 Life of a system call
- 3 Writing data to ring-3
- 4 The easy problem - primitive types
- 5 Extra factors: no automatic initialization
- 6 Severity and considerations
- 7 Stack disclosure benefits
- 8 Heap disclosure benefits
- 9 Prior work (Windows)
- 10 Performance (short story)
- 11 Performance (long story)
- 12 Bochs instrumentation support
- 13 Bochs instrumentation callbacks
- 14 Core logic
- 15 Ancillary functionality
- 16 Shadow memory representation
- 17 Setting taint on stack
- 18 Setting taint on heap/pools (simplified)
- 19 Taint propagation
- 20 Bug detection
- 21 (Un)tainting pool allocations
- 22 Propagating taint and detecting bugs
- 23 Windows 7 memory taint layout
- 24 Keeping track of loaded kernel modules
- 25 Testing performed
- 26 Stack infoleak reproduction
- 27 Stack spraying to the rescue
- 28 Quick digression: bugs without Bochspwn
- 29 Perfect candidate: NtQueryinformation
- 30 Windows infoleak summary
- 31 Closing remarks
- 32 Tainting heap allocations
- 33 Ubuntu 16.04 memory taint layout
- 34 Kernel debugging
- 35 Use of uninitialized memory bugs
- 36 Conclusions
- 37 Future work for Bochspwn