Class Central is learner-supported. When you buy through links on our site, we may earn an affiliate commission.

YouTube

Bochspwn Reloaded - Detecting Kernel Memory Disclosure with x86 Emulation and Taint Tracking

Black Hat via YouTube

Overview

Save Big on Coursera Plus. 7,000+ courses at $160 off. Limited Time Only!
Explore kernel memory disclosure detection using x86 emulation and taint tracking in this Black Hat conference talk. Delve into the intricacies of kernel-mode buffer overflows and memory corruption issues, focusing on the subtle flaws in user-mode client interactions. Learn about the Bochspwn Reloaded project, which employs advanced techniques to identify these elusive vulnerabilities. Discover the potential severity and benefits of stack and heap disclosures, and gain insights into the performance considerations of this approach. Examine the Bochs instrumentation support, core logic, and ancillary functionality used in the detection process. Understand the implementation of shadow memory representation, taint propagation, and bug detection mechanisms. Compare memory taint layouts in Windows 7 and Ubuntu 16.04, and explore real-world examples of stack infoleak reproduction and uninitialized memory bugs. Gain valuable knowledge on kernel debugging techniques and future directions for improving kernel security.

Syllabus

Intro
Life of a system call
Writing data to ring-3
The easy problem - primitive types
Extra factors: no automatic initialization
Severity and considerations
Stack disclosure benefits
Heap disclosure benefits
Prior work (Windows)
Performance (short story)
Performance (long story)
Bochs instrumentation support
Bochs instrumentation callbacks
Core logic
Ancillary functionality
Shadow memory representation
Setting taint on stack
Setting taint on heap/pools (simplified)
Taint propagation
Bug detection
(Un)tainting pool allocations
Propagating taint and detecting bugs
Windows 7 memory taint layout
Keeping track of loaded kernel modules
Testing performed
Stack infoleak reproduction
Stack spraying to the rescue
Quick digression: bugs without Bochspwn
Perfect candidate: NtQueryinformation
Windows infoleak summary
Closing remarks
Tainting heap allocations
Ubuntu 16.04 memory taint layout
Kernel debugging
Use of uninitialized memory bugs
Conclusions
Future work for Bochspwn

Taught by

Black Hat

Reviews

Start your review of Bochspwn Reloaded - Detecting Kernel Memory Disclosure with x86 Emulation and Taint Tracking

Never Stop Learning.

Get personalized course recommendations, track subjects and courses with reminders, and more.

Someone learning on their laptop while sitting on the floor.