Overview
Syllabus
Intro
Life of a system call
Writing data to ring-3
The easy problem - primitive types
Extra factors: no automatic initialization
Severity and considerations
Stack disclosure benefits
Heap disclosure benefits
Prior work (Windows)
Performance (short story)
Performance (long story)
Bochs instrumentation support
Bochs instrumentation callbacks
Core logic
Ancillary functionality
Shadow memory representation
Setting taint on stack
Setting taint on heap/pools (simplified)
Taint propagation
Bug detection
(Un)tainting pool allocations
Propagating taint and detecting bugs
Windows 7 memory taint layout
Keeping track of loaded kernel modules
Testing performed
Stack infoleak reproduction
Stack spraying to the rescue
Quick digression: bugs without Bochspwn
Perfect candidate: NtQueryInformation
Windows infoleak summary
Closing remarks
Tainting heap allocations
Ubuntu 16.04 memory taint layout
Kernel debugging
Use of uninitialized memory bugs
Conclusions
Future work for Bochspwn
Taught by
Black Hat