Understanding TOCTTOU in the Windows Kernel Font Scaler Engine

Explore the intricacies of TOCTTOU vulnerabilities in the Windows Kernel Font Scaler Engine in this Black Hat conference talk. Delve into the history of the Font Scaler engine, its transition from user mode to kernel mode, and the resulting security implications. Examine the various factors contributing to the engine's vulnerabilities, with a particular focus on Time-of-Check to Time-of-Use (TOCTTOU) issues. Learn about the basic double fetch problem and discover more subtle TOCTTOU vulnerabilities introduced by the font engine's design. Gain insights into advanced exploit techniques, memory allocation, and data structures related to these vulnerabilities. Understand the FSAC routine, GDI graph, and other key components involved in exploiting the Font Scaler engine. This comprehensive presentation covers everything from the background of font rendering to specific attack vectors, providing a thorough understanding of this critical kernel attack surface.