Following the reveal of speculative execution vulnerabilities, Meltdown was mitigated in software by separating the address space to ring0 and ring3 views. Though it sounds simple, it changed the memory management in all major operating systems drastically and introduced a new hidden area between user-mode and the kernel where code can execute.
In this talk we cover the fundamental details of Meltdown, dive deep into KVA Shadow internals and show how we used it to bypass PatchGuard and HyperGuard.
Moreover, as the mitigation was implemented in all the major operating systems and on some it was even backported to all supported versions, we’ll discuss the security issues it presents, new avenues it opens for rootkits and what countermeasures should be taken in light of them.