HACKING LIKE IN THE MOVIES: VISUALIZING PAGE TABLES FOR LOCAL EXPLOITATION

A shiny and sparkling way to break user-space ASLR, kernel ASLR and even find driver bugs! Understanding how a specific Operating System organizes its Page Tables allow you to find your own ASLR bypasses and even driver vulnerabilities. We will drop one 0day Android ASLR bypass as an example; you can then break all your other expensive toys yourself. Page Tables are the data structures that map between the virtual address space your programs see to the actual physical addresses identifying locations on your physical RAM chips. We will visualize these data structures for:

  • Windows 8 on x86_64
  • Windows 8 RT on ARMv7
  • Linux 3.8 on x86_64
  • Linux 3.4 on ARMv7 alias Android 4.2
  • XNU on x86_64 alias OS X
  • XNU on ARMv7 alias iOS

Besides showing pretty pictures, we will actually explain what they show and how to interpret commonalities and differences across the same kernel on different architectures.

By comparing the page table state on the same architecture across different runs, we will identify static physical mappings created by drivers, which can be useful for DMA attacks (think FireWire or Thunderbolt forensics). Static virtual mappings are even more interesting and can be used for (K)ASLR bypasses.

To make a final point, that this is not only nice to look at, we will show how we found a mitigated Android <= 4.0.x generic user-space ASLR bypass. For those interested in actually owning targets, we will show an Android 4.2.2 generic user-space ASLR bypass that also affects other latest Linux/ARM kernels.

Presented by