In kernel mode, buffer overflows and similar memory corruption issues in the internal logic are usually self-evident and can be detected with a number of static and dynamic approaches. On the contrary, flaws directly related to interactions with user-mode clients tend to be more subtle, and can survive unnoticed for many years while still providing primitives similar to the classic bugs. One example of such flaws is the so-called "double fetch" – repeated accesses to a single user-mode memory unit within the same semantic context, under the assumption that its value doesn't change between the reads. These are race conditions which can often be exploited to achieve memory corruption, write-what-where conditions and other dangerous primitives; yet they never manifest themselves at runtime unless actively exploited. In 2013, Gynvael and I devised a project called "Bochspwn", which was used to discover at least 37 double fetches in the Windows kernel, by employing a custom full-system instrumentation built on top of the Bochs x86 emulator.
This presentation will introduce another subtle class of kernel vulnerabilities – disclosure of uninitialized stack and heap memory to user-mode applications. Since information leaks of this kind leave hardly any footprint, they are rarely noticed and reported to system vendors. However, we have found that it is still a prevalent problem in current kernels (especially Windows), and can be abused to defeat certain exploit mitigations or steal sensitive data residing in ring-0. In order to address this matter, we have developed a new Bochspwn-style instrumentation based on rudimentary kernel memory taint tracking, which we then used to discover 30 memory disclosure issues in Windows alone. In this talk, we will discuss the kernel design problems behind the bugs, the design of our tool, and the exploitation process of some of the most interesting findings.
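As an added illustration (not code from the talk or from the Bochspwn tool), the following C model shows the uninitialized-memory disclosure class in miniature together with the poison-and-check idea behind the taint tracking described above: a simulated kernel allocation is filled with a marker byte, a leaky handler and a fixed handler copy a structure to "user" memory, and a checker counts marker bytes that reached the user buffer. The `dev_info` structure, the `POISON` value and the handlers are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical structure returned to user mode. With the usual x86 ABI
 * it carries compiler padding after `type` and after `flags`. */
struct dev_info {
    uint8_t  type;
    uint32_t size;
    uint16_t flags;
};

#define POISON 0xAA  /* constructed marker for "never written" bytes */

/* Simulated kernel pool object; the real tool taints fresh allocations,
 * here we simply poison the object so stale contents are recognisable. */
static struct dev_info kernel_pool_obj;

static struct dev_info *kalloc_poisoned(void) {
    memset(&kernel_pool_obj, POISON, sizeof kernel_pool_obj);
    return &kernel_pool_obj;
}

/* Leaky handler: only the named fields are written, so padding bytes
 * still hold whatever the allocation contained before. */
void query_info_leaky(uint8_t *user_out) {
    struct dev_info *info = kalloc_poisoned();
    info->type = 7; info->size = 4096; info->flags = 0x10;
    memcpy(user_out, info, sizeof *info);  /* copy_to_user-style */
}

/* Fixed handler: zero the whole object before populating it. */
void query_info_fixed(uint8_t *user_out) {
    struct dev_info *info = kalloc_poisoned();
    memset(info, 0, sizeof *info);
    info->type = 7; info->size = 4096; info->flags = 0x10;
    memcpy(user_out, info, sizeof *info);
}

/* Checker: how many poisoned (never-initialised) bytes reached user memory. */
size_t count_leaked_bytes(const uint8_t *user_buf, size_t len) {
    size_t n = 0;
    for (size_t i = 0; i < len; i++) if (user_buf[i] == POISON) n++;
    return n;
}

/* Run a handler against a clean user buffer and report the leak size. */
size_t leaked_by(void (*handler)(uint8_t *)) {
    uint8_t user_buf[sizeof(struct dev_info)];
    memset(user_buf, 0, sizeof user_buf);
    handler(user_buf);
    return count_leaked_bytes(user_buf, sizeof user_buf);
}
```

With the usual x86 layout the structure is 12 bytes of which 7 are real fields, so the leaky handler discloses 5 padding bytes and the fixed one none.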