15 years ago, Windows NT 4.0 introduced Win32k.sys to address the inherent limitations of the older client-server graphics subsystem model. Today, win32k still remains a fundamental component of the Windows architecture and manages both the Window Manager (USER) and Graphical Device Interface (GDI).
In order to properly interface with user-mode data, win32k makes use of user-mode callbacks, a mechanism allowing the kernel to make calls back into user-mode.
User-mode callbacks enable a variety of tasks such as invoking application-defined hooks, providing event notifications, and copying data to/from user-mode. In this talk, we discuss the many challenges and problems concerning user-mode callbacks in win32k. We will show how win32k's questionable design potentially may have introduced hundreds of subtle vulnerabilities, which so far have resulted in numerous patch bulletins. Recently, MS11-034 addressed a record number (30) of privilege escalation vulnerabilities in an effort to remove multiple bug classes related to user-mode callbacks. However, in spite of the attempts made to address these vulnerabilities, the underlying problem still persists.
Tarjei Mandt is a security researcher at Norman. He holds a Masters degree in Information Security and has previously spoken at security conferences such as Black Hat, Infiltrate, and Hackito Ergo Sum. In his free time, he enjoys spending countless hours challenging security mechanisms and researching intricate issues in low-level system components. Recently, he has done extensive research on modern kernel pool exploitation and discovered several vulnerabilities in the Windows kernel.