HACKING LIKE IN THE MOVIES: VISUALIZING PAGE TABLES FOR LOCAL EXPLOITATION

Black Hat USA 2013

Presented by: Alexandru Radocea, Georg Wicherski
Date: Thursday August 01, 2013
Time: 17:00 - 18:00
Location: Palace 3

A shiny and sparkling way to break user-space ASLR, kernel ASLR and even find driver bugs! Understanding how a specific Operating System organizes its Page Tables allows you to find your own ASLR bypasses and even driver vulnerabilities. We will drop one 0day Android ASLR bypass as an example; you can then break all your other expensive toys yourself. Page Tables are the data structures that map the virtual address space your programs see to the actual physical addresses identifying locations on your physical RAM chips. We will visualize these data structures for:

Besides showing pretty pictures, we will actually explain what they show and how to interpret commonalities and differences across the same kernel on different architectures.

By comparing the page table state on the same architecture across different runs, we will identify static physical mappings created by drivers, which can be useful for DMA attacks (think FireWire or Thunderbolt forensics). Static virtual mappings are even more interesting and can be used for (K)ASLR bypasses.
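The two passages above (what a page table maps, and what a diff of the same table across two runs reveals) can be illustrated on a toy. The following is an added example written for this page, not code from the talk or its presenters: it simulates an ARMv7 short-descriptor page table (L1 of 4096 entries indexed by VA[31:20], L2 coarse tables of 256 entries indexed by VA[19:12]; descriptor type in bits [1:0], with 0b10 a 1 MiB section, 0b01 a coarse table and, in L2, bit 1 set a 4 KiB small page; large pages are not modelled) inside a constructed 64 KiB "physical memory", walks it, then enumerates every mapping of two constructed boot snapshots and classifies what stayed put. The snapshot builder, the addresses (a peripheral at a fixed VA/PA, a kernel section whose physical base moves, a driver DMA buffer whose physical page stays while its virtual address moves) and all function names are assumptions for the demo; on a real target the tables would come from a memory dump or a kernel debugger.

```c
/* Added example: simulated ARMv7 short-descriptor page-table walk and a
 * cross-run diff of the mappings. Not the presenters' code; all addresses and
 * the two "boot" snapshots below are constructed for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PHYS_SIZE (64 * 1024)            /* simulated physical RAM: 64 KiB */

typedef struct { uint8_t ram[PHYS_SIZE]; uint32_t ttbr; } snapshot_t;
typedef struct { uint32_t va, pa, size; } mapping_t;
typedef struct { int static_pa, static_va, static_both; } diff_t;

static uint32_t phys_read32(const snapshot_t *s, uint32_t pa) {
    uint32_t v;
    if (pa > PHYS_SIZE - 4) return 0;    /* outside simulated RAM: fault descriptor */
    memcpy(&v, s->ram + pa, 4);
    return v;
}

static void phys_write32(snapshot_t *s, uint32_t pa, uint32_t v) {
    memcpy(s->ram + pa, &v, 4);
}

/* Translate va; returns 1 and sets *pa when mapped, 0 on translation fault. */
int arm_walk(const snapshot_t *s, uint32_t va, uint32_t *pa) {
    uint32_t l1 = phys_read32(s, s->ttbr + (va >> 20) * 4);
    switch (l1 & 3) {
    case 2:                               /* section: PA base in bits [31:20] */
        *pa = (l1 & 0xFFF00000u) | (va & 0x000FFFFFu);
        return 1;
    case 1: {                             /* coarse table: L2 base in bits [31:10] */
        uint32_t l2 = phys_read32(s, (l1 & 0xFFFFFC00u) + ((va >> 12) & 0xFF) * 4);
        if (!(l2 & 2)) return 0;          /* only small pages (bit 1) modelled */
        *pa = (l2 & 0xFFFFF000u) | (va & 0xFFFu);
        return 1;
    }
    default:
        return 0;                         /* fault descriptor */
    }
}

/* Enumerate every mapped section / small page; returns the count. */
int dump_mappings(const snapshot_t *s, mapping_t *out, int max) {
    int n = 0;
    for (uint32_t i = 0; i < 4096 && n < max; i++) {
        uint32_t l1 = phys_read32(s, s->ttbr + i * 4);
        if ((l1 & 3) == 2) {
            out[n++] = (mapping_t){ i << 20, l1 & 0xFFF00000u, 1u << 20 };
        } else if ((l1 & 3) == 1) {
            for (uint32_t j = 0; j < 256 && n < max; j++) {
                uint32_t l2 = phys_read32(s, (l1 & 0xFFFFFC00u) + j * 4);
                if (l2 & 2)
                    out[n++] = (mapping_t){ (i << 20) | (j << 12), l2 & 0xFFFFF000u, 4096 };
            }
        }
    }
    return n;
}

/* Classify run A's mappings against run B: same PA in both runs is a static
 * physical mapping (DMA-attack relevant); same VA in both is a static virtual
 * mapping (KASLR relevant); same VA and PA is both. */
diff_t diff_snapshots(const mapping_t *a, int na, const mapping_t *b, int nb) {
    diff_t d = { 0, 0, 0 };
    for (int i = 0; i < na; i++) {
        int same_pa = 0, same_va = 0, both = 0;
        for (int j = 0; j < nb; j++) {
            if (a[i].size != b[j].size) continue;
            if (a[i].pa == b[j].pa) same_pa = 1;
            if (a[i].va == b[j].va) same_va = 1;
            if (a[i].pa == b[j].pa && a[i].va == b[j].va) both = 1;
        }
        d.static_pa += same_pa; d.static_va += same_va; d.static_both += both;
    }
    return d;
}

/* Constructed "boot": a fixed peripheral, a kernel whose physical base varies,
 * and a driver DMA page whose VA and PA are given by the caller. */
static void make_snapshot(snapshot_t *s, uint32_t kernel_pa, uint32_t dma_va, uint32_t dma_pa) {
    memset(s, 0, sizeof *s);
    s->ttbr = 0x4000;                                        /* L1: 16 KiB aligned */
    phys_write32(s, s->ttbr + 0xFFF * 4, 0x10000000u | 2);  /* peripheral, VA 0xFFF00000 */
    phys_write32(s, s->ttbr + 0xC00 * 4, (kernel_pa & 0xFFF00000u) | 2); /* kernel, VA 0xC0000000 */
    phys_write32(s, s->ttbr + (dma_va >> 20) * 4, 0x8000u | 1);        /* coarse L2 at PA 0x8000 */
    phys_write32(s, 0x8000u + ((dma_va >> 12) & 0xFF) * 4, (dma_pa & 0xFFFFF000u) | 2);
}

diff_t run_demo(void) {
    static snapshot_t a, b;               /* 64 KiB each; keep off the stack */
    mapping_t ma[64], mb[64];
    make_snapshot(&a, 0x40000000u, 0x40010000u, 0x20045000u);
    make_snapshot(&b, 0x40100000u, 0x48010000u, 0x20045000u);
    int na = dump_mappings(&a, ma, 64), nb = dump_mappings(&b, mb, 64);
    return diff_snapshots(ma, na, mb, nb);
}

int main(void) {
    diff_t d = run_demo();
    printf("static physical: %d, static virtual: %d, both: %d\n",
           d.static_pa, d.static_va, d.static_both);
    return 0;
}
```

Of the three constructed mappings, the peripheral keeps both addresses, the kernel section keeps its virtual address while its physical base moves, and the DMA page keeps its physical address while its virtual address moves, so the diff reports two static physical, two static virtual and one fully static mapping. Against a real dump the interesting output is the list of such entries, not the counts; and note that the same walk on a different architecture (x86 4-level tables, ARMv7 LPAE) needs a different descriptor decoder, which is exactly the "same kernel, different architecture" comparison the talk makes.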

To make the final point that this is not only nice to look at, we will show how we found a (now mitigated) generic user-space ASLR bypass for Android <= 4.0.x. For those interested in actually owning targets, we will show an Android 4.2.2 generic user-space ASLR bypass that also affects other recent Linux/ARM kernels.

Georg Wicherski

Georg Wicherski is a Senior Security Researcher with CrowdStrike, mostly analyzing advanced targeted threats but also putting himself in attackers' shoes from time to time. He loves to work at a low level, abandoning all the syntactic sugar that high-level languages offer and working on instructions or bytecode. Recently, he has developed an interest in the ARM architecture in addition to his old x86 adventures.

Alexandru Radocea

Alex Radocea works for CrowdStrike, offering services, intelligence, and technologies to companies who want to turn the tides and bring pain to advanced adversaries. Previous employers include Apple, where he worked on the Product Security team, and Matasano, where he worked as a consultant testing a wide variety of technologies. He is a cryptographic failure enthusiast and aspiring silicon chip reverser. Alex Rad has led the "lollerskaterz dropping from rofl copters" team to the Defcon CTF Finals for a number of years, where they consistently did everything but win, and remains a huge fan of computer security wargames. Prior notable speaking engagements include CodeGate '09, WWDC '11, and EkoParty '12.
