MORE SHADOW WALKER: THE PROGRESSION OF TLB-SPLITTING ON X86

Black Hat USA 2014

Presented by: Jacob Torrey
Date: Thursday August 07, 2014
Time: 11:45 - 12:45
Location: South Seas AB

This talk will cover the concept of translation lookaside buffer (TLB) splitting for code hiding, how the evolution of the Intel x86 architecture has rendered previous techniques obsolete, and new techniques to perform TLB-splitting on modern hardware. After the requisite background is provided, the talk presents a timeline of how TLB-splitting was used for both defensive (PaX memory protections) and offensive purposes (Shadow Walker root-kit) and how the new Intel Core i-series processors fundamentally changed the TLB architecture, breaking those technologies. The talk will then move to the new research: the author's method for splitting a TLB on Core i-series and newer processors, and how it can again be used for defensive (MoRE code-injection detection) and offensive purposes (EPT Shadow Walker root-kit).

After the timeline, the talk details how to perform and leverage TLB-splitting with the EPT Shadow Walker root-kit, which is used to present one version of memory to defensive tools for validation and a different (and possibly malicious) version to the CPU for execution, effectively hiding a root-kit from anti-virus or anti-patching systems. A demo of this memory changing and hiding will be shown, and results from the research will be presented.

Jacob Torrey

Jacob Torrey is a Senior Research Engineer at Assured Information Security, Inc., where he leads the Computer Architectures group and acts as the site lead for the Colorado branch. Jacob has worked extensively with low-level x86 and MCU architectures, having written a BIOS, OS, hypervisor and SMM handler. His major interest is how to (mis)use an existing architecture to implement a capability currently beyond the limitations of the architecture.

