In kernel-mode, buffer overflows and similar memory corruption issues in the internal logic are usually self-evident and can be detected with a number of static and dynamic approaches. On the contrary, flaws directly related to interactions with user-mode clients tend to be more subtle, and can survive unnoticed for many years, while still providing primitives similar to the classic bugs. One example of such flaws are so-called "double fetches" – repeated accesses to single user-mode memory units within the same semantic contexts, with the assumption that their values don't change in between the reads. These are race conditions which can be often exploited to achieve memory corruption, write-what-where conditions and other dangerous primitives; yet they never manifest themselves at runtime, unless being actively exploited. In 2013, Gynvael and I devised a project called "Bochspwn", which was used to discover at least 37 double fetches in the Windows kernel, by employing a custom full-system instrumentation built on top of the Bochs x86 emulator.
This presentation will introduce another subtle class of kernel vulnerabilities – disclosure of uninitialized stack and heap memory to user-mode applications. Since information leaks of this kind leave hardly any footprint, they are rarely noticed and reported to system vendors. However, we have found that it is still a prevalent problem in current kernels (especially Windows), and can be abused to defeat certain exploit mitigations or steal sensitive data residing in ring-0. In order to address this matter, we have developed a new Bochspwn-style instrumentation based on rudimentary kernel memory taint tracking, which we then used to discover 30 memory disclosure issues in Windows alone. In this talk, we will discuss the kernel design problems behind the bugs, the design of our tool, and the exploitation process of some of the most interesting findings.
Mateusz Jurczyk is a security researcher at Google Project Zero, and a vice- captain of the Dragon Sector CTF team. While being a big fan of memory corruption, his areas of interest are centered around low-level client software security, vulnerability exploitation and mitigation techniques. In his free time, Mateusz enjoys delving into the darkest corners of low-level kernel internals, with a strong emphasis on Microsoft Windows. He has spoken at numerous security conferences including Black Hat, REcon, SyScan, Ruxcon, PacSec and 44CON.