Bochspwn Reloaded: Detecting Kernel Memory Disclosure with x86 Emulation and Taint Tracking

by Mateusz Jurczyk Sept. 14, 2017 via

This presentation will introduce another subtle class of kernel vulnerabilities – disclosure of uninitialized stack and heap memory to user-mode applications. Since information leaks of this kind leave hardly any footprint, they are rarely noticed and reported to system vendors. However, we have found that it is still a prevalent problem in current kernels (especially Windows), and can be abused to defeat certain exploit mitigations or steal sensitive data residing in ring-0. In order to address this matter, we have developed a new Bochspwn-style instrumentation based on rudimentary kernel memory taint tracking, which we then used to discover 30 memory disclosure issues in Windows alone. In this talk, we will discuss the kernel design problems behind the bugs, the design of our tool, and the exploitation process of some of the most interesting findings.

Steven Ulm 4 weeks, 1 day ago

The idea itself is quite crazy - but I do see what you mean... only on BlackHat you could find such presentations, lol