More Shadow Walker: The Progression of TLB-Splitting on x86

by Jacob Torrey
Sept. 21, 2017. Black Hat. Tags: Pen Testing & Audits, code isolation, code measurement, critical software, hypervisor, real-time analysis, split-TLB, TLB

This talk will cover the concept of translation lookaside buffer (TLB) splitting for code hiding, how the evolution of the Intel x86 architecture has rendered previous techniques obsolete, and new techniques for performing TLB splitting on modern hardware. After the requisite background is provided, the talk presents a timeline of how TLB splitting was used for both defensive purposes (PaX memory protections) and offensive purposes (the Shadow Walker rootkit), and how the new Intel Core i-series processors fundamentally changed the TLB architecture, breaking those technologies. The talk will then move to the new research: the author's method for splitting the TLB on Core i-series and newer processors, and how it can again be used for defensive purposes (MoRE code-injection detection) and offensive purposes (the EPT Shadow Walker rootkit).
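The following is an added illustration, not code from the talk or from any of the projects it names. It is a toy C model of the pre-Core-i situation the abstract describes: a machine whose instruction TLB and data TLB cache the page-table translation separately, so the two can be driven out of sync for one virtual page. The model shows why an integrity scanner that reads code through the data path alone reports a page as intact while the fetch path resolves to a different frame, and why a cross-view comparison (fetch view versus data view) or a TLB flush that reloads both caches from the page table exposes the divergence. Frame sizes, the `machine_t` layout and every function name are constructed for this model; nothing here reflects how MoRE, PaX or Shadow Walker are actually implemented, and the unified second-level TLB of Core i-series parts is not modelled.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed toy machine: tiny frames, a page table, and two separately cached
 * translations (ITLB for instruction fetch, DTLB for data access). */
#define PAGE_SIZE 16
#define NPAGES    4
#define NFRAMES   8

typedef struct {
    uint8_t frames[NFRAMES][PAGE_SIZE]; /* physical memory */
    int     pt[NPAGES];                 /* architectural page table: vpage -> frame */
    int     itlb[NPAGES];               /* translation used by instruction fetch */
    int     dtlb[NPAGES];               /* translation used by data reads/writes */
} machine_t;

void machine_init(machine_t *m)
{
    memset(m, 0, sizeof *m);
    for (int v = 0; v < NPAGES; v++)
        m->pt[v] = m->itlb[v] = m->dtlb[v] = v; /* identity map, both TLBs in sync */
}

/* Reload both TLBs from the page table, the effect a full TLB flush has. */
void flush_tlb(machine_t *m)
{
    for (int v = 0; v < NPAGES; v++)
        m->itlb[v] = m->dtlb[v] = m->pt[v];
}

uint8_t fetch_insn(const machine_t *m, unsigned vaddr)
{
    return m->frames[m->itlb[vaddr / PAGE_SIZE]][vaddr % PAGE_SIZE];
}

uint8_t read_data(const machine_t *m, unsigned vaddr)
{
    return m->frames[m->dtlb[vaddr / PAGE_SIZE]][vaddr % PAGE_SIZE];
}

/* Put the two cached translations for one virtual page out of sync. This is the
 * state a split-TLB code-hiding technique maintains; the model sets it directly. */
void split_tlb(machine_t *m, unsigned vpage, int exec_frame, int data_frame)
{
    m->itlb[vpage] = exec_frame;
    m->dtlb[vpage] = data_frame;
}

/* Naive integrity scanner: compares the page, read through the data path, with a
 * known-good copy. Returns true when the page looks intact. */
bool scan_via_data(const machine_t *m, unsigned vpage, const uint8_t *known_good)
{
    for (unsigned off = 0; off < PAGE_SIZE; off++)
        if (read_data(m, vpage * PAGE_SIZE + off) != known_good[off])
            return false;
    return true;
}

/* Cross-view check: compare what instruction fetch resolves to with what a data
 * read resolves to. Any mismatch means the two translations have diverged. */
bool detect_split(const machine_t *m, unsigned vpage)
{
    for (unsigned off = 0; off < PAGE_SIZE; off++) {
        unsigned va = vpage * PAGE_SIZE + off;
        if (fetch_insn(m, va) != read_data(m, va))
            return true;
    }
    return false;
}

/* Constructed scenario: vpage 0 is a "code" page of NOPs (0x90) in frame 0; frame 4
 * holds a modified copy, and fetches are steered to it while data reads still see
 * frame 0. */
void build_scenario(machine_t *m)
{
    machine_init(m);
    memset(m->frames[0], 0x90, PAGE_SIZE);
    memcpy(m->frames[4], m->frames[0], PAGE_SIZE);
    m->frames[4][0] = 0xCC;                      /* one byte differs in the hidden copy */
    split_tlb(m, 0, /*exec_frame=*/4, /*data_frame=*/0);
}
```

In the constructed scenario `scan_via_data` reports vpage 0 as intact even though `fetch_insn` returns the modified byte, which is the blind spot of a read-only scanner on a split TLB; `detect_split` catches the divergence, and after `flush_tlb` both views agree again because both caches are reloaded from the single page table.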