A Mitigation for Kernel TOCTOU Vulnerabilities
Mingbo Zhang, Saman Zonouz
Rutgers University
BlueHat v18
CVE-2008-2252
CVE-2013-1248
...
CVE-2013-1280
CVE-2013-1283
CVE-2013-1284
CVE-2013-1291
CVE-2013-1294
CVE-2016-5728
CVE-2016-6130
CVE-2016-6136
CVE-2016-6156
CVE-2016-6480
CVE-2016-7624
Kernel TOCTOU (Time Of Check to Time Of Use)
aka Double Fetches, Race Conditions
Outline
● Background
● Mitigation
● Find More Bugs
● Conclusions
(Figure: user-space memory layout, labelled 0xFF and 0x8FF.)
Why It Happens
● The kernel reads data directly from user-mode memory.
● User memory is a shared resource.
● There is no mechanism to inform other users when it changes.
● The kernel should "capture" the value.
Anything the Kernel Touches Stays the Same
(Figure: Thread 0 issues a syscall whose parameters contain pointer0 and pointer1 into user memory; while the kernel accesses that memory, Thread 1 writes to the same user pages.)
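The race on the slides above, as an added example in C that is not code from the deck: a kernel handler reads a length from user memory, a simulated second user thread changes it between the check and the use, and a "capture" version of the handler reads once into kernel memory and is unaffected. The struct layout, the callback that stands in for the racing thread, and KBUF_MAX are all hypothetical; the handlers return the length they would copy instead of copying, so the model never actually overflows.

```c
/* Added example, not code from the slides: a user-space model of a kernel
 * "double fetch" and of the "capture" pattern the slides recommend. Names
 * are hypothetical. "User memory" is an ordinary buffer, and the racing
 * user thread is a callback that runs after every fetch, which makes the
 * race deterministic and repeatable. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KBUF_MAX 64u          /* size of the kernel-side buffer */

/* Layout shared between user and kernel: a length followed by payload. */
struct user_req {
    uint32_t len;
    uint8_t  data[256];
};

/* Simulated racing thread: called after each fetch with the fetch number. */
typedef void (*racer_fn)(struct user_req *u, int fetch_no);
static racer_fn g_racer;
static int      g_fetch_no;

/* Stand-in for copy_from_user(): copy n bytes out of "user memory", then
 * give the other user thread a chance to run. */
static void fetch_user(void *dst, const void *src, size_t n, struct user_req *u)
{
    memcpy(dst, src, n);
    g_fetch_no++;
    if (g_racer)
        g_racer(u, g_fetch_no);
}

/* Vulnerable pattern: the length is checked on one fetch and used on a
 * second one. Returns the length the handler would copy, or -1 if rejected. */
long handler_double_fetch(struct user_req *u)
{
    uint32_t len;
    fetch_user(&len, &u->len, sizeof len, u);   /* time of check */
    if (len > KBUF_MAX)
        return -1;
    fetch_user(&len, &u->len, sizeof len, u);   /* time of use: re-read */
    return (long)len;   /* a real handler would now memcpy(kbuf, data, len) */
}

/* Capture pattern: fetch the header once into kernel memory and make every
 * later decision on that private copy; user memory is never re-read. */
long handler_capture(struct user_req *u)
{
    uint32_t len;
    fetch_user(&len, &u->len, sizeof len, u);   /* single fetch */
    if (len > KBUF_MAX)
        return -1;
    return (long)len;   /* the value that was checked is the value used */
}

/* Racing thread: right after the first fetch, grow the length past the
 * kernel buffer. */
static void racer_grow_len(struct user_req *u, int fetch_no)
{
    if (fetch_no == 1)
        u->len = 1000;
}

/* Run a handler on a request whose length passes the check, with the
 * racing thread active. Returns the handler's result. */
long run_with_race(long (*handler)(struct user_req *))
{
    struct user_req req;
    memset(&req, 0, sizeof req);
    req.len = 16;
    g_fetch_no = 0;
    g_racer = racer_grow_len;
    long r = handler(&req);
    g_racer = NULL;
    return r;
}

int main(void)
{
    printf("double fetch would copy %ld bytes into a %u-byte buffer\n",
           run_with_race(handler_double_fetch), KBUF_MAX);
    printf("capture copies %ld bytes\n", run_with_race(handler_capture));
    return 0;
}
```

Run with any C compiler: the double-fetch handler reports that it would copy 1000 bytes into a 64-byte buffer, while the capture handler copies the 16 bytes it checked. The only difference between the two handlers is that the capture version never re-reads user memory after the check, which is exactly the "capture the value" rule from the slide.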
Supervisor Mode Access Prevention (SMAP)
● The kernel cannot access user-mode pages.
● Such an access triggers a page fault.
● Set CR4.SMAP to enable it.
● SMAP can be disabled by setting EFLAGS.AC=1.
● Two instructions, STAC (Set AC Flag) and CLAC (Clear AC Flag), set or clear the flag.
SMAP in Linux
Two gateway functions
● copy_to_user()
● copy_from_user()
are where SMAP is temporarily disabled. When the OS sees a SMAP exception anywhere else, it panics.

copy_from_user(...)
{
    stac();       /* EFLAGS.AC = 1: allow supervisor access to user pages */
    .... copy;    /* the actual copy */
    clac();       /* EFLAGS.AC = 0: re-arm SMAP */
}
(Figure: user memory and kernel memory; a user page referenced by the kernel is re-tagged as a kernel page, and a user-mode access to it then raises #PF.)
Leverage SMAP Differently
● Any user page referenced by the kernel is set as a kernel page until the current system call ends.
● The page is protected from other user threads.
● The SMAP #PF is handled (instead of panicking).
What If Other Threads Need to Read the Same Page?
● Simply change it back to a user page and set it read-only.
(Figure: user memory with the protected page shown first as a kernel page, then as a read-only user page for another thread; #PF marks the faulting access.)
Implementation
● Hook the page fault handler (interrupt vector 0x0E).
● Hook the Windows internal function KiSystemCallExit to know when the syscall ends.
Page Fault Handler
We only handle exceptions related to SMAP; others are passed on to the OS kernel. The handler works from:
● the page fault error code (on the stack)
● EIP, CS, ESP, SS, EFLAGS (on the stack)
● the current page directory base (CR3)
● the virtual address that caused the exception (CR2)
Exception Flooding
● SMAP is a system-wide feature.
● The Windows kernel is not SMAP-ready.
● Syscalls take user-mode parameters.
● Win32k.sys
Reduce Exceptions
● Debugging the page fault handler is not very convenient.
● To reduce exceptions, we want SMAP effective only on a particular process.
● Use virtualization to confine SMAP within a process.
Hypervisor
● Goal: set the CR4.SMAP bit only when the CPU runs the target process.
● Similar to what a virtualization rootkit usually does, our thin hypervisor lifts the current system into VM guest mode.
(Figure: before, the Operating System runs directly on the Hardware; after loading the hypervisor driver, the Operating System runs in guest mode with the Hypervisor between it and the Hardware.)
Hypervisor
(Figure: process switches as seen by the hypervisor. The guest's "mov cr3, eax" causes a VM EXIT. When the CR3 being loaded belongs to the target process, the hypervisor sets VMCS.GuestState.CR4.SMAP = 1 before VM ENTER, so the target process runs with SMAP enabled; when CR3 switches to any other process it sets VMCS.GuestState.CR4.SMAP = 0, so guest CR4.SMAP stays 0 for every other process.)
● Monitor process context-switch events (writes to CR3, "mov cr3, exx").
Write Conflict
● Idea 1:
○ Thread-level copy-on-write: split the page tables when a write conflict occurs.
○ Cons: how to merge the split pages back afterwards.
● Idea 2:
○ Wait for the current protection to end (the current syscall ends).
○ Wait inside the page fault exception handler.
Page Fault Exception Handler
● #PF is an exception of the fault class, so the faulting instruction can be re-executed afterwards.
● It runs at PASSIVE_LEVEL.
● So the handler may wait with KeDelayExecutionThread().
Interrupt Descriptor Table: interrupts and exceptions
An interrupt is an asynchronous event that is typically triggered by an I/O device.
An exception is a synchronous event that is generated when the processor detects one or more predefined conditions while executing an instruction.
(Figure: IDT event classes. Interrupts: External, NMI. Exceptions: Faults, Traps, Aborts.)
(Figure: Thread 0 is in a syscall whose parameters pointer0 and pointer1 refer to user memory the kernel is accessing. Thread 1 executes "mov [eax], xxx" on the same page and causes an exception (access violation); the page fault handler holds the write until the protection is released, then re-executes the access.)

Page_fault_handler
{
    ...
    while (try < 10)
    {
        sleep(some milliseconds);          /* KeDelayExecutionThread() */
        if (page.attr == user_writable)    /* protection released: the syscall ended */
        {
            return re_execute;             /* restart the faulting instruction */
        }
        try++;
    }
    return access_violation;               /* give up and report the fault */
    ...
}
Flush TLB on an SMP System
● We simply change the User/Supervisor bit in the PTE to switch the page between user and kernel space.
● Since each CPU core has its own TLB cache, changing the PTE alone in memory may not be sufficient on a multiprocessor system.
● invlpg on the local core
● Send an IPI (Inter-Processor Interrupt) to the other cores
● KeFlushSingleTb
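As an added model in C of the mechanism on the last few slides (not the authors' driver code): a 32-bit x86 page-table entry is flipped between "kernel page" and "user page" by its U/S bit, a reader gets the page back read-only via the R/W bit, and the page-fault handler's wait loop polls the entry until the protecting syscall ends or its retries run out. The PTE is a plain uint32_t, the TLB shootdown that must follow every PTE edit (invlpg plus an IPI, KeFlushSingleTb on Windows) is a counter, and "sleep(some milliseconds)" is a tick callback that the harness uses to end the syscall; the scenario values are constructed.

```c
/* Added model, not the authors' code: PTE U/S and R/W flipping plus the
 * page-fault handler's wait-and-re-execute loop from the slides. */
#include <stdint.h>
#include <stdio.h>

#define PTE_P   (1u << 0)   /* present */
#define PTE_RW  (1u << 1)   /* 1 = writable */
#define PTE_US  (1u << 2)   /* 1 = user-accessible, 0 = supervisor only */
#define PF_MAX_TRIES 10

static unsigned g_tlb_flushes;                 /* models invlpg + IPI broadcast */
static void flush_tlb_entry(void) { g_tlb_flushes++; }
unsigned tlb_flush_count(void) { return g_tlb_flushes; }

/* Kernel touched the page: clear U/S so any other user thread faults. */
uint32_t protect_page(uint32_t *pte)
{
    uint32_t saved = *pte;
    *pte &= ~PTE_US;
    flush_tlb_entry();
    return saved;
}

/* Another thread only reads: hand the page back to user mode, read-only. */
void share_read_only(uint32_t *pte)
{
    *pte = (*pte | PTE_US) & ~PTE_RW;
    flush_tlb_entry();
}

/* The syscall ended: restore the original entry. */
void release_page(uint32_t *pte, uint32_t saved)
{
    *pte = saved;
    flush_tlb_entry();
}

/* The condition the slides' handler polls ("page.attr == user_writable"). */
int user_writable(uint32_t pte)
{
    return (pte & (PTE_P | PTE_RW | PTE_US)) == (PTE_P | PTE_RW | PTE_US);
}

enum pf_result { PF_REEXECUTE = 0, PF_ACCESS_VIOLATION = 1 };

/* The wait loop of the slides' page-fault handler. tick() stands in for
 * KeDelayExecutionThread(); the harness uses it to end the protecting syscall. */
enum pf_result pf_handler_wait(uint32_t *pte, void (*tick)(int, void *),
                               void *ctx, int *tries_out)
{
    int attempt;
    for (attempt = 0; attempt < PF_MAX_TRIES; attempt++) {
        tick(attempt, ctx);                     /* sleep(some milliseconds) */
        if (user_writable(*pte)) {
            if (tries_out) *tries_out = attempt + 1;
            return PF_REEXECUTE;                /* restart the faulting write */
        }
    }
    if (tries_out) *tries_out = attempt;
    return PF_ACCESS_VIOLATION;                 /* protection never ended */
}

/* Harness: the protecting syscall ends on tick number release_at. */
struct sim { uint32_t *pte; uint32_t saved; int release_at; };

static void sim_tick(int attempt, void *ctx)
{
    struct sim *s = ctx;
    if (attempt == s->release_at)
        release_page(s->pte, s->saved);
}

/* Constructed scenario: thread 0's syscall protects a user page, thread 1
 * writes to it and faults; returns the handler's verdict for that write. */
enum pf_result simulate_conflict(int release_at, int *tries_out)
{
    uint32_t pte = 0x00480000u | PTE_P | PTE_RW | PTE_US;   /* user page, frame 0x480 */
    struct sim s = { &pte, 0, release_at };
    s.saved = protect_page(&pte);
    return pf_handler_wait(&pte, sim_tick, &s, tries_out);
}

int main(void)
{
    int tries;
    enum pf_result r = simulate_conflict(2, &tries);
    printf("syscall ends at tick 2: %s after %d tries\n",
           r == PF_REEXECUTE ? "re-execute" : "access violation", tries);
    r = simulate_conflict(50, &tries);
    printf("syscall never ends: %s after %d tries\n",
           r == PF_REEXECUTE ? "re-execute" : "access violation", tries);
    return 0;
}
```

The first run re-executes after three tries, the second gives up after PF_MAX_TRIES and reports an access violation, which is the same bounded wait the slides' pseudocode expresses with "try < 10". Every edit of the entry bumps the flush counter; on real hardware that is where the local invlpg and the IPI to the other cores have to go, or a core that cached the old entry keeps its stale U/S bit.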
Set Interrupt Flag in Page Fault Handler
● In the page fault handler the processor has cleared IF (the interrupt enable flag) in the EFLAGS register; it is restored when the handler returns with IRET.
● After reading the faulting virtual address from CR2, set the IF flag.
(Figure: IDT gate types. An interrupt gate clears the interrupt enable (IF) flag in the EFLAGS register; a trap gate does not.)
Evaluation
● Intel Core i5-6400 (6th generation, Skylake), ASUS H110M-C motherboard (Intel H110 chipset, Realtek RTL8111H network controller), 8GB RAM and a 500GB hard disk.
● CVE-2008-2252, fixed in MS08-061.
● Simple PoC code that crashes the system.
CVE-2008-2252
(Figure, left panel, without the mitigation: the vulnerable syscall fetches through the user pointer in eax at ①, ② and ③ while the attacking thread keeps toggling a bit on page 0, so the kernel sees different values at the three fetches.)

...
cmp [eax+8], ebx ; ① eax=0x0
...
mov ebx, [eax+4] ; ② eax=0x0
add ebx, 0Ch
...
call UserAllocPoolWithQuota
...
mov ecx, [eax+4] ; ③ eax=0x0
mov esi, [eax+8]
...
(Syscall ends)

Attacking thread (loops):
mov eax, 0x4
xor [eax], 0x80000

(Figure, right panel, with the mitigation: the attacking thread's "xor [eax], 0x80000" raises #PF and is blocked in the page fault handler; the syscall runs ①, ② and ③ against unchanged data, and only after "(Syscall ends)" is the blocked write allowed to re-execute.)
Evaluation
Try to Find More Bugs
● Inspired by Bochspwn (Mateusz Jurczyk, Gynvael Coldwind), "Identifying and Exploiting Windows Kernel Race Conditions via Memory Access Patterns".
● Observe kernel-to-user memory access patterns more efficiently.
● Same hardware feature: SMAP.
Use SMAP only for Monitoring
1. The kernel triggers a SMAP exception.
2. Record information.
3. Let the kernel go.
● Once the SMAP exception has been triggered, it is too late to disable SMAP for that access (EFLAGS.AC).
First Try: SMAP + Single-step Trap
● Set the Trap flag.
● Debug software must set the Resume flag in the EFLAGS image on the stack just prior to returning to the interrupted program with IRETD.
● It seems that the Resume flag doesn't work in page fault context.
(Figure: EFLAGS register with the Trap Flag and the Resume Flag highlighted.)
Set Breakpoints Manually
● In the page fault handler:
○ Parse the length of the current instruction to locate the beginning of the next instruction.
○ Write a breakpoint (byte 0xcc) there.
● Intercept the breakpoint trap event in the hypervisor:
○ The current process is SYSTEM. Switch to the target process that triggered the breakpoint.
○ Write back the original byte.
○ Release the protected page.
○ Re-execute the faulting instruction.
Memory Access Patterns
● The same user-mode virtual address accessed more than once.
● Within one syscall.
● By the same thread.
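The three-part rule on this slide as a detector, written here as an added example and not the slides' monitoring tool. It consumes trace lines in the slides' own format ("SMAP CR3 ..., EIP ..., Address ..., TEB ...") and prints the PREV SMAP / SMAP pairs the Results slide shows. The SYSCALL_END marker line is an assumption made here to delimit one system call (the slides learn that boundary from the KiSystemCallExit hook but show no log line for it), a thread is identified by its (CR3, TEB) pair, and the sample trace is constructed: two pairs reproduce the slides' findings, the 0x480a00 lines and the TEB 0x7ffde000 line are invented negatives.

```c
/* Added example, not the slides' tool: flag the same user address touched
 * twice by one thread inside one syscall, from SMAP-trace lines. */
#include <stdio.h>
#include <string.h>

#define MAX_HITS     256
#define LINE_MAX_LEN 160

struct hit     { unsigned cr3, eip, addr, teb; };
struct finding { unsigned cr3, teb, addr, prev_eip, eip; };

/* Earlier access by the same thread to the same user address in this syscall? */
static const struct hit *find_prev(const struct hit *win, int n, const struct hit *h)
{
    for (int i = 0; i < n; i++)
        if (win[i].cr3 == h->cr3 && win[i].teb == h->teb && win[i].addr == h->addr)
            return &win[i];
    return NULL;
}

/* Syscall ended for this thread: forget its hits (other threads keep theirs). */
static int end_syscall(struct hit *win, int n, unsigned cr3, unsigned teb)
{
    int kept = 0;
    for (int i = 0; i < n; i++)
        if (win[i].cr3 != cr3 || win[i].teb != teb)
            win[kept++] = win[i];
    return kept;
}

/* Scan a newline-separated trace; returns the number of double fetches and
 * fills out[] with up to max of them, in detection order. */
int detect_double_fetches(const char *trace, struct finding *out, int max)
{
    struct hit win[MAX_HITS];
    int n = 0, found = 0;
    char line[LINE_MAX_LEN];

    while (*trace) {
        const char *nl = strchr(trace, '\n');
        size_t full = nl ? (size_t)(nl - trace) : strlen(trace);
        size_t len = full < sizeof line ? full : sizeof line - 1;
        memcpy(line, trace, len);
        line[len] = '\0';
        trace += full + (nl ? 1 : 0);

        struct hit h;
        if (sscanf(line, "SMAP CR3 %x, EIP %x, Address %x, TEB %x",
                   &h.cr3, &h.eip, &h.addr, &h.teb) == 4) {
            const struct hit *prev = find_prev(win, n, &h);
            if (prev && found < max) {
                out[found].cr3 = h.cr3;   out[found].teb = h.teb;
                out[found].addr = h.addr; out[found].prev_eip = prev->eip;
                out[found].eip = h.eip;
            }
            if (prev) found++;
            if (n < MAX_HITS) win[n++] = h;           /* remember this access */
        } else if (sscanf(line, "SYSCALL_END CR3 %x, TEB %x", &h.cr3, &h.teb) == 2) {
            n = end_syscall(win, n, h.cr3, h.teb);    /* KiSystemCallExit hook */
        }
    }
    return found;
}

/* Constructed trace (see the lead-in): two real pairs from the slides, one
 * address re-fetched only across a syscall boundary, one from another thread. */
const char *SAMPLE_TRACE =
    "SMAP CR3 0x6d40320, EIP 0xbf812de4, Address 0x4808c4, TEB 0x7ffdd000\n"
    "SMAP CR3 0x6d40320, EIP 0xbf812daf, Address 0x480a00, TEB 0x7ffdd000\n"
    "SMAP CR3 0x6d40320, EIP 0xbf812e4b, Address 0x4808c4, TEB 0x7ffde000\n"
    "SMAP CR3 0x6d40320, EIP 0xbf812e4b, Address 0x4808c4, TEB 0x7ffdd000\n"
    "SYSCALL_END CR3 0x6d40320, TEB 0x7ffdd000\n"
    "SMAP CR3 0x6d40320, EIP 0xbf812e21, Address 0x480a00, TEB 0x7ffdd000\n"
    "SMAP CR3 0x6d40320, EIP 0xbf80c04d, Address 0x7ffdd206, TEB 0x7ffdd000\n"
    "SMAP CR3 0x6d40320, EIP 0xbf812ebe, Address 0x7ffdd206, TEB 0x7ffdd000\n"
    "SYSCALL_END CR3 0x6d40320, TEB 0x7ffdd000\n";

int main(void)
{
    struct finding f[16];
    int n = detect_double_fetches(SAMPLE_TRACE, f, 16);
    for (int i = 0; i < n; i++)
        printf("PREV SMAP CR3 0x%x, EIP 0x%x, Address 0x%x, TEB 0x%x\n"
               "SMAP CR3 0x%x, EIP 0x%x, Address 0x%x, TEB 0x%x\n",
               f[i].cr3, f[i].prev_eip, f[i].addr, f[i].teb,
               f[i].cr3, f[i].eip, f[i].addr, f[i].teb);
    return 0;
}
```

On the sample trace it reports exactly the two pairs for 0x4808c4 and 0x7ffdd206; the 0x480a00 accesses straddle a SYSCALL_END and the TEB 0x7ffde000 access belongs to another thread, so neither is reported. A hit is only a candidate: as the following slides show, each pair still has to be read in the disassembly to decide whether the second fetch trusts the first.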
Results
PREV SMAP CR3 0x6d40320, EIP 0xbf812de4, Address 0x4808c4, TEB 0x7ffdd000
SMAP CR3 0x6d40320, EIP 0xbf812e4b, Address 0x4808c4, TEB 0x7ffdd000
PREV SMAP CR3 0x6d40320, EIP 0xbf812dea, Address 0x4808c8, TEB 0x7ffdd000
SMAP CR3 0x6d40320, EIP 0xbf812e55, Address 0x4808c8, TEB 0x7ffdd000
PREV SMAP CR3 0x6d40320, EIP 0xbf812daf, Address 0x480750, TEB 0x7ffdd000
SMAP CR3 0x6d40320, EIP 0xbf812e21, Address 0x480750, TEB 0x7ffdd000
PREV SMAP CR3 0x6d40320, EIP 0xbf80c04d, Address 0x7ffdd206, TEB 0x7ffdd000
SMAP CR3 0x6d40320, EIP 0xbf812ebe, Address 0x7ffdd206, TEB 0x7ffdd000
. . .
● User memory accessed without try-catch
● Double fetches
bf812ddf 8b03 mov eax,dword ptr [ebx]
bf812de1 8b502c mov edx,dword ptr [eax+2Ch]
bf812de4 8bb284010000 mov esi,dword ptr [edx+184h]
bf812dea 8b9288010000 mov edx,dword ptr [edx+188h]
bf812df0 899518ffffff mov dword ptr [ebp-0E8h],edx
bf812df6 8b511c mov edx,dword ptr [ecx+1Ch]
bf812df9 3bf2 cmp esi,edx
...
bf812e42 8b482c mov ecx,dword ptr [eax+2Ch]
bf812e45 8d8184010000 lea eax,[ecx+184h]
bf812ebe 6683790203 cmp word ptr [ecx+2],3
bf812ec3 0f84e1feffff je win32k!GreBatchTextOut+0x3d (bf812daa)
bf812ec9 898500ffffff mov dword ptr [ebp-100h],eax
bf812ecf 8b5120 mov edx,dword ptr [ecx+20h]
PREV SMAP CR3 0x6d40320, EIP 0xbf812de4, Address 0x4808c4, TEB 0x7ffdd000
SMAP CR3 0x6d40320, EIP 0xbf812e4b, Address 0x4808c4, TEB 0x7ffdd000
(Highlighted user address: 0x4808c4)
win32k!NtGdiFlushUserBatch+0xdf:
bf80c04d 0fb75302 movzx edx,word ptr [ebx+2]
bf80c051 899514ffffff mov dword ptr [ebp-0ECh],edx
bf80c057 0fb70b movzx ecx,word ptr [ebx]
bf80c05a 894dc8 mov dword ptr [ebp-38h],ecx
...
win32k!GreBatchTextOut+0x32:
bf812ebe 6683790203 cmp word ptr [ecx+2],3
bf812ec3 0f84e1feffff je win32k!GreBatchTextOut+0x3d (bf812daa)
bf812ec9 898500ffffff mov dword ptr [ebp-100h],eax
bf812ecf 8b5120 mov edx,dword ptr [ecx+20h]
PREV SMAP CR3 0x6d40320, EIP 0xbf80c04d, Address 0x7ffdd206, TEB 0x7ffdd000
SMAP CR3 0x6d40320, EIP 0xbf812ebe, Address 0x7ffdd206, TEB 0x7ffdd000
(Highlighted user address: 0x7ffdd206)
Further Work
● x64
Conclusions
● Provides a real-time mitigation for kernel TOCTOU vulnerabilities.
● Provides a tool that monitors kernel-to-user memory access patterns.
Thank you!
Mingbo Zhang
mingbo.zhang@rutgers.edu
Saman Zonouz
saman.zonouz@rutgers.edu
Questions
 
BlueHat v18 || The hitchhiker's guide to north korea's malware galaxy
BlueHat v18 || The hitchhiker's guide to north korea's malware galaxyBlueHat v18 || The hitchhiker's guide to north korea's malware galaxy
BlueHat v18 || The hitchhiker's guide to north korea's malware galaxy
 
BlueHat v18 || Retpoline - the anti-spectre (type 2) mitigation in windows
BlueHat v18 || Retpoline - the anti-spectre (type 2) mitigation in windowsBlueHat v18 || Retpoline - the anti-spectre (type 2) mitigation in windows
BlueHat v18 || Retpoline - the anti-spectre (type 2) mitigation in windows
 
BlueHat v18 || Memory resident implants - code injection is alive and well
BlueHat v18 || Memory resident implants - code injection is alive and wellBlueHat v18 || Memory resident implants - code injection is alive and well
BlueHat v18 || Memory resident implants - code injection is alive and well
 
BlueHat v18 || Massive scale usb device driver fuzz without device
BlueHat v18 || Massive scale usb device driver fuzz without deviceBlueHat v18 || Massive scale usb device driver fuzz without device
BlueHat v18 || Massive scale usb device driver fuzz without device
 
BlueHat v18 || Modern day entomology - examining the inner workings of the bu...
BlueHat v18 || Modern day entomology - examining the inner workings of the bu...BlueHat v18 || Modern day entomology - examining the inner workings of the bu...
BlueHat v18 || Modern day entomology - examining the inner workings of the bu...
 
BlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deceptionBlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deception
 

Recently uploaded

DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024The Digital Insurer
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfOverkill Security
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...apidays
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 

Recently uploaded (20)

DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 

BlueHat v18 || A mitigation for kernel toctou vulnerabilities

13. Exception Flooding
● SMAP is a system-wide feature.
● The Windows kernel is not SMAP ready.
● Syscalls take user-mode parameters.
● Win32k.sys
14. Reduce Exceptions
● Debugging the page fault handler is not very convenient.
● To reduce exceptions, we want SMAP to be effective only on a particular process.
● Use virtualization to confine SMAP within a process.
15. Hypervisor
● Goal: set the CR4.SMAP bit when the CPU runs on the target process.
● Similar to what a virtualization rootkit usually does, our thin hypervisor lifts the current system into VM guest mode.
[Figure: before, the Operating System runs on the Hardware with the hypervisor driver loaded inside it; after, the Operating System (guest mode) runs on top of the Hypervisor, which runs on the Hardware.]
16.
● Monitor process context switch events (mov cr3, exx).
[Figure: the guest executes mov cr3, eax and the hypervisor takes a VM EXIT. When the new CR3 belongs to the target process, it sets VMCS.GuestState.CR4.SMAP = 1 before VM ENTER, so the target process runs with SMAP enabled (Guest CR4.SMAP = 1). On the switch to any other process it sets VMCS.GuestState.CR4.SMAP = 0 (Guest CR4.SMAP = 0).]
17. Write Conflict
● Idea 1:
  ○ Thread-level CopyOnWrite: split the page tables when a write conflict occurs.
  ○ Cons: how to merge the pages back.
● Idea 2:
  ○ Wait for the current protection to end (the current syscall ends).
  ○ Wait inside the page fault exception handler.
18. Page Fault Exception Handler
● #PF is an exception (a fault).
● PASSIVE_LEVEL
● KeDelayExecutionThread()
[Figure: Interrupt Descriptor Table. Interrupt: External, NMI. Exception: Faults, Traps, Aborts.]
An interrupt is an asynchronous event that is typically triggered by an I/O device. An exception is a synchronous event that is generated when the processor detects one or more predefined conditions while executing an instruction.
19.
[Figure: Thread 0 enters a syscall with parameters passed in (pointer0, pointer1, ...) and the kernel accesses them. Thread 1 writes to the same page (mov [eax], xxx) and causes an exception, reported as an access violation only if the wait below times out; otherwise the access is re-executed.]
    Page_fault_handler {
        ...
        while (try < 10) {
            sleep(some milliseconds);
            if (page.attr == user_writable) {
                return re-execute;
            }
            try++;
        }
        return access_violation;
        ...
    }
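The wait-in-the-handler strategy of slides 17 and 19, as an added single-threaded model that is not the authors' driver code: the real implementation hooks IDT vector 0x0E and KiSystemCallExit, while here the protected-page table, the passage of time and the end of the protecting syscall are simulated so the retry logic can be run offline. Every name below (struct sim, handle_user_write_fault, the tick counter) is hypothetical, and the addresses are taken from the slide-30 log only as sample values.

```c
/* Added example, not from the slides: a user-space model of the page fault
 * handler's retry loop. Time is a tick counter and "KeDelayExecutionThread"
 * advances it; the protecting syscall ends at a configurable tick. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_TRIES 10                       /* slide 19: while (try < 10) */
#define MAX_PAGES 8
#define PAGE_MASK (~(uint64_t)0xFFF)

enum pf_result {
    PF_NOT_SMAP,          /* not ours: pass to the OS kernel (slide 12) */
    PF_REEXECUTE,         /* protection ended: let the thread retry the access */
    PF_ACCESS_VIOLATION   /* gave up waiting: deliver an access violation */
};

struct sim {
    uint64_t protected_pages[MAX_PAGES];   /* user pages marked supervisor-only */
    int nprotected;
    int ticks;                             /* simulated time */
    int syscall_ends_at;                   /* tick at which the protecting syscall exits; -1 = never */
};

static bool is_protected(const struct sim *s, uint64_t va)
{
    for (int i = 0; i < s->nprotected; i++)
        if (s->protected_pages[i] == (va & PAGE_MASK))
            return true;
    return false;
}

/* Slide 9: the first kernel access to a user page turns it into a kernel page
 * (U/S bit cleared) for the rest of the current system call. */
void on_kernel_user_access(struct sim *s, uint64_t va)
{
    if (!is_protected(s, va) && s->nprotected < MAX_PAGES)
        s->protected_pages[s->nprotected++] = va & PAGE_MASK;
}

/* Slide 11: the KiSystemCallExit hook releases every page the syscall touched. */
void on_syscall_exit(struct sim *s)
{
    s->nprotected = 0;
}

/* Stand-in for KeDelayExecutionThread(): advance time and fire the
 * syscall-exit hook when the protecting syscall is due to end. */
static void delay_execution(struct sim *s)
{
    s->ticks++;
    if (s->syscall_ends_at >= 0 && s->ticks >= s->syscall_ends_at)
        on_syscall_exit(s);
}

/* Slide 19: handler for a user thread's write that faulted on a page the
 * kernel currently owns. Polls up to MAX_TRIES times for the protection to end. */
enum pf_result handle_user_write_fault(struct sim *s, uint64_t va, int *attempts_out)
{
    if (!is_protected(s, va))
        return PF_NOT_SMAP;
    int attempt = 0;
    while (attempt < MAX_TRIES) {
        delay_execution(s);
        if (!is_protected(s, va)) {            /* page.attr == user_writable */
            if (attempts_out) *attempts_out = attempt + 1;
            return PF_REEXECUTE;
        }
        attempt++;
    }
    if (attempts_out) *attempts_out = attempt;
    return PF_ACCESS_VIOLATION;
}

int main(void)
{
    /* Constructed scenario: the syscall reads 0x4808c4 and exits 3 ticks
     * after the other thread faults on the same page. */
    struct sim s = { .syscall_ends_at = 3 };
    int attempts = 0;
    on_kernel_user_access(&s, 0x4808c4);
    enum pf_result r = handle_user_write_fault(&s, 0x4808c8, &attempts);
    printf("write to 0x4808c8: %s after %d attempts\n",
           r == PF_REEXECUTE ? "re-execute" : "access violation", attempts);

    struct sim slow = { .syscall_ends_at = -1 };   /* syscall outlives the wait */
    on_kernel_user_access(&slow, 0x4808c4);
    r = handle_user_write_fault(&slow, 0x4808c4, &attempts);
    printf("write during a long syscall: %s after %d attempts\n",
           r == PF_REEXECUTE ? "re-execute" : "access violation", attempts);
    return 0;
}
```

The point the model makes visible is the failure mode of Idea 2: a syscall that holds the page longer than ten sleeps turns the other thread's legitimate write into an access violation, so the sleep interval and retry count bound how long a protected syscall may run.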
20. Flush TLB on SMP System
● We simply change the User/Supervisor bit in the PTE to switch the page between user and kernel space.
● Since each CPU core has its own cache (TLB), changing the PTE alone in memory may not be sufficient on a multiprocessor system.
● invlpg on the local core
● Send an IPI (Inter-Processor Interrupt) to the other cores
● KeFlushSingleTb
21. Set Interrupt Flag in Page Fault Handler
● In the page fault handler, the processor clears IF (the interrupt enable flag) in the EFLAGS register, and it is set back when the handler returns with IRET.
● After reading the faulting virtual address from CR2, set the IF flag.
[Figure: Interrupt Descriptor Table, interrupt gate vs trap gate. An interrupt gate clears the interrupt enable (IF) flag in the EFLAGS register.]
22. Evaluation
● Intel Core i5-6400 (6th Gen CPU, Skylake), ASUS H110M-C motherboard (Intel H110 chipset, Realtek RTL8111H network controller), 8GB RAM and 500GB hard disk.
● CVE-2008-2252, fixed in MS08-061.
● Simple PoC code that crashes the system.
23. CVE-2008-2252
Kernel side, the same in both panels of the slide (eax points at page 0; the user fields at [eax+4] and [eax+8] are fetched three times within one syscall):
    ...
    cmp [eax+8], ebx            ; ① eax=0x0
    ...
    mov ebx, [eax+4]            ; ② eax=0x0
    add ebx, 0Ch
    ...
    call UserAllocPoolWithQuota
    ...
    mov ecx, [eax+4]            ; ③ eax=0x0
    mov esi, [eax+8]
    ...
    (Syscall ends)
Attacking thread, writing page 0 between the fetches:
    mov eax, 0x4
    xor [eax], 0x80000
Right panel, with the mitigation: the attacking thread's write takes a #PF and stays blocked in the page fault handler until the syscall ends.
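The fetch pattern on slide 23, as an added C illustration that is neither the CVE-2008-2252 code nor anything from the slides: a handler that validates a user field and then reads it again from user memory, beside the "capture the value" form from slide 5 that reads it once into kernel-owned storage. The shared user page is modelled by a fetch counter so the other thread's write can be reproduced without threads; struct user_req, KBUF_SIZE and the handler names are hypothetical.

```c
/* Added example, not from the slides: double fetch versus capture-once,
 * with the racing write simulated by a fetch counter. */
#include <stdint.h>
#include <stdio.h>

#define KBUF_SIZE 64                        /* hypothetical kernel buffer size */

struct user_req { uint32_t len; };         /* hypothetical user-supplied layout */

/* Simulated user page. The other thread's store becomes visible after
 * race_after_fetches kernel reads; -1 means the page never changes. */
struct user_mem {
    struct user_req page;
    struct user_req racing_write;
    int race_after_fetches;
    int fetches;
};

/* One kernel read of the len field straight from user memory (one fetch). */
static uint32_t fetch_len(struct user_mem *m)
{
    uint32_t v = m->page.len;
    if (++m->fetches == m->race_after_fetches)
        m->page = m->racing_write;          /* the racing thread's write lands here */
    return v;
}

/* Vulnerable: validates len on the first fetch (① on the slide) and re-reads
 * it from user memory for the copy (②/③). Returns the byte count the copy
 * would use, or -1 when the check rejects the request. */
int handle_request_vulnerable(struct user_mem *m)
{
    if (fetch_len(m) > KBUF_SIZE)           /* check */
        return -1;
    /* ... allocate pool, etc. ... */
    return (int)fetch_len(m);               /* use: second fetch of the same field */
}

/* Hardened: one fetch into a kernel-owned copy; every later decision uses the
 * captured value, so a write between check and use cannot change it. */
int handle_request_captured(struct user_mem *m)
{
    struct user_req local = { .len = fetch_len(m) };
    if (local.len > KBUF_SIZE)
        return -1;
    return (int)local.len;
}

int main(void)
{
    /* Constructed race: the page says len=16 until the first kernel read,
     * after which the other thread has changed it to 4096. */
    struct user_mem raced = { .page = {16}, .racing_write = {4096}, .race_after_fetches = 1 };
    struct user_mem raced2 = raced;
    printf("vulnerable handler would copy %d bytes into a %d-byte buffer\n",
           handle_request_vulnerable(&raced), KBUF_SIZE);
    printf("captured handler copies %d bytes\n", handle_request_captured(&raced2));
    return 0;
}
```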
25. Try to Find More Bugs
● Inspired by Bochspwn (Mateusz Jurczyk, Gynvael Coldwind), "Identifying and Exploiting Windows Kernel Race Conditions via Memory Access Patterns".
● Observe kernel-to-user memory access patterns more efficiently.
● Same hardware feature: SMAP.
26. Use SMAP only for Monitoring
1. The kernel triggers a SMAP exception.
2. Record information.
3. Let the kernel go.
● Once the SMAP exception has been triggered, it is too late to disable it (EFLAGS.AC).
27. First Try: SMAP + Single-step Trap
● Set the Trap flag.
● Debug software must set the Resume flag in the EFLAGS image on the stack just prior to returning to the interrupted program with IRETD.
● It seems that the Resume flag doesn't work in page fault context.
[Figure: the TRAP FLAG and RESUME FLAG bits of EFLAGS.]
28. Set Breakpoints Manually
● In the page fault handler:
  ○ Parse the length of the current instruction to locate the beginning of the next instruction.
  ○ Write a breakpoint (byte 0xcc).
● Intercept the breakpoint trap event in the hypervisor:
  ○ The current process is SYSTEM; switch to the target process that triggered the breakpoint.
  ○ Write back the original byte.
  ○ Release the protected page.
  ○ Re-execute the faulting instruction.
29. Memory Access Patterns
● Same user-mode virtual address accessed more than once.
● Within one syscall.
● Same thread.
30. Results
    PREV SMAP CR3 0x6d40320, EIP 0xbf812de4, Address 0x4808c4, TEB 0x7ffdd000
    SMAP CR3 0x6d40320, EIP 0xbf812e4b, Address 0x4808c4, TEB 0x7ffdd000
    PREV SMAP CR3 0x6d40320, EIP 0xbf812dea, Address 0x4808c8, TEB 0x7ffdd000
    SMAP CR3 0x6d40320, EIP 0xbf812e55, Address 0x4808c8, TEB 0x7ffdd000
    PREV SMAP CR3 0x6d40320, EIP 0xbf812daf, Address 0x480750, TEB 0x7ffdd000
    SMAP CR3 0x6d40320, EIP 0xbf812e21, Address 0x480750, TEB 0x7ffdd000
    PREV SMAP CR3 0x6d40320, EIP 0xbf80c04d, Address 0x7ffdd206, TEB 0x7ffdd000
    SMAP CR3 0x6d40320, EIP 0xbf812ebe, Address 0x7ffdd206, TEB 0x7ffdd000
    ...
● Access user memory without try-catch
● Double fetches
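The slide-29 rule (same user-mode address, same thread, within one syscall) applied to a stream of records of the kind the SMAP monitor collects, as an added example that is not the authors' tool. The syscall_seq field is an assumption: a per-thread counter the monitor would bump at each syscall exit so that accesses from different calls are never paired. The sample records are constructed; four of them reuse the CR3, EIP, address and TEB values printed on slide 30, and the report is printed in that slide's format.

```c
/* Added example, not from the slides: pair up repeated kernel fetches of the
 * same user address by the same thread inside one system call. */
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct access_rec {
    uint64_t cr3, eip, addr, teb;
    unsigned syscall_seq;       /* assumption: per-thread syscall counter */
};

struct double_fetch {
    uint64_t addr, teb, prev_eip, eip;
};

/* Constructed sample: one process (CR3) and mostly one thread (TEB). */
static const struct access_rec SAMPLE[] = {
    /* values from the slide-30 log: two fields fetched twice in one syscall */
    { 0x6d40320, 0xbf812de4, 0x4808c4, 0x7ffdd000, 1 },
    { 0x6d40320, 0xbf812dea, 0x4808c8, 0x7ffdd000, 1 },
    { 0x6d40320, 0xbf812e4b, 0x4808c4, 0x7ffdd000, 1 },
    { 0x6d40320, 0xbf812e55, 0x4808c8, 0x7ffdd000, 1 },
    /* constructed: another thread reading the same address is not a pair */
    { 0x6d40320, 0xbf812de4, 0x4808c4, 0x7ffde000, 1 },
    /* constructed: same thread and address, but in the next syscall */
    { 0x6d40320, 0xbf812de4, 0x4808c4, 0x7ffdd000, 2 },
};
#define SAMPLE_LEN (sizeof SAMPLE / sizeof SAMPLE[0])

/* For each access, look back for the most recent access to the same address
 * by the same thread in the same syscall and report the pair once.
 * Returns the number of pairs found; only the first max_out are stored. */
size_t find_double_fetches(const struct access_rec *recs, size_t n,
                           struct double_fetch *out, size_t max_out)
{
    size_t found = 0;
    for (size_t i = 1; i < n; i++) {
        const struct access_rec *c = &recs[i];
        for (size_t j = i; j-- > 0; ) {
            const struct access_rec *p = &recs[j];
            if (p->teb != c->teb || p->cr3 != c->cr3 || p->syscall_seq != c->syscall_seq)
                continue;                    /* different thread or syscall instance */
            if (p->addr != c->addr)
                continue;
            if (found < max_out)
                out[found] = (struct double_fetch){ c->addr, c->teb, p->eip, c->eip };
            found++;
            break;
        }
    }
    return found;
}

/* Print the pairs in the format used on slide 30. */
void print_report(const struct double_fetch *df, size_t n, uint64_t cr3)
{
    for (size_t i = 0; i < n; i++) {
        printf("PREV SMAP CR3 0x%" PRIx64 ", EIP 0x%" PRIx64 ", Address 0x%" PRIx64
               ", TEB 0x%" PRIx64 "\n", cr3, df[i].prev_eip, df[i].addr, df[i].teb);
        printf("SMAP CR3 0x%" PRIx64 ", EIP 0x%" PRIx64 ", Address 0x%" PRIx64
               ", TEB 0x%" PRIx64 "\n", cr3, df[i].eip, df[i].addr, df[i].teb);
    }
}

int main(void)
{
    struct double_fetch out[8];
    size_t n = find_double_fetches(SAMPLE, SAMPLE_LEN, out, 8);
    print_report(out, n, SAMPLE[0].cr3);
    return 0;
}
```

Two of the six records are deliberately near misses (a second thread and a later syscall touching the same address) to show why the rule needs all three conditions: without the thread and syscall checks those would be reported as double fetches and the list would fill with false positives.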
31. 0x4808c4
    bf812ddf 8b03            mov eax,dword ptr [ebx]
    bf812de1 8b502c          mov edx,dword ptr [eax+2Ch]
    bf812de4 8bb284010000    mov esi,dword ptr [edx+184h]
    bf812dea 8b9288010000    mov edx,dword ptr [edx+188h]
    bf812df0 899518ffffff    mov dword ptr [ebp-0E8h],edx
    bf812df6 8b511c          mov edx,dword ptr [ecx+1Ch]
    bf812df9 3bf2            cmp esi,edx
    ...
    bf812e42 8b482c          mov ecx,dword ptr [eax+2Ch]
    bf812e45 8d8184010000    lea eax,[ecx+184h]
    bf812ebe 6683790203      cmp word ptr [ecx+2],3
    bf812ec3 0f84e1feffff    je win32k!GreBatchTextOut+0x3d (bf812daa)
    bf812ec9 898500ffffff    mov dword ptr [ebp-100h],eax
    bf812ecf 8b5120          mov edx,dword ptr [ecx+20h]
    PREV SMAP CR3 0x6d40320, EIP 0xbf812de4, Address 0x4808c4, TEB 0x7ffdd000
    SMAP CR3 0x6d40320, EIP 0xbf812e4b, Address 0x4808c4, TEB 0x7ffdd000
32. 0x7ffdd206
    win32k!NtGdiFlushUserBatch+0xdf:
    bf80c04d 0fb75302        movzx edx,word ptr [ebx+2]
    bf80c051 899514ffffff    mov dword ptr [ebp-0ECh],edx
    bf80c057 0fb70b          movzx ecx,word ptr [ebx]
    bf80c05a 894dc8          mov dword ptr [ebp-38h],ecx
    ...
    win32k!GreBatchTextOut+0x32:
    bf812ebe 6683790203      cmp word ptr [ecx+2],3
    bf812ec3 0f84e1feffff    je win32k!GreBatchTextOut+0x3d (bf812daa)
    bf812ec9 898500ffffff    mov dword ptr [ebp-100h],eax
    bf812ecf 8b5120          mov edx,dword ptr [ecx+20h]
    PREV SMAP CR3 0x6d40320, EIP 0xbf80c04d, Address 0x7ffdd206, TEB 0x7ffdd000
    SMAP CR3 0x6d40320, EIP 0xbf812ebe, Address 0x7ffdd206, TEB 0x7ffdd000
34. Conclusions
● Provides a real-time mitigation for kernel TOCTOU vulnerabilities.
● Provides a tool for monitoring kernel-to-user memory access patterns.
35. Thank you!
Mingbo Zhang, mingbo.zhang@rutgers.edu
Saman Zonouz, saman.zonouz@rutgers.edu
Questions?