Identifying and Exploiting Windows Kernel Race Conditions via Memory Access Patterns
Venue
Bochspwn: Exploiting Kernel Race Conditions Found via Memory Access Patterns, The Symposium on Security for Asia Network, 102F Pasir Panjang Road, #08-02, Singapore 118530 (2013), pp. 69
Publication Year
2013
Authors
Mateusz Jurczyk, Gynvael Coldwind
Abstract
The overall security posture of operating systems’ kernels – and specifically the Microsoft Windows NT kernel – against both local and remote attacks has visibly improved throughout the last decade. In our opinion, this is primarily due to the increasing interest in kernel-mode vulnerabilities by both white- and black-hat parties, as such vulnerabilities ultimately allow attackers to subvert the currently widespread defense-in-depth technologies implemented at the operating system level, such as sandboxing, or other features enabling better management of privileges within the execution environment (e.g. Mandatory Integrity Control). As a direct outcome, Microsoft has invested considerable resources in both improving the development process with programs like the Security Development Lifecycle, and explicitly hardening the kernel against existing attacks; the latter was particularly characteristic of Windows 8, which introduced more kernel security improvements than any NT-family system thus far [11]. In this paper, we discuss the concept of employing CPU-level operating system instrumentation to identify potential instances of local race conditions in fetching user-mode input data within system call handlers and other user-facing ring-0 code, and how it was successfully implemented in the Bochspwn project. Further in the document, we present a number of generic techniques easing the exploitation of timing-bound kernel vulnerabilities and show how these techniques can be employed in practical attacks against three exemplary vulnerabilities discovered by Bochspwn. In the last sections, we provide some suggestions on related research areas that haven’t been fully explored and require further development.
