Identifying and Exploiting Windows Kernel Race Conditions via Memory Access Patterns
The overall security posture of operating systems’ kernels – and specifically the Microsoft Windows NT kernel – against both local and remote attacks has visibly improved throughout the last decade. In our opinion, this is primarily due to the increasing interest in kernel-mode vulnerabilities by both white and black-hat parties, as they ultimately allow attackers to subvert the currently widespread defense-in-depth technologies implemented on operating system level, such as sandboxing, or other features enabling better management of privileges within the execution environment (e.g. Mandatory Integrity Control ). As a direct outcome, Microsoft has invested considerable resources in both improving the development process with programs like Secure Development Lifecycle, and explicitly hardening the kernel against existing attacks; the latter was particularly characteristic to Windows 8, which introduced more kernel security improvements than any NT-family system thus far. In this paper, we discuss the concept of employing CPU-level operating system instrumentation to identify potential instances of local race conditions in fetching user-mode input data within system call handlers and other user-facing ring-0 code, and how it was successfully implemented in the Bochspwn project. Further in the document, we present a number of generic techniques easing the exploitation of timing bound kernel vulnerabilities and show how these techniques can be employed in practical attacks against three exemplary vulnerabilities discovered by Bochspwn. In the last sections, we conclusively provide some suggestions on related research areas that haven’t been fully explored and require further development.