PRESENTATION: I know where your page lives: Derandomizing the latest Windows 10 Kernel
PRESENTER(S): Enrique Nissim, Security Consultant for IOActive
CONFERENCE: ZeroNights 2016
LOCATION: Mira pr., 150,
DATE & TIME: November 18, 2016 at 12:00 PM
The latest version of Windows 10 (Anniversary Update) has raised the bar again when it comes to successfully exploiting a kernel vulnerability. Microsoft took a step forward by killing the GDI object kernel pointer leak that was widely used after the infamous Hacking Team exploit. In addition, with the randomization of the paging structures, the system now boasts full KASLR, which means a memory disclosure bug is required in order to gain control of RIP, whether through ROP or DKOM techniques.
This presentation will show the side-channel attack called DrK (“De-randomizing Kernel Address Space”) applied to the randomization of the PML4 structure. By combining TSX instructions with several tricks to improve reliability, one is able to determine the exact location of the “PML4 SelfRef Entry”. From that point on, all the known attacks against the paging structures can be carried out as if KASLR never existed.
About Enrique Nissim
Enrique Nissim is a Senior Consultant at IOActive. His experience and interests include reverse engineering, exploit development, programming and application security. He has also been a regular speaker at other international cybersecurity conferences, including Ekoparty and CanSecWest, where he recently presented research on OS kernel exploitation.
About ZeroNights 2016
ZeroNights is an international conference devoted to practical aspects of cybersecurity. It is a perfect place to discuss new attack methods and threats. ZeroNights is intended to show attendees ways to both attack and defend, as well as suggest unorthodox approaches to solving cybersecurity problems.
About IOActive
IOActive is the industry’s only research-driven, high-end information security services firm with a proven history of better securing our customers through real-world scenarios created by our security experts. Our world-renowned consulting and research teams deliver a portfolio of specialist security services ranging from penetration testing and application code assessment to chip reverse engineering across multiple industries. IOActive is the only security services firm that has a dedicated practice focusing on Smart Cities and the transportation and technology that connects them. Global 500 companies across every industry continue to trust IOActive with their most critical and sensitive security issues. Founded in 1998, IOActive is headquartered in Seattle, US, with global operations through the Americas, EMEA, and Asia Pac regions. Visit www.ioactive.com for more information. Follow IOActive on Twitter: http://twitter.com/ioactive.