Bochspwn: Identifying 0-Days via System-Wide Memory Access Pattern Analysis

Presented at Black Hat USA 2013, Aug. 1, 2013, 11:45 a.m. (60 minutes)

Throughout the last two decades, the field of automated vulnerability discovery has evolved into the advanced state we have today: effective dynamic analysis is achieved with a plethora of complex, privately developed fuzzers dedicated to specific products, file formats or protocols, with source code and binary-level static analysis slowly catching up, yet already proving useful in specific scenarios. Due to market demand and general ease of access, the efforts have been primarily focused around client software, effectively limiting kernel code coverage to a few generic syscall and IOCTL fuzzers. Considering the current impact of ring-0 security on the overall system security posture and number of kernel-specific bug classes, we would like to propose a novel, dynamic approach to locating subtle kernel security flaws that would likely otherwise remain unnoticed for years.

The presentation will introduce the concept of identifying vulnerabilities in operating systems' kernels by employing dynamic CPU-level instrumentation over a live system session, on the example of using memory access patterns to extract information about potential race conditions in interacting with user-mode memory. We will discuss several different ways to implement the idea, with special emphasis on the "Bochspwn" project we developed last year and successfully used to discover around 50 local elevation of privilege vulnerabilities in the Windows kernel so far, with many of them already addressed in the ms13-016, ms13-017, ms13-031 and ms13-036 security bulletins. The tool itself will be open-sourced during the conference, thus allowing a wider audience to test and further develop the approach.


  • Gynvael Coldwind - Google
    His main areas of interest are low-level security (kernel, OS, client), web security and reverse-engineering. Currently working as an Information Security Engineer at Google.
  • Mateusz Jurczyk / j00ru - Google   as Mateusz Jurczyk
    Mateusz is a big fan of memory corruption. His main areas of interest are client software security, vulnerability exploitation and mitigation techniques, and delving into the darkest corners of low-level kernel internals with a very strong emphasis on Microsoft Windows. He is currently working as an Information Security Engineer at Google.


Similar Presentations: