Hacking Like in the Movies: Visualizing Page Tables for Local Exploitation

Presented at Black Hat USA 2013, Aug. 1, 2013, 5 p.m. (Unknown duration)

A shiny and sparkling way to break user-space ASLR, kernel ASLR and even find driver bugs! Understanding how a specific Operating System organizes its Page Tables allows you to find your own ASLR bypasses and even driver vulnerabilities. We will drop one 0day Android ASLR bypass as an example; you can then break all your other expensive toys yourself. Page Tables are the data structures that map the virtual address space your programs see to the actual physical addresses identifying locations on your physical RAM chips. We will visualize these data structures for:

  • Windows 8 on x86_64
  • Windows 8 RT on ARMv7
  • Linux 3.8 on x86_64
  • Linux 3.4 on ARMv7 alias Android 4.2
  • XNU on x86_64 alias OS X
  • XNU on ARMv7 alias iOS

Besides showing pretty pictures, we will actually explain what they show and how to interpret commonalities and differences across the same kernel on different architectures.

By comparing the page table state on the same architecture across different runs, we will identify static physical mappings created by drivers, which can be useful for DMA attacks (think FireWire or Thunderbolt forensics). Static virtual mappings are even more interesting and can be used for (K)ASLR bypasses.

To make a final point, that this is not only nice to look at, we will show how we found a mitigated Android


Presenters:

  • Alex Ionescu - CrowdStrike
    Alex Ionescu is the founder of Winsider Seminars & Solutions Inc., specializing in low-level system software for administrators and developers as well as reverse engineering and security trainings for various organizations and is a coauthor of the Windows Internals series. From 2003-2007, Alex was the lead kernel developer for ReactOS, an open source clone of Windows XP/Server 2003 written from scratch, for which he wrote most of the Windows NT-based kernel. During his studies in Computer Science, Alex worked at Apple on the iOS kernel, boot loader, firmware, and drivers on the original core platform team behind the iPhone, iPad and AppleTV. Returning to his Windows security roots, Alex is now Chief Architect at CrowdStrike, a security startup focused on nation-state adversaries and other highly sophisticated actors. Alex continues to be very active in the security research community, discovering and reporting several vulnerabilities related to the Windows kernel and presenting talks at conferences such as Blackhat, Breakpoint, SyScan, and Recon. His work has led to the fixing of many critical kernel vulnerabilities, as well as to over a few dozen non-security bugs.
  • Alexandru Radocea - CrowdStrike, Inc.
    Alex Radocea works for CrowdStrike, offering services, intelligence, and technologies to companies who want to turn the tides and bring pain to advanced adversaries. Previous employers include Apple where he worked on the Product Security team and Matasano, working as a consultant testing a wide variety of technologies. He is a cryptographic failure enthusiast and aspiring silicon chip reverser. Alex Rad has led the "lollerskaterz dropping from rofl copters" team a number of years to the Defcon CTF Finals where they consistently did everything but win, and remains a huge fan of computer security wargames. Prior noticeable speaking engagements include CodeGate '09, WWDC'11, and EkoParty'12.
  • Georg Wicherski - CrowdStrike, Inc.
    Georg Wicherski is a Senior Security Researcher with CrowdStrike, mostly analyzing advanced targeted threats but also putting himself in attackers' shoes from time to time. He loves to work on a low level, abandoning all the syntactic sugar that HLLs offer and working on instructions or bytecode. Recently, he has developed an interest in the ARM architecture in addition to his old x86 adventures.
