Kernel Wars

Presented at DEF CON 15 (2007), Aug. 4, 2007, 10 a.m. (80 minutes)

Kernel vulnerabilities are often deemed unexploitable, or at least unlikely to be exploited reliably. Although it is true that kernel-mode exploitation often presents new challenges for exploit developers, it still all boils down to "creative debugging" and knowledge about the target in question. This talk intends to demystify kernel-mode exploitation by demonstrating the analysis and reliable exploitation of several real-life kernel vulnerabilities. From a defender's point of view this could hopefully serve as an eye-opener, as it demonstrates the ineffectiveness of HIDS, NX, ASLR and other protective measures when the kernel itself is being exploited. The entire process will be discussed: how the vulnerabilities were found, how they were analyzed to determine whether and how they can be reliably exploited, and of course the exploits will be demonstrated in practice. None of the vulnerabilities used as examples had public exploits by the time we exploited them; they include the (in)famous Windows 2000/XP GDI bug, the FreeBSD 802.11 bug and a local NetBSD vulnerability. We will also demonstrate a full exploit for the remote OpenBSD ICMPv6 vulnerability found by CORE SDI, and discuss the payload techniques we used for it. The NetBSD bug is a new 0-day for Vegas and not the same bug that was disclosed at our Black Hat Europe presentation, and we will also throw in at least one more surprise 0-day to keep things interesting. ;) More info will be made available at: http://kernelwars.blogspot.com/

Presenters:

  • Christer Öberg - Security Researcher, Bitsec
  • Claes Nyberg - Security Researcher, Bitsec
  • Karl Janmar - Security Researcher, Bitsec
  • Joel Eriksson - Security Researcher and CTO of Bitsec
    Joel Eriksson is the CTO of Bitsec, a newly founded security company based in Sweden. Joel has been working in the computer security field since 1997 when he started out as an independent consultant. His primary focus is within vulnerability research, exploit development and reverse engineering. Joel has previously spoken at Black Hat Europe and UNCON.
