Cluck Cluck: On Intel's Broken Promises

Presented at BSidesLV 2014, Aug. 5, 2014, 5 p.m. (60 minutes)

Cluck Cluck presents an architectural, OS-independent method for accessing arbitrary physical memory from kernel shell-code or forensics memory acquisition tools where the virtual addresses of the paging structures are not known -- 'breaking out' of virtual memory. Currently, the virtual address for the page directory is hard coded in the kernel, but this is specific to each OS and version thereof. Cluck Cluck solves the chicken and egg problem (needing access to the page structures to gain access to the page structures) at an OS-independent, architectural level, highlighting how a newer Intel feature violated existing guarantees.

Presenters:

• Jacob Torrey
  Jacob Torrey is an Advising Research Engineer at Assured Information Security, Inc, where he leads the Computer Architectures group and acts as the site lead for the Colorado branch. Jacob has worked extensively with low-level x86 and MCU architectures, having written a BIOS, OS, hypervisor and SMM handler. His major interest is how to (mis)use an existing architecture to implement a capability currently beyond the limitations of the architecture.

Links:

• https://bsideslv2014.sched.com/event/1zUnTuF/cluck-cluck-on-intels-broken-promises
• https://infocon.org/cons/Security BSides/BSides Las Vegas/BSides Las Vegas 2014/cluck cluck on intels broken promises jacob torrey.mp4

Similar Presentations:

• Black Hat USA 2019 / Paging All Windows Geeks – Finding Evil in Windows 10 Compressed Memory
• Black Hat USA 2016 / Using Undocumented CPU Behavior to See into Kernel Mode and Break KASLR in the Process
• REcon 2017 / The HyperV Architecture and its Memory Manager