Meltdown's Aftermath: Leveraging KVA Shadow To Bypass Security Protections

Presented at BSidesLV 2019, Aug. 6, 2019, 5 p.m. (55 minutes).

Following the disclosure of the speculative execution vulnerabilities, Meltdown was mitigated in software by splitting the address space into separate ring0 and ring3 views. Though it sounds simple, this drastically changed memory management in all major operating systems and introduced a new hidden area between user mode and the kernel where code can execute.

In this talk we cover the fundamental details of Meltdown, dive deep into KVA Shadow internals and show how we used it to bypass PatchGuard and HyperGuard.

Moreover, as the mitigation was implemented in all the major operating systems, and on some of them was even backported to all supported versions, we'll discuss the security issues it presents, the new avenues it opens for rootkits, and what countermeasures should be taken in light of them.

Presenters:

  • Omri Misgav
    Omri has a decade of experience in the security field, leading the R&D of large-scale defensive security solutions, performing incident response and conducting low-level research. Nowadays, as the security research team leader at enSilo, he digs into OS internals and exploits, reverse engineers malware and develops new offensive and defensive techniques. Omri is a past speaker at BSidesLV.
  • Udi Yavo
    Udi Yavo has more than 15 years of experience in cyber-security, with a proven track record of leading cutting-edge cyber-security R&D projects. Prior to enSilo, Udi spearheaded the direction of the cyber-security unit at the National Electronic Warfare Research & Simulation Center of Rafael Advanced Defense System and served as its CTO. Additionally, he developed and led Rafael's cyber training programs. Udi's achievements at Rafael have been recognized with excellence and innovation awards on complex security projects. Prior to Rafael, Udi served as a system architect at the IDF. He holds a BA in Computer Science from the Open University. Udi is a past speaker at Black Hat, RSA Conference and BSidesLV.
