You can use your favorite system monitoring drivers to gain code execution in the kernel by writing to a single register.
Model Specific Registers (MSRs) are little known outside of kernel developer circles. Even among kernel hackers, the purpose of each register is not well understood, and several registers are partially or fully undocumented. This has led to a proliferation of low-quality kernel mode drivers that expose primitives to read and write these registers from user mode. While the ability to write a single register is seldom cause for celebration for an exploit developer, in several cases an understanding of what these registers control turns that single write into kernel code execution, and with it local privilege escalation. This talk will explore the purpose of these special registers, how we can use them to get kernel code execution, and how driver developers should protect themselves from these attacks.
This talk will introduce the audience to the concept of model specific registers, with a brief overview of their history. The commonly used model specific registers will be surveyed, with examples from a vulnerable driver illustrating how and where they are used. A sample driver will be reverse engineered to demonstrate the process of assessing a vulnerability involving model specific register access, and an example exploit will show how the registers can be leveraged to gain kernel code execution. Finally, mitigation strategies against model specific register based attacks will be given for kernel mode driver developers.
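The following is an added example, not code from the talk or from any driver it discusses. It models, in user-mode C, the two halves of the abstract: the kind of WRMSR IOCTL a monitoring driver exposes and why one write to it matters, beside the deny-by-default handler the mitigation section argues for. RDMSR/WRMSR are mocked into a small table so it runs unprivileged on any OS, and the SYSCALL path is simulated by calling through the value held in IA32_LSTAR, which is what the CPU does on a real syscall. The MSR indices are the architecturally documented Intel/AMD ones; that a given driver touches them is an assumption, and the handler names and error codes are invented for the example.

```c
/*
 * Added example (not the talk's code): user-mode model of a driver WRMSR IOCTL.
 * RDMSR/WRMSR are mocked; the MSR indices are the public architectural ones.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Architectural MSR indices (Intel SDM vol. 4 / AMD APM). */
#define IA32_PERFEVTSEL0     0x00000186u   /* perf event select 0..3: what a */
#define IA32_PERFEVTSEL3     0x00000189u   /* monitoring driver legitimately needs */
#define IA32_EFER            0xC0000080u   /* long mode / NX enable bits */
#define IA32_STAR            0xC0000081u   /* SYSCALL CS/SS selectors */
#define IA32_LSTAR           0xC0000082u   /* RIP loaded by SYSCALL in 64-bit mode */
#define IA32_KERNEL_GS_BASE  0xC0000102u   /* swapped in by SWAPGS */

/* --- mock MSR file so the program runs without ring 0 -------------------- */
#define MSR_SLOTS 16
static struct { uint32_t index; uint64_t value; int used; } msr_file[MSR_SLOTS];

static void mock_wrmsr(uint32_t index, uint64_t value)
{
    for (size_t i = 0; i < MSR_SLOTS; i++)
        if (!msr_file[i].used || msr_file[i].index == index) {
            msr_file[i].index = index; msr_file[i].value = value; msr_file[i].used = 1;
            return;
        }
}

static uint64_t mock_rdmsr(uint32_t index)
{
    for (size_t i = 0; i < MSR_SLOTS; i++)
        if (msr_file[i].used && msr_file[i].index == index) return msr_file[i].value;
    return 0;
}

/* --- the request user mode hands the driver through an IOCTL ------------ */
struct msr_write_req { uint32_t index; uint64_t value; };
enum { MSR_OK = 0, MSR_ERR_DENIED = 1, MSR_ERR_BADVALUE = 2 };   /* example codes */

/* Vulnerable pattern: whatever user mode asked for reaches WRMSR. */
int ioctl_wrmsr_vulnerable(const struct msr_write_req *req)
{
    mock_wrmsr(req->index, req->value);
    return MSR_OK;
}

/* Hardened pattern: deny by default; allow only the MSR range this driver
 * exists to program, and refuse values with reserved bits set (a real WRMSR
 * of reserved bits raises #GP in the kernel, i.e. a crash). The device object
 * should additionally restrict who may open it at all; RDMSR needs the same
 * allowlist, since reading IA32_LSTAR alone leaks the kernel base (KASLR). */
static const struct { uint32_t lo, hi; uint64_t valid_bits; } write_allowlist[] = {
    { IA32_PERFEVTSEL0, IA32_PERFEVTSEL3, 0x00000000FFFFFFFFull },  /* 63:32 reserved */
};

int ioctl_wrmsr_hardened(const struct msr_write_req *req)
{
    for (size_t i = 0; i < sizeof write_allowlist / sizeof write_allowlist[0]; i++) {
        if (req->index < write_allowlist[i].lo || req->index > write_allowlist[i].hi) continue;
        if (req->value & ~write_allowlist[i].valid_bits) return MSR_ERR_BADVALUE;
        mock_wrmsr(req->index, req->value);
        return MSR_OK;
    }
    return MSR_ERR_DENIED;   /* LSTAR, STAR, EFER, KERNEL_GS_BASE ... never reach WRMSR */
}

int try_hardened_write(uint32_t index, uint64_t value)
{
    struct msr_write_req req = { index, value };
    return ioctl_wrmsr_hardened(&req);
}

/* --- the consequence: one write to IA32_LSTAR redirects every syscall ---- */
typedef void (*entry_fn)(void);
static int kernel_entry_hits, payload_hits;
static void kernel_syscall_entry(void) { kernel_entry_hits++; }
static void attacker_payload(void)     { payload_hits++; }   /* would run at CPL0 */

/* Simulated SYSCALL: the CPU loads RIP from IA32_LSTAR and jumps there. */
static void simulate_syscall(void)
{
    entry_fn f = (entry_fn)(uintptr_t)mock_rdmsr(IA32_LSTAR);
    if (f) f();
}

/* Runs the LSTAR overwrite through a handler; returns 1 if attacker code
 * handled the next syscall, 0 if the kernel's own entry point still did. */
int attack(int (*handler)(const struct msr_write_req *))
{
    memset(msr_file, 0, sizeof msr_file);
    kernel_entry_hits = payload_hits = 0;
    mock_wrmsr(IA32_LSTAR, (uint64_t)(uintptr_t)kernel_syscall_entry);  /* OS boot state */
    struct msr_write_req req = { IA32_LSTAR, (uint64_t)(uintptr_t)attacker_payload };
    handler(&req);
    simulate_syscall();
    return payload_hits == 1 && kernel_entry_hits == 0;
}

int main(void)
{
    printf("vulnerable handler: attacker code ran = %d\n", attack(ioctl_wrmsr_vulnerable));
    printf("hardened handler:   attacker code ran = %d\n", attack(ioctl_wrmsr_hardened));
    printf("hardened LSTAR write status = %d\n", try_hardened_write(IA32_LSTAR, 0x4141414141414141ull));
    return 0;
}
```

The point the model makes is that the primitive is only "write a 32-bit index and a 64-bit value", yet because IA32_LSTAR is the address the CPU jumps to on every SYSCALL, a single unchecked write hands the attacker ring 0 on the next system call from their own process. The same holds for the other entries in the denied set: IA32_STAR and IA32_KERNEL_GS_BASE decide what the entry path trusts, and IA32_EFER can disable NX. An allowlist of the handful of MSRs the driver actually needs, rather than a blocklist of the ones the developer happens to know are dangerous, is what closes the class, since the undocumented registers the abstract mentions can never be enumerated for a blocklist.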