SyScan 2013, Bochspwn paper and slides

By j00ru | Thu, 02 May 2013 18:53:36 +0000 | @domain: j00ru.vexillium.org
(Collaborative post by Mateusz “j00ru” Jurczyk and Gynvael Coldwind) A few days ago we (Gynvael and I) gave a talk during the SyScan’13 conference in the fine city of Singapore, and as promised (though with a slight delay), today we are publishing both the slide deck and a white paper discussing memory access pattern analysis [...]

SyScan 2013, Bochspwn paper and slides

By Gynvael Coldwind | Thu, 02 May 2013 00:08:23 +0200 | @domain: gynvael.coldwind.pl
(Collaborative post by Mateusz "j00ru" Jurczyk and Gynvael Coldwind) A few days ago we (j00ru and I) gave a talk during the SyScan'13 conference in the fine city of Singapore, and as promised (though ...

A story of win32k!cCapString, or unicode strings gone bad.

By j00ru | Tue, 16 Apr 2013 14:24:21 +0000 | @domain: j00ru.vexillium.org
In the most recent blog post (“Fun facts: Windows kernel and guard pages”), we have learned how the code coverage of kernel routines referencing user-mode memory can be determined by taking advantage of the fact that kernel-mode code triggers guard page exceptions in the same way as user-mode does. Today, I will present how the [...]

Fun facts: Windows kernel and guard pages

By j00ru | Sat, 13 Apr 2013 01:36:38 +0000 | @domain: j00ru.vexillium.org
It has been a while since I last posted here, so I guess it’s high time to get back to work and share some more interesting Windows kernel internals goodies. Before we get to that, however, let’s start with a few announcements. First of all, there is a number of great infosec conferences coming up [...]

Updates: Article and interview

By sil2100 | Tue, 26 Mar 2013 18:49:00 GMT | @domain: sil2100.vexillium.org
Just a quick self-advertising update. Recently I have been involved in two fun activities: first, I wrote an article about Ubuntu Autopilot for the Ubuntu User magazine. It has been published in the 16th issue of Ubuntu User. It's loosely based on the Autopilot for Unity blog post I wrote some time ago, just this time not only targeting the Unity system but also normal Qt/GTK+ applications. I have also been asked to give a short interview related to display servers and the recent announcement of Mir, for a Polish computer-oriented blog - Morfiblog. It's Polish-only, sadly.

A tale of IBus, GIR and queries

By sil2100 | Sat, 23 Feb 2013 22:53:00 GMT | @domain: sil2100.vexillium.org
Recently I have been working a lot on making IBus autopilot tests more reliable. The design was simple: fetch the expected resulting characters from IBus and compare those with what actually got written in the Unity Dash/HUD text entry. Simple, right? Wrong. IBus doesn't really allow you to just ask him: hey, when I give you the string "abc", what output string will I get for the current engine? You can do it if you explicitly use the input_context, ok. Hell starts when you want to use Python and the gi.repository IBus bindings (not the old python-ibus ones). Why? Because someone made some essential methods Introspectable="0" for no reason. But let's see how we can actually do without those. This post is a quick report from my battle with gobject-introspection of IBus in Python - with all my other trials and approaches. A lot of those!

Pandaboard EA3

By sil2100 | Fri, 18 Jan 2013 20:32:00 GMT | @domain: sil2100.vexillium.org
ARM platforms were always important for the Ubuntu ecosystem - even more so since the start of the 13.04 cycle. For testing Unity on ARM I'm using an OMAP Pandaboard from the EA3 series. It's a very interesting platform to play with - quite powerful, high-level and good-looking! By no means is it a novelty, but it is something I have only recently got my hands on. Here's my really quick look at the Panda in my possession.

PDF Fuzzing Fun Continued: Status Update

By j00ru | Wed, 09 Jan 2013 00:54:18 +0000 | @domain: j00ru.vexillium.org
(Collaborative post by Mateusz “j00ru” Jurczyk and Gynvael Coldwind) Almost five months ago, Gynvael Coldwind and I wrote about an effort to improve the security of popular PDF parsing and rendering software; back then, we were primarily focused on the Chrome PDF Renderer and latest Adobe Reader applications. In order to achieve our results, we [...]

PDF Fuzzing Fun Continued: Status Update

By Gynvael Coldwind | Wed, 09 Jan 2013 00:08:13 +0100 | @domain: gynvael.coldwind.pl
(Collaborative post by Mateusz "j00ru" Jurczyk and Gynvael Coldwind) Almost five months ago, Gynvael Coldwind and I wrote about an effort to improve the security of popular PDF parsing and rendering so...

PHP equal operator ==

By Gynvael Coldwind | Wed, 02 Jan 2013 00:08:12 +0100 | @domain: gynvael.coldwind.pl
The PHP equality operator == is (based on my experience) probably the weirdest and most overused comparison operator in popular programming languages. Looking back I had my attempts at trying to work ...

CVE-2012-2553: Windows Kernel VDM use-after-free in win32k.sys

By j00ru | Tue, 18 Dec 2012 21:21:47 +0000 | @domain: j00ru.vexillium.org
Microsoft addressed several Windows kernel vulnerabilities in the MS12-075 security bulletin released in November this year, some of them residing in every version of the win32k.sys driver shipped with the NT family line systems. Apart from the obviously extremely interesting remote web browser => ring-0 arbitrary code execution issue, there have also been two other [...]

Defeating Windows Driver Signature Enforcement #3: The Ultimate Encounter

By j00ru | Mon, 10 Dec 2012 09:03:09 +0000 | @domain: j00ru.vexillium.org
I hope you haven’t got bored with bypassing the Driver Signature Enforcement mechanism (present on all 64-bit Microsoft Windows operating systems since Vista) just yet – in either case, stay calm… this is going to be the last post of the series. After using multiple drivers shipped with the OS in the default configuration to [...]

ZeroNights slides, Hack In The Box Magazine #9 and other news

By j00ru | Sat, 01 Dec 2012 11:49:09 +0000 | @domain: j00ru.vexillium.org
First of all, it has been reported to me that the system call list for Microsoft Windows Vista SP0 available at http://j00ru.vexillium.org/ntapi was wrong, containing syscall numbers for the beta2 version of the system instead of the actual RTM Service Pack 0. The issue has already been resolved – apologies for any confusion this might have [...]

NetSock version 2012.11.18

By Gynvael Coldwind | Mon, 19 Nov 2012 00:08:10 +0100 | @domain: gynvael.coldwind.pl
I've published the newest version of NetSock, my simple C++ socket library (think TCP and UDP) for Windows and Linux, that's distributed under the terms of Apache License, Version 2.0. There aren't ma...

Crawling MSDN for fun and profit

By j00ru | Fri, 16 Nov 2012 19:41:54 +0000 | @domain: j00ru.vexillium.org
Regardless of whether you are a Windows exploitation guru, a professional win32 application developer or someone whose curiosity occasionally tells him to dig up the MSDN library looking for interesting quirks or undocumented functionality, the following examples of MSDN article excerpts are very likely to look familiar to you: Simply put, the operating system operates on an [...]

Defeating Windows Driver Signature Enforcement #2: CSRSS and thread desktops

By j00ru | Sat, 10 Nov 2012 03:08:33 +0000 | @domain: j00ru.vexillium.org
To stand by my claim that the Microsoft Windows operating system has been built on the fundamental assumption that administrative privileges would always be equivalent to granting the ability to run arbitrary ring-0 code, I have decided to briefly discuss yet another portion of some Windows internals and how they could be easily misused by [...]

Defeating Windows Driver Signature Enforcement #1: default drivers

By j00ru | Sun, 04 Nov 2012 01:48:56 +0000 | @domain: j00ru.vexillium.org
One of the obvious things about the Windows operating system for anyone actively working on its kernel security is that the Driver Signature Enforcement (DSE in short) is not effective and can be bypassed with relative ease by any determined individual. From a historical perspective, the “feature” was introduced in the 64-bit build of Windows [...]

Autopilot for Unity

By sil2100 | Mon, 29 Oct 2012 00:11:00 GMT | @domain: sil2100.vexillium.org
Unity currently uses a very interesting tool for functional testing: Autopilot. It's a custom solution created with Unity in mind, but can also be used for any other system as well. We have recently decided to start getting rid of all manual testing in Unity and related components, meaning no more running away from automated testing. This is a quick look on how we can use Autopilot to perform automatic testing for our convenience with the Unity stack. All related to Ubuntu 12.10 and later of course.

Android app: state persistency on orientation change

By sil2100 | Fri, 26 Oct 2012 22:34:00 GMT | @domain: sil2100.vexillium.org
Parts of my latest interests tend to lean towards Android - both application and system development. There was one thing I noticed lately: whenever orientation changes, the activity gets restarted and might lose its state. This happens because Android has a strange policy of forcing the recreation of the activity whenever the configuration changes - such as orientation, language etc. So if we don't want our application starting off clean on every device tilt, well, we need to prepare it for this evil.

Introducing the USB Stick of Death

By Gynvael Coldwind | Mon, 22 Oct 2012 00:08:09 +0200 | @domain: gynvael.coldwind.pl
(Bug found by Gynvael Coldwind, exploit developed by Mateusz “j00ru” Jurczyk) Several months back we have been playing with different file systems on various system platforms, examining the security p...

Introducing the USB Stick of Death

By j00ru | Sun, 21 Oct 2012 16:00:13 +0000 | @domain: j00ru.vexillium.org
(Bug found by Gynvael Coldwind, exploit developed by Mateusz “j00ru” Jurczyk) Several months back we have been playing with different file systems on various system platforms, examining the security posture and robustness of numerous device drivers’ implementations. One of the configurations we spent some time on was the commonly used NTFS on Microsoft Windows – [...]

cr-gpg 0.8.2, a couple of bugs

By Gynvael Coldwind | Fri, 28 Sep 2012 00:08:07 +0200 | @domain: gynvael.coldwind.pl
Seems a new version - 0.8.2 - of cr-gpg (the GPG browser extension for Gmail for Chrome) was released today, so a brief note on a few bugs I reported in late August. The cr-gpg extension for Chrome...

Nullcon 2012 CTF

By j00ru | Mon, 17 Sep 2012 05:53:20 +0000 | @domain: j00ru.vexillium.org
(Collaborative post by Mateusz “j00ru” Jurczyk, Gynvael Coldwind and Adam Iwaniuk) Friday, the 7th of September 2012 we were supposed to play the securitytraps.no-ip.org CTF. Unfortunately, the competition was postponed for a later date at the last moment, due to some significant technical problems. Next day evening we accidentally discovered another CTF taking place – [...]

nullcon 2012 CTF

By Gynvael Coldwind | Mon, 17 Sep 2012 00:08:06 +0200 | @domain: gynvael.coldwind.pl
(Collaborative post by Gynvael Coldwind, Mateusz "j00ru" Jurczyk and Adam Iwaniuk) Friday, the 7th of September 2012 we were supposed to play the securitytraps.no-ip.org CTF. Unfortunately, the competi...

Fun facts: Windows kernel and Device Extension Size

By j00ru | Sat, 15 Sep 2012 21:47:17 +0000 | @domain: j00ru.vexillium.org
Today, I would like to start sharing some of the most amusing examples of the Windows kernel behavior that I often stumble upon while reverse-engineering its various areas, exploiting a particular vulnerability or just randomly exploring its code. Some of them might have certain implications for security, some are completely impractical and are presented for [...]
