Abstract: The overall security posture of operating systems' kernels - and specifically the Microsoft Windows NT kernel - against both local and remote attacks has visibly improved throughout the last decade. In our opinion, this is primarily due to the increasing interest in kernel-mode vulnerabilities by both white- and black-hat parties, as they ultimately allow attackers to subvert the currently widespread defense-in-depth technologies implemented at the operating system level, such as sandboxing, or other features enabling better management of privileges within the execution environment (e.g. Mandatory Integrity Control). As a direct outcome, Microsoft has invested considerable resources in both improving the development process with programs like the Security Development Lifecycle and explicitly hardening the kernel against existing attacks; the latter was particularly characteristic of Windows 8, which introduced more kernel security improvements than any NT-family system thus far. In this paper, we discuss the concept of employing CPU-level operating system instrumentation to identify potential instances of local race conditions in fetching user-mode input data within system call handlers and other user-facing ring-0 code, and how it was successfully implemented in the Bochspwn project. Further in the document, we present a number of generic techniques easing the exploitation of timing-bound kernel vulnerabilities and show how these techniques can be employed in practical attacks against three exemplary vulnerabilities discovered by Bochspwn. In the last sections, we conclude with some suggestions on related research areas that haven't been fully explored and require further development.
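The vulnerability class the abstract refers to is the kernel "double fetch": a system call handler reads a value from user-controlled memory to validate it, then reads the same address again to use it, leaving a window in which a concurrent user-mode thread can change the value between the two reads. The following is an added illustration, not code from the paper or the Bochspwn project: it models the instrumentation idea with a read hook that records (address, call site) for every user-memory read made during a simulated system call, flags any address read from two distinct sites, and applies the detector to a handler with the check/use split beside one that captures the value once into kernel memory. All struct names, the `fetch_u32` hook, the site identifiers and the request layout are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example; not the paper's or Bochspwn's code. Names and layouts are
   assumptions chosen for illustration only. */

#define MAX_READS  64
#define USER_LIMIT 16u    /* policy limit on the caller-supplied length */

struct user_req {         /* constructed user-controlled request structure */
    uint32_t length;
    uint8_t  data[64];
};

/* Access log filled by the read hook, one entry per instrumented user read. */
struct access_log {
    const void *addr[MAX_READS];
    int         site[MAX_READS];   /* stands in for the reading instruction's address */
    size_t      n;
};

static struct access_log g_log;

static void log_reset(void) { g_log.n = 0; }

/* Models the CPU-level hook: every 4-byte read of user memory is recorded
   together with the site that performed it, then the read is carried out. */
static uint32_t fetch_u32(const uint32_t *user_ptr, int site) {
    if (g_log.n < MAX_READS) {
        g_log.addr[g_log.n] = user_ptr;
        g_log.site[g_log.n] = site;
        g_log.n++;
    }
    return *user_ptr;
}

/* Number of distinct user addresses read from two or more distinct sites
   within one logged system call: each such address is a double-fetch candidate. */
static int count_double_fetches(void) {
    int found = 0;
    for (size_t i = 0; i < g_log.n; i++) {
        int seen_before = 0;
        for (size_t k = 0; k < i; k++)
            if (g_log.addr[k] == g_log.addr[i]) { seen_before = 1; break; }
        if (seen_before) continue;           /* already counted for this address */
        for (size_t j = i + 1; j < g_log.n; j++)
            if (g_log.addr[j] == g_log.addr[i] && g_log.site[j] != g_log.site[i]) {
                found++;
                break;
            }
    }
    return found;
}

/* Check/use split: the length is validated on one read and consumed on a
   second read of the same user address. kbuf is oversized in this model so the
   demonstration stays memory-safe; the defect is that n is no longer the
   value that passed the check. */
static int handler_double_fetch(const struct user_req *req, uint8_t *kbuf) {
    if (fetch_u32(&req->length, 1) > USER_LIMIT) return -1;   /* site 1: check */
    uint32_t n = fetch_u32(&req->length, 2);                  /* site 2: use  */
    memcpy(kbuf, req->data, n);
    return (int)n;
}

/* Capture-once pattern: the value is read into kernel memory a single time and
   both the check and the use operate on that local copy. */
static int handler_single_fetch(const struct user_req *req, uint8_t *kbuf) {
    uint32_t n = fetch_u32(&req->length, 3);                  /* single read */
    if (n > USER_LIMIT) return -1;
    memcpy(kbuf, req->data, n);
    return (int)n;
}

/* Runs one handler under instrumentation and returns the detector's verdict. */
static int run_syscall(int (*handler)(const struct user_req *, uint8_t *),
                       const struct user_req *req) {
    uint8_t kbuf[64];
    log_reset();
    handler(req, kbuf);
    return count_double_fetches();
}

/* Builds a constructed request and returns the number of flagged addresses. */
static int demo(int use_double_fetch_handler) {
    struct user_req req;
    memset(&req, 0, sizeof req);
    req.length = 8;                  /* constructed, within USER_LIMIT */
    return run_syscall(use_double_fetch_handler ? handler_double_fetch
                                                : handler_single_fetch, &req);
}

int main(void) {
    printf("double-fetch handler: %d candidate(s)\n", demo(1));
    printf("single-fetch handler: %d candidate(s)\n", demo(0));
    return 0;
}
```

The detector needs no actual race to fire: like the instrumentation described in the abstract, it reports the access pattern (same user address, two reading sites, one system call) and leaves confirming exploitability to later analysis. Real kernels read through accessor routines (on Windows, probing plus a capture into a local variable) rather than dereferencing user pointers directly, and that capture-once discipline is exactly what the second handler shows.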
Download: bochspwn.pdf