John D Dunlap
John Dunlap (MrSynAckster) is a NYC-based reverse engineer, exploit developer, and security engineer. He has presented at numerous conferences such as BSides DC, the HOPE Conference, Ruxcon, and the DEF CON villages. His research focuses on binary exploitation of low-level software, but has also reached into the realms of machine-learning-based exploit tools and DNA-based biohacking. He has also done research on hacker history and lore, uncovering the hidden history of the term “Script Kiddy” in his 2018 HOPE Conference presentation. John has worked with top NYC security firms Gotham Digital Science and Trail of Bits, and now works with Seattle-based Leviathan Security.
You can use your favorite system monitoring drivers to gain code execution in the kernel by writing to a single register.
Model Specific Registers (MSRs) are little known outside of kernel developer circles. Even among kernel hackers, the purpose of each register is not well known, and several registers are either partially or fully undocumented. This has led to a proliferation of low-quality kernel-mode drivers that expose primitives to read from and write to these registers to any local user who can open the device. While writing a single register is seldom cause for celebration for an exploit developer, in several instances an understanding of these registers turns that one write into kernel code execution and therefore local privilege escalation. This talk will explore the purpose of these special registers, how we can use them to get kernel code execution, and how driver developers should protect themselves from these attacks.
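To make the abstract's point concrete, here is an added example that is not part of the talk or of any of the drivers it refers to: a user-mode C model of the MSR-write IOCTL handler found in monitoring drivers, in its vulnerable form and in a deny-by-default form. The request layout, function names and the `model_wrmsr` stand-in are assumptions made for the illustration; the MSR indices are the architectural values from the Intel SDM. The attacker request targets IA32_LSTAR, the SYSCALL entry RIP on x86-64, because redirecting it is the textbook way a single MSR write becomes kernel code execution.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed IOCTL payload: MSR index (goes in ECX) and 64-bit value (EDX:EAX). */
struct msr_write_req {
    uint32_t index;
    uint32_t pad;
    uint64_t value;
};

enum { MSR_OK = 0, MSR_EINVAL = -1, MSR_EACCES = -2 };

/* Architectural MSR indices (Intel SDM). */
#define IA32_LSTAR        0xC0000082u  /* 64-bit SYSCALL entry RIP */
#define IA32_EFER         0xC0000080u  /* SCE / LME / NXE control bits */
#define IA32_SYSENTER_EIP 0x00000176u  /* SYSENTER entry RIP */
#define IA32_PERFEVTSEL0  0x00000186u  /* perf counter 0 event select */
#define IA32_PERFEVTSEL1  0x00000187u  /* perf counter 1 event select */

/* Stand-in for the privileged WRMSR instruction (__writemsr / wrmsr in a real
 * driver). WRMSR #GPs in user mode, so this model only records the last write. */
static uint32_t g_last_index;
static uint64_t g_last_value;

static void model_wrmsr(uint32_t index, uint64_t value) {
    g_last_index = index;
    g_last_value = value;
}

uint32_t last_written_index(void) { return g_last_index; }
uint64_t last_written_value(void) { return g_last_value; }

/* VULNERABLE: any caller-chosen index goes straight to WRMSR. A local user who
 * can open the device writes IA32_LSTAR and every later SYSCALL on that CPU
 * enters at an address the attacker picked. */
int msr_write_ioctl_vulnerable(const void *inbuf, size_t inlen) {
    struct msr_write_req req;
    if (inbuf == NULL || inlen < sizeof req) return MSR_EINVAL;
    memcpy(&req, inbuf, sizeof req);
    model_wrmsr(req.index, req.value);
    return MSR_OK;
}

/* HARDENED: deny by default. Only the indices this driver needs for its own
 * monitoring job are writable. A denylist of "dangerous" MSRs is the wrong
 * shape here: the abstract's point is that many MSRs are undocumented, so a
 * denylist can never be complete. An allowlist does not need to be. */
static const uint32_t writable_allowlist[] = { IA32_PERFEVTSEL0, IA32_PERFEVTSEL1 };

static int index_is_allowlisted(uint32_t index) {
    size_t n = sizeof writable_allowlist / sizeof writable_allowlist[0];
    for (size_t i = 0; i < n; i++)
        if (writable_allowlist[i] == index) return 1;
    return 0;
}

int msr_write_ioctl_hardened(const void *inbuf, size_t inlen) {
    struct msr_write_req req;
    if (inbuf == NULL || inlen < sizeof req) return MSR_EINVAL;   /* short buffer */
    memcpy(&req, inbuf, sizeof req);
    if (!index_is_allowlisted(req.index)) return MSR_EACCES;     /* LSTAR, EFER, ... refused */
    model_wrmsr(req.index, req.value);
    return MSR_OK;
}

int main(void) {
    /* Constructed attacker request: point the SYSCALL entry at a fake address. */
    struct msr_write_req attack = { IA32_LSTAR, 0, 0x0000000041414141ull };
    int r1 = msr_write_ioctl_vulnerable(&attack, sizeof attack);
    printf("vulnerable: status %d, wrote MSR 0x%x = 0x%llx\n",
           r1, last_written_index(), (unsigned long long)last_written_value());

    int r2 = msr_write_ioctl_hardened(&attack, sizeof attack);
    printf("hardened:   status %d (IA32_LSTAR write refused)\n", r2);

    /* Constructed legitimate request: program perf counter 0 (value is arbitrary). */
    struct msr_write_req legit = { IA32_PERFEVTSEL0, 0, 0x00000000004300C0ull };
    int r3 = msr_write_ioctl_hardened(&legit, sizeof legit);
    printf("hardened:   status %d, wrote MSR 0x%x\n", r3, last_written_index());
    return 0;
}
```

The allowlist is only half of the fix: the device object itself should be openable by administrators only (on Windows, a restrictive SDDL on the device plus FILE_DEVICE_SECURE_OPEN), and a driver that has no reason to write MSRs should not expose a write IOCTL at all. Note also that on current hardware pointing IA32_LSTAR at user memory trips SMEP, so real exploitation chains the write with kernel-resident code; the handler above is equally wrong either way.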