Making Mischief with Machine Specific Register Based Exploits
2021-10-12, 16:00–16:50 (US/Pacific), The Point

You can use your favorite system monitoring drivers to gain code execution in the kernel by writing to a single register.

Model Specific Registers (MSRs) are little known outside of kernel developer circles. Even among kernel hackers, the use of each register is not well known, with several registers being either partially or fully undocumented. This has led to a proliferation of low quality kernel mode drivers that expose primitives to read and write these registers. While writing to a single register is seldom cause for celebration by the exploit developer, in several instances an understanding of these registers can lead to kernel remote code execution allowing for privilege escalation. This talk will explore the purpose of these special registers, how we can use them to get kernel code execution, and how developers should be protecting themselves from these attacks.

This talk will introduce the audience to the concept of model specific registers, with a brief overview of their history and introduction. An overview of the commonly used model specific registers will be given, using examples from a vulnerable driver to illustrate how and where they are used. A sample driver will be reverse engineered to demonstrate the process of assessing a vulnerability involving model specific register use, and an example exploit will be given to demonstrate how the registers can be leveraged to gain kernel code execution. Finally, mitigation strategies for model specific register based attacks will be given for kernel mode driver developers.
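One mitigation a driver developer can apply to the "read/write any MSR" primitive described above is an allowlist gate in front of every IOCTL-originated MSR access. The following C is an added example written for this page, not code from the talk or from any real driver; the request struct, the vendor register index 0xDEAD0000 and the policy table are constructed placeholders, while the Intel MSR indices are the architectural ones.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Request a hypothetical monitoring driver receives from user mode
 * (constructed for this example; not any real driver's ABI). */
typedef struct {
    uint32_t msr;       /* MSR index, i.e. ECX for rdmsr/wrmsr */
    uint64_t value;     /* value to write; ignored for reads */
    bool     is_write;
} msr_request;

/* Allowlist entry: an MSR the driver may touch and which of its bits may be
 * written. A writable_mask of 0 makes the register read-only through the
 * driver. Anything absent from the table is denied, so the table never has
 * to enumerate "dangerous" registers such as the syscall entry MSR. */
typedef struct {
    uint32_t msr;
    uint64_t writable_mask;
} msr_policy;

static const msr_policy policy[] = {
    { 0x10,       0    },   /* IA32_TSC: read-only */
    { 0xE7,       0    },   /* IA32_MPERF: read-only */
    { 0xE8,       0    },   /* IA32_APERF: read-only */
    { 0x19C,      0    },   /* IA32_THERM_STATUS: read-only */
    { 0xDEAD0000, 0xFF },   /* placeholder vendor register: low 8 bits only */
};

enum msr_verdict { MSR_ALLOW = 0, MSR_DENY_UNLISTED, MSR_DENY_READONLY,
                   MSR_DENY_WRITE_BITS };

/* Gate every user-supplied MSR access here; the real driver would execute
 * rdmsr/wrmsr only when MSR_ALLOW is returned. */
enum msr_verdict check_msr_request(const msr_request *req)
{
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++) {
        if (policy[i].msr != req->msr)
            continue;
        if (!req->is_write)
            return MSR_ALLOW;
        if (policy[i].writable_mask == 0)
            return MSR_DENY_READONLY;
        /* Writes may only set bits the policy marks writable. */
        if (req->value & ~policy[i].writable_mask)
            return MSR_DENY_WRITE_BITS;
        return MSR_ALLOW;
    }
    return MSR_DENY_UNLISTED;
}
```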

John Dunlap (MrSynAckster) is a NYC based reverse engineer, exploit developer, and security engineer. He has presented at numerous conferences such as Bsides DC, Hope Conference, Ruxcon, and the Defcon villages. His research focuses on binary exploitation of low level software, but has also reached into the realms of machine learning based exploit tools and DNA based Biohacking. He has also done research on hacker history and lore, uncovering the hidden history of the team “Script Kiddy” in his 2018 Hope Conference presentation. John has worked with top NYC security firms Gotham Digital Science, Trail of Bits, and now works with Seattle based Leviathan Security.