Announcing Bochspwn Reloaded and my REcon Montreal 2017 slides

A few days ago at the REcon conference in Montreal, I gave a talk titled Bochspwn Reloaded: Detecting Kernel Memory Disclosure with x86 Emulation and Taint Tracking. During the presentation, I introduced and thoroughly explained the core concept, inner workings and results of my latest research project: a custom full-system instrumentation based on the Bochs x86 emulator, designed to detect instances of uninitialized kernel memory disclosure to user-mode applications. This work was largely based on the original Bochspwn research, conducted by Gynvael and me in 2013, whose goal was to identify so-called double fetch conditions in the kernels of various popular operating systems (see SyScan slides and whitepaper, Black Hat slides and source code on GitHub). Bochspwn Reloaded repeated the success of its predecessor, so far having found nearly 30 infoleak vulnerabilities in Windows, and more than a dozen lesser issues in Linux.

The most relevant part of the abstract is as follows:

This presentation will introduce another subtle class of kernel vulnerabilities – disclosure of uninitialized stack and heap memory to user-mode applications. Since information leaks of this kind leave hardly any footprint, they are rarely noticed and reported to system vendors. However, we have found that it is still a prevalent problem in current kernels (especially Windows), and can be abused to defeat certain exploit mitigations or steal sensitive data residing in ring-0. In order to address this matter, we have developed a new Bochspwn-style instrumentation based on rudimentary kernel memory taint tracking, which we then used to discover 30 memory disclosure issues in Windows alone. In this talk, we will discuss the kernel design problems behind the bugs, the design of our tool, and the exploitation process of some of the most interesting findings.

Without further ado, the full slide deck presented at REcon can be downloaded below:

The trophy case of bugs indicated by Bochspwn Reloaded thus far is as follows:

  • Details and proof-of-concept programs for all 29 Windows kernel memory disclosure vulnerabilities fixed by Microsoft in April – June 2017, hosted in the Project Zero bug tracker.
  • Bugs detected in Linux kernel 4.8:
    • Kernel stack memory disclosure, llcp_sock_connect in net/nfc/llcp_sock.c (report)
    • Kernel stack memory disclosure (root-only), ctl_ioctl at drivers/md/dm-ioctl.c (external fix)
    • Use of uninitialized stack memory, bind() and connect() handlers in multiple sockets:
    • Use of uninitialized stack memory, deprecated_sysctl_warning in kernel/sysctl_binary.c (report, fix)
    • Use of uninitialized stack memory, SYSC_epoll_ctl in fs/eventpoll.c (external fix)
    • Use of uninitialized heap memory, devkmsg_read in kernel/printk/printk.c (refactored out on 4.10+ kernels)
    • Use of uninitialized heap memory, dnrmg_receive_user_skb in net/decnet/netfilter/dn_rtmsg.c (report, fix)
    • Use of uninitialized heap memory, nfnetlink_rcv in net/netfilter/nfnetlink.c (report)
    • Use of uninitialized stack memory, ext4_update_bh_state in fs/ext4/inode.c (external report)
    • Use of uninitialized heap memory, nl_fib_lookup in net/ipv4/fib_frontend.c (external fix)
    • Use of uninitialized heap memory, fuse_release_common in fs/fuse/file.c (report, fix)
    • Use of uninitialized stack memory, apply_alternatives in arch/x86/kernel/alternative.c (report, fix)

During the presentation, I also showed animated visualizations of tainted memory layouts of Windows 7, Windows 10 and Ubuntu 16.04 (slides 67, 68 and 117). Since they ended up exported as static images in the PDF, I'm including the original GIFs below. These are 1024×512 (or 1024×256 in the case of Linux) views of the entire kernel address space, with lower addresses at the top and higher ones at the bottom. Each pixel represents one 4 kB memory page, and is colored green for stack taint or red for heap/pool taint. Other characteristics, such as the total visualized run time, the interval between consecutive frames (memory state snapshots), and the actions performed on the systems, are listed next to each specific animation.


Windows 7, 40 minutes of run time, 20s. interval, boot + initial ReactOS tests


Windows 10, 120 minutes of run time, 60s. interval, boot + initial ReactOS tests


Ubuntu 16.04, 60 minutes of run time, 20s. interval, boot + trinity fuzzer + linux test project
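As an added illustration of the rudimentary taint-tracking idea from the abstract and of the per-page views behind the animations above, here is a small Python model (written for this post, not the Bochspwn Reloaded instrumentation itself): fresh stack and pool allocations taint every byte, kernel writes clear the taint, and a copy to user mode that still reads tainted bytes is reported. The `ioctl_handler` routine, its 16-byte struct layout and the stack address are constructed for the example.

```python
PAGE = 4096  # one 4 kB page, the unit of the memory-layout visualizations

class TaintTracker:
    """Byte-granular shadow memory for a (simplified) kernel address space.
    A byte is untainted or carries the tag of the allocation it came from
    ('stack' or 'pool'); taint is cleared by a write and reported on exit."""

    def __init__(self):
        self.shadow = {}    # address -> tag; untainted bytes are simply absent
        self.findings = []  # one dict per copy-to-user that leaked tainted bytes

    def alloc(self, addr, size, tag):
        """New stack frame or pool chunk: nothing has been initialized yet."""
        for a in range(addr, addr + size):
            self.shadow[a] = tag

    def write(self, addr, size):
        """Kernel store to [addr, addr+size): those bytes are now defined."""
        for a in range(addr, addr + size):
            self.shadow.pop(a, None)

    def copy_to_user(self, src, size):
        """Detection point: offsets of tainted bytes about to leave ring-0."""
        leaked = [i for i in range(size) if (src + i) in self.shadow]
        if leaked:
            self.findings.append({"src": src, "size": size, "offsets": leaked,
                                  "tags": sorted({self.shadow[src + i] for i in leaked})})
        return leaked

    def tainted_pages(self):
        """Per-page taint summary: the data behind one frame of the GIFs."""
        pages = {}
        for a, tag in self.shadow.items():
            pages.setdefault(a // PAGE, set()).add(tag)
        return pages


def ioctl_handler(tracker, memset_first):
    """Hypothetical handler filling a 16-byte stack struct { u32 id; u8 flag;
    /* 3 bytes of padding */ u64 value; } and copying it whole to user mode."""
    frame = 0xFFFF800000010F00           # constructed kernel stack address
    tracker.alloc(frame, 16, "stack")
    if memset_first:
        tracker.write(frame, 16)          # memset(&s, 0, sizeof(s)): the fix
    tracker.write(frame + 0, 4)           # s.id = ...
    tracker.write(frame + 4, 1)           # s.flag = ...   (bytes 5..7 stay tainted)
    tracker.write(frame + 8, 8)           # s.value = ...
    return tracker.copy_to_user(frame, 16)
```

Without the memset, the copy leaks the three padding bytes at offsets 5, 6 and 7; with it, nothing tainted reaches user mode and the page summary is empty.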