Turning (Page) Tables - Bypassing advanced kernel mitigations using page tables manipulations

BSidesLV 2018

Presented by: Omri Misgav, Udi Yavo
Date: Wednesday August 08, 2018
Time: 18:00 - 18:55
Location: Breaking Ground

Over the past several years Microsoft introduced many new kernel exploit mitigations techniques to Windows 10, most notable are: page table randomization, Kernel Control-Flow-Guard and VBS based protections such as KMCI (Kernel-Mode Code Integrity). All these protections make local privilege escalation vulnerabilities significantly harder to exploit. Moreover, most of the kernel exploitation techniques assume KMCI is disabled, in coming releases of Windows 10 this assumption will no longer be true as KMCI will be enabled by default. In this talk we will present a new novel exploitation technique based on page-tables manipulations that allows an attacker to bypass all the above mitigations and achieve privilege escalation, even when KMCI is enabled. The concept behind this new technique is not limited to Windows and the ideas behind it can also be leverages on other modern operating systems.

Omri Misgav

Udi Yavo


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats