googleprojectzero/bochspwn googleprojectzero/bochspwn

  • Stars
    star
    307
  • Rank 131,587 (Top 3 %)
  • Language
    C++
  • License
    Apache License 2.0
  • Created almost 11 years ago
  • Updated about 5 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
googleprojectzero/bochspwn
github

googleprojectzero

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A Bochs-based instrumentation project designed to log kernel memory references, to identify "double fetches" and other OS vulnerabilities

Bochspwn

Bochspwn is a system-wide instrumentation project designed to log memory accesses performed by operating system kernels and examine them in search of patterns indicating the presence of certain bugs, such as "double fetches". Information about memory references is obtained by running the guest operating systems within the Bochs IA-32 emulator with the custom instrumentation component compiled in. It was written in 2013, and was used to discover over 50 race conditions in the Windows kernel, fixed across numerous security bulletins (MS13-016, MS13-017, MS13-031, MS13-036). For further information, see Read more.

Support status

The toolset is not actively maintained, and its source code is released "as is", mostly for reference purposes. It was originally released as kfetch-toolkit in 2013 after the Black Hat USA talk, together with a comprehensive documentation at DOCUMENTATION.old.md (now partially obsolete). In 2017, we revised the source code of the project and implemented several new features:

  1. Information about the address space layout of kernel drivers is stored in a separate file (modules.bin by default), and each driver is referenced by its index in the main log file. This was done to save disk space, by preventing the reduntant information (image names and base addresses) from being needlessly saved for every stack trace item in the log.
  2. Information about the presence of an active exception handler in each stack frame was added to the access log protocol buffer, allowing us to detect a number of local Windows DoS vulnerabilities (see examples 1, 2, 3, 4).
  3. Information about the value of PreviousMode at the time of the memory access in Windows was added to the protocol buffer.
  4. The "online" double-fetch detection mode was removed from the code, as it was deemed too slow to be practically useful.
  5. Some symbolization-related and other minor bugs were fixed in the code.

The instrumentation was also ported to Bochs version 2.6.9, the latest one at the time of this writing.

Building and usage

For general instructions, see DOCUMENTATION.old.md.

You may wish to use more recent versions of the referenced software (e.g. Bochs 2.6.9, libprotobuf 3.4.1 etc.), and update the Bochspwn configuration file to account for the 2017 changes. When in doubt, please refer to the source code or contact us with any questions.

Example report

------------------------------ found double-read of address 0x00000000001ef766
Read no. 1:
[pid/tid/ct: 000000fc/00000100/01d27c3a91e567e6] {        smss.exe} 0000001e, 00000042: READ of 1ef764 (5 * 4 bytes), pc = 82a75263 [ rep movsd dword ptr es:[edi], dword ptr ds:[esi] ]
[previous mode: 1]
#0  0x82a75263 ((0026a263) ntoskrnl!SeCaptureSecurityDescriptor+00000067) <===== SEH enabled (#0)
#1  0x82a36a23 ((0022ba23) ntoskrnl!ObpCaptureObjectCreateInformation+000000c2) <===== SEH enabled (#0)
#2  0x82a45de2 ((0023ade2) ntoskrnl!ObOpenObjectByName+0000009b)
#3  0x82a3c7db ((002317db) ntoskrnl!IopCreateFile+00000673) <===== SEH disabled
#4  0x82a60402 ((00255402) ntoskrnl!NtCreateFile+00000034)
#5  0x82848db6 ((0003ddb6) ntoskrnl!KiSystemServicePostCall+00000000)

Read no. 2:
[pid/tid/ct: 000000fc/00000100/01d27c3a91e567e6] {        smss.exe} 0000001e, 00000042: READ of 1ef766 (1 * 2 bytes), pc = 82a752ad [           movzx edx, word ptr ds:[eax+2] ]
[previous mode: 1]
#0  0x82a752ad ((0026a2ad) ntoskrnl!SeCaptureSecurityDescriptor+000000b1) <===== SEH enabled (#1)
#1  0x82a36a23 ((0022ba23) ntoskrnl!ObpCaptureObjectCreateInformation+000000c2) <===== SEH enabled (#0)
#2  0x82a45de2 ((0023ade2) ntoskrnl!ObOpenObjectByName+0000009b)
#3  0x82a3c7db ((002317db) ntoskrnl!IopCreateFile+00000673) <===== SEH disabled
#4  0x82a60402 ((00255402) ntoskrnl!NtCreateFile+00000034)
#5  0x82848db6 ((0003ddb6) ntoskrnl!KiSystemServicePostCall+00000000)

Read more

Bochspwn Reloaded

In 2017, we implemented a new type of full-system instrumentation on top of the Bochs emulator, named Bochspwn Reloaded. The instrumentation performs taint tracking of the guest kernel address space, and detects the disclosure of uninitialized kernel stack/heap memory to user-mode. It helped us identify over 70 bugs in the Windows kernel, and more than 10 lesser bugs in Linux in 2017 and early 2018.

The tool was discussed at the REcon Montreal, Black Hat USA, and INFILTRATE conferences, as well as in the
Detecting Kernel Memory Disclosure with x86 Emulation and Taint Tracking whitepaper. It is also an open-source project, and its source code can be found in the bochspwn-reloaded repository.

Disclaimer

This is not an official Google product.

More Repositories

1

winafl

A fork of AFL for fuzzing Windows binaries
C
2,226
star
2

sandbox-attacksurface-analysis-tools

Set of tools to analyze Windows sandboxes for exposed attack surface.
C#
1,939
star
3

weggli

weggli is a fast and robust semantic search tool for C and C++ codebases. It is designed to help security researchers identify interesting functionality in large codebases.
Rust
1,857
star
4

fuzzilli

A JavaScript Engine Fuzzer
Swift
1,766
star
5

domato

DOM fuzzer
Python
1,628
star
6

TinyInst

A lightweight dynamic instrumentation library
C++
1,103
star
7

Jackalope

Binary, coverage-guided fuzzer for Windows, macOS, Linux and Android
C++
980
star
8

halfempty

A fast, parallel test case minimization tool.
C
923
star
9

symboliclink-testing-tools

C++
709
star
10

0days-in-the-wild

Repository for information about 0-days exploited in-the-wild.
HTML
693
star
11

p0tools

Project Zero Docs and Tools
C
655
star
12

ktrw

An iOS kernel debugger based on a KTRR bypass for A11 iPhones; works with LLDB and IDA Pro.
C
636
star
13

functionsimsearch

Some C++ example code to demonstrate how to perform code similarity searches using SimHashing.
C++
553
star
14

BrokenType

TrueType and OpenType font fuzzing toolset
C++
424
star
15

iOS-messaging-tools

Python
354
star
16

SockFuzzer

C
351
star
17

SkCodecFuzzer

Fuzzing harness for testing proprietary image codecs supported by Skia on Android
C++
328
star
18

bochspwn-reloaded

A Bochs-based instrumentation performing kernel memory taint tracking to detect disclosure of uninitialized memory to ring 3
C++
272
star
19

Street-Party

Street Party is a suite of tools that allows the RTP streams of video conferencing implementations to be viewed and modified.
C++
237
star
20

DrSancov

DynamoRIO plugin to get ASAN and SanitizerCoverage compatible output for closed-source executables
C++
199
star
21

CompareCoverage

Clang instrumentation module for tracing variable and buffer comparisons in C/C++ and saving the coverage data to .sancov files
C++
199
star
22

Hyntrospect

PowerShell
174
star
23

reil

C++
58
star
24

.allstar

1
star
25

.github

1
star