Unrestricted or improperly validated access to the privileged Model Specific Register (MSR) instructions

Ryan Warns
This talk is a case study of a systemic security issue in the development of a subset of device drivers, based on a previously unexplored exploitation vector: unrestricted or improperly validated access to the privileged Model Specific Register (MSR) instructions. The talk will begin with a review of how to audit device drivers for potential vulnerabilities and how to reliably exploit them if an issue is found, including a discussion of Supervisor Mode Execution Protection (SMEP) and other mitigation bypasses. We will then discuss the specific mechanics of how attacker-controlled MSR access can be exploited and how developers and security vendors can prevent these attacks.

The exploit primitive discussed in this talk was found in over 15 separate device drivers from different vendors and software packages. Often the software performs similar functionality, and in many cases the code written to exploit one of these device drivers can be reused without any modification to successfully exploit the others. The code similarity across software packages suggests either a lack of industry understanding of the security impact of these privileged operations, or a single piece of incorrect code that has propagated throughout the industry.