Cluck Cluck presents an architectural, OS-independent method for accessing arbitrary physical memory from kernel shell-code or forensics memory acquisition tools where the virtual addresses of the paging structures are not known -- 'breaking out' of virtual memory. Currently, the virtual address for the page directory is hard coded in the kernel, but this is specific to each OS and version thereof. Cluck Cluck solves the chicken and egg problem (needing access to the page structures to gain access to the page structures) at an OS-independent, architectural level, highlighting how a newer Intel feature violated existing guarantees.

Bio: Jacob Torrey is a Sr. Research Engineer at Assured Information Security, Inc, where he leads the Computer Architectures group and acts as the site lead for the Colorado branch. Jacob has worked extensively with low-level x86 and MCU architectures, having written a BIOS, OS, hypervisor and SMM handler. His major interest is how to (mis)use an existing architecture to implement a capability currently beyond the limitations of the architecture.

Back to BSides Las Vegas 2014 video list