As promised I am starting to write a series of 3 blog posts regarding my visit to NoSuchCon conference here in Paris…
I have just attended the first of the three days of this good Security conference.
Researchers from all over the world have presented some interesting topics.
In my opinion the most important and useful (for at least this first day) is the one showed by Mateusz Jurczyk. He has discussed some “weakness” in Intel x86 architecture, mixed with Windows Os kernel frail implementations, that let an attacker crash target system with only 2 ASM instructions: “xor ebp, ebp – jmp KiSystemServiceAccessTeb”. This behavior is binded with a bad trust of user-mode data done by Windows kernel exception handling routine.
For all nitty-gritty details I advise readers to explore Mateusz blog available at http://j00ru.vexillium.org/.
Even Alex Ionescu presentation was really interesting: it has found an exploitable implementation in every MAC SMC chips. The System Management Controller I/O Chip is a 200 Mhz 16-bit processor present in every MAC systems tied with its UEFI boot loader. It manages light sensors, FAN, stores FileVault key, regulates current and voltage, and so on… Everyone can update it, but you can’t read from it. It works in this manner: you read, write, execute access to “Keys”. Alex has found 2 nasty keys (KPPW and KPST), that if exploited well, using “Harry potter” spell (yes, you have read the good term), allow you to reprogram entire SMC chip. However this research is still in progress…
I’m quite sure that I would like to present some of my works in one of the future conference like this one. Speaking with conference organizers (and even with researchers) has pinpointed that I could be a good candidate for showing my works done in Saferbytes labs.. I really hope that this idea can be right! (I need just the time to perfect my english 😉 )
Attached this post there is even a screenshot of my present work… However I can’t still say no words about it now… Stay tuned!