I will be speaking at this year's BlackHat conference in Las Vegas August 6-7 about some of my DARPA Cyber Fast Track work "MoRE: Measurement of Running Executables". Below is a short synopsis of the briefing:
This talk will cover the concept of translation lookaside buffer (TLB) splitting for code hiding, how the evolution of the Intel x86 architecture has rendered previous techniques obsolete, and new techniques for performing TLB-splitting on modern hardware. After the requisite background is provided, a timeline will show how TLB-splitting was used for both defensive (PaX memory protections) and offensive purposes (Shadow Walker root-kit), and how the new Intel Core i-series processors fundamentally changed the TLB architecture, breaking those technologies. The talk will then move to the new research: the author's method for splitting a TLB on Core i-series and newer processors, and how it can again be used for defensive (MoRE code-injection detection) and offensive purposes (EPT Shadow Walker root-kit).
After the timeline, the talk will detail how TLB-splitting is performed and leveraged by the EPT Shadow Walker root-kit to present one version of memory to defensive tools for validation and a different (and possibly malicious) version to the CPU for execution, effectively hiding a root-kit from anti-virus or anti-patching systems. A demo of this memory changing and hiding will be shown, and results from the research will be presented.
Hope to see you out there for either BlackHat, BSidesLV or Defcon; I have submitted some other work to Defcon so I may be speaking there as well and should hear in the next few weeks. If you are attending any of the above and would like to meet up for a bite or a drink to chat, please do not hesitate to ping me on my Twitter (@JacobTorrey).
Cyber-security Philosopher and Boffin