Infiltrate Security Conference OPEN CFP


Bochspwn Revolutions: Further Advancements in Detecting Kernel Infoleaks with x86 Emulation

Exploit Development

In modern operating systems, most interactions between user-mode applications and the kernel take place on a very low level, using shared ring-3 memory and native C/C++ constructs like structures, unions, arrays and pointers. While very efficient, this makes the kernel code prone to a multitude of serious but well-concealed vulnerability classes, such as double fetches or disclosure of uninitialized memory. Thankfully, both types of issues can be effectively discovered with full-system instrumentation built on top of an x86 emulator. This was illustrated in 2013 by the original Bochspwn research – with over 30 exploitable double fetches reported to Microsoft together with Gynvael Coldwind – and later in 2017, by a revived version of the project, used to identify over 50 Windows kernel infoleaks so far. In this talk, we will discuss our latest advancements in the area of memory disclosure detection. The subjects will include the technical details behind implementing support for x64 kernel builds; an overview of a few dozen Windows infoleaks that have been found on the 64-bit platform; an analysis of kernel memory leaks to filesystems on mass storage devices; and finally an introduction of a relatively new and little-known type of infoleaks – double writes (as opposed to double fetches) – with real-life examples.



Interested in Speaking?

We are pleased to announce that the Call For Papers for INFILTRATE 2018 is now open. If you would like to present and have an offense-focused presentation with fresh content, please submit an abstract, bio and headshot to This information will be included on our Open CFP site, here, where the public can vote on which presentations they are most interested in seeing at INFILTRATE. The call for papers will close on December 14th, 2017. Shortly after this date, the winning speakers will be notified.

Some of the benefits of speaking at INFILTRATE are: