The registry is a very prominent but largely unexplored local attack surface in the Windows kernel. It has all the qualities of an attractive research target: it is over 30 years old, written in C, highly complex, and generally reachable from unprivileged user-mode contexts. Furthermore, due to its design and role in the system, it features some interesting properties such as a custom memory allocator or a x86 page table-like structure (so-called cell map) used to allow references between chunks of data in the hive. This opens up the potential for a new type of memory safety violation, a "hive-based memory corruption", which corrupts the internal representation of an actively loaded hive in the system.
Over the course of the last two years, I have audited most of the registry-related code and identified over 50 security vulnerabilities, many of which resulted in hive memory corruption. All of them have been reported to Microsoft in line with the Google Project Zero disclosure policy and fixed accordingly. In this talk, I will focus on the offensive aspects of exploiting such bugs for local privilege escalation, showing how they can be effectively abused to achieve a reliable, arbitrary read/write capability, and compromise the system despite all modern kernel mitigations.
Mateusz works as a security researcher in the Google Project Zero team. His main areas of interest are client software security, vulnerability exploitation and mitigation techniques, and delving deep into operating system internals with a special emphasis on Microsoft Windows. He has spoken at numerous security conferences including Black Hat, REcon, Infiltrate, PacSec and 44CON.
