MORE SHADOW WALKER: THE PROGRESSION OF TLB-SPLITTING ON X86, presented at Black Hat USA 2014

by Jacob Torrey

Summary: This talk will cover the concept of translation lookaside buffer (TLB) splitting for code hiding, how the evolution of the Intel x86 architecture has rendered previous techniques obsolete, and new techniques for performing TLB-splitting on modern hardware. After the requisite background is provided, a timeline will show how TLB-splitting was used for both defensive (PaX memory protections) and offensive (Shadow Walker root-kit) purposes, and how the new Intel Core i-series processors fundamentally changed the TLB architecture, breaking those technologies. The talk will then move to the new research: the author's method for splitting a TLB on Core i-series and newer processors, and how it can again be used for defensive (MoRE code-injection detection) and offensive (EPT Shadow Walker root-kit) purposes.
After the timeline, details will be given on how TLB-splitting is performed and leveraged by the EPT Shadow Walker root-kit to present one version of memory to defensive tools for validation and a different (and possibly malicious) version to the CPU for execution, effectively hiding a root-kit from anti-virus or anti-patching systems. A demo of this memory changing and hiding will be shown, and results from the research will be presented.