Abstract

UNFORTUNATELY, INTEL HAS DISALLOWED NIKITA AND RODRIGO FROM PRESENTING THIS PAPER
Graphics technologies expose a large number of APIs in kernel-mode drivers that must be reachable from ring 3 code. Whether you are creating a resource for a video game or for a video player, you end up using one of the low-level functions that the Windows Display Driver Model (WDDM) provides for talking to the kernel driver. Graphics operations are intensive, complex, and accessible to an unprivileged user. This research focuses on how to find vulnerabilities in the low-level, common ring 3 to ring 0 interactions defined by WDDM and exposed through the GDI user-mode library (gdi32). In this presentation we will show fuzzing statistics, methodologies, and vulnerabilities found in Intel, NVIDIA and ATI drivers.
By dumb fuzzing we have already found several BSODs in ATI, NVIDIA and Intel drivers. We are now moving to a smarter fuzzing strategy while continuing to reverse engineer these drivers to find other exploitable flaws. This analysis was done on the interface between gdi32 and the kernel, but the DirectX runtimes are the real target: we will present the riskiest interactions from the DX runtime that end up with the kernel processing user-supplied data.
DirectX, and in general any graphics library that uses the GPU to do its job, shares and moves a lot of information between user-mode and kernel-mode code: surfaces, configuration for render operations, pixel formats. Many of these operations require allocations in GPU memory and are handled by vendor-specific code that must validate its input carefully. Another attack vector is the buffer that Microsoft's public documentation calls pPrivateDriverData. It is handed to the driver so that the user-mode and kernel-mode parts of a vendor's driver can communicate in a closed, vendor-specific format that the DX/Microsoft runtime cannot check. We will also present results from our research on this path.
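The dumb-fuzzing approach the abstract describes, in working form, as an added example that is not the authors' harness: user mode reaches a vendor's private escape handler through gdi32's D3DKMTEscape with Type = D3DKMT_ESCAPE_DRIVERPRIVATE, and the runtime passes pPrivateDriverData straight through, so the kernel-mode driver's own length and content checks are the only thing between random bytes and ring 0. The mutation engine (seeded PRNG, boundary-biased length chooser, buffer filler) is portable and builds anywhere; the Windows part is guarded by `#ifdef _WIN32`. Assumptions of this example: the struct layouts are transcribed from d3dkmthk.h and should be replaced by the SDK header when available, the boundary-size list, the 64 KiB cap and the log file name are choices made here, and the adapter is the primary display opened via GetDC(NULL).

```c
/* Dumb fuzzer for the WDDM escape path (gdi32!D3DKMTEscape -> dxgkrnl -> DxgkDdiEscape).
 * Added example, not the authors' harness. Portable part: seeded PRNG, boundary-biased
 * length chooser, buffer filler. Windows part (#ifdef _WIN32): opens the primary adapter
 * and passes mutated pPrivateDriverData buffers with Type = D3DKMT_ESCAPE_DRIVERPRIVATE. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FUZZ_BUF_MAX 0x10000u   /* 64 KiB scratch buffer; cap chosen for this example */

/* xorshift64*: deterministic, so a crashing case is replayable from (seed, iteration). */
typedef struct { uint64_t s; } fuzz_rng;
static void rng_seed(fuzz_rng *r, uint64_t seed) { r->s = seed ? seed : 0x9E3779B97F4A7C15ULL; }
static uint64_t rng_next(fuzz_rng *r) {
    uint64_t x = r->s;
    x ^= x >> 12; x ^= x << 25; x ^= x >> 27;
    r->s = x;
    return x * 0x2545F4914F6CDD1DULL;
}

/* Lengths that a kernel-side size check is most likely to get wrong (list chosen here). */
static const uint32_t boundary_sizes[] = { 0, 1, 3, 4, 7, 8, 12, 16, 31, 32, 0xFF, 0x100,
                                           0xFFF, 0x1000, 0x1001, 0xFFFF, 0x10000 };

/* Half the draws pick a boundary length, the rest are uniform; result never exceeds max. */
static uint32_t pick_size(fuzz_rng *r, uint32_t max) {
    uint64_t v = rng_next(r);
    if (v & 1) {
        uint32_t s = boundary_sizes[(v >> 8) % (sizeof boundary_sizes / sizeof boundary_sizes[0])];
        return s < max ? s : max;
    }
    return (uint32_t)((v >> 16) % ((uint64_t)max + 1));
}

/* Fills exactly len bytes; bytes past len are left untouched. */
static void fill_random(fuzz_rng *r, uint8_t *buf, uint32_t len) {
    for (uint32_t i = 0; i < len; i += 8) {
        uint64_t v = rng_next(r);
        memcpy(buf + i, &v, (len - i < 8) ? len - i : 8);
    }
}

/* One fuzz case; the order of PRNG draws here is the replay contract. */
typedef struct { uint32_t len; uint32_t flags; } fuzz_case;
static fuzz_case next_case(fuzz_rng *r, uint8_t *buf, uint32_t max) {
    fuzz_case c;
    c.len = pick_size(r, max);
    fill_random(r, buf, c.len);
    c.flags = (uint32_t)(rng_next(r) & 1);   /* D3DDDI_ESCAPEFLAGS.HardwareAccess bit */
    return c;
}

/* Self-check of the mutation engine: determinism, length bound, and write containment. */
static int mutation_selftest(uint64_t seed) {
    fuzz_rng a, b; uint8_t ba[72], bb[72];
    rng_seed(&a, seed); rng_seed(&b, seed);
    for (int i = 0; i < 500; i++) {
        memset(ba, 0xAA, sizeof ba); memset(bb, 0xAA, sizeof bb);
        fuzz_case ca = next_case(&a, ba, 64), cb = next_case(&b, bb, 64);
        if (ca.len != cb.len || ca.flags != cb.flags || ca.len > 64) return 0;
        if (memcmp(ba, bb, sizeof ba) != 0 || ba[64] != 0xAA) return 0;
    }
    return 1;
}

#ifdef _WIN32
#include <windows.h>
#include <io.h>
/* Layouts transcribed from d3dkmthk.h (assumption); prefer the SDK header when available. */
typedef UINT D3DKMT_HANDLE;
typedef struct { HDC hDc; D3DKMT_HANDLE hAdapter; LUID AdapterLuid; UINT VidPnSourceId; } KMT_OPENADAPTERFROMHDC;
typedef struct { D3DKMT_HANDLE hAdapter; D3DKMT_HANDLE hDevice; UINT Type; UINT Flags;
                 VOID *pPrivateDriverData; UINT PrivateDriverDataSize; D3DKMT_HANDLE hContext; } KMT_ESCAPE;
typedef struct { D3DKMT_HANDLE hAdapter; } KMT_CLOSEADAPTER;
typedef LONG (APIENTRY *fn_open_t)(KMT_OPENADAPTERFROMHDC *);
typedef LONG (APIENTRY *fn_escape_t)(const KMT_ESCAPE *);
typedef LONG (APIENTRY *fn_close_t)(const KMT_CLOSEADAPTER *);

static int run_escape_fuzz(uint64_t seed, unsigned iterations) {
    HMODULE gdi = LoadLibraryA("gdi32.dll");
    fn_open_t open_adapter = (fn_open_t)GetProcAddress(gdi, "D3DKMTOpenAdapterFromHdc");
    fn_escape_t escape = (fn_escape_t)GetProcAddress(gdi, "D3DKMTEscape");
    fn_close_t close_adapter = (fn_close_t)GetProcAddress(gdi, "D3DKMTCloseAdapter");
    if (!open_adapter || !escape || !close_adapter) return 1;
    KMT_OPENADAPTERFROMHDC oa = {0};
    oa.hDc = GetDC(NULL);                       /* primary display adapter */
    if (open_adapter(&oa) != 0) return 2;       /* non-zero NTSTATUS = failure */
    uint8_t *buf = malloc(FUZZ_BUF_MAX);
    FILE *log = fopen("escape_fuzz.log", "a");  /* after a BSOD its last line is the crashing case */
    fuzz_rng r; rng_seed(&r, seed);
    for (unsigned i = 0; i < iterations; i++) {
        fuzz_case c = next_case(&r, buf, FUZZ_BUF_MAX);
        KMT_ESCAPE e = {0};
        e.hAdapter = oa.hAdapter; e.Type = 0;   /* 0 = D3DKMT_ESCAPE_DRIVERPRIVATE */
        e.Flags = c.flags; e.pPrivateDriverData = buf; e.PrivateDriverDataSize = c.len;
        fprintf(log, "seed=%llu iter=%u len=%u flags=%u\n", (unsigned long long)seed, i, c.len, c.flags);
        fflush(log); _commit(_fileno(log));      /* force to disk before the kernel call */
        if (escape(&e) == 0) printf("iter %u: driver accepted len=%u (STATUS_SUCCESS)\n", i, c.len);
    }
    KMT_CLOSEADAPTER ca = { oa.hAdapter }; close_adapter(&ca);
    fclose(log); free(buf);
    return 0;
}
#endif

int main(int argc, char **argv) {
    uint64_t seed = argc > 1 ? strtoull(argv[1], NULL, 0) : 1;
    unsigned iterations = argc > 2 ? (unsigned)strtoul(argv[2], NULL, 0) : 100000;
#ifdef _WIN32
    return run_escape_fuzz(seed, iterations);
#else
    (void)iterations; printf("mutation selftest: %s\n", mutation_selftest(seed) ? "ok" : "FAIL");
    return 0;
#endif
}
```

Run it only in a VM with a kernel debugger attached: a hit is a BSOD, and the committed log line (seed, iteration) is what lets you rebuild the exact buffer. Expect most cases to die in the driver's first length or header check; that is why the abstract's next step, seeding the private-data format from reverse engineering of the vendor's user-mode driver, finds deeper bugs than random bytes.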