In this paper, the author discusses the many challenges and problems concerning user-mode callbacks in win32k. In particular, they show how win32k’s dependency on global locks in providing a thread-safe environment does not integrate well with the concept of user-mode callbacks. Although many vulnerabilities related to user-mode callbacks have been addressed, their complex nature suggests that more subtle flaws might still be present in win32k. Thus, in an effort to mitigate some of the more prevalent bug classes, they conclusively provide some suggestions as to how users may protect themselves against future kernel attacks.
You can download it from the following link: https://packetstormsecurity.com/files/download/120548/mandt-win32k-paper.pdf
Source: https://packetstormsecurity.com/files/120548/Kernel-Attacks-Through-User-Mode-Callbacks.html