attacking the windows kernel
play

Attacking the Windows Kernel Below The Root Jonathan Lindsay, - PowerPoint PPT Presentation

Aug 29, 2022 •305 likes •672 views

Attacking the Windows Kernel Below The Root Jonathan Lindsay, Reverse Engineer in extremis Introduction Limited to Windows, and aimed at IA32: Outline of protected mode and the kernel Attack vectors Useful tools Examples

  1. Attacking the Windows Kernel Below The Root Jonathan Lindsay, Reverse Engineer in extremis

  2. Introduction Limited to Windows, and aimed at IA32: • Outline of protected mode and the kernel • Attack vectors • Useful tools • Examples • Defensive measures • Future directions

  3. Architecture Overview

  4. A long time ago in a galaxy far, far away… The progression from Intel’s 8088 to 80386, via the 80286, added: • Page and segment level protection • Call, interrupt and task gates • Privileged and sensitive instructions • Four privilege levels underlying the protection mechanisms above • 32bit support

  5. The supervisor The NT kernel provides: • Segregation of user mode processes • Protection of the kernel from user mode • Provide services to user mode and other kernel mode code • Session management and the Windows graphics subsystem

  6. The NT kernel • System call and DeviceIoControl covered • Graphics drivers – Display driver – Miniport driver • NDIS and TDI • Port objects • Windows Driver Framework • Kernel mode callbacks • Hardware interfaces – Talking to hardware – Listening to hardware

  7. A plan of attack • Directly from user mode? – CPU bugs – Operating system design • Public APIs – StartService, DeviceIoControl, ExtEscape • Undocumented APIs – ZwSystemDebugControl, ZwSetSystemInformation • Architectural flaws • Bugs in code • Subverting operating system initialization • Modifying kernel modules on disk – Viruses – DLL (export driver) injection

  8. Tools of the trade

  9. Two different approaches • Dynamic analysis – Will not guarantee results – Fuzzing awkward to automate • Static analysis – Can be complicated and time consuming – Source code very helpful • Best results achieved by combining both

  10. Static analysis • Static driver verifier • PREFast • Disassembler • Windows Driver Kit – Documentation and header files

  11. Dynamic analysis • WinDbg • Driver verifier • Miscellaneous – WinObj – NtDispatchPoints – Rootkit Hook Analyzer

  12. Getting our hands dirty

  13. I have the tools, now what? • Poor access control • Trusting user supplied data – Pointers and lengths • Typical coding bugs – Boundary conditions – Off-by-one errors • Design flaws – Expose kernel functionality or data

  14. Reverse engineering • Knowing the correct entry points means code coverage can be guaranteed • Subtle bugs are easier to find - signedness • Memory overwrites are very easy to find • Highlight areas of code more suited to fuzzing • No need to analyze a crash dump • Lack of symbolic information may prove awkward

  15. CDFS DispatchDeviceControl

  16. Source code analysis • Access to source is not common • Source code and a suitable IDE will greatly improve auditing speed • Assumptions made by the coder may help hide subtle bugs • Tools are available to help speed up the process even further • grep FIXME –r *.*

  17. CDFS DispatchDeviceControl

  18. Getting a foot in the door Kernel targets we are interested in: • Static or object function pointers • Kernel variables - MmUserProbeAddress • Descriptor tables • Return address • Code from a kernel module • I/O access map from TSS • Kernel structures – process token, loaded module list, privilege LUIDs

  19. Real world examples

  20. NT kernel compression support • Kernel runtime library exports functions to support compression – Used by SMB and NTFS • Support routines take a parameter indicating what algorithm to use – Used as an index into a function table • The table only has 8 entries, whereas the maximum index allowed is 15 – We can treat code or data as a function pointer, potentially to a user mode address

  22. Trusting user input • The following code takes a pointer from a buffer supplied by the user and trusts it – Either a sign-extended kernel stack address or an internal handle will be written there • This can be used to overwrite other code or data, allowing arbitrary code execution • User supplied pointers into: – user mode should be validated – kernel mode should be opaque, e.g. a handle

  24. An architectural flaw • A function designed to allow the modification of arbitrary memory • Exposed to unprivileged users • Provided the internal data structure can be figured out, it is then easy to exploit • Either access control to the driver, or a different architecture is needed

  26. Defensive measures

  27. Current architecture • Parameter validation • Code signing – quality control? • PatchGuard • Moving functionality into user mode – UMDF, display drivers in Vista • Restricting access to APIs – User restrictions – Privilege restrictions – Process restrictions

  28. Alternative approaches • Hypervisor – Designed to help virtualization – Provides a layer beneath the supervisor – It could be used to provide a microkernel architecture • Microkernel – Does not require virtualization hardware – Minimizes the attack surface provided by the kernel – Increases flexibility with respect to service implementation – Microsoft’s Singularity microkernel is strongly typed and uses software based protection

  29. Future work

  31. Fuzzing • Application fuzzing unlikely to crash the OS • We need to automate crash recovery and analysis: – Run in a VM, but what about real hardware? – Have bugcheck callbacks – Modify the kernel itself • Fuzzing interfaces is greatly aided by some form of static analysis

  32. Virtualizing the kernel • Provide a user mode environment that looks the same as the kernel • Implement user mode compatible APIs where necessary • Provide basic I/O, PnP, Process Support and executive functionality • Trap and handle protected and privileged code execution • Add instrumentation for analysis and logging

  33. Automated binary analysis • Model basic CPU functionality – Instead of processing a specific value, instructions work on a defined range – Instructions can modify the range stored in a register • Allows all code paths to be assessed – Large state space • Determine ranges of values that will hit certain pieces of code • Heuristic bug detection

  34. In conclusion …

  35. Summary • Current NT kernel architecture increases the likelihood of security issues • Debatable how much effort has gone into securing kernel code • Some areas of the kernel have not received much attention • There is plenty of scope for further research and tool development

  36. Questions? Thanks

Recommend

System Programming in Windows Naming in Windows: Kernel Objects and Kernel Object Handles

System Programming in Windows Naming in Windows: Kernel Objects and Kernel Object Handles

CSCE Intro to Computer Systems System Programming in Windows System Programming in Windows Naming in Windows: Kernel Objects and Kernel Object Handles Processes, Jobs, Threads Synchronization Kernel Objects Whenever you want to

416 views • 13 slides
A look inside the Windows Kernel CVE-2011-1237 Evolution from XP to 8 Bruno Pujos

A look inside the Windows Kernel CVE-2011-1237 Evolution from XP to 8 Bruno Pujos

A look inside the Windows Kernel Bruno Pujos Introduction Basics of Windows Kernel A look inside the Windows Kernel CVE-2011-1237 Evolution from XP to 8 Bruno Pujos CVE-2013-3660 Conclusion LSE July 18, 2013 Plan A look inside the

1.55k views • 95 slides
GDI Font Fuzzing in Windows Kernel for Fun Kernel for Fun Lee Ling Chuan & Chan Lee Yee

GDI Font Fuzzing in Windows Kernel for Fun Kernel for Fun Lee Ling Chuan & Chan Lee Yee

GDI Font Fuzzing in Windows Kernel for Fun Kernel for Fun Lee Ling Chuan & Chan Lee Yee Ministry of Science, Technology and Innovation Agenda Agenda Introduction TrueType Font (.TTF) TTF Fuzzer Exploit Demonstration MS11

788 views • 65 slides
Win32k Dark Composition Attacking the Shadow Part of Graphic Subsystem Peng Qiu (@pgboy) SheFang

Win32k Dark Composition Attacking the Shadow Part of Graphic Subsystem Peng Qiu (@pgboy) SheFang

Win32k Dark Composition Attacking the Shadow Part of Graphic Subsystem Peng Qiu (@pgboy) SheFang Zhong (@zhong_sf) @360Vulcan Team About US Member of 360 vulcan team. Windows kernel security researcher Pwn2Own winners 2015 .pwned IE pwn2own

1.29k views • 54 slides
Roadmap for Section B A Brief History of Windows and Linux Comparing the Windows and Linux kernel

Roadmap for Section B A Brief History of Windows and Linux Comparing the Windows and Linux kernel

Unit OS B: Comparing the Linux and Windows Kernels Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Roadmap for Section B A Brief History of Windows and Linux Comparing the Windows and Linux

430 views • 25 slides
1. 2. 3. 1. 2. 3. Windows 10 IoT Core Universal Windows Platform (UWP) Microsoft Azure v7

1. 2. 3. 1. 2. 3. Windows 10 IoT Core Universal Windows Platform (UWP) Microsoft Azure v7

1. 2. 3. 1. 2. 3. Windows 10 IoT Core Universal Windows Platform (UWP) Microsoft Azure v7 v8 Windows Embedded Standard One core Multiple SKUs v8. Windows Embedded 1 Windows 10 Windows Embedded Handheld Converged OS kernel Converged

1.08k views • 60 slides
Revisiting iOS Kernel (In)Security: Attacking the Early Random PRNG Tarjei Mandt CanSecWest 2014

Revisiting iOS Kernel (In)Security: Attacking the Early Random PRNG Tarjei Mandt CanSecWest 2014

Revisiting iOS Kernel (In)Security: Attacking the Early Random PRNG Tarjei Mandt CanSecWest 2014 tm@azimuthsecurity.com @kernelpool About Me Senior Security Researcher at Azimuth Security Masters degree in Information Security

1.24k views • 76 slides
Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat

Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat

Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat Researcher at Trend Micro- research and blogger on criminal underground, persistent threats,

792 views • 44 slides
Windows Kernel Reference Count Vulnerabilities - Case Study Mateusz "j00ru" Jurczyk @

Windows Kernel Reference Count Vulnerabilities - Case Study Mateusz "j00ru" Jurczyk @

Windows Kernel Reference Count Vulnerabilities - Case Study Mateusz "j00ru" Jurczyk @ ZeroNights E.0x02 November 2012 PS C:\Users\j00ru> whoami nt authority\system Microsoft Windows internals fanboy Also into reverse

976 views • 80 slides
Kernel Pool Exploitation on Windows 7 Tarjei Mandt | Black Hat DC 2011 About Me Security

Kernel Pool Exploitation on Windows 7 Tarjei Mandt | Black Hat DC 2011 About Me Security

Kernel Pool Exploitation on Windows 7 Tarjei Mandt | Black Hat DC 2011 About Me Security Researcher at Norman Malware Detection Team (MDT) Interests Vulnerability research Operating systems internals Exploit mitigations

2.17k views • 100 slides
Windows Kernel Trap Handler and NTVDM Vulnerabilities Case Study Mateusz "j00ru"

Windows Kernel Trap Handler and NTVDM Vulnerabilities Case Study Mateusz "j00ru"

Windows Kernel Trap Handler and NTVDM Vulnerabilities Case Study Mateusz "j00ru" Jurczyk ZeroNights 2013 E.0x03 Moscow, Russia Introduction Mateusz j00ru Jurczyk Information Security Engineer @ Extremely into Windows

1.11k views • 110 slides
Windows Not just for houses Windows 1-10 Windows Server Essentially a jacked up windows 8 box

Windows Not just for houses Windows 1-10 Windows Server Essentially a jacked up windows 8 box

Windows Not just for houses Windows 1-10 Windows Server Essentially a jacked up windows 8 box - Still GUI based - Still makes no sense - No start menu :( - (Install classic shell)... trust me... Windows Server What can it do? - Email

1.06k views • 37 slides
SAP Security: Attacking SAP users Attacking SAP users with sapsploit eXtended 1.1 Xt d d 1 1

SAP Security: Attacking SAP users Attacking SAP users with sapsploit eXtended 1.1 Xt d d 1 1

SAP Security: Attacking SAP users Attacking SAP users with sapsploit eXtended 1.1 Xt d d 1 1 Alexander @sh2kerr Polyakov. PCI QSA,PA-QSA 11 We change look but we keep mind Company Digital Security Research Group International

924 views • 59 slides
Platform Convergence Journey Windows Embedded Standard 7 Windows Embedded Standard 8 Converged

Platform Convergence Journey Windows Embedded Standard 7 Windows Embedded Standard 8 Converged

Platform Convergence Journey Windows Embedded Standard 7 Windows Embedded Standard 8 Converged OS kernel Windows Embedded 8.1 Windows Embedded 8 Converged app model Windows 10 Windows Embedded 8.1 Windows Embedded 8 Handheld Handheld

792 views • 29 slides
Windows Not Just For Houses Everyone Uses Windows! Versions of Windows 10 There are multiple

Windows Not Just For Houses Everyone Uses Windows! Versions of Windows 10 There are multiple

Windows Not Just For Houses Everyone Uses Windows! Versions of Windows 10 There are multiple different versions of Windows 10 that support different features The version of Windows that we will be using is Enterprise edition This

973 views • 53 slides
Rainbow over the Window(s) ... more colors than you could expect $whoami Peter Daniel

Rainbow over the Window(s) ... more colors than you could expect $whoami Peter Daniel

Rainbow over the Window(s) ... more colors than you could expect $whoami Peter Daniel @zer0mem @long123king Windows kernel research at Windows kernel research at KeenLab, Tencent KeenLab, Tencent pwn2own winner (2015

1.12k views • 52 slides
Windows 8 Heap Internals Windows 8 Heap Internals Windows 8 Heap Internals INTRODUCTION Windows 8

Windows 8 Heap Internals Windows 8 Heap Internals Windows 8 Heap Internals INTRODUCTION Windows 8

Windows 8 Heap Internals Windows 8 Heap Internals Windows 8 Heap Internals INTRODUCTION Windows 8 Heap Internals Who Chris Valasek (@nudehaberdasher) Sr. Research Scientist Coverity Tarjei Mandt (@kernelpool) Vulnerability

1.33k views • 91 slides
0-to-hero 07/10 Mentors <> 07/10 Sessions Me Kernel

0-to-hero 07/10 Mentors <> 07/10 Sessions Me Kernel

0-to-hero 07/10 Mentors <> 07/10 Sessions Me Kernel developer(Windows/Linux/Own)/Microarchitecture geek (Intel)/Security Researcher (Lenovo, Microsoft, Mysql, Python etc.)/ Software Engineer Architect/Hardware Engineer (FPGA, ASIC,

300 views • 12 slides
Public FPGA based DM Public FPGA based DMA Atta A Attacking king UlfFrisk Agenda Background

Public FPGA based DM Public FPGA based DMA Atta A Attacking king UlfFrisk Agenda Background

Public FPGA based DM Public FPGA based DMA Atta A Attacking king UlfFrisk Agenda Background and Previous work Transmit and Receive PCIe TLPs DUMP memory FPGA Design Attack vulnerable vanilla Linux system Attack vulnerable UEFI Windows

359 views • 19 slides
mc-a ISSUED DATE McAlpine Architecture PC (T) E-mail: 34-26 Street 212.366 .0700

mc-a ISSUED DATE McAlpine Architecture PC (T) E-mail: 34-26 Street 212.366 .0700

WINDOWS TO BE REPLACED, APT. 508/509 UPPER SASH OF BATHROOM WINDOW WINDOWS TO BE REPLACED, APT. 508/509 WINDOWS TO BE REPLACED, APT. 508/509 WINDOWS TO BE REPLACED, APT. 508/509 WITH LOUVER IN PLACE OF GLASS FOR A/C mc-a mc-a mc-a mc-a

217 views • 8 slides
Windows NT Security Windows 95, 3.1, 3.11 are basically DOS and they have no security

Windows NT Security Windows 95, 3.1, 3.11 are basically DOS and they have no security

Windows NT Security Windows 95, 3.1, 3.11 are basically DOS and they have no security whatsoever. Windows NT has security features, especially as a computer in a network. Security of Windows NT should be understood correctly. In

592 views • 31 slides
Emulating Windows file serving on POSIX Jeremy Allison Samba Team jra@samba.org But isn't it

Emulating Windows file serving on POSIX Jeremy Allison Samba Team jra@samba.org But isn't it

Wider World Opening Windows to a Emulating Windows file serving on POSIX Jeremy Allison Samba Team jra@samba.org But isn't it easy ? Wider World Opening Windows to a Just take a kernel, add your own file system and.. Not if you don't own

549 views • 30 slides
Tight Kernel Query Complexity of Kernel Ridge Regression and Kernel -means Clustering Manuel

Tight Kernel Query Complexity of Kernel Ridge Regression and Kernel -means Clustering Manuel

Tight Kernel Query Complexity of Kernel Ridge Regression and Kernel -means Clustering Manuel Fernndez V, David P. Woodruff, Taisuke Yasuda Kernel Method Many machine learning tasks can be expressed as a function of the inner product

389 views • 22 slides
Windows 8/RT and Wine Admittedly not usually ARM-specific Ridiculous Terminology MS

Windows 8/RT and Wine Admittedly not usually ARM-specific Ridiculous Terminology MS

Windows 8/RT and Wine Admittedly not usually ARM-specific Ridiculous Terminology MS introduced a mess of new terms for Windows 8, and I have to go through them so we dont get confused. Windows RT: An edition of Windows 8 that runs on

389 views • 8 slides

More recommend