Thursday, October 19, 2006

Vista RC2 vs. pagefile attack (and some thoughts about Patch Guard)

Eventually, after I got back home from some traveling, I had a chance to download Vista RC2 x64 and test it against the pagefile attack...

It quickly turned out that our exploit doesn’t work anymore! The reason: Vista RC2 now blocks write-access to raw disk sectors for user mode applications, even if they are executed with elevated administrative rights.

In my Subverting Vista Kernel speech, which I gave at several major conferences over the past few months, I discussed three possible solutions to mitigate the pagefile attack. Just to remind you, the solutions mentioned were the following:
1. Block raw disk access from usermode.
2. Encrypt pagefile (alternatively, use hashing to ensure the integrity of paged out pages, as it was suggested by Elad Efrat from NetBSD).
3. Disable kernel mode paging (sacrificing probably around 80MB of memory in the worst case).
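To make solution #2 concrete, here is an added toy model (not code from the original post, and not how any real kernel implements it) of a pager that keeps a keyed digest of every paged-out page in memory that is never itself paged out, and verifies that digest when the page is brought back in. The `IntegrityPager` class, its `verify` flag and the `tamper_pagefile` helper are all hypothetical names chosen for this illustration; the "pagefile" is a plain in-memory bytearray standing in for the on-disk file, and the tampering step simulates a raw-sector write that modifies the pagefile behind the memory manager's back.

```python
import hashlib
import hmac
import os

PAGE_SIZE = 4096


class PageIntegrityError(Exception):
    """Raised when a page read back from the pagefile no longer matches its digest."""


class IntegrityPager:
    """Toy model of a pager that authenticates paged-out pages.

    The HMAC key and the per-slot digests live in (simulated) non-paged memory,
    so an attacker who can only write to the pagefile on disk cannot recompute
    them.  With verify=False the pager behaves like an unprotected one and will
    happily hand back whatever is on disk.
    """

    def __init__(self, key=None, verify=True):
        self.key = key if key is not None else os.urandom(32)  # stays in RAM
        self.verify = verify
        self.pagefile = bytearray()  # constructed stand-in for the on-disk pagefile
        self.digests = {}            # slot -> HMAC-SHA256 of the page content

    def _digest(self, page: bytes) -> bytes:
        return hmac.new(self.key, page, hashlib.sha256).digest()

    def page_out(self, page: bytes) -> int:
        """Write one page to the pagefile and remember its digest; returns the slot."""
        if len(page) != PAGE_SIZE:
            raise ValueError("page must be exactly PAGE_SIZE bytes")
        slot = len(self.pagefile) // PAGE_SIZE
        self.digests[slot] = self._digest(page)
        self.pagefile += page
        return slot

    def page_in(self, slot: int) -> bytes:
        """Read a page back; with verification on, refuse to use a modified page."""
        start = slot * PAGE_SIZE
        page = bytes(self.pagefile[start:start + PAGE_SIZE])
        if self.verify and not hmac.compare_digest(self.digests[slot], self._digest(page)):
            raise PageIntegrityError(f"slot {slot} was modified on disk")
        return page


def tamper_pagefile(pager: IntegrityPager, slot: int, offset: int, data: bytes) -> None:
    """Simulate a raw-disk write into the pagefile, bypassing the pager entirely."""
    start = slot * PAGE_SIZE + offset
    pager.pagefile[start:start + len(data)] = data


def demo(verify: bool) -> dict:
    """Page out a constructed page, tamper with it on 'disk', and page it back in."""
    pager = IntegrityPager(key=b"\x01" * 32, verify=verify)  # fixed key for reproducibility
    original = b"\x90" * PAGE_SIZE                           # constructed page content
    slot = pager.page_out(original)
    clean_ok = pager.page_in(slot) == original
    tamper_pagefile(pager, slot, 100, b"\xcc" * 4)
    try:
        restored = pager.page_in(slot)
    except PageIntegrityError:
        return {"clean_ok": clean_ok, "tamper_detected": True, "served_tampered": False}
    return {"clean_ok": clean_ok, "tamper_detected": False,
            "served_tampered": restored != original}


if __name__ == "__main__":
    print("with verification:   ", demo(verify=True))
    print("without verification:", demo(verify=False))
```

The point of the model is where the secret lives: the digests and the key are kept in memory the attacker cannot reach through the disk, so no amount of write access to raw sectors lets the modified page pass the check. Blocking raw disk writes (solution #1) only raises the bar for getting the bytes onto the disk; it does nothing about what happens once they are there.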

And I also made a clear statement that solution #1 is actually something which is a bad idea. I explained that if MS decided to disable write-access to raw disk sectors from usermode, not only that might cause some incompatibility problems (think about all those disk editors, un-deleters, etc…), but also that would not be a real solution to the problem…

Imagine a company wanting to release e.g. a disk editor. Now, with the blocked write access to raw disk sectors from usermode, the company would have to provide their own custom, but 100% legal, kernel driver for allowing their, again 100% legal, application (disk editor), to access those disk sectors, right? Of course, the disk editor's auxiliary driver would have to be signed – after all it’s a legal driver, designed for legal purposes and ideally having neither implementation nor design bugs! But, on the other hand, there is nothing which could stop an attacker from “borrowing” such a signed driver and using it to perform the pagefile attack. The point here is, again, there is no bug in the driver, so there is no reason for revoking a signature of the driver. Even if we discovered that such driver is actually used by some people to conduct the attack!

But it seems that MS actually decided to ignore those suggestions and implemented the easiest solution, ignoring the fact that it really doesn’t solve the problem…

Actually, if we weren't such nice guys, we could develop a disk editor together with a raw-disk-access kernel driver, then sign it and post it on COSEINC's website. But we're the good guys, so I guess somebody else will have to do that instead ;)

Kernel Protection vs. Kernel Patch Protection (Patch Guard)


Another thing - lots of people confuse kernel protection (i.e. the policy for allowing only digitally signed kernel drivers to be loaded) with Kernel Patch Protection, also known as Patch Guard.

In short, pagefile attack, which I demoed at SyScan/BlackHat is a way to load unsigned code into kernel, thus it’s a way to bypass Vista kernel protection. Bypassing kernel patch protection (Patch Guard) is a different story. E.g. Blue Pill, a piece of malware which abuses AMD Pacifica hardware virtualization, which I also demoed during my talk, “bypasses” PG. The word “bypass” is a little bit misleading here though, as the BP does not make any special effort to disable or bypass PG explicitly, it simply doesn’t care about PG, because it’s located above (or below, depending on where your eyes are located) the whole operating system, including PG. Yes, it’s that simple :)

Also, almost any malware of type II (see my BH Federal talk for details about this malware classification) is capable of “bypassing” PG, simply because PG is not designed to detect changes introduced by type II malware. So, e.g. deepdoor, a backdoor which I demonstrated in January at BH Federal, is undetectable by PG. Again, not a big deal – it’s just that PG was not designed to detect type II malware (nor type III, like BP). So, I'm a little bit surprised to hear people talking about "how hard would it be to bypass PG...", as that is something which has been done already (and I'm not referring to Metasploit's explicit technique here) - you just need to design your malware as type II or type III and you're done!

But even that all being said, I still think that PG is actually a very good idea. PG should not be thought of as a direct security feature. PG's main task is to keep legal programs from acting like popular rootkits. Keeping malware away is not its main task. However, by ensuring that legal applications do not introduce rootkit-like tricks, PG makes it easier and more effective to create robust malware detection tools.

I spent a few years developing various rootkit detection tools and one of the biggest problems I came across was how to distinguish between a hooking introduced by a real malware and... a hooking introduced by some A/V products like personal firewalls and Host IDS/IPS programs. Many of the well known A/V products do use exactly the same hooking techniques as some popular malware, like rootkits! This is not good, not only because it may have potential impact on system stability, but, and this is the most important thing IMO, it confuses malware detection tools.

Patch Guard, the technology introduced in 64 bit versions of Windows XP and 2003 (yes, PG is not a new thing in Vista!) is a radical, but probably the only one, way to force software vendors to not use undocumented hooking in their products. Needless to say, there are other, documented ways to implement e.g. a personal firewall or an A/V monitor, without using those undocumented hooking techniques.

Just my 2 cents to the ongoing battle for Vista kernel...