Breaking VSM by Attacking SecureKernel
Saar Amar | Security Researcher, MSRC
Daniel King | Security Researcher, MSRC
Date: Thursday, August 6 | 10:00am-10:40am
Format: 40-Minute Briefings
Tracks: Exploit Development, Cloud & Platform Security
Virtualization-based security (VBS) technologies continue to increase the world's dependency on the security of virtualization stacks. But like all software stacks, virtualization stacks are prone to vulnerabilities too.
In this talk, we will explain how we found and fixed two vulnerabilities in SecureKernel in Windows 10, a critical component at the core of the TCB (Trusted Computing Base) for Microsoft's VBS model. The vulnerabilities could allow an attacker to gain arbitrary code execution in VTL1, compromising the entire VBS model. We will also walk through our process for exploiting both vulnerabilities on the latest version of Windows (at the time of writing).
To understand these vulnerabilities, we will first discuss the technical differences in Windows between the normal world (VTL0) and the secure world (VTL1). The normal world is used for general application use, while the secure world is designed to be smaller yet more secure, and is used to ensure the integrity and security of the entire system. This difference in design is ultimately reflected in the implementation: the secure kernel customizes its memory and pool management, its process management, and even its security mitigations. State-of-the-art exploitation techniques from the normal-mode kernel may not carry over to the secure kernel, so we will demonstrate novel techniques suited to VSM exploitation in our talk.
Finally, we will share the takeaways Microsoft drew from this research, and explain our approach to hardening SecureKernel and VSM.
Black Hat USA 2020 hacking conference