Divide et Impera: MemoryRanger Runs Drivers in Isolated Kernel Spaces

Presented at Black Hat Europe 2018, Dec. 5, 2018, 11:45 a.m. (50 minutes)

In Windows 10, Microsoft is introducing a new memory protection concept: Windows Defender Device Guard, which provides code integrity for all modules in the kernel-mode, while PatchGuard prevents patching the kernel. These features do not protect the kernel-mode memory completely. Malware can steal and modify allocated memory of third-party drivers without any BSOD. Also, elevating process privileges by patching EPROCESS.Token does not cause a BSOD. The reason for that is that kernel-mode drivers share the same memory space with the rest of the kernel. Security researchers are trying to fill this gap. For example "LKRG" provides only code integrity without any protection of allocated memory, while AllMemPro protects allocated memory but not the code. "LKM guard" does not restrict the OS kernel. "Hypernel" provides kernel integrity, but only for limited kernel objects. The goal is to move kernel-mode drivers into separate memory enclosures. This is possible by applying VT-x and EPT features. As a result, guest-physical addresses are translated by traversing a set of EPT paging structures. The EPT feature provides trapping memory access attempts, redirecting them, as well as allocating several EPT structures with various access configurations. This idea is implemented in MemoryRanger (MR) in the following way: Initially MR allocates the default EPT structure and puts all loaded drivers and kernel inside it. After a new driver is loaded, MR allocates and configures a new EPT structure so that only this new driver and OS kernel are executed here. Each time after this driver allocates memory MR updates all EPTs: the allocated memory is accessible only for this driver, while all other EPTs exclude this memory. MR skips the legal memory access attempts and prevents the illegal ones. MR isolates execution of drivers by switching between EPTs. The source code and demo of MemoryRanger are here – https://github.com/IgorKorkin/MemoryRanger, https://www.youtube.com/watch?v=IMePtijD3TY&vq=hd1080.

Presenters:

• Igor Korkin - Independent Researcher, \
  Igor Korkin, Ph.D. is a security researcher from Moscow, Russia. He graduated from National Research Nuclear University MEPhI (Moscow Engineering Physics Institute), Department of Cryptology and Cyber Security (#42). His thesis dealt with the detection of hidden hardware-based hypervisors. He has been in cybersecurity for about 10 years researching rootkits detection, memory forensics, and Windows OS Kernel security. His results were presented at five ADFSL conferences in the USA and once at REcon in Canada. He is a fan of cross-disciplinary academic research in cybersecurity and he is looking for a team to do new research and present the results.

Links:

• https://www.blackhat.com/eu-18/briefings/schedule/#divide-et-impera-memoryranger-runs-drivers-in-isolated-kernel-spaces-12668
• https://infocon.org/cons/Black Hat/Black Hat Europe/Black Hat Europe 2018/Divide et Impera MemoryRanger Runs Drivers in Isolated Kernel Spaces.mp4
• https://infocon.org/cons/Black Hat/Black Hat Europe/Black Hat Europe 2018/Divide et Impera MemoryRanger Runs Drivers in Isolated Kernel Spaces.eng.srt (subtitles)
• https://www.youtube.com/watch?v=NK_h9nwa3Vo

Similar Presentations:

• REcon 2006 / Subverting Windows 2003 SP1 Kernel Integrity Protection
• DEF CON 27 (2019) / Get off the Kernel if you can't Drive
• REcon 2016 / Monitoring & controlling kernel-mode events by HyperPlatform