Analysis of the Attack Surface of Windows 10 Virtualization-Based Security

Presented at Black Hat USA 2016, Aug. 4, 2016, 11 a.m. (50 minutes).

In Windows 10, Microsoft introduced virtualization-based security (VBS), a set of security solutions based on a hypervisor. In this presentation, we will talk about the details of the VBS implementation and assess its attack surface, which is very different from that of other virtualization solutions. We will focus on the potential issues resulting from the underlying platform complexity (UEFI firmware being a primary example). Besides a lot of theory, we will also demonstrate actual exploits: one against VBS itself and one against vulnerable firmware. The former is non-critical (it provides a bypass of one of the VBS features); the latter is critical. Before attending, one is encouraged to review the two related talks from Black Hat USA 2015: "Battle of the SKM and IUM: How Windows 10 Rewrites OS Architecture" and "Defeating Pass-the-Hash: Separation of Powers."

Presenters:

  • Rafal Wojtczuk - Bromium
    Rafal Wojtczuk has over 15 years of experience with computer security. Specializing primarily in kernel and virtualization security, over the years, he has disclosed many security vulnerabilities in popular operating system kernels and virtualization software. He is also well known for his articles on advanced exploitation techniques, including novel methods for exploiting buffer overflows in partially randomized address space environments. Recently, he was researching advanced Intel security-related technologies, particularly TXT and VT-d. He is also the author of libnids, a low-level packet reassembly library. He holds a master's degree in Computer Science from the University of Warsaw.
