The Linux Kernel Hidden Inside Windows 10

Presented at Black Hat USA 2016, Aug. 3, 2016, 10:20 a.m. (50 minutes)

Initially known as "Project Astoria" and delivered in beta builds of Windows 10 Threshold 2 for Mobile, Microsoft implemented a full blown Linux 3.4 kernel in the core of the Windows operating system, including full support for VFS, BSD Sockets, ptrace, and a bonafide ELF loader. After a short cancellation, it's back and improved in Windows 10 Anniversary Update ("Redstone"), under the guise of Bash Shell interoperability. This new kernel and related components can run 100% native, unmodified Linux binaries, meaning that NT can now execute Linux system calls, schedule thread groups, fork processes, and access the VDSO! As it's implemented using a full-blown, built-in, loaded-by-default, Ring 0 driver with kernel privileges, this not a mere wrapper library or user-mode system call converter like the POSIX subsystem of yore. The very thought of an alternate virtual file system layer, networking stack, memory and process management logic, and complicated ELF parser and loader in the kernel should tantalize exploit writers - why choose from the attack surface of a single kernel, when there's now two? But it's not just about the attack surface - what effects does this have on security software? Do these frankenLinux processes show up in Procmon or other security drivers? Do they have PEBs and TEBs? Is there even an EPROCESS? And can a Windows machine, and the kernel, now be attacked by Linux/Android malware? How are Linux system calls implemented and intercepted? As usual, we'll take a look at the internals of this entirely new paradigm shift in the Windows OS, and touch the boundaries of the undocumented and unsupported to discover interesting design flaws and abusable assumptions, which lead to a wealth of new security challenges on Windows 10 Anniversary Update ("Redstone") machines.

Presenters:

• Alex Ionescu - CrowdStrike, Inc.
  Alex Ionescu is the founder of Winsider Seminars & Solutions Inc., specializing in low-level system software for administrators and developers as well as reverse engineering and security training for various organizations. He was a coauthor of the Windows Internals series for the last two editions. From 2003-2007, Alex was the lead kernel developer for ReactOS, an open source clone of Windows XP/Server 2003 written from scratch, for which he wrote most of the Windows NT-based kernel. During his studies in Computer Science, Alex worked at Apple on the iOS kernel, boot loader, firmware, and drivers on the original core platform team behind the iPhone, iPad, and AppleTV. Returning to his Windows security roots, Alex is now Chief Architect at CrowdStrike, a security start-up focused on nation-state adversaries and other highly sophisticated actors. Alex continues to be very active in the security research community, discovering and reporting several vulnerabilities related to the Windows kernel and presenting talks at conferences such as Black Hat, SyScan, and Recon. His work has frequently led to the discovery of kernel/firmware/hypervisor vulnerabilities and design flaws, as well as to dozens of non-security bugs.

Links:

• https://www.blackhat.com/us-16/briefings.html#the-linux-kernel-hidden-inside-windows-10
• https://infocon.org/cons/Black Hat/Black Hat USA/Black Hat USA 2016/The Linux Kernel Hidden Inside Windows 10.mp4
• https://www.youtube.com/watch?v=36Ykla27FIo

Similar Presentations:

• Black Hat Europe 2016 / Attacking Windows by Windows
• REcon Brussels 2018 / Linux Vulnerabilities, Windows Exploits: Escalating Privileges with WSL
• Black Hat USA 2015 / Battle of the SKM and IUM: How Windows 10 Rewrites OS Architecture