Breaking VSM by Attacking SecureKernel

Presented at Black Hat USA 2020 Virtual, Aug. 6, 2020, 10 a.m. (40 minutes)

Virtualization based security technologies (VBS) continue to increase the world's dependency on the security of virtualization stacks. But like all software stacks, virtualization stacks are prone to vulnerabilities too. <br /> <br /> In this talk, we will explain how we found and fixed two vulnerabilities in SecureKernel in Windows 10, which is a critical component of the core of the TCB (Trusted Computing Base) for Microsoft's VBS model. The vulnerabilities could allow an attacker to gain arbitrary code execution in VTL1, compromising the entire VBS model. We will also walk through our process to exploit both vulnerabilities on the latest version of Windows (at the time of writing).<br /> <br /> To understand these vulnerabilities, we will first discuss the technical differences in Windows between normal world (VTL0) and secure world (VTL1). Normal world is used for general application use, while secure world is designed to be smaller yet securer, which is used to ensure the integrity and security of the entire system. This difference in design is finally reflected on implementations, i.e. secure mode kernel customizes its memory and pool management, process management and even security mitigations. State-of-the-art exploitation techniques in normal mode kernel may not find their way here in secure kernel, novel techniques suitable for VSM exploit will be demonstrated in our talk.<br /> <br /> Finally, we will share the takeaways Microsoft had from this research, and explain our approach to harden SecureKernel and VSM.

Presenters:

• Daniel King - Security Researcher, MSRC
  Daniel King (@long123king) is now an MSRC Senior Security Engineer. He does hypervisor and kernel pen-test mainly by fuzzing and he invents small wheels related to security. Before Microsoft, he worked at Tencent Keen Lab and Trend Micro. He has been in the security industry for over eight years. He won Pwn2Own 2016 Edge project, which made him a member of "Master of Pwn." He won MSRC Nano Server Bounty and he has spoken at ZeroNights, Ruxcon, CodeBlue, and OffensiveCon.
• Saar Amar - Security Researcher, MSRC
  Saar Amar is an e<span>xpert security researcher in</span><strong> </strong><span>MSRC and is proficient in vulnerability research and exploitation. He is highly experienced in reverse engineering, low-level/internals, and cloud security. He found and reliably exploited major vulnerabilities in different operating systems, hypervisors, and browsers. He currently is focusing on mitigations research and VBS. He speaks at international cybersecurity conferences around the world, and regularly publishes original research and findings.</span>

Links:

• https://www.blackhat.com/us-20/briefings/schedule/#breaking-vsm-by-attacking-securekernel-20382

Similar Presentations:

• Black Hat Asia 2017 / Fried Apples: Jailbreak DIY
• Still Hacking Anyway (SHA2017) / Parkour communications: How you can communicate, free running style, using nothing but the 'fixtures' of the Internet.
• Black Hat USA 2016 / Analysis of the Attack Surface of Windows 10 Virtualization-Based Security