Unknown Known DLLs and other Code Integrity Trust Violations: Breaking Signature Guarantees in Windows

Presented at REcon 2018, June 16, 2018, 4 p.m. (60 minutes)

This talk will go over a number of code integrity technologies in Windows, their implementation and guarantees, and the various system components that take dependencies on them. Numerous flaws in the robustness of code integrity checks against a privileged Administrator will be shown, and we’ll work backwards through a few demos to their implications for vendors and users taking similar dependencies (as well as the OS’s own components). To mount our attacks, we’ll be visiting a plethora of Windows Internals concepts, such as Protected Processes and their Light brethren, Trust SIDs and Trust ACEs, Trust Links in Tokens, Known DLLs and Section Object Mappings, as well as NTFS Extended Attributes and the USN Change Journal. The talk will focus on the implications for Anti-Cheat, Anti-Malware, Licensing (Anti-User) and Anti-Exploit technologies.


Presenters:

  • James Forshaw
    James is a security researcher in Google’s Project Zero. He has been involved with computer hardware and software security for over 10 years looking at a range of different platforms and applications. With a great interest in logical vulnerabilities he’s been listed as the #1 researcher for MSRC, as well as being a Pwn2Own and Microsoft Mitigation Bypass bounty winner. He has spoken at a number of security conferences including Black Hat USA, CanSecWest, Bluehat, HITB, and Infiltrate. He’s also the author of the book “Attacking Network Protocols” available from NoStarch Press.
  • Alex Ionescu
    Alex Ionescu is the Vice President of EDR Strategy at CrowdStrike, Inc., where he started as its Chief Architect almost six years ago. Alex is a world-class security architect and consultant expert in low-level system software, kernel development, security training, and reverse engineering. He is coauthor of the last three editions of the Windows Internals series, along with Mark Russinovich and David Solomon. His work has led to the fixing of many critical kernel vulnerabilities, as well as over a few dozen non-security bugs.
    Previously, Alex was the lead kernel developer for ReactOS, an open source Windows clone written from scratch, for which he wrote most of the Windows NT-based subsystems. During his studies in Computer Science, Alex worked at Apple on the iOS kernel, boot loader, and drivers on the original core platform team behind the iPhone, iPad and AppleTV. Alex is also the founder of Winsider Seminars & Solutions Inc., a company that specializes in low-level system software, reverse engineering and security trainings for various institutions.
