Function overrides, from a Security mitigation to a fully-fledged Performance Feature in Windows

Presented at REcon 2022, June 4, 2022, 1 p.m. (60 minutes)

Function Overrides is a new technology developed in collaboration with multiple teams in Microsoft and distributed as part of the new Windows 11 SV2 (Sun Valley 2), also known as 22H2. It started as a security mitigation and slowly became a fully-fledged performance feature implemented in the entire Windows Kernel. This talk will describe it, introducing the underlying problem that the OS engineers wanted to solve (memory safety bugs) and then giving a detailed description of its implementation and future evolution.

The talk will discuss how Microsoft deals with performance-related problems while developing security mitigations. For example, in certain scenarios, Control Flow Guard (CFG) would cause global performance penalties, which, even if minimal, can be a problem. The talk will give an overview of the performance issues introduced by CFG and how a new security mitigation evolved and became “Function Overrides”, a new feature implemented in the entire Windows 11 (22H2) Kernel. After the introduction, the talk will discuss the internal implementation of Function Overrides in the NT and Secure Kernel, the issues encountered while implementing it, and how it has been used to improve OS performance. In particular, the talk will also present a section explaining how the Visual C++ and ASM compilers have been modified for Function Overrides and how a developer can use the new technology while writing high-performance and secure applications. The talk will end with a demo showing the new technology working on the latest Windows 11 system.


Presenters:

  • Andrea Allievi
    Andrea Allievi is the main author of the new Windows Internals 7th Edition (Part 2). He is a system-level developer and security research engineer with over 15 years of experience. He graduated from the University Milano Bicocca (in the year 2010) with a Bachelor’s degree in Computer Science. For his thesis, he developed a Master Boot Record (MBR) Bootkit entirely in 64-bits capable of defeating all the Windows 7 kernel protections (Patchguard and Driver Signing enforcement). Andrea is also a reverse engineer, specialized in operating system internals, from kernel-level code all the way to user-land code. He is the original designer of the first UEFI Bootkit (developed for research purposes), published in the year 2012, multiple Patchguard bypasses, and many other research papers and articles. He is the author of multiple system tools and software used for removing malware and advanced persistent threats. In his career, he has worked in various computer security companies, from the Italian TgSoft, Saferbytes (now MalwareBytes), to the Talos group of Cisco Systems Inc. He originally joined Microsoft at the beginning of 2016, starting as a Security Research engineer in the Microsoft Threat Intelligence Center (MSTIC) group. Since January 2018, Andrea has been a Senior Core OS Engineer in the Kernel Security Core team of Microsoft, where he mainly maintains and develops new features for the NT and Secure Kernel (like Retpoline or the Speculation Mitigations, for example).

  • Pravan Kant
    Pravan Kant is an engineer in the Visual C++ team of Microsoft, where he develops and maintains compiler features.
