David Weston leads the Windows Device Security and Offensive Security Research teams at Microsoft in Redmond, Washington, United States of America.Really cool paper on protecting kernel memory with a Hypervisor: https://t.co/vXOVZ2a5I3— Dave dwizzzle Weston (@dwizzzleMSFT) May 21, 2018
Thank you, Dave!
In addition, these results have been used in the research Kernel Mode Threats and Practical Defenses presented at the Black Hat USA 2018.
Hypervisor-Based Active Data Protection for Integrity and Confidentiality of Dynamically Allocated Memory in Windows Kernel from Igor Korkin
One of the main issues in the OS security is providing trusted code execution in an untrusted environment. During executing, kernel-mode drivers dynamically allocate memory to store and process their data: Windows core kernel structures, users’ private information, and sensitive data of third-party drivers. All this data can be tampered with by kernel-mode malware. Attacks on Windows-based computers can cause not just hiding a malware driver, process privilege escalation, and stealing private data but also failures of industrial CNC machines. Windows built-in security and existing approaches do not provide the integrity and confidentiality of the allocated memory of third-party drivers. The proposed hypervisor-based system (AllMemPro) protects allocated data from being modified or stolen. AllMemPro prevents access to even 1 byte of allocated data, adapts for newly allocated memory in real time, and protects the driver without its source code. AllMemPro works well on newest Windows 10 1709 x64.
AllMemPro details are here:
Korkin, I. (2018, May 17-18). Hypervisor-Based Active Data Protection for Integrity and Confidentiality of Dynamically Allocated Memory in Windows Kernel. Paper presented at the Proceedings of the 13th annual Conference on Digital Forensics, Security and Law (CDFSL), University of Texas at San Antonio (UTSA), San Antonio, Texas, USA. Retrieved from https://commons.erau.edu/adfsl/2018/presentations/13/