One of the main issues in the OS security is providing trusted code execution in an untrusted environment. During executing, kernel-mode drivers dynamically allocate memory to store and process their data: Windows core kernel structures, users’ private information, and sensitive data of third-party drivers. All this data can be tampered with by kernel-mode malware. Attacks on Windows-based computers can cause not just hiding a malware driver, process privilege escalation, and stealing private data but also failures of industrial CNC machines. Windows built-in security and existing approaches do not provide the integrity and confidentiality of the allocated memory of third-party drivers. The proposed hypervisor-based system (AllMemPro) protects allocated data from being modified or stolen. AllMemPro prevents access to even 1 byte of allocated data, adapts for newly allocated memory in real time, and protects the driver without its source code. AllMemPro works well on newest Windows 10 1709 x64.
Details are here:
- The paper in PDF and in DOCX is here.
- The speech in PDF and DOCX is here.
- AllMemPro source code is here and will be updated soon
- Two demos with AllMemPro will be here very soon
Korkin, I. (2018, May 17-18). Hypervisor-Based Active Data Protection for Integrity and Confidentiality of Dynamically Allocated Memory in Windows Kernel. Paper presented at the Proceedings of the 13th annual Conference on Digital Forensics, Security and Law (CDFSL), University of Texas at San Antonio (UTSA), San Antonio, Texas. Retrieved from https://commons.erau.edu/adfsl/2018/presentations/13/