
April 16, 2019

MemoryRanger Prevents Hijacking FILE_OBJECT Structures in Windows Kernel

Windows OS kernel memory is one of the main targets of cyber-attacks. By accessing kernel-mode memory, attackers achieve process privilege escalation and tamper with users' data.
This paper considers a new example of such an attack, which results in access to files opened in exclusive mode. Windows built-in security features prevent such illegal access, but attackers can circumvent them by patching dynamically allocated objects. The research shows that Windows 10, version 1809 x64 is vulnerable to this attack. The paper provides an example of using MemoryRanger, a hypervisor-based solution that prevents such attacks by running kernel-mode drivers in isolated kernel memory enclaves.
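As an added illustration (not code from the paper or from MemoryRanger), the following Python model shows the policy the abstract describes: each driver's allocations form an enclave, and a write from one driver into another driver's FILE_OBJECT is denied and logged when isolation is on. With isolation off, the same write flips the write-sharing flag of an object opened in exclusive mode, and a later share-access check admits a second writer. Driver names, addresses, the object size and the field offsets are constructed values for the model.

```python
# Added illustration, not MemoryRanger's or the paper's code: a toy model
# of per-driver kernel memory enclaves guarding FILE_OBJECT structures.
# Driver names, addresses, sizes and field offsets are constructed values.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

FILE_OBJECT_SIZE = 0xD8   # constructed object size for the model


@dataclass
class FileObject:
    """Modelled subset of FILE_OBJECT: the share flags fixed at open time."""
    name: str
    shared_read: bool
    shared_write: bool


# Constructed field layout: offset within the object -> attribute name.
FIELD_AT_OFFSET = {0x28: "shared_read", 0x29: "shared_write"}


@dataclass
class Enclave:
    """All allocations that belong to one driver."""
    driver: str
    regions: List[Tuple[int, int]] = field(default_factory=list)  # (base, size)


class EnclaveMonitor:
    """Hypervisor-style policy: a driver may write only inside its own enclave."""

    def __init__(self, isolate: bool = True):
        self.isolate = isolate
        self.enclaves: Dict[str, Enclave] = {}
        self.objects: Dict[int, FileObject] = {}      # base address -> object
        self.denied: List[Tuple[str, int]] = []       # (driver, address) audit log

    def allocate_file_object(self, driver: str, base: int, obj: FileObject) -> None:
        """Record that `driver` owns the FILE_OBJECT allocated at `base`."""
        enclave = self.enclaves.setdefault(driver, Enclave(driver))
        enclave.regions.append((base, FILE_OBJECT_SIZE))
        self.objects[base] = obj

    def owner_of(self, address: int) -> Optional[Tuple[str, int]]:
        """Return (owning driver, region base) for a tracked address, else None."""
        for enclave in self.enclaves.values():
            for base, size in enclave.regions:
                if base <= address < base + size:
                    return enclave.driver, base
        return None

    def write(self, driver: str, address: int, value) -> bool:
        """Model a kernel write; return True if it was permitted and applied."""
        hit = self.owner_of(address)
        if hit is None:
            raise ValueError(f"write to untracked address {address:#x}")
        owner, base = hit
        if self.isolate and owner != driver:
            self.denied.append((driver, address))     # cross-enclave write blocked
            return False
        setattr(self.objects[base], FIELD_AT_OFFSET[address - base], value)
        return True


def share_check_allows_writer(obj: FileObject) -> bool:
    """Model of the share-access check: a second writer is admitted only if
    the existing opener granted write sharing."""
    return obj.shared_write


def run_scenario(isolate: bool) -> Tuple[bool, bool, int]:
    """One driver opens a file exclusively; a rogue driver then tries to flip
    the write-sharing flag inside that FILE_OBJECT."""
    monitor = EnclaveMonitor(isolate=isolate)
    exclusive = FileObject("secret.txt", shared_read=False, shared_write=False)
    base = 0xFFFF9A0012345000                          # constructed address
    monitor.allocate_file_object("owner.sys", base, exclusive)
    written = monitor.write("rogue.sys", base + 0x29, True)
    return written, share_check_allows_writer(exclusive), len(monitor.denied)


if __name__ == "__main__":
    for isolate in (False, True):
        written, admitted, denials = run_scenario(isolate)
        print(f"isolation={'on' if isolate else 'off'}: write_applied={written} "
              f"second_writer_admitted={admitted} denials_logged={denials}")
```

The model reduces the hypervisor's job to one question per write: does the address fall inside the writing driver's own enclave? Everything else (the share flags, the later open check) is ordinary kernel logic that stays correct as long as that question is answered before the write lands.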

Details of how MemoryRanger protects FILE_OBJECT structures are in the paper (citation below).
This research was reviewed and discussed by well-known security leads:

๐“ก๐’Š๐’„๐’‰๐’‚๐’“๐’… ๐“™๐’๐’‰๐’๐’”๐’๐’ is the Director of Security Research, Oracle Cloud; previously Research Lead at Cisco Talos.
Thank you, ๐“ก๐’Š๐’„๐’‰๐’‚๐’“๐’…!
Alex Matrosov is the Offensive REsearch Lead at @NVIDIA and "Rootkits and Bootkits" book co-author (bootkits.io)
Matt Suiche ia a hacker, Microsoft MVP, Founder of @ComaeIo — Co-Founder of @CloudVolumes (now @VMWare)
Thank you, Alex and Matt!

Here are the slides with YouTube demos of the attack and its prevention:

Korkin, I. (2019, May 15-16). MemoryRanger Prevents Hijacking FILE_OBJECT Structures in Windows Kernel. Paper presented at the 14th Annual Conference on Digital Forensics, Security and Law (CDFSL), Embry-Riddle Aeronautical University, Daytona Beach, Florida, USA. Retrieved from https://commons.erau.edu/adfsl/2019/paper-presentation/7/
