Battle Of The SKM And IUM: How Windows 10 Rewrites OS Architecture

Video Statistics and Information

Video

Captions Word Cloud

Reddit Comments

Captions

you are currently in jasmine and the session you are in is Battle of the skm and you are um how Windows 10 rewrites OS architecture and your speaker is Alex in sq thank you for putting your phone on vibrate in advance this session will probably take the full allocation so I don't know if there will be Q&A time here but Alex is kindly offered to stay around so if anyone wants to approach him during coffee break please do thank you very much thank you so welcome to my talk about skm and I um what those words mean and what the changes are in Windows 10 regarding that brief little bi about myself i'm currently chief architect at craft strike which is secured to startup but most of my OS experience comes from having worked at Apple on the iOS core team as well as having reverse engineered Windows for pretty much the last 15 years which led me to be a co-author of the Windows internals books which are really great sleeping material if you ever have time problems going to bed so I like to focus a lot on design issues design flaws but also sometimes things that are really well implemented and that don't actually have any of the above which is what this talk is gonna be about so I'm not gonna be dropping any o days of vulnerabilities rather I'm gonna talk about some dramatic I find changes the OS architecture and kind of open up some questions and some thoughts about what that means for the future of platform security so Microsoft is basically investing a lot of resources into what they call virtualization based security or VBS and Windows 10 and serve thousand sixteen are implementing three features to cover that which are device guard credential guard virtual TPM which they take part of feature called guarded fabric or shielded VM now there's very little documentation so far on a lot of these features it is slowly starting to come up live there's a few blog posts there are a few presentations from Microsoft and there was a talk yesterday actually on credential guard so those of you attended that talk credential guard does use basically what I'm going to be talking about in this talk now I'm not gonna be talking about device guard credential guard or fabric guard those are things that Microsoft will market themselves I'm gonna talk and go deep into the actual architecture that makes all those features work which is called virtual secure mode or VSM massive last night there's also really good talk on channel 9 on a going deep series that also covers some of what I'll be talking about and here so I have a few references throughout the presentation for those of you that want to go deeper into that so I'll start with a very brief recap of what those guard features are and then we're gonna take a look at how VSM is architected how it starts up and then how s cam and I um function both being the kind of the privileged side of the VSM and the user note side and then we'll talk about something called trust let's have iran how they execute and also I'll show you kind of a demo of you know a third-party trust LED which is not supported by the architecture but just to kind of show you what that would look like and how Trust lets are developed and then we'll wrap up with some kind of thoughts about what this really means and potential avenues of attack or things that could be a little bit better improved on here so let's talk about some of the new things that are coming up which you may hear about one of them is device guard and those are presentation RSA about that so with the visor guard essentially it's an enterprise you can now decide what's going to run on you machines using code signing policies and create your own certificates and sign your own binaries and determine what's gonna run and what's not gonna run now this sounds similar to a blocker but what's different is that signing checks are actually done by a component that's supported through virtualization so it's not the kernel that's doing the signature checks anymore it's actually a component through the hypervisor at the Otaka credential guard which was presented yesterday here at blackhat uses the same virtualization technology but in this case to actually guard cryptographic secrets so like your L SAS secrets for example your ntlm hash your Kerberos TGT ticket those things can now be hidden away and guarded fabric and virtual TPM is a feature that was talked about at ignite conference in Chicago in May and that to do with the ability to protect the VM that's running in a fabric provider for example the cloud provider from the actual host so you can now have a VM that's encrypted that uses BitLocker running on Azure let's say and whoever actually owns the virtualization infrastructure can't attack your VM so you can read about all these features in official Microsoft publications but I'll talk about kind of what powers on all these things working together and you can turn all of these on today in Windows 10 Tudor registry there's a few Reggie keys to do that there's Windows Features then you can able to turn this on in his group policy as well so there's different ways to kind of enable this dysfunctionality we're here to talk about VSM specifically virtual secure mode which is what provides all this functionality so how does all work well as of the new hypervisor that's in Windows 10 and serve 2012 a virtual processor now has an attribute called a VTL or virtual trust level now today there's two V TLS there can be more in the future and the higher the VTL is the more privileged you're going to be and then the nice thing here is since you're going up you're not going to end up with those ring- one bring minus two problems you can just keep creating higher and higher VT else so VT l0 is what you can call normal world or normal mode this is where kind of standard code can execute and VT l1 is when you can call secure world or secure mode and it is a more privileged level above ETL 0 provided by the hypervisor now these V TLS there are thuggin all the ring levels so you can be ring zero which is kernel mode in VTL zero that doesn't give you access over VTL one unless your ring 0 and VTL one as well so you've got your ring levels that are kind of your traditional users and curl boundaries but those ring levels are within a vgl and then horizontally you scale to other V TLS that provide their own ring levels within themselves as well so now I can kind of think of security asks kind of local within a VTL which is your ring level and then spreading across details as well now this essentially uses what you probably know is slide or EPT or NBT and that's the page tables extended page tables or second level address translation which is what CPUs support harder virtualization allow hypervisors to have their own view of what physical pages correspond what virtual pages correspond to what physical pages and you're probably familiar with page table entries which is where the OS defines this virtual address is readable or writable and points to this physical address but with a hypervisor even though the OS things that a page exists and is executable for example the hypervisor can say well actually no it doesn't exist or yes it exists but it's not executable so the hypervisor can basically provide its own additional layer of translation that overrides with the OS thinks so now you can do interesting things like for example blocking read to a page that even the OS can't touch now and credential guard uses that if I store your secrets in a page that only lets say the hypervisor can read or something at v-tail one can read then nothing can read those secrets even if they're running and ring zero because they're in ring zero and v TL zero not in VT l one and so this lets you guard and protect data you can block execution permissions which is what device guard uses so you can say sure the OS kernel things that this page is executable but when we verify the code integrity through the hypervisor functionality it did not match the signature that the enterprise wanted so I'm not actually going to make the page executable in the extended page tables so the CPU actually won't execute that code even though the OS thinks it's executable or your exploit flips a bit to mark the page executable that doesn't matter EPT still say the page isn't and you can block writes as well so you can have critical data that even the kernel can't touch because the kernel is running in BTL zero which is normal world and so basically the by segregating memory access we can now provide two separate privilege levels through the hypervisor now the hypervisor doesn't actually implement all of this logic to provide device guard and credential guard and and guard VM this would make the hypervisor too complex and we want to keep the complexity of high browser low so that doesn't have too much kind of surface of attack now within hyper-v there's something that's called a partition and typically when you enable hyper-v your host OS boots in what's called the routes partition and then your guest VMs have child partitions unless you actually boot up other VMs all you have those over partition now before hyper-v fully trusted the root partition and the root partition could do everything it wanted to the hypervisor into everything else with VSM though now your root partition first search starts out in VT l1 so you start out in the more privileged mode in the secure mode now code that's running there can then set up the EPT entries as needed and then we drop down to VT l0 and everything now runs in bt l 0 which is less privileged kind of like your machine starts up in ring 0 and then you lower it down to ring 3 same thing happens at hypervisor so with the SM now the hypervisors are no longer implicitly trust the root partition there's this VTL attribute that tells us how privileged you are within that world so instead of loading your normal kernel and all of its drivers and with their ketosis and all the mess that comes in your visual rings or environment we don't actually load all of NT inside of ETL one now so what's actually gonna happen is we're gonna create two environments of execution the secure carmel environment or skm which runs that ring zero in bt l1 and the isolated user-mode environment which runs at ring 3 in VTL one so skm is basically the kernel VT l1 I um is the user mode environment at a VT l1 now the secure kernel mode includes a little kernel which is called SK to secure kernel or sometimes you'll see it called the smart kernel the secure mode application runtime and it only has two modules SK CI which provides code integrity and CNG which provides cryptography there's nothing else there's no how there's no win through catalysis there's no other drivers and the kernel itself is only about 300 kilobytes it's not your standard 8 megabyte Anki kernel in isolated user mode you run what are called trustless trustless we're going to see our little processes that run in VCO 1 and they're isolated from each others and they're limited in what they can do when they do system calls their system calls first go through sk m yes secure kernel and then it decides which of those system costs to implement and we'll see there's a real limited number of system calls that are allowed for trustless they don't talk to see a star assess for example there's no shimming there's no app engine and they can only load dll's that are approved for execution in this environment and we're gonna see how the approval process works everything else the VTL zero remains the same so you've got your ante colonel and toss and it runs through it you can sometimes call the high level of us H loss now it's important to note that the usermod environment is essentially identical across VT l1 and BTL zero so it's the same kernel32 binary the same at Value 32 binary but you are limited in what yellows you can load but you don't get a separate user loan environment in the kernel though you do have a separate kernel which which runs which is different from the ante kernel so this is basically what it looks like you've got your VT LS they're kind of horizontal and your ring levels that are basically vertical and you have your binary that's running asset trust lit here and it's importing the standard Windows dll's which talk to the standard Windows kernel 32 which talks at a standard and key yellow but now those system calls go through the secure kernel and we're gonna see doesn't implement the system calls the ones that it does allow you to use it'll proxy them to end task to do them there on the other hand you in this environment also will have access to what we're gonna see are called secure system calls which go through a separate DLL which goes through another DLL which then goes to the SK m and these are additional facilities that are provided if you're a trust let I'm gonna see what some of those facilities are now for this to actually be secure the bootloader which is setting all this up needs to trust the firmware in the platform because otherwise if I boot up when I'm setting all the sub the thing that runs the VTL one is malicious well then it's running like it's like running we'll just go to ring zero but only worse so secure boot provides this guarantee now the hypervisor also needs to trust that you can't use the MA to attack VTL on pages because DMA is direct memory access through physical pages and it bypasses whatever EPT protections you may have put into place so we rely on iommu or vtd to provide this guarantee that the ma cannot attack us and the hypervisor also need to make sure that as its storing credentials and secrets it can store them in a safe place and seal them and measure them and a TPM provides this guarantee now with all these three functionalities secure boot I am mu and TPM you have a secure route of chain of trust as you can and VBS kind of requires all these to be there to provide and guarantee security now VSN will work if these are not all there you can run without secure boot you can run without an MMU you can run without a TPM but then I can't guarantee those things anymore now your secrets have to be on disk now DMA can attack me now booth loader code can be malicious so really if these things are not all on you don't have the same kind of layer of protection so part of what's running in the secure kernel mode is that secure kernel but also this SK CI library and that's your hypervisor based code integrity or age v CI this is kind of an identical ish a version of CI DLL which runs in V tl0 as part of the normal kernel and it's what basically checks for certificates checks for digital signing and when you enable what are call strong strong code guarantees through advice guard it's gonna be the thing that checks is this binary allowed to load by the way even if your kernel is exploited it's not the exploited kernel is gonna say yeah yeah this is allowed to load you have to exploit skm which is a different VTL level and I need a hypervisor bypass or something like that and so with device guard or with strong code guarantees if you under run code skm has to say yes make the page executable and it's only going to do that if HBC I validate the signature is being valid now you can also turn on what are called hard code guarantees because the strong code guarantees that come with device guard they only apply to kernel drivers and the kernel itself with hard code guarantees you can make user mode behave this way as well and you can have an enterprise that says any executable any DLL and even any powershell script that's ever gonna run on this machine has to be signed and skm will validate if the signature is there or not and so if someone were to turn us on well a almost nothing would run anymore but you'd have the most secure Windows environment you could ever dream of because everything including even anonymous executable memory would have to be signed and it'll be impossible to execute any kind of unsigned code here other than a DMA vulnerability or attacking secure boot or you know going to ring -1 or something like that so there's a lot of information so that's a little view normal world secure world normal mode secure mode those are kind of two environments VSM are smart that's basically the runtime the architecture that provides this isolation and the smart kernel or secure kernel is the kernel runs inside VT l1 s km/h loss to the high-level OS the normal world and and tosses the kernel that runs in the normal world I um use your isolated user mode which is your secure world and ring 3 sk m is your secure and ring 0 both of these in bt l1 and the VTL is again their your virtual trust level VT l 0 is your normal mode you kill 1 is your secure mode and VBS is the set of technologies of features that are going to leverage what's there in vs m so how does this thing start up well it's all done through the bootloader and so the hypervisor has VSM built into it and when you launch the hypervisor with the BCD option hypervisor launch type this will start up the hypervisor which will kind of initialize the VSM functionality but nothing will be running a detail one yet when hypervisor is ready to launch there's a function that's gonna basically load a hypervisor loader the hypervisor loader then initializes the hypervisor then we drop back it down on the bootloader and now the bootloader runs hypervisor as well now the hypervisor bootloader checks vsms strength if v sm is turned on and enabled for IM functionality which is another BCD variable called v sm launch type if it is we're then going to load a secure kernel which is secure kernel dot XE secure kernel lot XE imports s KCI dll and CNG dot sis we load those binaries up we verify the signatures and we also basically set up everything that's needed for this then we call the secure colonel so the first thing I was going to load in this environment is the secure kernel is the bootloader and then a secure kernel add vgl one and this is why secure boot is critical because if the bootloader is compromised in some way then this whole process can be compromised another thing that runs the VTL one is no longer trusted but barring secure boot vulnerabilities or you turning off secure boot this whole process is validated through the signature checking that secure boot provides now ask what are doing they were going to check your VSM policy and that comes from your group policy settings its come from the registry essentially there's this ready I've got on the slide here device guard and that's gonna be fine shoe to enable VBS should we require secure boot should we require an iommu and should we use hypervisor based code integrity and base on whatever features are set this is gonna be passed on to the hypervisor through VSM and a secure kernel which are going to decide what mechanisms to adapt and so there's a bunch of options they're gonna be set as this policy is happening now two interesting options that were not very well documented when I did my research is MSR filtering a 10 X mm i/o and these are kind of two attacks you could do if you have the hypervisor code integrity turned on the first one is device mapped memory until Windows 10 there was no API to basically get non-executable device map memory so when you called mm map i/o space you got executable memory and we understand they added a feature to basically have the drivers request to be non-executable but in Windows 8.1 for example chances are your video cards frame buffer is actually executable so if you put code in there it can run now with the hypervisor and VSM turned on even if the drivers request those pages to be executable because that was a default the EPT pages will not be executable so now a frame buffer won't be executable even though your drivers not updated the second type of attack is using MSRs for model specific registers on a CPU and these lets you mess with a TLB and do things like TLB splitting and other kinds of Kashyap pollution attacks and poisoning well Microsoft has a list of MSRs they consider dangerous and if you try to either read or write them there's policies are gonna prevent you from doing that even from the house based LS so they actually did a really good job at figuring out what are all the attacks that you could implement and try to mitigate against most of those so let's take a look at a little bit of the internals of the skm so its first similar to n toss it's basically got keet wrt l DB g SC or usual kind of suspects but it's also got some specific I um functions what are called normal calls and KS and it's got its own kind of object managers own memory manager its own process management functions but these don't actually manage resources I'm gonna mention a little bit later these are basically just kind of micro components to provide basic functionality but the secure carnal doesn't actually have a lot of kind of it doesn't have any resource management and doesn't have a lot of functionalities it's very very small it also exports some functions so that's CNG disk and load so things like allocating from the pool are now managed through skm some locking functionalities are provided by the secure kernel as well now if you're familiar with NT you know there's a PC R @ GS 0 well secure kernel has a structure there as well which you know we can call the SK PC R again auntie has a K thread structure well here we have an S key thread structure so for every thread is running secure mode there's a structure for that and every time there's a process running in secure mode there's a structure for that as well and we'll call that SK process now unfortunately like the kernel where you have symbols for these structures there are no symbols so there's some offsets I put here through reverse engineering but they might change and obviously these are not things are gonna be touching anyway but just to point out there are similar structures that mirror what you have in a normal NT kernel now s game does provide a few kind of things that are not there in a normal kernel one of the things called mailboxes and mailboxes allow you to basically communicate between I um and code that's running inside of Pentos so every process has eight mill box slots and you can fill a slot with up to a page of data then on the normal side there's a kernel API VSL retrieve mailbox and you can read one of these mailboxes so it allows a trust lit or an I um component to basically push some data that can be read from the other side and we're gonna see what uses this now there's also something called capabilities that s game provides and capabilities determine which I um system calls that an IM component might call are a lot by whom so there's an allow all policy a check trusted ID policy or check trusted instance gooood policy every time you launch something in i um it has a unique ID and the capabilities are gonna determine which ids are allowed to make which calls so basically they can further lockdown and say this trust lit can't do that thing now today the only thing that uses that r2 API is called secure storage get and secure storage put and the get can only be called by trusted ID to the put can only be called by trusted id3 and when I mentioned what those trust let's actually are so there is some knowledge and skm about what trust that should exist and what are the things they should be doing those storage get and those storage put functions there social that are called storage blobs and storage blobs essential allow to trust let's that's share a different ID but a same instance to basically communicate between each others and we're gonna see what storage blobs are actually used for so a mailbox is allowed to communicate from secure to normal storage blob is allowed to trust us to basically put and get data on the secured way now what that scan provides are secure mode calls and secure mode calls are things that are in the secure kernel that NT may need to call so those are defined by an operation code in a service code and there's three operation as possible resuming a thread doing a secure service call or flushing a TLB and from anta's from normal world you perform a secure call through the vm call instruction so you basically use the hypervisor the hardware extension to basically do this you put 11 into RCX and this now takes you in VCO 1 and you can do one of those operations so those service calls are basically things that Anne toss needs to query for and toss needs skm to do or end toss needs to tell a scam about something so you can't allocate example memory with a GC I turned on so Anne toss has to ask skm can you please allocate execute well memory and s game will decide to do that based on the signatures if you want to load an image in I um mode that has to be done by a scam if you want to flush a TLB without that has to go through a scam as well because it he'll be effect CPT's as well hibernation crash dump has to go through a scam as well because now we want to encrypt those pages so anytime NT needs something from SKM the secure mode service call is gonna let us do that now there's some specialized ones as well they're kind of interesting so there is a special call for doing egw so you can actually trace from an IM component and you can turn tracing on in normal mode and see your traces that are coming from secure mode obviously Microsoft needs a way to actually debug these things and there's also a fairly a failure log pages that you can turn on which gives you some limited information about what could gone wrong in skm mode when it tried to load an image so you can then later on analyze that so these are kind of debugging features that exist now there's also normal mode calls normally what calls are the opposite of secure mode calls these are when the secure kernel needs something from anta's and there's four possible operations there there's normal service calls and normal system costs and normal system calls are when I um applications need to do a system call and we want to implement a system call in a normal kernel not a secure kernel and normal service calls are when a scheme itself needs something from anta's and again these are done through a VM call instruction and these KQ from VTL one now to VTL zero you drop down in privilege and you do the operation as being asked here and there's a number of operations like allocating physical pages see memory management is still owned by the normal kernel so when skm needs some physical pages it's gonna ask the normal kernel to do that to terminate a thread or a process process management thread scheduling that's still owned by the normal kernel so as scam has to ask and toss to do that wait synchronization copying virtual memory or allocating virtual memory and user mode debugging tracing all those things still have to be done in normal mode and skm does a normal mode call to perform any of those actions the last kind of call that's needed here are efi runtime calls now when you have an EFI bias there are certain runtime calls that can be called by the OS so for example your variables if you want to set or get a efi variable this has to go through efi now for an user mode there are api to do this there's a get firmer environment variable and a set form environment variable those calls from user mode eventually go into how which eventually calls efi but what about a trustless what about something that's running in isolated user mode and it wants to touchy if i well VSM can also basically virtualize the efi runtime calls now this means though that when you're doing an EFI runtime call with this turn on the AFI runtime code will run a DPL one and this is again where why secure boot is so important because if you don't trust the firmware now when you're trying to get a variable the get variable code runs of each one and it now has access to all the pages that normally would be invisible to VTL 0 so firmware could attack this that secure blue provides guarantees against that if it's turned on if it's not buggy so that's kind of how the kernel side works let's look at the user side a little bit which is IU n so s game provides three basic services to trust let's that are not available when you're not a trust lit secured identification security communication a secure cryptography these are all provided as system calls so you do them through a normal Cisco instruction well they all have the high bit set so you probably know that Anki calls you know their index 0 index 1 index to these calls are 80 million 118 million to 80 million 3 and the trust lit basically doesn't do the system calls directly just like a Windows application doesn't it the system calls directly there is a base library that implements some api's those API then call the low-level library which is the I um DLL and then it does the system calls just like a normal application s kernel32 we do then calls ntdll which then does the system call the trust that's work in the same way and so there's 6 system calls that are provided these are the indices for them so there's a system call to get the identification key and to set your instance those are basically to identify yourself or the Machine there's a cryptographic system call crypto and then there's the system calls for mailbox and storage which are part of the communications package now the crypto API itself has five different sub calls so there's five different things that can do the other API is you call them and they just do their action so what can the crypto API do it can encrypt data decrypt data it can decrypt data that's been bound specifically to the machine with the identification key it can generate a seat and it can check if we're in FIPS mode or not since all this is fips-compliant but you never have to call these api's directly if you I mean if you're writing a trust lip which you can't now anyway there's another base API that provides that and so these are the EP eyes that are kind of provided to trust let's today which match those system calls so I so decrypt the crypt bound data and crypt get FIPS mode get yet any key get the seed post the mailbox secure storage get put set your instance so basically czar kind of the I don't want to say documented but the high-level interface that trust let's are going to be able to call now outside of those specific skm system calls you have obviously trust it's or normal windows codes so they're gonna be calling things like Creed event Creech file the standard API is you might have the standard API is then are converted to system calls but skm only allows you to do 48 of the 2000 system calls at the kernel house there's some synchronization api's that are allowed semaphores events and alerts which allow critical sections to work and user mode for example there's no mutex sees worker factories through api way completion packets which are all used by the thread pool which in turn allows RPC to work and a LPC functions are allowed as well which is required by RPC it's work as well there's some api's to allocate virtual memory and section objects which is how you can map a dll and allocate from the heap trust sets obviously need to do that and there's some random little api's for exception handling and for querying a few things but note for example there's no registry pianist list there's no file a pianist list so you can't do any of those things you can't do a registry area from a trust let you can't do file i/o from a trust lid you can't do any of the things that are not exposed through a system call that's accessible at VT l1 so if you want to do any of those things you need an agent you need something in normal mode that's gonna do those things for you and for example and the else and the else ask case there's LSA iso which is the isolated trust let in video 1 and there's still else ass which is the standard process in VT l0 and how do they communicate through RPC that's why the thread pool and a LPC is implemented aloud so that you can communicate across VT LS by using RPC so the block of functionality you might kind of see there and that's because for us let's are really designed for the functionality of Microsoft needs credential guard device guard and virtual TPM now whenever you do a system call now you have a risk because you have something to beat still one calling normal mode what if normal mode has been compromised and it wants to lie to you about the data I wants to screw up the structures you get back give you a fake handle give you a fig buffer so every time you need you call into normal mode gonna sanitize the output that you get back when you call into it though you have another problem which is that all your pages now are VTL one pages they can't be read necessarily from VTL zero so there's some shared buffers that are used so I can actually allocate some memory that VTL Zoo is gonna see Marshall structures in those buffers safely get rid of any pointers to pointers to pointers and some generic marshaling lets you do that then the normal mode sees the Marshall buffers does the action returns some data back the data sanitized and then copied back into a buffer that can be accessed by what VTL one can access it anyway so there's some marshalling and some sanitization that has to happen and so this is a diagram I stole from Microsoft from presentation it is a copy right I don't make nice diagrams like this but doesn't basically shows you the whole process we have the secure kernel trying to do a system call going through the Marshall er going through VT l0 we do then goes in a normal kernel which then runs a normal kernel function so all this is not running in isolation in a normal mode in VTL zero and then it all goes back back at Vitiello one now on Marshall everything sanitize that our harden it and return the data back so the secure kernel doesn't have a lot of functionality it's almost acting like a proxy just sending things through to the other side so how does the trusted use all this functionality well how do you first fall launch something has to trust lip and Windows Vista and later they added something called process attributes when you start up a process you can you find some attributes that are associated with it so one of the attributes you can now set is I want this thing to launch as a trust lip unfortunately that attribute is not exposed to the standard document windows API it's only exposed to the native API so you need to build a non documented application that will access the launcher to pass that undocumented features through the undocumented a piane and the attribute you have to specify the trust layer ID s cam recognizes that only some things should be trustless they need to pass an ID what for us that are you trying to execute when the trusted execute s-- we're then going to check is this binary actually allowed to launch asset rustling because you don't want random stuff to launch a Stressless as there is some strong signing guarantees here there gonna make sure that this has what's called a signature level of 12 now you can read my blog if you wanna know more about signature levels but they're basically cryptographic levels associated with ek use enhanced key usages that a cert can have and so an image that's allowed to run as a trust that has to have a special certificate with some special key usages in there one of them that says this is a Windows binary and one of the meth says this is an I um binary so it has to come from the windows team in Microsoft and it has to be signed to special shirts saying this is allowed to launch in asset wrestlin now even if you boot in debug mode or in test signing mode and you make your own fake cert and you add those ek use in test mode or in debug mode they won't be recognized so it has to be from a Microsoft certificate not a test certificate and it has to have those ek use so there's practically no way rather than corrupting the system in some way which requires an exploit which requires bypassing secure boot to actually change this functionality so only things that our signed as trust lets can run a Stressless so here's an example of what that would look like here the digital certificate properties of a trust lit and here it says isolated user mode and Windows system component verification and you need these two things there and if you want us to protect a process there's another EKU there but without those two we can use in a search from Microsoft you're not gonna be able to launch now when a trust that launches it has to have what's called a trusted Policy associated with it so you have to have a special exported variable that special exported variable has to have a special name in a special section it's a special set of flags obviously has to be signed because it's part of the binary and that policy has the trust that ID so you can't launch trusted ID for associated with binary X if binary X is signed saying I'm trusted ID 8 so the binary kind of signs its own identity and the launcher of the binary says I'm launching this binding with this identity and they have to match so you can't have arbitrarily trust let's we'll run and trust us a different identity so all this is checked by secure kernel to make sure this is a legitimate valid trust let the policy also says what can the trust lid do or what did it what will it allow itself to do so for example etw tracing the trust can say I don't want my tracing messages to be seen dumps the trust can say when I crash don't write a crash dump or when I crash I want to crash them but encrypted with this public key it's not only Microsoft which has a private key can then decrypt the crash dump so certain policy a tree was the trust can say another one is allow myself to be debugged or not so trust ik and say I do want to debugging facility to be available to normal mode or no I don't want normal mode to debug and depending on what the trusted is doing some of those options are gonna be set else has for example the isolated else ass won't allow itself to be debugged it will allow itself to crash and write a crash dump but the crash dump will be encrypted with the public key that is specified at rusta can also have an instance good that's something used by hyper-v because with virtual TPM you cannot have hyper-v virtual machines that essentially are protected from the host and that's using trusts as well and the instance of basica tells you what vm is this trusted associated with so what for us this exists today well trust let's zero is kind of the secure kernel process itself which hosts the Vice guard and when you have these features turned on you'll see if you look at task manager there's gonna be an entry there called switch this around secure system so that is basically an indication that skm is there now else to have credential guard turned on so i'm gonna have an LSA iso process this is trust lat ID number one and trust that ID number two and three or if you use guarded fabric or v TPM so trusted two sv MSP which lets you read what's in a TPM and trust that ID three is the provisioning tool which you would use to put secrets and seal things in a virtual TPM so those are the kind of the four trusters that exist today so LS AI still provides the credential guard feature you may have heard about yesterday it only does do things decrypt and encrypt data that's all it needs the cryptographic API the other trust lid vm SP is used for virtual TPM and for virtual TPM you need a bit of more complexity because now I need to use the mailboxes to basically identify yourself and pass data across normal mode and secure mode without using RPC or by adding another layer of security on top of RPC and vt p.m. data itself the secrets and TPM are used with that secure storage facility so those EPS are kind of specifically designed for V TPM only the other ApS to encrypt data and encrypt data those are used by the credential guard feature now when a trust lid loads it gets loaded like any other application in user mode there's the same ntdll that you have on the other normal side the difference is this entity L is gonna check a few things to basically prevent normal mode from messing with it so you probably familiar to shim engine which allows you to put application compatibility flags well we don't want LSD iso to have a shim that says you know and go do this we want its functionality to be non influenced non influenceable by normal mode so some things are disabled like image file execution options are ignored the ll redirection is ignored there's no communication of CS RSS there's no shim engine the basically sure a trust lid does what it's supposed to do and can be affected by the admin in some way now because you're gonna talk to CS RSS there's some structures that are missing as well so main TV l will basically freak out with CS RSS will normally do now since you can't talk to CS RSS though the key detail here is you can't have a UI and you can't even have a console so you don't have access to the command prompt interfaces there's no standard and/or standard out so you can't link a trust that's the asset console application because there's gonna try talking to a console driver or the console subsystem and that's not there so they have to be linked as Windows images not as console images so then how to trust let's talk well they can trace 3tw which I mentioned there's a debug print API and there's local RPC now the DES buck rate API is actually not enabled in retail builds anything W tracing can be disabled the trust that can't say I don't want to trace myself so the one thing that process can always do that's always permitted is RPC and so there's gonna be vulnerabilities here if they're gonna be an RPC or a LPC or basically this interface that allows the two things to talk to each other's if your trust lid is accidentally badly parsing an RPC message the trust that can crash the trusted me run code that it's not supposed to again though you have to work around the signing issues and all the other kind of hardening features that the virtualization brings on top of that but this RPC link is probably you know where people are going to be looking at now there also is on top of any RPC kind of server that trust lick introduced there's a special RPC server that's there on normal mode called I um trust lead dump server and when a trusted crashes if crashing is a lyft crash dumps are allowed this functions the secure kernel to talk to the trusted dump server and to write a dump out the disk so this is the one communications channel trust that's always have the enable crash dumps they can just shove encrypted data to the server and the server is gonna write it to disk so technically you could write to disk with this interface that's something that's not a dump if you somehow got into a trust let but it would be a limited path name and a limited location with a limited extension so the question is can you build your own trust label this sounds like really cool technology but it also allows me to basically hide my data if I'm malicious can I have a malware lit well there's a number of things that prevent you from doing this the first one is you have to have a write policy with the right Trussell ID with a right name and right section and has to be signed correctly and those signature checks are not things you can bypass without some sort of ring minus one exploit you have to be compiled and linked correctly and you have to be careful with dll's use not all dll's or signer that certificate not all the LS can be used inside the isolated environment and ultimately even if you wrote your own malicious trust let your trusted doesn't have access to stuff in normal mode everything it has access to has to be through one of those system calls and a trust that is protected from other trust --let's so malicious trust that can suddenly attack the credential guard trust look so you still have to kind of break out from I um into skm and we pretty complicated attack to do if you got there and you have to read it frosted in the first place anyway but there are ways to do that if there's exports of all abilities and so I'm gonna do a demo of an actual trust lit show you how that looks like and this is my own trust level so it's not one that comes from Microsoft now it is a very simple trust lit it essentially only does two things it initializes etw tracing it prints hello secure world it creates an event called demo let active to show you that it actually ran and then it basically sets up RPC and creates an RPC endpoint called demo let port so I've signed this correctly and everything and I'm going to try running it make sure it's not already active from earlier nope okay so got my oh that's assigning okay so got my own launcher and I've called this trust ID five it's got a policy that claims its ID five I'm launching it is ID five so it says it launched successfully let's see if it's actually in the process list it's seventy two hundred so this route rustling now how do you know this is actually a trust lit now I'm not lying to you so let's double click on it and first of all you can see that it has created the demo let port there is an event called demo let active so if I go inside we're knob in sessions one base named objects there should be an event here then while active so the trusted was able to create this event and if I go inside of RPC control there is the demo lat port so I have an RPC endpoint that I can talk to my trust like now but is it actually protected so let's look at the memory well I can see all of its memory well no I can see the memory allocations I can see the VATS because the kernel owns in my management so I can see what allocations exist but if I try to look at any of these oh yeah this is reserved let's look at a committed region invalid access to memory location even if I use the kernel debugger which normally should have all the powers bang process zero zero Trust latech C and attach through it from the kernel I'm which is ring zero so I should be able to do anything I want to it let's dump the VAT let's see the memory allocations so they're there these are all this is all trusted memory but if I take one of these allocations try to look at it well that one worked some of these can be shared so what I probably picked is the actually show that if I do a bank pet notice that you can see the environment variables there and that's because part of the pet is readable and the environment variables are readable otherwise things would just break if you didn't let that so I probably picked the memory that contains the environment just got unlucky let me pick a different address let's say I'll take this one it's all question marks if I take the code itself of the trust let's see let's see that one it's mapped DD one two three the code is there and that's not something that's necessarily hit it so the images can still be shared things can still be readable although things are not gonna be shown like the heap and the stack so it's not that everything is isolated some things can be shown and read but that code is not modifiable for example so if I try to modify the trust that's code from the high-level OS I won't actually be able to do that so you know if I take and one last another thing is let's say I too want to dump the modules so normally when I do a bank peb I should see the loaded dll's but notice here that it says no this isn't really null in the VTL one side but in this kind of fake peb it is and the real peb on the other side the loaded dll's are here but it will actually see that so I can't kind of investigate anything this environment and if I try to debug this or make a dump out of it it's just not going to work so this process is basically isolated and protected from me trying to read its secrets or its heap or modify its code that's actually running now now I want to be clear this is not something supported I had to do a lot of kind of hacks to the system to allow micro step to launch do but just to kind of show you what what provides now I can kill it it's not protect I didn't make it protect it so like I still kill the trust lit and now all these secrets are gone now so let's talk a little bit about kind of what all this means and what are some of the things that I found out so first of all is I um secure is VSM secure as far as I can see yes they're not any design flaws I was able to find there's no kind of ah ha they didn't think of that they really did an extremely good job at thinking of all these these avenues of attack now could there be RPC parsing vulnerabilities or marshaling bugs sure but it's a very small amount of code so chances are they took a really good look at that the attack surface is tiny the hypervisor is already very small piece of code adding V TLS adds complexity but it's still manageable secure kernel itself is only 300 50 kilobytes and yes sk CI does do a semi one parsing of signatures but that code has been in Microsoft for more than a decade it's been very well tested and it's not a full asn.1 parser it's very limited one which actually is a static state machine so this is all probably almost correct code that should have very very little tax surface on the on flip side though this does rely on platform features to work and to be well implemented now it's important to point out to mention a few times as well the secure kernel is very simple it doesn't do scheduling it doesn't marry management all the resource management is still done by the normal kernel there's no harder drivers there's no devices and system calls or proxy through normal mode there's no implementation for system calls in s game itself so this game doesn't rust and toss it does depend on it though so could you decide nope I'm not gonna give you that physical page sure and you could screw with this game this way so you could do the elves denial of service attacks but it doesn't give you access to the secrets and the information that's inside the secure world you also can't knock out cause you know sometimes so someone asked me will the device guard what if I just don't ask secure mode - is this sign or not what if I just law and I tell em fast yes is assigned you could like 10,000 say yes this is signed but then the EPTs are they gonna be executable no so ventas is gonna think this is executable memory but no one made them executable because you knocked out the call that's gonna make them executable if you don't knock out the call then we're also going to verify the signatures so there's no way to you can bypass communicating fiesque a.m. but then you don't get any features or needs that the s game has so how would you compromise this well again the reliance one of the weaknesses the reliance on secure boot and also the fact that not everyone has an IRA menu and so a black hat and other conferences have been lots of talks about vendor bugs design bugs flash bugs option and ROM bugs and other vulnerabilities in firmware and this is kind of the weak spot today and Microsoft is doing a lot of you know vendor kind of punching to make sure people get their bugs fixed windows up they can also now deliver BIOS updates as well but this is the weakness the other one is DMA attacks not everyone has an iommu not everyone turns it on and so with those attack event venues VSM can be compromised now kind of riskier is a compromise VSM can then be used against the user itself because now I can use the VSM facilities to hide malicious data but this is kind of a very limited risk because remember you still won't have access to the file system you don't have access to drivers don't have access to registry so if you really wanted to run a malware let you have to have an agent that's a malware agent - and that's something running a normal mode that I can detect so yes you could use this you can use a compromise you get sent to hide data but you could have built your own hypervisor anyway if secure boot is not there so it's not the assemble mobility it's just something I VSM might make easier if it gets compromised but if it's compromised it's game over anyway so you know these are kind of very fringe types of attacks so the real issue is if you don't execute you don't have secure boot then you can bypass all this so for example my laptop has a special version of SK CI where I made a one byte patch with that one byte patch I'm able to load any trusted that I want and so there's a DMA attack there's a secure boot attack and you pass that one line or that one byte then now you can run your own trust lists again that doesn't necessarily mean it's game over because the trust that still need a way to do malicious things so it's really important to make sure that all these platform features are turned off now given that there are a few things Microsoft could probably do make it harder to do what I did for example if skc I validated itself if the hypervisor had some code to make sure that I didn't you know patch it something like patch guard basically but in the hypervisor that could allow you to kind of detect some things that are going on all these would be defense and DEF though right because if secure boot is not working right you can't really protect the system in in a C in a true secure way but there could be little things that they do to make it harder to make the attack less than just less love a bite just like in kernel know there's patch guard and if you flip a bite you'll eventually crash the system so these are lightweight recommendations they're not really major things that affect the Scioto system it is designed to be secure but your platform has to be secure as well so with that I don't know if I'll have time for questions like I mentioned though I will be available at the coffee break and I also want to thank a few people from Microsoft that um helped out a lot with this presentation making shows accurate so kudos to all those people so thank you

Info

Channel: Black Hat

Views: 10,561

Rating: 4.9083967 out of 5

Keywords: Black Hat USA 2015, Information Security, InfoSec, Black Hat, BlackHat

Id: LqaWIn4y26E

Channel Id: undefined

Length: 51min 30sec (3090 seconds)

Published: Sun Dec 27 2015