
Virus-Writer Abbreviations: WIM, CSRSS, EMET, CCMP, EFS, SEHOP, ASLR, KPP, UAC, DEP and one more thing



Since the most ancient times (it is a good thing we all still remember them) IT people have adored abbreviations, both in everyday life (AFK, BTW, AFAIK) and in professional communication. So when reading professional security literature, even the well-trained brain of a hacker can sometimes tie itself in knots. To keep that from happening, we have prepared an article in which we pick out some of the most common abbreviations and acronyms (our literary editor says these are different things; you will have to google the difference) that stand for something which makes life harder for an honest hacker or virus writer.

UAC (User Account Control)


What?


Let's start with the easiest one. User Account Control, as everyone remembers, first appeared in Vista and in its server sibling, Windows Server 2008. Yes, that was a long time ago. UAC was added to counter attacks that Windows made possible because of how its window-messaging subsystem worked: an application with lower privileges could send a window message (with embedded shellcode) to an application running as administrator, and the latter would happily execute the payload, since it had the permissions.

This state of affairs was inherited from the old MS-DOS-based operating systems. There was no separation between user and administrator, and although Windows NT fixed that, users kept working the old way, under an administrator account. For a while this suited everyone, but then (after the well-known publication by independent security researcher Chris Paget) exploits began to appear for this class of weakness, the shatter attack. When the problem became serious, Microsoft tried to fix it in its then-new operating system by introducing UAC. Strictly speaking, UAC itself is only a shell, the user interface; the real work is done by the UIPI (User Interface Privilege Isolation) mechanism. Using MIC (Mandatory Integrity Control, the key security feature that assigns trust levels to processes), UIPI forbids a process with a low integrity level from sending messages to a process with a higher one. In the case of UAC, the choice between deny and allow is left to the user. The trouble is that many users, without looking into the details, click through and allow the application that triggered the prompt.
UAC prompts not only when an untrusted process is started but also for many other tasks, including changing the settings of the built-in firewall, adding or removing user accounts, installing drivers, starting disk defragmentation and so on. Working with the system became slower as a result, and there was plenty of negative feedback from users.

As a result, UAC did not become a panacea for all ills, but it does stop some attacks and has shipped with every subsequent version of Windows.

How is it broken?


Mark Russinovich also noted that UAC should not be viewed as a security boundary: if the user allows it, any code will run. So UAC is most often bypassed by malware hiding behind an attractive label. The user allows some seemingly harmless application obtained from an untrustworthy source to run, and the destructive code runs along with it.


UAC: configuring when notifications are shown

DEP (Data Execution Prevention)


What?


Behind the abbreviation DEP is a security feature of modern operating systems. It lets an application execute code only from memory regions marked as executable, so code that malware has dropped into a data area, the heap or the stack (which are marked non-executable), will not run. Although there are two ways to prevent code execution, software and hardware, modern operating systems only began to support DEP once processors gained the ability. A virtual memory page whose contents are not meant to be executed is marked with the NX bit (AMD's term) or the XD bit (Intel's). DEP stops not only attacks but also operating-system bugs, simply by terminating the application that tries to execute data.

If the processor does not support the NX bit, the software implementation of DEP steps in. It is considerably weaker than the hardware kind: on Windows it only checks the exception-handling path of certain system binaries rather than marking pages, but it works on any processor.

DEP is not limited to desktop operating systems: Android, for example, has enforced NX on the stack and heap since version 2.3, and 4.1 Jelly Bean completed the picture with full ASLR.

How is it broken?


Attack methods against DEP are described in detail by Kris Kaspersky in his book The Art of Disassembling. DEP can be defeated both locally and remotely. And although there are many mechanisms for checking the heap and the stack, they do not do their job well: thanks to missing bounds checks on local buffers, an attacker can still overwrite a function's return address, or use a heap overflow to overwrite any writable cell in the vulnerable process's address space. What DEP changes is where the overwritten pointer may usefully point: not at shellcode on the stack, which is now non-executable, but at code that is already mapped executable, such as a library function (return-to-libc) or a chain of short code fragments each ending in ret (ROP).
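To make the hardware side of this concrete, here is an added example (not code from the original article) showing what the NX/XD bit enforces. A child process maps one fresh page, copies a single "ret" instruction into it and calls it: with PROT_EXEC the call returns and the child exits cleanly, without it the jump becomes a SIGSEGV, which is exactly the "DEP terminates the application" behaviour described above. It is Linux/POSIX only, and the instruction bytes assume an x86/x86-64 or AArch64 machine.

```c
/* Added example, not from the original article: what hardware DEP/NX enforces.
 * Linux/POSIX only; the "ret" bytes assume x86/x86-64 or AArch64. */
#define _GNU_SOURCE
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS 0x20   /* Linux value; fallback for strict -std modes */
#endif

#if defined(__x86_64__) || defined(__i386__)
static const unsigned char RET_STUB[] = { 0xC3 };                   /* ret */
#elif defined(__aarch64__)
static const unsigned char RET_STUB[] = { 0xC0, 0x03, 0x5F, 0xD6 }; /* ret, little-endian */
#else
#error "ret stub not defined for this architecture"
#endif

enum exec_result { EXEC_BLOCKED = 0, EXEC_RAN = 1, EXEC_ERROR = -1 };

/* Map one page with the given protection, plant "ret" in it and call it in a child.
 * EXEC_RAN:     the child returned from the planted code and exited cleanly.
 * EXEC_BLOCKED: the child was killed by SIGSEGV/SIGBUS, i.e. NX refused to run data.
 * EXEC_ERROR:   mmap or fork failed (for instance a policy that forbids RWX pages). */
int try_execute_data(int prot)
{
    pid_t pid = fork();
    if (pid < 0) return EXEC_ERROR;

    if (pid == 0) {                                   /* child: the "exploited" process */
        size_t page = (size_t)sysconf(_SC_PAGESIZE);
        void *p = mmap(NULL, page, prot, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
        if (p == MAP_FAILED) _exit(2);
        memcpy(p, RET_STUB, sizeof RET_STUB);        /* "shellcode" lands in a data page */
        __builtin___clear_cache((char *)p, (char *)p + sizeof RET_STUB); /* ARM needs this */
        void (*planted)(void);
        memcpy(&planted, &p, sizeof planted);        /* data pointer -> code pointer */
        planted();                                   /* the NX/XD bit decides here */
        _exit(0);
    }

    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return EXEC_ERROR;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0) return EXEC_RAN;
    if (WIFSIGNALED(status) && (WTERMSIG(status) == SIGSEGV || WTERMSIG(status) == SIGBUS))
        return EXEC_BLOCKED;
    return EXEC_ERROR;
}

int main(void)
{
    static const char *names[] = { "blocked (SIGSEGV)", "ran", "error" };
    int rw  = try_execute_data(PROT_READ | PROT_WRITE);
    int rwx = try_execute_data(PROT_READ | PROT_WRITE | PROT_EXEC);
    printf("RW page:  code %s\n", names[rw  < 0 ? 2 : rw]);
    printf("RWX page: code %s\n", names[rwx < 0 ? 2 : rwx]);
    return 0;
}
```

The RWX case is the situation DEP was invented to remove; an exploit that cannot get such a page has to fall back on code that is already executable, which is where return-to-libc and ROP come in.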

KPP (Kernel Patch Protection)


What?


Protection of the kernel against modification appeared with the 64-bit editions of Windows in 2005 (Windows XP Professional x64 Edition and Windows Server 2003 SP1), which is why 32-bit versions lack it. Later, in 64-bit Windows 7, the mechanism was extended to cover the ACPI interface of modern processors, including the execution and sleep states of processors in a multiprocessor system. Kernel patching is done through internal system calls and undocumented features that replace code or pointers in critical structures of the Windows kernel.

Kernel patching targets the following kernel objects: the system service table, the global descriptor table, the interrupt descriptor table, kernel images (the kernel itself, HAL, NTFS, BOOTVID, TCPIP and others), kernel stacks, process lists, the set of MSRs, KdpStub, and so on.

Specifically, in Windows the technology for protecting the kernel from modification is called PatchGuard.

For example, without kernel protection a programmer could change a function pointer in the system call table, which is essentially an array of pointers to system service routines. Consequently, when a call enters the kernel and it follows that pointer, which in theory should point at a kernel function, the kernel with all its privileges jumps who knows where and executes the code that was slipped in, possibly malicious.

Kernel patching is used not only by malware but also by legitimate software. An antivirus, for example, could patch the kernel so that kernel calls pass through it. Now that this is forbidden, malware fighters have to look for workarounds. Yet even when it was allowed, patching the kernel was an extreme measure and a bad idea: it damaged three critical properties of the operating system at once, reliability, performance and security. Reliability suffered for the simple reason that foreign code, which could not possibly have been tested with the kernel, was being inserted. Since that code wedged itself into the path of kernel calls, performance did not benefit either. And modifying kernel code led to unpredictable consequences, which increased the risk of attack by malware.

In modern versions of Windows an attempt to patch the kernel produces a blue screen and a reboot (bug check 0x109, CRITICAL_STRUCTURE_CORRUPTION), since the system treats it as a fatal fault after which execution cannot continue.

How is it broken?


Meanwhile, KPP can still be defeated, but the attacker needs a rather high qualification in system programming, and in writing drivers in particular. To break KPP you need to write a driver that consistently and selectively applies attack techniques, such as intercepting or neutralising the PatchGuard check routines (for details see the Positive Technologies report: www.ptsecurity.com/press/Windows_81_Kernel_Patch_Protection_Analysis.pdf), and so completely disables the Kernel Patch Protection mechanisms. If successful, the attacker can freely modify kernel structures and code.

ASLR (Address space layout randomization)


What?


Address space layout randomization is used by modern operating systems to place critical data structures (the heap, the stack, executable images, libraries) at random, mutually independent positions. Using it greatly complicates writing malware and exploiting vulnerabilities, mainly because an attacker developing an exploit cannot tie the code to fixed addresses where the targeted structure will be: at the next boot of the "studied" system all objects will be somewhere else in the address space. ASLR is most developed in the recent Microsoft operating systems, Windows 8.0/8.1. ASLR is the last line that can stop malware which has got past DEP.

For ASLR to apply to a specific application, it must be built with the appropriate options (on Windows, the /DYNAMICBASE linker option).

How is it broken?


On 32-bit machines address space randomization can be fought quite successfully: since only about 16 bits at most are available for randomness, the needed address can be found by brute force. Hence the return-to-libc attack is feasible, where a buffer overflow replaces a function's return address on the stack with the address of another function already present in the process. On the x64 platform the attacker's situation is far harder, since there are many more bits to guess.


Memory Randomization Algorithm

SEHOP (Structured Exception Handler Overwrite Protection)


What?


SEHOP (Structured Exception Handler Overwrite Protection) in Windows is designed to counter exploits that attack the structured exception handling (SEH) mechanism.

SEH, in turn, provides structured exception handling, which lets applications take control on software and hardware faults: memory access violations, division by zero and other illegal operations. On receiving control the application can try to handle the exception itself without resorting to the operating system's services. So SEH not only lets you control error handling but also serves as a debugging aid. In C and C++ code built with the Microsoft compiler, SEH is used through the keywords __try, __except and __finally (instead of the C++ try/catch analogues); in addition, the /SAFESEH linker option records the legitimate handlers of a 32-bit image in a table, so that the system only dispatches to handlers listed there.

How is it broken?


The following attack scenario involving SEH is common. Using, say, a buffer overflow, the attacker injects malicious code and, to transfer control to it, overwrites pointers to SEH handlers. These are overwhelmingly stored in SEH frames on the stack (each frame holds a pointer to the next frame and a pointer to the handler), which the same buffer overflow can overwrite. Such attacks go by the laconic name SEH overwrite.

SEHOP protects only 32-bit applications: in 64-bit code the exception handlers are not chained on the stack but described in a table inside the executable image, so an SEH overwrite attack is not possible there. By default SEHOP is enabled only in server editions, because on client versions of Windows it could break old software that knows nothing about it.

SEHOP works by walking the chain of handler records before an exception is dispatched and verifying that the chain is intact and ends at a known final handler in ntdll; an overflow that clobbers a record's next pointer breaks the chain, and the overwritten handler is never called. Bypassing SEHOP therefore resembles bypassing ASLR: the attack is still a buffer overflow that rewrites addresses, but the attacker must forge a fake chain whose last link looks like the real final record, which requires knowing addresses inside the process, i.e. defeating ASLR first.
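The check and its bypass are easier to see in code. The following is an added example written for this article, not Windows code or the author's: a user-mode model of the SEHOP chain walk over a simulated stack. The record layout follows the 32-bit EXCEPTION_REGISTRATION_RECORD (a next pointer and a handler pointer, the chain terminated by a next of all ones); the validation rules are a simplification of what ntdll does, and the three stand-in handler functions, the buffer layout and the "stack" array are assumptions made for the demo.

```c
/* Added example, not from the original article: a model of the SEHOP chain check
 * applied to a clean chain, a classic SEH overwrite and the forged-chain bypass.
 * Record layout mirrors the 32-bit EXCEPTION_REGISTRATION_RECORD; the rest is a
 * simplified model (simulated stack, stand-in handlers). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef void (*seh_handler_t)(void);

struct seh_record {
    struct seh_record *next;      /* "prev" in Windows naming: the next outer frame */
    seh_handler_t      handler;
};

#define SEH_CHAIN_END ((struct seh_record *)(uintptr_t)-1)   /* 0xFFFFFFFF terminator */

/* Stand-in handlers: the application's own, ntdll's final one, the attacker's. */
static void app_handler(void)             {}
static void final_exception_handler(void) {}
static void attacker_handler(void)        {}

struct stack_bounds { uintptr_t lo, hi; };

static int on_stack(const struct stack_bounds *b, const void *p, size_t len)
{
    uintptr_t a = (uintptr_t)p;
    return a >= b->lo && a <= b->hi && len <= b->hi - a;
}

/* SEHOP-style validation. Accepts the chain only if every record is pointer-aligned
 * and inside the thread's stack, the walk terminates, and the last record's handler
 * is the known final handler. A handler overwritten with attacker bytes fails here
 * before it is ever called. */
int sehop_chain_is_valid(const struct seh_record *head, const struct stack_bounds *b,
                         seh_handler_t final_handler)
{
    const struct seh_record *cur = head;
    for (int hops = 0; hops < 4096 && cur != SEH_CHAIN_END; hops++) {
        if ((uintptr_t)cur % sizeof(void *) != 0) return 0;   /* misaligned: garbage pointer */
        if (!on_stack(b, cur, sizeof *cur))       return 0;   /* record not on the stack */
        if (cur->next == SEH_CHAIN_END)
            return cur->handler == final_handler;             /* must end at ntdll's handler */
        cur = cur->next;
    }
    return 0;   /* empty chain or a loop: refuse to dispatch */
}

struct sehop_demo_results { int legit, overwritten, forged; };

/* Lay out a simulated stack with a local buffer below two SEH frames, then run the
 * check on the clean chain, after a classic SEH overwrite, and after the bypass. */
struct sehop_demo_results sehop_demo(void)
{
    static uintptr_t words[32];                       /* simulated, pointer-aligned thread stack */
    char *stack = (char *)words;
    struct stack_bounds b = { (uintptr_t)stack, (uintptr_t)stack + sizeof words };
    char *buf = stack + 8 * sizeof(uintptr_t);        /* vulnerable local buffer */
    struct seh_record *app   = (struct seh_record *)(stack + 16 * sizeof(uintptr_t));
    struct seh_record *final = (struct seh_record *)(stack + 28 * sizeof(uintptr_t));
    struct sehop_demo_results r;

    final->next = SEH_CHAIN_END; final->handler = final_exception_handler;
    app->next   = final;         app->handler   = app_handler;
    r.legit = sehop_chain_is_valid(app, &b, final_exception_handler);

    /* Classic SEH overwrite: the overflow runs from buf up through both of app's fields,
     * so next and handler both become 0x4141... and the walk rejects the chain. */
    memset(buf, 'A', (size_t)(((char *)app + sizeof *app) - buf));
    r.overwritten = sehop_chain_is_valid(app, &b, final_exception_handler);

    /* Bypass: the attacker plants a fake terminating record inside the overflowed
     * buffer, points app->next at it and keeps app->handler for their own code.
     * This only works if the final handler's address is known (an ASLR leak) and
     * the fake record is pointer-aligned, which is why SEHOP leans on ASLR. */
    struct seh_record *fake_end = (struct seh_record *)buf;
    fake_end->next = SEH_CHAIN_END; fake_end->handler = final_exception_handler;
    app->next = fake_end;           app->handler      = attacker_handler;
    r.forged = sehop_chain_is_valid(app, &b, final_exception_handler);
    return r;
}

int main(void)
{
    struct sehop_demo_results r = sehop_demo();
    printf("clean chain: %s\n", r.legit ? "accepted" : "rejected");
    printf("after SEH overwrite: %s\n", r.overwritten ? "accepted" : "rejected");
    printf("forged chain (final handler address known): %s\n", r.forged ? "accepted" : "rejected");
    return 0;
}
```

The third case is the one that matters in practice: SEHOP has nothing to say about a chain that looks well formed, so its strength is only as good as the attacker's inability to learn where the final handler lives.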


SEH

EMET (Enhanced Mitigation Experience Toolkit)


What?


EMET is a Microsoft utility that makes exploiting software vulnerabilities harder through risk mitigation techniques. These do not give one hundred percent protection, but they make the virus writer's job as hard as possible. Although incompatibilities between EMET and protected software occasionally occur, in most cases EMET can protect any software from any vendor. EMET requires .NET Framework 4.0.

EMET can protect the whole system or specific applications. As its defence mechanisms it uses the technologies described above (DEP, ASLR, SEHOP). For example, EMET guards against the following: ROP, a DEP bypass that executes existing code fragments of the program by chaining their addresses on the stack; SEH overwrite (discussed above, we will not repeat it); stack pivoting, which moves the stack pointer register ESP to an address of the malware's choosing; and heap spraying, allocating many copies of the payload in memory in the hope that at least one of the copies lands where a corrupted pointer will point.

Right after installation EMET starts protecting Internet Explorer, Office, the Java VM and Adobe Acrobat. Additional applications can and should be added to this list, first of all those reachable remotely: various data and messaging applications, browsers and so on.

However, EMET does not replace antivirus software or a HIPS, and it is not a panacea against exploits.

How is it broken?


Since EMET is only a configurator for the security technologies described above, cracking it as such makes little sense. What attackers do target is its in-process component, the EMET library injected into every protected program: published research has shown that an exploit running inside such a process can locate that library and switch its hooks off before doing anything EMET would have caught.


EMET

CSRSS


What?


Client/Server Runtime Subsystem (csrss.exe) is the user-mode part of the Win32 subsystem, present in every Windows NT system, Windows 2000 included. Since many components of the Win32 subsystem were moved into kernel mode (win32k.sys, starting with NT 4.0), what remains in CSRSS is the bookkeeping the subsystem still does from user mode, including console windows (until Windows 7 handed them to conhost.exe), and it runs as a user-mode system process. It is in fact a critical component of the operating system: forcibly terminating it brings the whole system down.

WIM (Windows Integrity Mechanism)


What?


Integrity is a key component of Windows security. It limits what a user and/or application can do based on their list of rights. In Vista this mechanism was extended with an integrity level: the trust level of a running process and of the objects belonging to it, for example the files or threads it creates.

The integrity mechanism lets resource managers, such as file systems, apply a predefined security policy so that processes with a lower integrity level cannot write to objects created by a process with a higher level, and, if the object's label says so, cannot read or execute them either. The integrity mechanism let Windows raise its security, because before it rights could not be defined so flexibly through access control lists (they were limited to granting rights to users and groups).

Security in Windows is mainly enforced by granting users specific rights to read, write and execute (the same rights pass on to what the user starts, such as applications). Each user, each group and each logon session is identified by a SID (Security Identifier), created together with the account; the user's access token lists the user's SID, the SIDs of the groups they belong to, and their privileges. Every securable object carries a security descriptor with its owner and an access control list (ACL) of permissions granted or denied to particular SIDs. When a user accesses an object, the security reference monitor compares the object's ACL with the SIDs in the user's access token. In modern versions of Windows the integrity level joins the game too: the object's level is stored as a mandatory label entry in the system ACL of its security descriptor, and the subject's level is stored in its access token. On an access attempt, in addition to the discretionary check, the reference monitor (the AccessCheck routine) compares the two levels. If the subject's level is at least that of the object, or the requested access is not one the object's mandatory policy forbids for lower levels (by default only writing is forbidden: "no write up"), the ACL decides; otherwise access is denied regardless of what the ACL says.
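Here is the mandatory part of that decision written out as an added example (not code from the article or from Windows itself). The integrity RIDs and the three mandatory-policy bits are the real Windows values; the mapping of access-mask bits to "read", "write" and "execute" is a simplified assumption (Windows derives it per object type through a GENERIC_MAPPING), and the discretionary ACL check is left out.

```c
/* Added example, not from the original article: the mandatory-integrity decision the
 * reference monitor makes alongside the DACL check. Integrity RIDs and policy bits are
 * the Windows values; the right-to-category mapping below is a simplified assumption. */
#include <stdint.h>
#include <stdio.h>

/* Integrity levels: the RID of the mandatory label SID (S-1-16-<rid>). */
enum integrity_level {
    IL_UNTRUSTED = 0x0000, IL_LOW = 0x1000, IL_MEDIUM = 0x2000,
    IL_HIGH = 0x3000, IL_SYSTEM = 0x4000
};

/* Policy bits carried in an object's SYSTEM_MANDATORY_LABEL_ACE. */
#define MIC_NO_WRITE_UP    0x1u
#define MIC_NO_READ_UP     0x2u
#define MIC_NO_EXECUTE_UP  0x4u

/* Access rights (subset of the real Windows access-mask bits). */
#define DELETE             0x00010000u
#define READ_CONTROL       0x00020000u
#define WRITE_DAC          0x00040000u
#define WRITE_OWNER        0x00080000u
#define GENERIC_READ       0x80000000u
#define GENERIC_WRITE      0x40000000u
#define GENERIC_EXECUTE    0x20000000u
#define FILE_READ_DATA     0x0001u
#define FILE_WRITE_DATA    0x0002u
#define FILE_APPEND_DATA   0x0004u
#define FILE_EXECUTE       0x0020u

/* Simplified category mapping (assumption; Windows uses a per-type GENERIC_MAPPING). */
#define MIC_WRITE_RIGHTS (GENERIC_WRITE | FILE_WRITE_DATA | FILE_APPEND_DATA | DELETE | WRITE_DAC | WRITE_OWNER)
#define MIC_READ_RIGHTS  (GENERIC_READ | FILE_READ_DATA | READ_CONTROL)
#define MIC_EXEC_RIGHTS  (GENERIC_EXECUTE | FILE_EXECUTE)

/* Label a new object gets: a creator below Medium stamps its own level on it; anything
 * created at Medium or above carries no explicit label, which the system reads as Medium. */
uint32_t mic_label_for_new_object(uint32_t creator_il)
{
    return creator_il < IL_MEDIUM ? creator_il : IL_MEDIUM;
}

/* Mandatory check. Returns 1 if MIC lets the request through to the DACL check,
 * 0 if the object's label forbids it for a lower-integrity subject. A subject at or
 * above the object's level is never restricted by MIC; only the DACL applies to it. */
int mic_permits(uint32_t subject_il, uint32_t object_il, uint32_t policy, uint32_t desired)
{
    if (subject_il >= object_il) return 1;
    if ((policy & MIC_NO_WRITE_UP)   && (desired & MIC_WRITE_RIGHTS)) return 0;
    if ((policy & MIC_NO_READ_UP)    && (desired & MIC_READ_RIGHTS))  return 0;
    if ((policy & MIC_NO_EXECUTE_UP) && (desired & MIC_EXEC_RIGHTS))  return 0;
    return 1;
}

/* Files default to no-write-up only: a Low process may read a Medium file but not change it. */
int mic_permits_file(uint32_t subject_il, uint32_t file_il, uint32_t desired)
{
    return mic_permits(subject_il, file_il, MIC_NO_WRITE_UP, desired);
}

/* Process objects are stricter (no-read-up as well), so a Low process cannot open a
 * Medium process to read its memory, which is what keeps a sandbox escape from being
 * a one-liner. */
int mic_permits_process(uint32_t subject_il, uint32_t target_il, uint32_t desired)
{
    return mic_permits(subject_il, target_il, MIC_NO_WRITE_UP | MIC_NO_READ_UP, desired);
}

int main(void)
{
    uint32_t temp_file = mic_label_for_new_object(IL_LOW);     /* created by the sandboxed process */
    printf("Low -> write user's Medium document: %d\n", mic_permits_file(IL_LOW, IL_MEDIUM, FILE_WRITE_DATA));
    printf("Low -> read  user's Medium document: %d\n", mic_permits_file(IL_LOW, IL_MEDIUM, FILE_READ_DATA));
    printf("Low -> write its own Low temp file:  %d\n", mic_permits_file(IL_LOW, temp_file, FILE_WRITE_DATA));
    printf("Low -> read  a Medium process:       %d\n", mic_permits_process(IL_LOW, IL_MEDIUM, GENERIC_READ));
    return 0;
}
```

Note that a 1 here only means "MIC has no objection"; the discretionary ACL still has to grant the right, which is why the level is best thought of as a filter placed in front of the ordinary permission check rather than a replacement for it.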

How is it broken?


The Windows Integrity Mechanism is a complex of security components, so it gets broken not "as a whole" but piece by piece. Divide and rule!

AppContainer


What?


Starting with Windows 8, AppContainer is the sandbox in which Windows Store apps run. When developing the application the programmer declares which operating system capabilities it needs, and once it is deployed on the user's device it is limited to exactly those declared rights. The sandbox also limits the application's use of system resources, so even if it is compromised the attacker gets very limited interaction with the system: no reading, writing or executing outside the compromised application's own directories. Restrictions also apply to interaction between processes. Who would have guessed, it is a sandbox! In general, a Windows Store app running in an AppContainer is sandboxed much like mobile operating system apps or browser tabs. Each sandbox is assigned a certain level of trust (an integrity level; see the previous section for details).

How is it broken?


By default an AppContainer runs at the Low integrity level, which means it can do very little. However, a classic (desktop) application running with higher rights can help code escape the AppContainer sandbox. If a Windows Store app is associated with a classic application, the former can obtain escalated privileges: the classic application creates a global named object which one or more Windows Store apps with a lower trust level can then use. That named object can be, for example, a mutex shared between all processes of the current user.


AppContainer interaction with the operating system

EFS (Encrypting File System)


What?


The Encrypting File System has shipped as a component of the operating system since Windows 2000, which introduced NTFS 3.0, of which EFS is a part. EFS encrypts nothing by default; the user enables it for individual files and folders, or for everything on a volume by marking its root folder. All of this is meant to protect information from attackers who have physical access to the computer. With the spread of powerful mobile platforms the need for encrypting everything has only grown (Captain Obvious explains that a smartphone or tablet falls into the wrong hands far more easily than a PC or a laptop).

Although Windows keeps an unauthorised user from logging in by asking for a password, an attacker with physical access to the computer can simply remove the hard disk, attach it to another system and read the data. EFS protects information against this attack. The user's password protects the key material in this scheme (it unlocks the DPAPI master key that guards the EFS private key), so the stronger the password, the stronger the protection.

How is it broken?


There are two kinds of threat here. The first comes from the fact that the original plaintext is not securely wiped after encryption: EFS works on a temporary copy and then deletes the plaintext without overwriting its sectors, so an attacker with a disk editor working at the physical level can recover the unencrypted data. The second concerns keys. On first use of EFS a certificate is created for the user; it carries the user's public key, and the matching private key is stored in the user's profile. Each file is encrypted with its own random File Encryption Key (FEK), which is wrapped with the user's public key and stored in the file's Data Decryption Field (DDF). In addition to user certificates there is the recovery agent certificate (in Windows 2000, and in Active Directory domains, one is created by default for the Administrator account); its public key also wraps the FEK, and the result is stored in the Data Recovery Field (DRF). Since by default the recovery agent is the Administrator, whoever can log in with that account and holds its private key can decrypt any user's files.

CCMP


What?


Counter Mode with CBC-MAC Protocol is a block-cipher encryption protocol with a message authentication code, combining counter mode with cipher block chaining, and it is part of the 802.11i standard. It is the encryption protocol of Wi-Fi under WPA2. For encryption it uses the AES (Advanced Encryption Standard) algorithm as specified in FIPS-197, with a 128-bit block and a 128-bit key, and the same key provides both confidentiality and message integrity.

CCMP is based on the AES CCM mode, unlike the obsolete TKIP, which is built on RC4. CCM uses counter (CTR) mode for confidentiality, while CBC-MAC provides authentication and data integrity.

How is it broken?


For six years it was considered unbreakable, but in 2010 information about the "Hole 196" vulnerability in WPA2 was published. If an attacker manages to authenticate to the network, they can use it against other users with neither key cracking nor brute force: the group temporal key used for broadcast traffic is shared by every client, so an insider can forge group-addressed frames and set up a man-in-the-middle against other clients. It is an insider attack on the key distribution, not a break of CCMP itself.

Conclusion


Any information security specialist has to work with security documents all the time, and every one of them is full of abbreviations. Today we reviewed eleven of the most common ones and found out what lies behind them.



First published in Hacker Magazine # 197.
Posted by: Yuri "yurembo" Yazev


Source: https://habr.com/ru/post/260877/

