We are talking about the same Windows 10 Insider Preview Build 14316 that we mentioned several times in previous posts on the Ubuntu Linux subsystem. In this build the changes did not bypass the kernel either. Microsoft added a new kernel object type called RegistryTransaction, together with a corresponding set of API functions for working with it: NtCreateRegistryTransaction, NtOpenRegistryTransaction, NtCommitRegistryTransaction and NtRollbackRegistryTransaction. As is not hard to guess from the names, these provide atomic (transactional) operations on registry data: a group of changes is either committed as a whole or rolled back as a whole.

Another improvement is the appearance of a long-awaited feature, Win32k syscall filtering, at the Windows kernel level. Since the build is still a preview, little is known about it yet. Its main purpose is to close off the sandbox of the corresponding applications, such as web browsers, more completely and to remove the possibility of exploiting LPE vulnerabilities in win32k.sys from inside them. Today such vulnerabilities are the main way for an exploit that has entered a system through a web browser to obtain the highest privileges (SYSTEM).

Fig. The general scheme of Win32k syscall filtering, shown for the AppContainer-sandboxed Edge web browser; the filter can completely close the AppContainer off from outside influence.
It is worth noting that last year the authors of the Google Chrome web browser added a function to it that protects sandboxed processes (renderer processes, in Google's terminology) from the harmful effects of win32k.sys. Since Chrome delegates all work with graphics and windows to the main (browser) process, the sandboxed child processes are completely freed from the need to perform GUI operations such as drawing windows and other interface elements, so win32k.sys can be made unreachable for them. Initially this had to be turned on with the browser's command-line switch --enable-win32k-renderer-lockdown.
Completely disabling win32k.sys is an adequate security measure only for a web browser like Chrome, which has a clearly defined division of functions between the parent and renderer processes (the GUI functions do not overlap with the sandboxed ones). Microsoft offers a more flexible way: the Win32k syscall filtering function (PsAttributeWin32kFilter) will allow selectively filtering out those functions that a process, for example Edge, does not need, and leaving only the most necessary ones.
The Win32k syscall filtering feature seamlessly complements another Windows 10 security feature that Microsoft added earlier to protect against LPE exploits: Block Untrusted Fonts, which also appeared in EMET (see kernel32!SetProcessMitigationPolicy with the ProcessFontDisablePolicy argument).

Fig. EMET allows you to forcibly enable the Block Untrusted Fonts feature for a selected process, thereby closing another attack surface used by LPE exploits: specially crafted font files that trigger win32k.sys vulnerabilities.
Microsoft is known for its attentive approach to the exploit-mitigation features integrated into Windows. DEP, SEHOP, ASLR, IE11 EPM (Enhanced Protected Mode), 64-bit IE11 tabs and HEASLR (High Entropy ASLR) appeared there one after another, and the free EMET tool made it possible to force these settings on for individual processes. At the same time, it was only with Windows 10 that Microsoft began taking the steps described above to close the vulnerabilities used by LPE exploits.
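To make the two mitigations discussed above concrete, here is an added example (ours, not Microsoft's, Chrome's or EMET's code) of how a broker process launches a sandboxed child with win32k.sys system calls disabled and untrusted fonts blocked, and then checks that the kernel really applied both before letting the child run. It uses the documented Windows 8+/Windows 10 process-creation mitigation attribute (the "disable win32k completely" approach used by Chrome's renderer lockdown), not the new selective filtering (PsAttributeWin32kFilter), whose interface was not public for the build discussed. Assumptions: the bit positions are those of PROCESS_CREATION_MITIGATION_POLICY_WIN32K_SYSTEM_CALL_DISABLE_ALWAYS_ON and PROCESS_CREATION_MITIGATION_POLICY_FONT_DISABLE_ALWAYS_ON in winnt.h; ProcessFontDisablePolicy needs a Windows 10 SDK; the child image name sandboxed_worker.exe is hypothetical and must be a program that, like a Chrome renderer, never needs win32k services. The Windows API calls are compiled only on Windows; elsewhere only the policy word is built.

```c
#include <stdint.h>
#include <stdio.h>
#ifdef _WIN32
#define _WIN32_WINNT 0x0A00      /* Windows 10 SDK: needed for ProcessFontDisablePolicy */
#include <windows.h>
#endif

/* Bits of the 64-bit PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY value (assumed from winnt.h),
 * spelled out so the word can be built and checked without the Windows headers. */
#define MITIG_WIN32K_SYSCALL_DISABLE_ALWAYS_ON (1ULL << 28)
#define MITIG_FONT_DISABLE_ALWAYS_ON           (1ULL << 48)

/* Compose the mitigation word for a sandboxed child: win32k lockdown, untrusted-font block, or both. */
uint64_t build_mitigation_policy(int disable_win32k, int block_untrusted_fonts)
{
    uint64_t policy = 0;
    if (disable_win32k)        policy |= MITIG_WIN32K_SYSCALL_DISABLE_ALWAYS_ON;
    if (block_untrusted_fonts) policy |= MITIG_FONT_DISABLE_ALWAYS_ON;
    return policy;
}

/* Decode the word again so the broker can state exactly what it is requesting. */
int policy_disables_win32k(uint64_t policy) { return (policy & MITIG_WIN32K_SYSCALL_DISABLE_ALWAYS_ON) != 0; }
int policy_blocks_untrusted_fonts(uint64_t policy) { return (policy & MITIG_FONT_DISABLE_ALWAYS_ON) != 0; }

#ifdef _WIN32
/* Ask the kernel what it actually applied to the child (needs PROCESS_QUERY_INFORMATION). */
static int child_policies_applied(HANDLE hProcess, int want_win32k, int want_fonts)
{
    PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY sc;
    PROCESS_MITIGATION_FONT_DISABLE_POLICY fd;
    ZeroMemory(&sc, sizeof sc);
    ZeroMemory(&fd, sizeof fd);
    if (!GetProcessMitigationPolicy(hProcess, ProcessSystemCallDisablePolicy, &sc, sizeof sc)) return 0;
    if (!GetProcessMitigationPolicy(hProcess, ProcessFontDisablePolicy, &fd, sizeof fd)) return 0;
    return (!want_win32k || sc.DisallowWin32kSystemCalls) && (!want_fonts || fd.DisableNonSystemFonts);
}

/* Start cmdline suspended with the policy attached, verify it, then resume it.
 * Returns 1 on success; if the kernel did not honour the request the child is killed, not resumed. */
int launch_locked_down(wchar_t *cmdline, uint64_t policy)
{
    STARTUPINFOEXW si;
    PROCESS_INFORMATION pi;
    SIZE_T size = 0;
    int initialized = 0, ok = 0;

    ZeroMemory(&si, sizeof si);
    ZeroMemory(&pi, sizeof pi);
    si.StartupInfo.cb = sizeof si;

    InitializeProcThreadAttributeList(NULL, 1, 0, &size);      /* size query; FALSE is expected here */
    si.lpAttributeList = (LPPROC_THREAD_ATTRIBUTE_LIST)HeapAlloc(GetProcessHeap(), 0, size);
    if (!si.lpAttributeList) return 0;
    if (!InitializeProcThreadAttributeList(si.lpAttributeList, 1, 0, &size)) goto cleanup;
    initialized = 1;
    if (!UpdateProcThreadAttribute(si.lpAttributeList, 0, PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY,
                                   &policy, sizeof policy, NULL, NULL)) goto cleanup;
    if (!CreateProcessW(NULL, cmdline, NULL, NULL, FALSE, EXTENDED_STARTUPINFO_PRESENT | CREATE_SUSPENDED,
                        NULL, NULL, &si.StartupInfo, &pi)) goto cleanup;

    if (child_policies_applied(pi.hProcess, policy_disables_win32k(policy), policy_blocks_untrusted_fonts(policy))) {
        ResumeThread(pi.hThread);
        ok = 1;
    } else {
        TerminateProcess(pi.hProcess, 1);   /* never run a child with weaker mitigations than requested */
    }
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
cleanup:
    if (initialized) DeleteProcThreadAttributeList(si.lpAttributeList);
    HeapFree(GetProcessHeap(), 0, si.lpAttributeList);
    return ok;
}
#endif

int main(void)
{
    uint64_t policy = build_mitigation_policy(1, 1);
#ifdef _WIN32
    wchar_t cmd[] = L"sandboxed_worker.exe";    /* hypothetical GUI-free child, like a Chrome renderer */
    printf("%s\n", launch_locked_down(cmd, policy) ? "child running with both mitigations" : "launch refused");
#else
    printf("mitigation word: 0x%016llx\n", (unsigned long long)policy);
#endif
    return 0;
}
```

Starting the child suspended and querying GetProcessMitigationPolicy before ResumeThread is the check worth keeping: a typo in the attribute, an old SDK, or an OS that predates a policy all fail silently at creation time otherwise. The same two policies are what EMET forced from the outside for a chosen executable, and what Chrome requests for its renderers; a child that still touches user32/gdi32 will not survive the win32k part, which is exactly why the text notes that Edge needs selective filtering rather than a full disable.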
Earlier we also wrote about the Edge web browser in Windows 10, in which Microsoft abandoned all the obsolete technologies, such as COM or ActiveX, that were used to inject malware into the browser (the same will happen to Flash Player). It also closed other possible places for injecting malicious code into the running process at run time, and it uses AppContainer and 64-bit tabs by default. Using the Win32k syscall filtering feature will make this web browser even more secure.