Alex Ionescu, a well-known Windows internals guru, has revealed new features of the Windows 10 kernel that appeared in the new Windows 10 Insider Preview build 14332. Earlier in our blog we have repeatedly mentioned the Insider Preview versions of Windows 10, which software and driver developers use for testing. The updates that appear in them are then released to all Windows 10 users as one big update of the OS.

This time we are talking about ASLR in kernel mode (Kernel ASLR, KASLR), which is far less well known than its counterpart for the Ring3 components of Windows. Before Windows 10 build 14332, Windows had only a partial implementation of KASLR, covering only system images (drivers), and only since Windows Vista SP1. Now, on every reboot, Windows will change the virtual addresses not only of the drivers but of practically all OS structures and components that live in the system (kernel) virtual address space.

The main goal pursued by Windows (like Apple's OS X and iOS and Google's Android) in implementing ASLR is to move important data structures and system images in the system part of the virtual address space to new addresses on each reboot. In addition, the kernel data structures that Windows in one form or another hands to Ring3 must not contain direct or indirect pointers to kernel objects; this is also a requirement for a proper ASLR implementation.

According to Ionescu, something previously unheard of happens in the Windows Virtual Memory Manager: the addresses at which the page directory and the page tables are mapped become dynamic. Local Privilege Escalation (LPE) exploits that relied on fixed addresses in the system virtual address space will no longer work correctly. The only exceptions are the memory regions used by the HAL and the still-valid pointers in PEB.GdiSharedHandleTable. This loophole can still be used to partially bypass KASLR in exploits.
Starting from Windows 10 build 14332, Windows is able to change the virtual base addresses of such critical virtual memory manager data structures as the page directory (PDE), the page tables (PTE), the system PTE region, hyperspace, the PFN database, and so on. The layout of the Windows kernel virtual address space has always assumed fixed base addresses for the page tables and the structures listed above: those addresses were fixed at kernel compilation time and differed only between 32-bit and 64-bit address spaces and depending on whether PAE addressing was used.
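To make the point about the page-table bases concrete, here is an added illustration that is not part of the original post or of Ionescu's material: on x64 the four-level paging hierarchy maps itself through a single PML4 slot (the self-map index), and every paging-structure base address is derived from that one index. Before build 14332 the index was the compile-time constant 0x1ED, as documented in Windows Internals; the alternative index 0x1A3 used below is constructed only to show that moving the index moves all derived bases at once.

```c
#include <stdint.h>
#include <stdio.h>
/* Added example, not from the post. On x64 Windows the paging hierarchy maps
 * itself through one PML4 ("PXE") slot, the self-map index; before build
 * 14332 it was the compile-time constant 0x1ED (documented in Windows
 * Internals). Every paging-structure base follows from that single index. */
#define LEGACY_SELF_MAP_INDEX 0x1EDu

typedef struct {
    uint64_t pte_base;  /* page table entries (one per 4 KiB page)   */
    uint64_t pde_base;  /* page directory entries                    */
    uint64_t ppe_base;  /* page directory pointer entries            */
    uint64_t pxe_base;  /* PML4 entries, i.e. the self-mapped PML4   */
} paging_bases_t;

/* Canonical-form sign extension from bit 47 upward. */
static uint64_t canonical(uint64_t va)
{
    return (uint64_t)(((int64_t)(va << 16)) >> 16);
}

/* Each level's base is the previous one plus the self-map index placed at
 * that level's bit position in the virtual address. */
paging_bases_t paging_bases(unsigned self_map_index)
{
    uint64_t idx = self_map_index & 0x1FF;  /* PML4 indices are 9 bits */
    paging_bases_t b;
    b.pte_base = canonical(idx << 39);
    b.pde_base = b.pte_base + (idx << 30);
    b.ppe_base = b.pde_base + (idx << 21);
    b.pxe_base = b.ppe_base + (idx << 12);
    return b;
}

/* Address of the PTE mapping 'va': VA bits 47:12 pick an 8-byte entry. */
uint64_t pte_address(uint64_t va, unsigned self_map_index)
{
    return paging_bases(self_map_index).pte_base
         + (((va >> 12) & 0xFFFFFFFFFULL) << 3);
}

int main(void)
{
    paging_bases_t legacy = paging_bases(LEGACY_SELF_MAP_INDEX);
    paging_bases_t moved  = paging_bases(0x1A3);  /* constructed alternative */
    printf("fixed index: PTE base %#llx, PXE base %#llx\n",
           (unsigned long long)legacy.pte_base, (unsigned long long)legacy.pxe_base);
    printf("other index: PTE base %#llx, PXE base %#llx\n",
           (unsigned long long)moved.pte_base, (unsigned long long)moved.pxe_base);
    return 0;
}
```

With the index fixed, the PTE of any address is a pure function of that address, which is exactly what fixed-address LPE exploits relied on; once the index is chosen at boot, none of the four bases can be computed without first learning it.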
Microsoft's new measure will significantly increase the resistance of Windows to LPE exploits that depend on fixed virtual addresses in the kernel's virtual address space. Earlier we wrote about another measure Microsoft added against LPE exploits, which allows applications to filter their access to Win32k system services (Win32k syscall filtering), often used by exploits when triggering vulnerabilities in win32k.sys. Both of these features will be available to Windows 10 users in the new large OS update.