DIVIDE ET IMPERA: MEMORY RANGER RUNS DRIVERS IN ISOLATED KERNEL SPACES · 2019-01-02 · WHOAMI...
Transcript of DIVIDE ET IMPERA: MEMORY RANGER RUNS DRIVERS IN ISOLATED KERNEL SPACES · 2019-01-02 · WHOAMI...
WHOAMI
MEPhI Alumni, PhD in Cyber Security, published 23 papers
Area of interest is Windows Kernel security:
Memory Forensics
Rootkits Detection
Bare-Metal Hypervisors
Fan of academic cross-disciplinary research - igorkorkin.blogspot.com
Love traveling and powerlifting - igor.korkin
AGENDA
Attacking the kernel-mode memory
Existing protection: Windows built-in security and research projects
MemoryRanger hypervisor: idea, details, demos
ATTACKS ON KERNEL MODE MEMORY
allocate
read / write
Windows
OS kernel
Kernel-mode
drivers
Allocated
Memory DataAllocated
Memory DataAllocated
Memory Data
OS structuresOS structuresOS structures
ATTACKS ON KERNEL MODE MEMORY
allocate
read / write
Malware
Windows
OS kernel
Kernel-mode
drivers
privilege escalation
reverse engineering stealing users data
damaging sensor reading
Allocated
Memory DataAllocated
Memory DataAllocated
Memory Data
OS structuresOS structuresOS structures
TWO HOUSES WITH PRIVATE ART COLLECTIONS
Stars by
Wassily KandinskyGirl with Balloon
by Banksy
Hi all! I am a hacker-attacker!
I will inspect these houses to
steal and damage painting!
Allocator
OS Kernel Structures
OS Kernel Code
Allocator cmd
Driver
Driver
Driver
Allocated Data
Allocated Data
Attacker
DEMO: THE ATTACK
DEMO: THE ATTACK
The online version is here –
https://www.youtube.com/embed/HNxc-tjy3QA?vq=hd1080
TWO HOUSES WITH PRIVATE ART COLLECTIONS
Stars by
Wassily KandinskyGirl with Balloon
by Banksy
Yo Ho Ho!
The both collections
are mine!
1 1 1 1 2222
THE ATTACK HAS NOT BEEN PREVENTED
Allocator
OS Kernel Structures
OS Kernel Code
Allocator cmd
Driver
Driver
Driver
Allocated Data
Allocated Data
Attacker
BACKGROUND ANALYSIS
Memory
protection
projects
Malware attacks on
Code of OS &
third-party drivers
OS data:
internal structures
Data of third-
party drivers
Read Write Read Write Read Write
Windows
Security-
BSOD 0xBE by
Device Guard-
BSOD 0x109 by
PatchGuard- -
PrivGuard - - - + - -
LAKEED + + + + - -
LKMG - + + + + +
rR^X + + - - - -
AllMemPro - - + + + +
Memory
Ranger+ + + + + +
IDEA OF DRIVERS EXECUTION ISOLATION
Driver A
The same kernel memory space
Data A
Driver B Data B
Now all drivers share the same memory space
IDEA OF DRIVERS EXECUTION ISOLATION
Driver A
The same kernel memory space
Let s execute these two drivers into separate memory enclosures
Data A
Driver B Data B
Driver A
Memory enclave only for Driver A
Data A
Memory enclave only
for Driver B
Driver B Data B
Now all drivers share the same memory space
PROCESSING MEMORY ACCESS: EPT FEATURE
Host Physical Address H
Guest OS
Hypervisor
VT-x without EPT
= G
Guest Physical Address
Paging
structures
V
G
Guest Virtual Address
Host
Memory
PROCESSING MEMORY ACCESS: EPT FEATURE
Host Physical Address H
Guest OS
Hypervisor
EPT Paging structures
VT-x without EPT
=
EEPT Physical Address
Host Physical Address
VT-x with EPT
G
=EPT( )G
E
Guest Physical Address
Paging
structures
V
G
Guest Virtual Address
Guest Physical Address
Paging
structures
V
G
Guest Virtual Address
H =Host
Memory
INSIDE EPT PAGING STRUCTURES. EPT PFN
Host Memory
Protected Page
EPT Paging structures
EPT Page Table Entries
Memory
Access Bits
EPT TablesGuest
Physical
Address
Page Frame
Number
Memory
Access Bits
Page Frame
Number
INSIDE EPT PAGING STRUCTURES. EPT PFN
Host Memory
Protected Page
EPT Paging structures
EPT Page Table Entries
Memory
Access Bits
EPT TablesGuest
Physical
Address
Page Frame
Number
Memory
Access Bits
Page Frame
Number
Fake Page
Host Memory
Page
INSIDE EPT PAGING STRUCTURES. EPT BITS
Hypervisor traps all
these access attempts
Memory Access Bits:
• exec = true
• read = true
• write = true
read/write access
execute access
Host Memory
Page
Memory Access Bits:
• exec = false
• read = false
• write = false
Memory Page
Hypervisor does not care
Memory Pageread/write access
execute access
INSIDE EPT PAGING STRUCTURES
EPT structures #1 EPT structures #2 EPT structures #3
EPT Pointer
Other fields
VMCS for hypervisor
APPLYING EPT FOR DRIVERS ISOLATIONCurrent Situation
OS Kernel Code
exe=truerw=true
OS Kernel Structuresexe=truerw=true
Other Drivers
exe=truerw=true
Other Dataexe=truerw=true
APPLYING EPT FOR DRIVERS ISOLATIONCurrent Situation
OS Kernel Code
exe=truerw=true
Driver Aexe=truerw=true
OS Kernel Structuresexe=truerw=true
Allocated data A
exe=truerw=true
Other Drivers
exe=truerw=true
Other Dataexe=truerw=true
APPLYING EPT FOR DRIVERS ISOLATIONCurrent Situation
OS Kernel Code
exe=truerw=true
Driver Aexe=truerw=true
OS Kernel Structuresexe=truerw=true
Allocated data A
exe=truerw=true
Other Drivers
exe=truerw=true
Other Dataexe=truerw=true
Default EPT
OS Kernel Code
exe=truerw=true
OS Kernel Structuresexe=truerw=true
Other Dataexe=truerw=true
Other Drivers
exe=truerw=true
EPT pointer
APPLYING EPT FOR DRIVERS ISOLATIONCurrent Situation
OS Kernel Code
exe=truerw=true
Driver Aexe=truerw=true
OS Kernel Structuresexe=truerw=true
Allocated data A
exe=truerw=true
Other Drivers
exe=truerw=true
Other Dataexe=truerw=true
Default EPT
OS Kernel Code
exe=truerw=true
Driver Aexe=falserw=false
OS Kernel Structuresexe=truerw=true
Other Dataexe=truerw=true
EPT for new Driver A
OS Kernel Code
exe=truerw=true
Driver Aexe=truerw=true
OS Kernel Structuresexe=falserw=false
Other Drivers
exe=falserw=false
Other Dataexe=truerw=true
Other Drivers
exe=truerw=true
EPT pointer
APPLYING EPT FOR DRIVERS ISOLATIONCurrent Situation
OS Kernel Code
exe=truerw=true
Driver Aexe=truerw=true
OS Kernel Structuresexe=truerw=true
Allocated data A
exe=truerw=true
Other Drivers
exe=truerw=true
Other Dataexe=truerw=true
Default EPT
OS Kernel Code
exe=truerw=true
Driver Aexe=falserw=false
OS Kernel Structuresexe=truerw=true
Allocated data A
exe=falserw=false
Other Dataexe=truerw=true
EPT for new Driver A
OS Kernel Code
exe=truerw=true
Driver Aexe=truerw=true
OS Kernel Structuresexe=falserw=false
Allocated data A
exe=truerw=true
Other Drivers
exe=falserw=false
Other Dataexe=truerw=true
Other Drivers
exe=truerw=true
EPT pointer
That will
be a great
treasure!
Ha-ha!
Stars by
Wassily KandinskyGirl with Balloon
by Banksy
No.5 by
Jackson Pollock
THREE HOUSES WITH PRIVATE ART COLLECTIONS
THREE HOUSES WITH PRIVATE ART COLLECTIONS
Stars by
Wassily Kandinsky
Oh no!
I can
steal
nothing!
Girl with Balloon
by Banksy
No.5 by
Jackson Pollock
Allocator
OS Kernel Structures
OS Kernel Code
Allocator Allocator cmd
Driver
DriverDriver
Driver
Allocated Data
Allocated Data Allocated
Data
Attacker
DEMO: THE ATTACK PREVENTION
DEMO: THE ATTACK PREVENTION
The online version is here –
https://www.youtube.com/embed/vrm9cgn5DsU?vq=hd1080
DEMO: THE ATTACK PREVENTION
Allocator
OS Kernel Structures
OS Kernel Code
MemoryRanger
Hypervisor
Allocator Allocator cmd
Driver
Driver DriverDriver
Driver
Allocated Data
Allocated Data Allocated
Data
Attacker
MEMORY RANGER: PRINCIPLE OF LEAST PRIVILEGE
Kernel-
mode
drivers
Drivers Code
✔
✔
✔
✔
OS kernel ✔ ✔ ✔ ✔
MEMORY RANGER: PRINCIPLE OF LEAST PRIVILEGE
Kernel-
mode
drivers
Drivers Code Allocated Memory Data
EPROCESS
structures
✔ ✔
✔ ✔
✔ ✔
✔
OS kernel ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
MEMORY RANGER: PRINCIPLE OF LEAST PRIVILEGE
Kernel-
mode
drivers
Drivers Code Allocated Memory Data
EPROCESS
structures
✔ ❌ ❌ ❌ ✔ ❌ ❌ ❌
❌ ✔ ❌ ❌ ❌ ✔ ❌ ❌
❌ ❌ ✔ ❌ ❌ ❌ ✔ ❌
❌ ❌ ❌ ✔ ❌ ❌ ❌ ❌
OS kernel ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
MemoryMonRWX* DdiMon* Memory Access Policy
EPT violations:
read, write, exec
Process is
created
Memory is
allocated
* by Satoshi Tanda, @standa_t, https://github.com/tandasat
MEMORY RANGER ARCHITECTURE: THREE PARTS
Driver is
loaded
MemoryMonRWX* DdiMon* Memory Access Policy
EPT violations:
read, write, exec
Process is
created
Memory is
allocated
* by Satoshi Tanda, @standa_t, https://github.com/tandasat
List of
EPROCESSES
Information
MEMORY RANGER ARCHITECTURE: THREE PARTS
Driver is
loaded
MemoryMonRWX* DdiMon* Memory Access Policy
EPT violations:
read, write, exec
Process is
created
Memory is
allocated
* by Satoshi Tanda, @standa_t, https://github.com/tandasat
List of
Memory
Enclaves
List of
EPROCESSES
Information
MEMORY RANGER ARCHITECTURE: THREE PARTS
Driver is
loaded
MemoryMonRWX* DdiMon* Memory Access Policy
EPT violations:
read, write, exec
Process is
created
Memory is
allocated
* by Satoshi Tanda, @standa_t, https://github.com/tandasat
List of
Memory
Enclaves
List of
Allocated
Memory Pools
List of
EPROCESSES
Information
MEMORY RANGER ARCHITECTURE: THREE PARTS
Driver is
loaded
MemoryMonRWX* DdiMon* Memory Access Policy
EPT violations:
read, write, exec
Process is
created
Memory is
allocated
* by Satoshi Tanda, @standa_t, https://github.com/tandasat
List of
Memory
Enclaves
List of
Allocated
Memory Pools
List of
EPROCESSES
Information
MEMORY RANGER ARCHITECTURE: THREE PARTS
Driver is
loaded
?
switch (exit_reason){
case (execute_violation):
change_ept();
break;
case (read_violation|| write_violation):
if (access_legal()==false){
set_pte(pfn, read|write, fake_page);
set_monitor_trap_flag();
break;
}
case (monitor_trap_flag):
set_pte(pfn, no_access, original_page);
clear_monitor_trap_flag();
break;
}
MEMORY RANGER DISPATCHER (SIMPLIFIED)
switch (exit_reason){
case (execute_violation):
change_ept();
break;
case (read_violation|| write_violation):
if (access_legal()==false){
set_pte(pfn, read|write, fake_page);
set_monitor_trap_flag();
break;
}
case (monitor_trap_flag):
set_pte(pfn, no_access, original_page);
clear_monitor_trap_flag();
break;
}
MEMORY RANGER DISPATCHER (SIMPLIFIED)
switch (exit_reason){
case (execute_violation):
change_ept();
break;
case (read_violation|| write_violation):
if (access_legal()==false){
set_pte(pfn, read|write, fake_page);
set_monitor_trap_flag();
break;
}
case (monitor_trap_flag):
set_pte(pfn, no_access, original_page);
clear_monitor_trap_flag();
break;
}
MEMORY RANGER DISPATCHER (SIMPLIFIED)
switch (exit_reason){
case (execute_violation):
change_ept();
break;
case (read_violation|| write_violation):
if (access_legal()==false){
set_pte(pfn, read|write, fake_page);
set_monitor_trap_flag();
break;
}
case (monitor_trap_flag):
set_pte(pfn, no_access, original_page);
clear_monitor_trap_flag();
break;
}
MEMORY RANGER DISPATCHER (SIMPLIFIED)
1. Callback - creating a list of protected objects
Add objects’ addresses & sizes to the list
Restrict memory access for objects memory via EPT
2. EPT dispatcher – processing EPT violations for this data
type_of_access – read or write
guest_ip is the ‘source address’
fault_va is the ‘destination address’
Temporary allow access to the data using MTF
Redirect access to the fake data using MTF and EPT.PFN
HOW TO PROTECT YOUR DATA IN MEMORY?
1. Callback - creating a list of protected objects
Add objects’ addresses & sizes to the list
Restrict memory access for objects memory via EPT
2. EPT dispatcher – processing EPT violations for this data
type_of_access – read or write
guest_ip is the ‘source address’
fault_va is the ‘destination address’
Temporary allow access to the data using MTF
Redirect access to the fake data using MTF and EPT.PFN
HOW TO PROTECT YOUR DATA IN MEMORY?
Driver Allocated MemoryReads/Writes
70±2
100.000±4.000
500.000±10.000
170.000±7.000
0
1
2
3
4
5
Enabled Cache Disabled Cache AllMemPro MemoryRanger
x 1
00
00
0MEMORY RANGER BENCHMARKS: MEMORY ACCESS TIME
* AllMemPro details - http://bit.ly/AllMemPro
*
Kernel-mode memory is out of control
MemoryRanger isolates drivers execution by
using a specific EPT structure for each driver
MemoryRanger seems to prevent Spectre and Meltdown CPU attacks:
research is ongoing
BLACK HAT SOUND BYTES OR CONCLUSION
Dīvide et Imperā*
from Latin divide and rule
* Cartledge, P. (2013). Sparta and Lakonia: A regional history 1300-362 BC. Routledge.