Blog | Subverting Vista Kernel For Fun And Profit

Subverting Vista Kernel For Fun And Profit

Joanna Rutkowska

Joanna Rutkowska gave a highly informative talk at Black Hat called "Subverting Vista Kernel For Fun And Profit." In the first part of her talk, she demonstrated an attack on Vista's code signing feature that requires any code that is loaded into the kernel to be signed by Microsoft. Her attack did not take advantage of an implementation bug or a vulnerability, but instead used the built in raw disk write access to change a few lines in the pagefile. Once the pagefile was altered and the changed data was read back into memory she was able to load any code she desired into the kernel. She stated that this didn't mean that Vista was insecure, just not as secure as Microsoft says.

I talked to her for a few minutes today about her talk and asked if she was going to be releasing the code, and she said she didn't see the point of doing that. Her goal was not to provide people with a way to hack systems, but to alert the community and Microsoft of a flaw in the system. She also mentioned that she is in active informal discussions with Microsoft and they are aware of the problem and the potential solutions she laid out in her talk, but she didn't want to comment on what they were going to do about it.

Joanna Rutkowska

The second part of her talk covered a proof of concept root kit called Blue Pill that takes advantage of the extremely powerful new virtualization features in the new 64 bit AMD processors. Blue Pill takes a running operating system and completely virtualizes it beneath a Hypervisor which can then be used to intercept certain system calls and execute arbitrary code nearly completely invisible to the user. As the system is truly virtualized on the processor level and not in kernel and userspace, the virtualized system has direct access to the hardware (except for calls the hypervisor is intercepting) and detection would be non-trivial to say the least. Although she did her research on the AMD processor, she said the same attacks would be possible on the new Intel chips, although their virtualization implementation was not as powerful.

where do you want to go today?



Post date:

Thursday, August 3rd, 2006 at 9:32:04 PM