Problem

More documents

Recommendations

Info

Windows Hyper Guard • Prevents modification of key MSRs, control registers, and descriptor table registers • Example: SMEP cannot be disabled Secure Kernel Hypervisor-Enforced Code Integrity (HVCI) • Only properly signed kernel pages can become executable Robust even if an attacker can perform arbitrary read/write in VTL0 kernel https://channel9.msdn.com/Blogs/Seth-Juarez/Windows-10-Virtual-Secure-Mode-with-David-Hepkin Tactic Applies to First shipped Breaking exploitation techniques Windows 10 with Hyper-V enabled July, 2015 (Windows 10 RTM)
Non-paged pool System Page tables cache Paged pool Non-paged pool System cache Page tables … Paged pool Paged pool Non-paged System cache pool Page tables PML4 Directory ptr Directory Table Offset System region PML4 entries are randomized Non-paged pool Paged pool System cache PFN database Page tables … and so on Page table self-map and PFN database are randomized • Dynamic value relocation fixups are used to preserve constant address references SIDT/SGDT kernel address disclosure is prevented when Hyper-V is enabled • Hypervisor traps these instructions and hides the true descriptor base from CPL>0 GDI shared handle table no longer discloses kernel addresses Tactic Applies to First shipped Breaking exploitation techniques Windows 10 64-bit kernel August, 2016 (Windows 10 Anniversary Edition)
Page 3 and 4: • S Problem: Preventative Securit
Page 5 and 6: Internal Data Sources External Data
Page 7 and 8: Percentage of Use Analysis: 90 80 7
Page 9 and 10: Assume Breach Prevent Breach Threat
Page 11 and 12: REDTEAM: Model real-world attacks
Page 15: Internet Explorer, Edge, & Chakra S
Page 18 and 19: 1. Allocate object p = new COptionE
Page 20: No legacy document modes No legacy
Page 24 and 25: Place array length at a predictable
Page 26 and 27: Return addresses are not protected
Page 28: Execute arbitrary native code Code
Page 34: Win32 Process Store App AppContaine
Page 38 and 39: Legend 2/4/2014 CVE-2014-0497 Explo

Problem

Create successful ePaper yourself

Delete template?

Save as template?