05.08.2016 • Views

Share Embed Flag

Problem

us-16-Weston-Windows-10-Mitigation-Improvements

ePAPER READ

DOWNLOAD ePAPER

hosselot

You also want an ePaper? Increase the reach of your titles

YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.

START NOW

Win32

Process

Store App

AppContainer

User Mode Font

Driver Host

AppContainer

Manager

AppContainer

Edge

Content

AppContainer

Adobe Flash

AppContainer

Store apps all run within an

AC

Font parsing is now done in

user mode within an AC

System Call Filter

Edge uses a multi-AC design

for isolation

New in Windows 10 Anniversary

Edition

Adobe Flash has now been

moved to its own AC

AppContainer

Properties

Security boundary

Capability-based resource access

Locked down process

Microsoft will address vulnerabilities that can violate AC security boundary

Network, file, registry, and device access are restricted (both read and write)

No symbolic links, reduced attack surface, and various mitigations on by default

Win32k system call filtering is

enabled for Edge

Tactic Applies to First shipped

Containing damage & preventing persistence Multiple applications August, 2012 (Windows 8)

Windows 10 x64 Edge Browser 0day and exploit

A JOURNEY FROM JNDI/LDAP MANIPULATION TO REMOTE CODE EXECUTION DREAM LAND

ANALYSIS OF THE ATTACK SURFACE OF WINDOWS 10 VIRTUALIZATION-BASED SECURITY

Win32 Process Store App AppContainer User Mode Font Driver Host AppContainer Manager AppContainer Edge Content AppContainer Adobe Flash AppContainer Store apps all run within an AC Font parsing is now done in user mode within an AC System Call Filter Edge uses a multi-AC design for isolation New in Windows 10 Anniversary Edition Adobe Flash has now been moved to its own AC AppContainer Properties Security boundary Capability-based resource access Locked down process Microsoft will address vulnerabilities that can violate AC security boundary Network, file, registry, and device access are restricted (both read and write) No symbolic links, reduced attack surface, and various mitigations on by default Win32k system call filtering is enabled for Edge Tactic Applies to First shipped Containing damage & preventing persistence Multiple applications August, 2012 (Windows 8)

Page 3 and 4: • S Problem: Preventative Securit
Page 5 and 6: Internal Data Sources External Data
Page 7 and 8: Percentage of Use Analysis: 90 80 7
Page 9 and 10: Assume Breach Prevent Breach Threat
Page 11 and 12: REDTEAM: Model real-world attacks
Page 15: Internet Explorer, Edge, & Chakra S
Page 18 and 19: 1. Allocate object p = new COptionE
Page 20: No legacy document modes No legacy
Page 24 and 25: Place array length at a predictable
Page 26 and 27: Return addresses are not protected
Page 28: Execute arbitrary native code Code
Page 31 and 32: Non-paged pool System Page tables c
Page 36: Rapidly Respond • Mobilize engine
Page 39: The number of Microsoft vulnerabili

Problem

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?