ANALYSIS OF THE ATTACK SURFACE OF WINDOWS 10 VIRTUALIZATION-BASED SECURITY

More documents

Recommendations

Info

Credentials during logon ? • There is still a problem with how the unencrypted credentials are initially delivered to VTL1 (which happens during logon).“rundll32.exe user32.dll,LockWorkStation”. • If not using smart-card based authentication, then the plaintext credentials can be captured by keylogger and used anywhere, anytime. • In case of smart-card based authentication, the NTOWF hashes sent by KDC can be captured and reused.
aCG scenario 2upa • Credential Guard with armor key protection and smartcard-based authentication • Nontrivial deployment challenge • Possible to enable without TPM, but in such case no real advantage
Page 1 and 2: Rafal Wojtczuk rafal@bromium.com AN
Page 3 and 4: aScopeupa • Most of this research
Page 5 and 6: aCredential Guard architectureupa P
Page 7 and 8: aCG scenario 1upa • Admins just e
Page 9 and 10: aNtlmIumProtectCredentialupa • In
Page 11: aScenario 1 propertiesupa • After
Page 15 and 16: aScenario 2 properties • No more
Page 17 and 18: VBS-enforced code integrity • Win
Page 19 and 20: Mixing signed & unsigned code • C
Page 21 and 22: Kernel HVCI and kernel exploits •
Page 23 and 24: Kernel HVCI bypass, MS16-066
Page 25 and 26: [Un]usual threat model • Usual mo
Page 27 and 28: Root partition privileges • Acces
Page 29 and 30: Root partition privileges • I/O p
Page 31 and 32: Problem 1 - unfiltered MMCFG • MM
Page 33 and 34: Problem 2 - chipset registers • S
Page 35 and 36: S4 sleep • S4 is even more fragil
Page 37 and 38: SMM • SMM is highly-privileged mo
Page 39 and 40: SMM • It is well-known that SMM v
Page 41 and 42: SMM abuse example
Page 43 and 44: Summary • Despite its limited sco
Page 45 and 46: Extra slides: Non-VBS-specific •
Page 47: Other funny chipset capabilities

ANALYSIS OF THE ATTACK SURFACE OF WINDOWS 10 VIRTUALIZATION-BASED SECURITY

Create successful ePaper yourself

Delete template?

Save as template?