WINDOWS 10 VIRTUALIZATION-BASED SECURITY
us-16-Wojtczuk-Analysis-Of-The-Attack-Surface-Of-Windows-10-Virtualization-Based-Security-wp
us-16-Wojtczuk-Analysis-Of-The-Attack-Surface-Of-Windows-10-Virtualization-Based-Security-wp
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
Similarly, another proof-of-concept code used SMM privileges to hook syscall handler of VTL1 kernel<br />
(securekernel.exe), so that the syscalls invoked by LsaIso.exe could be monitored.<br />
There are reports of successful use of firmware vulnerability (allowing to escalate to SMM) to extract<br />
secrets from Credential Guard [yb1], apparently by just scanning the whole physical memory for<br />
buffers looking like credentials.<br />
WSMT ACPI table<br />
In April 2016, Microsoft has released the specification of Windows SMM Security Mitigations Table<br />
[wsm]. Many of the above potential attacks are described there; firmware vendors should follow<br />
these guidelines in order to help secure VBS against attacks. Microsoft claims that firmware shipped<br />
with their hardware is hardened against these types of vulnerabilities.<br />
Other non-VBS-specific attack vectors<br />
CPU erratas<br />
If CPU behaves in a way not matching the specification, then it is possible that the security measures<br />
implemented in a hypervisor can be bypassed.<br />
The author is not aware of any case in the past when CPU errata was successfully exploited to escape<br />
from VTx VM confinement.