BATTLE OF SKM AND IUM

Recommendations

Info

TRUSTLET ALPC ENDPOINT CONNECTIONS • Each Trustlet can create its own ALPC / RPC Endpoints • For example, LSA Trustlet (LSAISO.EXE) creates LSA_ISO_RPC_SERVER • However, when a Trustlet crashes, the Windows Error Reporting Service (WER) creates a special ondemand ALPC port \<strong>IUM</strong>_TRUSTLET_DUMP_SERVER • The SK will connect to this (SkpAlpcConnectWerPort) whenever it crashes, and send the encrypted pages to it • WER will write the encrypted pages to disk (<strong>IUM</strong>-name-date-time-pid.dmp) that are sent via SkpAlpcSendReceiveWer • One start message • N chunk messages • One end message • One could arguably use this interface from a Trustlet as a way to write arbitrary files to disk, but the location/name is somewhat limited
CAN WE BUILD OUR OWN TRUSTLETS? • Microsoft has done a phenomenal job to provide new hypervisor-based guarantees to certain key mechanisms and features • Architecturally speaking, the security model is very strong • But could it be used against itself? Can we create malicious Trustlets that are protected? • We’ll call these Malwarelets • There are a number of protections and checks in place to prevent this from happening • We need a correctly-formatted policy with our own Trustlet ID, exported with the right name in a section with the right name and attributes • We need a correctly-signed Trustlet image • We must link with /SUBSYSTEM:WINDOWS (but we still need to tell CRT to give us a wmain, not WinMain) • We must be careful what import libraries we use (and hence what DLLs we import) • And ultimately, a Trustlet is isolated from other Trustlets, and cannot access HLOS in any privileged way
Page 1 and 2:
BATTLE OF SKM AND IUM HOW WINDOWS 1
Page 3 and 4:
PRESENTATION OVERVIEW • Microsoft
Page 5 and 6: VBS FEATURES IN WINDOWS 10 / SERVER
Page 7 and 8: ENABLING VBS
Page 9 and 10: HOW DOES IT ALL WORK? • Hyperviso
Page 11 and 12: SEPARATION OF ROLES • Instead of
Page 13 and 14: PLATFORM REQUIREMENTS • The Boot
Page 15 and 16: HARD CODE GUARANTEES • When hard
Page 17 and 18: VIRTUAL SECURE MODE (VSM) BOOTSTRAP
Page 19 and 20: SKM LAUNCH • To initialize VTL 1,
Page 21 and 22: BCD VSM POLICY OPTIONS • The poli
Page 23 and 24: SKM INTERNALS
Page 25 and 26: SKM STRUCTURES • SKM has a PCR at
Page 27 and 28: SKM CAPABILITIES • The SkCapabili
Page 29 and 30: SECURE MODE CALLS • Secure Mode C
Page 31 and 32: SPECIALIZED SECURE MORE SERVICE CAL
Page 33 and 34: NORMAL MODE SERVICE CALLS • SK ne
Page 35 and 36: IUM INTERNALS
Page 37 and 38: SECURE SYSTEM CALLS • SKM exposes
Page 39 and 40: SECURE BASE API • Trustlets shoul
Page 41 and 42: NOTABLY MISSING… • Trustlets ca
Page 43 and 44: NORMAL MODE SYSTEM CALL PROXYING Th
Page 45 and 46: LAUNCHING A TRUSTLET • Process At
Page 47 and 48: EXAMPLE IUM-COMPLIANT SIGNED BINARY
Page 49 and 50: TRUSTLET INSTANCE GUID • Trustlet
Page 51 and 52: LSA TRUSTLET • One of the two inb
Page 53 and 54: LOADING A TRUSTLET • Ldr, or the
Page 55: TRUSTLET TO NORMAL WORLD COMMUNICAT
Page 59 and 60: CONCLUSION RISKS AND THOUGHTS
Page 61 and 62: SECURE KERNEL COMPLEXITY / ATTACK S
Page 63 and 64: VSM WITHOUT SECUREBOOT • What’s
Page 65: YOU HAVE QUESTIONS? I HOPEFULLY HAV
show all

BATTLE OF SKM AND IUM

Create successful ePaper yourself

Delete template?

Save as template?