BATTLE OF SKM AND IUM

More documents

Recommendations

Info

NORMAL MODE CALLS • Normal Mode Calls are the opposite of Secure Mode Calls – they are services provided by NTOS to SK • SK uses the SkCallNormalMode routine by passing the same structure that’s used for Secure Mode Calls • Four operations are possible • Normal Service Calls [0] • Normal System Calls from IUM (i.e.: Ring 3, Previous Mode == User) [2] • Normal System Calls from SKM (i.e.: Ring 0, Previous Mode == Kernel) [3] • Virtual Interrupt Assertions (VINA) [4] • This puts the CPU into VTL 0 and executes the handler for VTL return which will run in NTOS • VTL 1->0 Switch is done with VMCALL instruction, RCX == 0x12 (RCX is saved into RAX) • Finally, when secure mode ultimately returns back to normal mode, operation 1 is used (IUM Return)
NORMAL MODE SERVICE CALLS • SK needs access to certain resources and mechanisms that are only implemented in NTOS as part of its behavior • This is different from the Normal Mode System Calls which are needed by IUM – these calls are for SKM proper • These are performed with the same secure call interface that’s used to enter SKM, but this time using the VtlReturn instruction • Allocate/Free/Get/PhysicalPages [1, 2, 4] • TerminateThread/Process [7, 8] • AlertThreadByThreadIt, WaitForAlertByThreadId, CheckForApcDelivery [10, 11, 12] • Allocate/Free/Copy/VirtualMemory [15, 16, 13] • DebugForwardException/SuspendProcess/ResumeProcess/SendError [9, 18, 19, 20] • EtwRegister/SetInformation/WriteTransfer [21, 22, 23] • GetCurrentProcessorNumber [17], GetSecureImageHandle [14] • DbgPrint [3]!
Page 1 and 2: BATTLE OF SKM AND IUM HOW WINDOWS 1
Page 3 and 4: PRESENTATION OVERVIEW • Microsoft
Page 5 and 6: VBS FEATURES IN WINDOWS 10 / SERVER
Page 7 and 8: ENABLING VBS
Page 9 and 10: HOW DOES IT ALL WORK? • Hyperviso
Page 11 and 12: SEPARATION OF ROLES • Instead of
Page 13 and 14: PLATFORM REQUIREMENTS • The Boot
Page 15 and 16: HARD CODE GUARANTEES • When hard
Page 17 and 18: VIRTUAL SECURE MODE (VSM) BOOTSTRAP
Page 19 and 20: SKM LAUNCH • To initialize VTL 1,
Page 21 and 22: BCD VSM POLICY OPTIONS • The poli
Page 23 and 24: SKM INTERNALS
Page 25 and 26: SKM STRUCTURES • SKM has a PCR at
Page 27 and 28: SKM CAPABILITIES • The SkCapabili
Page 29 and 30: SECURE MODE CALLS • Secure Mode C
Page 31: SPECIALIZED SECURE MORE SERVICE CAL
Page 35 and 36: IUM INTERNALS
Page 37 and 38: SECURE SYSTEM CALLS • SKM exposes
Page 39 and 40: SECURE BASE API • Trustlets shoul
Page 41 and 42: NOTABLY MISSING… • Trustlets ca
Page 43 and 44: NORMAL MODE SYSTEM CALL PROXYING Th
Page 45 and 46: LAUNCHING A TRUSTLET • Process At
Page 47 and 48: EXAMPLE IUM-COMPLIANT SIGNED BINARY
Page 49 and 50: TRUSTLET INSTANCE GUID • Trustlet
Page 51 and 52: LSA TRUSTLET • One of the two inb
Page 53 and 54: LOADING A TRUSTLET • Ldr, or the
Page 55 and 56: TRUSTLET TO NORMAL WORLD COMMUNICAT
Page 57 and 58: CAN WE BUILD OUR OWN TRUSTLETS? •
Page 59 and 60: CONCLUSION RISKS AND THOUGHTS
Page 61 and 62: SECURE KERNEL COMPLEXITY / ATTACK S
Page 63 and 64: VSM WITHOUT SECUREBOOT • What’s
Page 65: YOU HAVE QUESTIONS? I HOPEFULLY HAV

BATTLE OF SKM AND IUM

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?