BATTLE OF SKM AND IUM
1MHMIxh
1MHMIxh
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
COMPROMISING VBS / MISUSING VSM<br />
• VBS’ key weakness is its reliance on Secure Boot<br />
• Many vendor implementation and design bugs [ref: Sith Strike]<br />
• Many flash/SPI/chipset related issues [ref: Legbacore/Corey/Xeno’s 100 talks in the last decade]<br />
• Option ROMs [ref: Thunderstrike]<br />
• Secure Boot vulnerabilities can bring down the entire security model<br />
• Even worse, a compromised VSM can be used against the user<br />
• A compromised VSM can allow Malwarelets to execute, which can now provide easier access to all of the<br />
isolated secrets, but additionally can also use their own side-channel and secrets now, against the admin itself<br />
• Combined with protected processes, can create non-debuggable, inaccessible, unkillable implants protected by<br />
the hypervisor itself<br />
• This is not an inherent/new risk to VSM! Implants today can load their own hypervisor and build their own<br />
VSM – but this now makes it easier to hide within Microsoft’s own infrastructure<br />
• Recall: Trustlets cannot access files, or the registry, or NTOS/HLOS data