Dr. Dobb's | Black Hat: Vista Vulnerable To Stealthy Malware Despite Body Cavity Search

Black Hat: Vista Vulnerable To Stealthy Malware Despite Body Cavity Search

A security researcher demonstrated how to trick the Windows Vista Beta 2 kernel, x64 edition, into allowing any unsigned device driver to be loaded onto a user's system. This opens the door to malicious code injection. Defenses to such an attack were also presented.

August 04, 2006
URL:http://www.drdobbs.com/security/black-hat-vista-vulnerable-to-stealthy-m/191800659

Microsoft can add a new item to its checklist of security issues that must be ironed out before Windows Vista ships early next year. Under the right conditions, it's possible for a cyberattacker to inject arbitrary code into the Vista x64 kernel and stealthily take control of a user's system, according to one security researcher who demonstrated the process Thursday at the Black Hat conference in Las Vegas.

Joanna Rutkowska, a senior security researcher with Coseinc, presented a demo that showed how an attacker with systems administrator-level privileges could trick Windows Vista Beta 2 kernel, x64 edition, into disabling its signature-checking function and allow any unsigned device driver to be loaded onto a user's system. The danger is that the attacker can write malicious code into such a driver, which Vista would then execute.

Microsoft uses digital signatures for device drivers to let users know that the drivers are compatible with a given version of Windows. The company's goal with Vista x64 was to ensure that all kernel-mode drivers be signed, although Rutkowska showed how this mechanism could be deactivated. Rutkowska first presented her findings on July 21 at the SyScan conference in Singapore.

After the applause died down following her Black Hat demo, Rutkowska reviewed some ways to counter her attack method, ranging from forbidding raw disk access from user-mode applications to encrypting pagefile storage to disabling kernel memory paging. "That's what I'm doing in my home machine," Rutkowska said of the third option.

Although Rutkowska said Vista isn't "as secure as advertised," she added, "I think Microsoft did a good job; this doesn't mean Vista is insecure."

When asked for his reaction to Rutkowska's presentation and demo, Microsoft Director of Windows Product Management Austin Wilson said, "This is exactly why we're here at the conference."

Microsoft claims the potential to execute arbitrary code in the Vista Beta 2 kernel is a problem that's on its road map for correction, and that while the driver-signing function that Rutkowska exploited is turned on by default in the x64 edition of Vista, it's not a default setting in previous versions of Windows. Wilson said Microsoft has reached out to Rutkowska to discuss her research. Following her presentation, however, Rutkowska said she hadn't formally been contacted by Microsoft, although she has chatted with Microsoft employees about her work.

Security isn't something Microsoft has taken lightly in its next iteration of Windows. Earlier in the day, Microsoft Security Group Manager John Lambert hosted a Black Hat session that highlighted the security engineering process behind Vista. Lambert noted that Vista has been subjected to the largest commercial penetration testing effort ever. Microsoft also enlisted the help of more than 20 security researchers to give Vista a "body-cavity search," Lambert added.

Rutkowska, meanwhile, was just getting warmed up with her Vista demo. She then set her sights on AMD's 64-bit Pacifica Secure Virtual Machine technology, demonstrating how her "Blue Pill" technology for creating stealthy malware could be used to create an undetected hypervisor layer that can take control of a server's underlying operating system.

In a June 22 blog entry, Rutkowska described Blue Pill this way: "The idea behind Blue Pill is simple: your operating system swallows the Blue Pill and it awakes inside the Matrix controlled by the ultra thin Blue Pill hypervisor. This all happens on-the-fly (i.e. without restarting the system) and there is no performance penalty and all the devices, like graphics card, are fully accessible to the operating system, which is now executing inside [the] virtual machine. This is all possible thanks to the latest virtualization technology from AMD called SVM/Pacifica."

Intel shouldn't feel left out. Rutkowska said Thursday it "seems possible" to use Blue Pill on Intel's 64-bit Vanderpool virtualization technology, but added that she hadn't actually tested this.