Microsoft Enhances Windows 10 Kernel Security Mechanisms
The well-known Windows internals expert Alex Ionescu has revealed new kernel features that appeared in Windows 10 Insider Preview build 14332. Earlier on our blog we have repeatedly mentioned the Insider Preview builds of Windows 10, which application and driver developers use for testing. The changes that appear in them are later released to all Windows 10 users as one big update to the OS.
This time the subject is ASLR in kernel mode (Kernel ASLR, KASLR), about which much less is known than about its counterpart for user-mode (Ring 3) Windows components. Before build 14332, Windows implemented KASLR only partially: starting with Windows Vista SP1 it randomized only the load addresses of system images (the kernel and drivers). Now, on every boot, Windows will change the virtual addresses not only of the drivers but of practically all OS structures and components that live in the system part of the virtual address space.
The main goal that Windows (like Apple OS X, iOS and Google Android) pursues with ASLR is to move important data structures and system images in the system part of the virtual address space to new addresses on each reboot. A second requirement of ASLR is that kernel data structures which are exposed to Ring 3 in one form or another must not contain direct or indirect pointers to kernel objects; otherwise user-mode code can simply read the randomized addresses back out of them.
According to Ionescu, something unprecedented is happening to the Windows virtual memory manager: the addresses at which the page directories and page tables are mapped become dynamic. Local Privilege Escalation (LPE) exploits that rely on fixed addresses in the system virtual address space will stop working. The exceptions are the memory regions used by the HAL and the kernel pointers that are still present in PEB.GdiSharedHandleTable; exploits can still use these loopholes to partially bypass KASLR.
Starting with build 14332, Windows can change the virtual base addresses of such critical memory-manager structures as the page directory entries (PDEs), the page table entries (PTEs), the system PTE region, hyperspace, the PFN database and so on. In the traditional layout of the Windows kernel virtual address space, the base addresses of the page tables and of the structures listed above were fixed at kernel compile time and differed only between 32-bit and 64-bit address spaces and with PAE addressing, so an exploit could simply hardcode them.
Microsoft's new measure will significantly raise Windows's resistance to LPE exploits that rely on fixed virtual addresses in the kernel address space. We wrote earlier about another anti-LPE measure added by Microsoft that lets applications filter their own access to Win32k system services (Win32k syscall filtering), which exploits frequently use when triggering vulnerabilities in win32k.sys. Both features will reach Windows 10 users in the next big OS update.
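To make the fixed-address dependency concrete, here is an added example of the page-table self-map arithmetic on x64 Windows; it is my own C, not code from the article, from Ionescu or from Microsoft. The slot 0x1ED and the resulting bases (PTE_BASE 0xFFFFF68000000000 and so on) are the well-known constants of the classic layout; the "randomized" slot 0x1A3 and the kernel address fed in are constructed values for illustration, and modelling the randomization as a different PML4 self-map slot is an assumption of the example, not a description of the build's implementation.

```c
/* Added example (not from the original article): page-table self-map
 * arithmetic on x64 Windows. With the classic fixed bases an exploit can
 * compute the PTE of any virtual address offline; once the base moves, the
 * hardcoded arithmetic lands somewhere else. The randomized slot below is a
 * constructed value; modelling the randomization as a different self-map
 * slot is an assumption of this example. */
#include <stdint.h>
#include <stdio.h>
#include <inttypes.h>

#define CLASSIC_SELFMAP_INDEX 0x1EDu          /* PML4 slot in the classic layout */
#define KERNEL_CANONICAL_HIGH 0xFFFF000000000000ULL

typedef struct {
    uint64_t pte_base;  /* classic: 0xFFFFF68000000000 */
    uint64_t pde_base;  /* classic: 0xFFFFF6FB40000000 */
    uint64_t ppe_base;  /* classic: 0xFFFFF6FB7DA00000 */
    uint64_t pxe_base;  /* classic: 0xFFFFF6FB7DBED000 */
} paging_bases_t;

/* Derive the four paging-structure bases from the PML4 self-map slot. Each
 * level is reached by substituting the slot index for one more 9-bit index
 * field of the virtual address. */
paging_bases_t paging_bases(unsigned selfmap_index)
{
    uint64_t idx = selfmap_index & 0x1FF;
    paging_bases_t b;
    b.pte_base = idx << 39;
    if (idx & 0x100)                           /* kernel half: make it canonical */
        b.pte_base |= KERNEL_CANONICAL_HIGH;
    b.pde_base = b.pte_base | (idx << 30);
    b.ppe_base = b.pde_base | (idx << 21);
    b.pxe_base = b.ppe_base | (idx << 12);
    return b;
}

/* Virtual address of the entry that maps `va` at each level: the index bits
 * of `va` become a byte offset (entry index * 8) from that level's base. */
uint64_t pte_address(uint64_t va, paging_bases_t b) { return b.pte_base + ((va >> 9)  & 0x7FFFFFFFF8ULL); }
uint64_t pde_address(uint64_t va, paging_bases_t b) { return b.pde_base + ((va >> 18) & 0x3FFFFFF8ULL); }
uint64_t ppe_address(uint64_t va, paging_bases_t b) { return b.ppe_base + ((va >> 27) & 0x1FFFF8ULL); }
uint64_t pxe_address(uint64_t va, paging_bases_t b) { return b.pxe_base + ((va >> 36) & 0xFF8ULL); }

/* The PML4 entry that points back at the PML4 itself. */
uint64_t selfmap_entry(paging_bases_t b) { return pxe_address(b.pte_base, b); }

/* Models an exploit that hardcodes the classic PTE_BASE to find the PTE of
 * `va` (e.g. to clear NX or set U/S on it). Returns 1 if that guess still
 * lands on the real PTE on a kernel whose self-map slot is `real_index`. */
int classic_pte_guess_hits(uint64_t va, unsigned real_index)
{
    paging_bases_t classic = paging_bases(CLASSIC_SELFMAP_INDEX);
    paging_bases_t real    = paging_bases(real_index);
    return pte_address(va, classic) == pte_address(va, real);
}

int main(void)
{
    const uint64_t va = 0xFFFFF80000000000ULL;  /* constructed kernel address */
    const unsigned randomized = 0x1A3;           /* constructed boot-time slot */
    paging_bases_t c = paging_bases(CLASSIC_SELFMAP_INDEX);
    paging_bases_t r = paging_bases(randomized);

    printf("classic    PTE_BASE %#" PRIx64 "  self-map PXE %#" PRIx64 "\n",
           c.pte_base, selfmap_entry(c));
    printf("randomized PTE_BASE %#" PRIx64 "  self-map PXE %#" PRIx64 "\n",
           r.pte_base, selfmap_entry(r));
    printf("PTE of %#" PRIx64 ": classic %#" PRIx64 ", randomized %#" PRIx64 "\n",
           va, pte_address(va, c), pte_address(va, r));
    printf("hardcoded PTE_BASE hits: classic layout %d, randomized layout %d\n",
           classic_pte_guess_hits(va, CLASSIC_SELFMAP_INDEX),
           classic_pte_guess_hits(va, randomized));
    return 0;
}
```

Compile with any C99 compiler (for example `cc -std=c99 selfmap.c`). The point of `classic_pte_guess_hits` is the one the article makes: a PTE-overwrite primitive built on the compile-time constants works on every pre-14332 x64 kernel, but on a kernel that moves the self-map the same arithmetic points at unrelated, most likely unmapped, memory, so the exploit first needs an information leak of the live base, which is exactly where the remaining HAL and GdiSharedHandleTable loopholes come in.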