UNRAVELLING WINDOWS 8 SECURITY AND THE ARM KERNEL presented at Breakpoint 2012

by Alex Ionescu,

Tags: Exploitation Windows 8 Mitigations ARM

Summary : There has been a lot of attention given lately to Windows 8 and its new "Metro"/Modern UI. But much less attention has been given to the new security features and mitigations coming in this new release (other than Tarjei\'s talk at SyScan 2012 about the new pool mitigations and improvements, and Matt Miller\'s talk at BlackHat). This talk aims to fulfill that void, and introduce major new Windows 8 security features and the internals behind their implementation, including:
App Containers (LowBox), the key sandboxing architecture behind Modern/Metro Applications, including support for per-logon-session handle tables, and per-container object namespace and atom tables, and many new other improvements.
Signing Policy and Signing Levels, which will enable iOS-style code signing requirements, enforceable through Secure Boot.
Capability SIDs (Contracts) which enable iOS and Android-style application authorization for access to contacts, file system, network, etc...
Claim SIDs, the backing behind ABAC (Attribute-Based Access Control) in Windows 7 for AppLocker, and extended in Windows 8 for Dynamic Access Control/Centralized Access Policy support in Windows 8 Server.
Measured Boot and Secure Boot, part of the new TPM implementation
ELAM (Early-Launch Anti Malware), the new driver technology designed for security drivers
... and more ...
On top of these new features, the security and kernel teams at Microsoft have been busy adding dozens of new mitigations, some of which have been made public, such as HEASLR and the new pool mitigations, while others have not yet been formally announced. This talk will cover a laundry list of about 20 new mitigations, including a bit of brief history into their evolution from developer, to consumer, to release preview, and finally RTM.
A few of the things that will be shown:
NULL-page protection
Information leakage plugs
ASLR improvements (other than HEASLR) such as MEM_TOP_DOWN randomization
SMEP support
Changes to how system calls are done
When relevant/possible, anti-mitigations to the new changes will also be described
Finally, a brief discussion of how the Windows RT (previously Windows on ARM) kernel and system works compared to x86/x64, for purposes of exploitation (how to find the KPCR, where is KUSER_SHARED_DATA, how are ring levels defined, what\'s at 0xFFFF0000, etc...?)