Debugger-based Target-to-Host Cross-System Attacks presented at REcon 2010

by Alex Ionescu

Summary: This talk will present a critical design flaw in the Windows KD (Kernel Debugger) protocol, which is implemented in all Windows versions as well as the Xbox and Xbox 360, Windows CE, Singularity and some EFI/EXDI hardware. This flaw enables an attacker running in the target system to attack any host running a KD-compatible debugger, crossing machine isolation boundaries as well as VM boundaries, regardless of the virtualization product in use, be it VMware or VirtualBox. The design flaw allows the target to execute arbitrary commands on the host, including code execution and local file modification, through a stealthy and covert channel that leaves no fingerprints: it uses a legitimately implemented feature of the protocol, so no stack or buffer overflow is involved. The presentation will also cover a technical analysis of the KD protocol and show how easily it can be implemented on top of an application that emulates a given OS or architecture, or on top of an OS itself. Finally, techniques for mitigating such an attack will be given. With more and more security researchers opting to use VMs to analyze and debug malware, the danger of such a flaw is obvious: it negates the extra security granted by the isolation boundary and turns it against the host.