
Windows 10 Security Internals



Presentation on theme: "Windows 10 Security Internals"— Presentation transcript:

1 Windows 10 Security Internals
BRK4014 Windows 10 Security Internals
Chris Jackson, Cybersecurity Enthusiast, Chief Awesomeologist, Microsoft, @appcompatguy
© Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

2 WDEG
Windows Defender Exploit Guard (WDEG)

3 Detect Malicious Behavior
Windows 10 Platform Security as the foundation, with three layers above it: Isolate Threats, Control Execution, Detect Malicious Behavior.
Components shown: Windows App Container, Windows Defender Exploit Guard, Windows Defender Antivirus, Windows Defender Advanced Threat Protection, Windows Defender Application Guard.


5 Windows Exploit Mitigation Internals

6 Arbitrary Code Guard
Arbitrary Code Guard (ACG) stops a process from creating new executable memory or making existing executable memory writable. With the policy on, the executable page protections listed below can no longer be obtained through VirtualAlloc or VirtualProtect, which is what a JIT engine, a packer, or injected shellcode relies on.

    LPVOID WINAPI VirtualAlloc(
        _In_opt_ LPVOID lpAddress,
        _In_     SIZE_T dwSize,
        _In_     DWORD  flAllocationType,
        _In_     DWORD  flProtect
    );

    BOOL WINAPI VirtualProtect(
        _In_  LPVOID lpAddress,
        _In_  SIZE_T dwSize,
        _In_  DWORD  flNewProtect,
        _Out_ PDWORD lpflOldProtect
    );

    PAGE_EXECUTE            0x10
    PAGE_EXECUTE_READ       0x20
    PAGE_EXECUTE_READWRITE  0x40
    PAGE_EXECUTE_WRITECOPY  0x80
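The slide lists the APIs and protection constants but not the decision ACG makes with them. The following is an added example, not code from the presentation: a toy page table with simulated VirtualAlloc/VirtualProtect calls and the ACG rule applied to each request (no page may become writable and executable, no non-executable page may become executable, no executable page may become writable). The page-table layout, the page indices and the JIT sequence are constructed for the demo; the protection constants are the winnt.h values from the slide.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Page protections as on the slide (winnt.h values). */
#define PAGE_READONLY          0x02u
#define PAGE_READWRITE         0x04u
#define PAGE_WRITECOPY         0x08u
#define PAGE_EXECUTE           0x10u
#define PAGE_EXECUTE_READ      0x20u
#define PAGE_EXECUTE_READWRITE 0x40u
#define PAGE_EXECUTE_WRITECOPY 0x80u

#define EXEC_BITS  (PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)
#define WRITE_BITS (PAGE_READWRITE | PAGE_WRITECOPY | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)

static bool is_exec(uint32_t p)  { return (p & EXEC_BITS) != 0; }
static bool is_write(uint32_t p) { return (p & WRITE_BITS) != 0; }

/* Toy page table standing in for the process's VAD tree: 16 pages of a
   fake address space, each either unmapped or mapped with one protection. */
#define NPAGES 16
typedef struct { bool mapped[NPAGES]; uint32_t prot[NPAGES]; } page_table;

/* ACG policy for one page. was_mapped/old_prot describe the page before
   the request, new_prot is the requested protection. */
static bool acg_permits(bool was_mapped, uint32_t old_prot, uint32_t new_prot) {
    bool was_exec = was_mapped && is_exec(old_prot);
    if (is_exec(new_prot) && is_write(new_prot)) return false; /* no page is ever W+X */
    if (is_exec(new_prot) && !was_exec)          return false; /* no new executable memory, no NX -> X */
    if (was_exec && is_write(new_prot))          return false; /* existing code is immutable */
    return true;                                               /* dropping rights is always fine */
}

/* VirtualAlloc/VirtualProtect on the toy table; the ACG rule is applied
   only when the process has the policy enabled (`acg`). */
static bool sim_virtual_alloc(page_table *pt, bool acg, int page, uint32_t prot) {
    if (page < 0 || page >= NPAGES || pt->mapped[page]) return false;
    if (acg && !acg_permits(false, 0, prot)) return false;   /* STATUS_DYNAMIC_CODE_BLOCKED */
    pt->mapped[page] = true;
    pt->prot[page] = prot;
    return true;
}

static bool sim_virtual_protect(page_table *pt, bool acg, int page, uint32_t prot) {
    if (page < 0 || page >= NPAGES || !pt->mapped[page]) return false;
    if (acg && !acg_permits(true, pt->prot[page], prot)) return false;
    pt->prot[page] = prot;
    return true;
}

/* The classic in-process JIT sequence: get RW memory, emit code, flip it
   to RX. Returns true if the emitted code could be made executable. */
static bool jit_emit_and_run(bool acg) {
    page_table pt = {{false}, {0}};
    if (!sim_virtual_alloc(&pt, acg, 3, PAGE_READWRITE)) return false;
    /* ... machine code would be written into page 3 here ... */
    return sim_virtual_protect(&pt, acg, 3, PAGE_EXECUTE_READ);
}

/* The other thing ACG stops: making a mapped code page writable, e.g. to
   patch an image's .text in place. Returns true if the patch would succeed. */
static bool patch_text_page(bool acg) {
    page_table pt = {{false}, {0}};
    pt.mapped[0] = true;                 /* .text page mapped by the loader as RX */
    pt.prot[0] = PAGE_EXECUTE_READ;
    return sim_virtual_protect(&pt, acg, 0, PAGE_READWRITE);
}

int main(void) {
    printf("JIT without ACG:      %s\n", jit_emit_and_run(false) ? "code runs" : "blocked");
    printf("JIT with ACG:         %s\n", jit_emit_and_run(true)  ? "code runs" : "blocked");
    printf("patch .text with ACG: %s\n", patch_text_page(true)   ? "allowed"   : "blocked");
    return 0;
}
```

The RW-then-RX flip is exactly what an in-process JIT does, which is why the next slide is about Edge: a content process under ACG has to get its JIT output from somewhere else (Edge moved the Chakra JIT out of process) rather than flip its own pages.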

7 Windows Advanced Rasterization Platform
Arbitrary Code Guard in Microsoft Edge: the content process (microsoftedgecp.exe) runs with ACG enabled. Two components that generate code at run time are shown inside it, the Chakra JavaScript engine (chakra) and the Windows Advanced Rasterization Platform (WARP, the software rasterizer); both conflict with a policy that forbids new executable memory, so the JIT had to be moved out of the content process.

8 Block Untrusted Fonts
Trusted: %windir%\fonts
Untrusted: everything else
Font files outside the Windows fonts directory are refused when loaded through GDI, so a document or web page cannot feed an attacker-supplied font file to the font parser.

9 ASLR Explained
Diagram: the same process address space across Boot 1, Boot 2 and Boot 3, with app.exe, user32.dll, ssleay32.dll and ntdll.dll landing at a different address on each boot.

10 Only the high-order two bytes are randomized in image mappings
ASLR Explained
Only the high-order two bytes are randomized in image mappings: 32-bit image bases move in 64K units, so the low 16 bits of every address inside a module are the same on every boot.
The low-order two bytes of a saved return address can therefore be overwritten to return into another location within the same mapping without knowing the base, e.g. overwriting 0x…c with 0x….
The target address can then be used to pivot.
Stack layout (low to high): Local Variables | Saved EBP | Return address [L | H]
Buffer overflow: memcpy(dest /* stack buf */, src /* controlled */, length /* controlled */);

11 Not all binaries are compiled with relocation information
ASLR Explained
Not all binaries are compiled with relocation information:
Executables often don't have relocations (/FIXED:YES)
.NET IL-only assemblies in IE
ASLR is most effective if all regions are randomized. In the diagram app.exe sits at the same address on Boot 1, Boot 2 and Boot 3 while user32.dll, kernel32.dll and ntdll.dll move; an image that cannot be relocated is a stable source of gadgets and of absolute addresses for the attacker.
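Slides 9 to 11 describe the partial-overwrite trick and the /FIXED weakness in words. The following is an added example, not code from the presentation, that replays both across three simulated boots. It models only what the slides state: image bases move in 64K units with one byte of entropy (so just the high-order two bytes of an address change), and an image without relocations stays at its preferred base. The preferred bases, RVAs and per-boot entropy values are constructed; the exact range Windows chooses bases from is not modelled.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* 32-bit image base after a boot. Randomization moves the base in 64K
   units with 8 bits of entropy, so only bytes 2-3 of an address differ
   between boots; an image linked /FIXED (no .reloc section) cannot move. */
static uint32_t image_base_for_boot(uint32_t preferred_base, bool has_relocs, uint8_t boot_entropy) {
    if (!has_relocs) return preferred_base;
    return (preferred_base & 0xFF000000u) | ((uint32_t)boot_entropy << 16);
}

/* The attack from slide 10: a short overflow replaces only the two
   low-order bytes of the saved return address. */
static uint32_t partial_overwrite(uint32_t saved_ret, uint16_t new_low16) {
    return (saved_ret & 0xFFFF0000u) | new_low16;
}

/* Because the base is 64K-aligned, a partial overwrite can only reach a
   target in the same 64K window of the image as the original return site. */
static bool reachable_without_base(uint32_t ret_rva, uint32_t target_rva) {
    return (ret_rva >> 16) == (target_rva >> 16);
}

/* Constructed per-boot entropy for Boot 1, Boot 2, Boot 3. */
static const uint8_t boot_entropy[3] = { 0x12, 0xA7, 0x5E };

/* Replay the two-byte overwrite on each boot and count how often control
   lands exactly on the chosen target. */
static int partial_overwrite_hits(uint32_t preferred_base, bool has_relocs,
                                  uint32_t ret_rva, uint32_t target_rva) {
    int hits = 0;
    for (int boot = 0; boot < 3; boot++) {
        uint32_t base      = image_base_for_boot(preferred_base, has_relocs, boot_entropy[boot]);
        uint32_t saved_ret = base + ret_rva;                       /* what the stack holds */
        uint32_t landed    = partial_overwrite(saved_ret, (uint16_t)(target_rva & 0xFFFFu));
        if (landed == base + target_rva) hits++;
    }
    return hits;
}

/* Full 4-byte overwrite with an absolute address learned on an earlier boot
   (entropy 0x3C, constructed). Only a /FIXED image makes that address stable. */
static int full_overwrite_hits(uint32_t preferred_base, bool has_relocs, uint32_t target_rva) {
    uint32_t learned = image_base_for_boot(preferred_base, has_relocs, 0x3C) + target_rva;
    int hits = 0;
    for (int boot = 0; boot < 3; boot++)
        if (learned == image_base_for_boot(preferred_base, has_relocs, boot_entropy[boot]) + target_rva)
            hits++;
    return hits;
}

int main(void) {
    /* Return site at RVA 0x1A2C, gadget at RVA 0x1F40: same 64K window. */
    printf("partial overwrite, same window:  %d/3 boots\n", partial_overwrite_hits(0x10000000u, true, 0x1A2C, 0x1F40));
    /* Gadget at RVA 0x21F40: a different window, the attacker needs the base. */
    printf("partial overwrite, other window: %d/3 boots\n", partial_overwrite_hits(0x10000000u, true, 0x1A2C, 0x21F40));
    printf("full overwrite, relocatable DLL: %d/3 boots\n", full_overwrite_hits(0x10000000u, true, 0x1F40));
    printf("full overwrite, /FIXED app.exe:  %d/3 boots\n", full_overwrite_hits(0x00400000u, false, 0x1F40));
    return 0;
}
```

The two failure modes are independent: a relocatable DLL still loses to a partial overwrite within one 64K window on every boot, and a /FIXED executable loses to a full overwrite even though every DLL around it moved. That is the sense in which "ASLR is most effective if all regions are randomized".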

12 ASLR Explained

13 Mandatory ASLR
Mandatory ASLR forces relocation of images that were not linked with /DYNAMICBASE. Addresses on the slide: 0x7FFD… 0x7FFD… 0x7FFD…. Caveat for deployment: a forced relocation on its own lands at the same address every time unless bottom-up randomization is also enabled, so turn on both.

14 Bottom-Up ASLR
Bottom-up ASLR randomizes where bottom-up allocations (heaps, stacks, and VirtualAlloc regions that do not ask for a fixed address) start by reserving a random number in [0, 256] of 64K regions at the bottom of the address space before the first real allocation. Addresses on the slide: 0x7FFD90820000, 0x7FFD61490000, 0x7FFD61490000.

15 Code Integrity Guard
    HMODULE WINAPI LoadLibrary(_In_ LPCTSTR lpFileName);
A DLL is allowed to load into the process only if the binary has a valid signature (Microsoft, WHQL or Store signed) and the binary is in a valid location.

16 Mitigating Hijacking Control of execution
9/12/ :40 PM Control Flow Guard Mitigating Hijacking Control of execution Typical control flow hijack by corrupting C++ virtual table pointer and calling first gadget of a ROP payload (example from Metasploit [1]) CFG implements a form of coarse-grained control-flow integrity which places new restrictions on indirect calls to ensure that only valid functions can be called indirectly Compile time Runtime Metadata is automatically added to the image which identifies functions that may be called indirectly void Foo(...) { // SomeFunc is address-taken // and may be called indirectly Object->FuncPtr = SomeFunc; } Update valid call target data with metadata from PE image Image Load Map valid call target data Process Start Transfers control to a stack pivot ROP gadget Perform O(1) validity check Terminate process if invalid target Indirect Call With CFG in place, ROP gadgets and other invalid functions cannot be called indirectly © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

17 Valid Jump Destinations
Control Flow Guard: diagram of a code region with its valid indirect-call destinations marked (the address-taken function entry points are marked Y; every other instruction address is not a valid target).
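Slides 16 and 17 describe the bitmap built at image load and the O(1) check before each indirect call. The following is an added example, not code from the presentation or from Windows, that implements that check over a small constructed image. The geometry is assumed for the demo: a 64K code window at 0x00400000 and one bitmap bit per 16-byte slot; the real CFG bitmap covers the whole address space and uses a different encoding. Function and gadget addresses are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Demo geometry (assumed): a 64K code window, one bit per 16-byte slot. */
#define WINDOW_BASE 0x00400000u
#define WINDOW_SIZE 0x00010000u
#define SLOT_SHIFT  4
#define NSLOTS      (WINDOW_SIZE >> SLOT_SHIFT)

static uint8_t cfg_bitmap[NSLOTS / 8];

/* Image load: the loader reads the PE's guard CF function table (every
   address-taken function the compiler recorded) and sets one bit per entry. */
static void cfg_mark_valid_targets(const uint32_t *targets, size_t n) {
    memset(cfg_bitmap, 0, sizeof cfg_bitmap);
    for (size_t i = 0; i < n; i++) {
        uint32_t slot = (targets[i] - WINDOW_BASE) >> SLOT_SHIFT;
        cfg_bitmap[slot >> 3] |= (uint8_t)(1u << (slot & 7));
    }
}

/* The O(1) check the compiler inserts before every indirect call.
   Returns false when the process would be terminated. */
static bool cfg_dispatch_ok(uint32_t target) {
    if (target < WINDOW_BASE || target >= WINDOW_BASE + WINDOW_SIZE) return false;
    if (target & ((1u << SLOT_SHIFT) - 1)) return false;   /* mid-slot address: not an entry point */
    uint32_t slot = (target - WINDOW_BASE) >> SLOT_SHIFT;
    return (cfg_bitmap[slot >> 3] >> (slot & 7)) & 1u;
}

/* Constructed image: three address-taken functions and one gadget. */
#define SOMEFUNC       0x00401000u   /* Object->FuncPtr = SomeFunc          */
#define OTHER_CALLBACK 0x00402340u   /* another legitimately address-taken fn */
#define PIVOT_GADGET   0x00401A07u   /* xchg eax,esp ; ret inside a function  */

/* Object->FuncPtr() after the pointer has been corrupted.
   Returns 1 if the call proceeds, 0 if CFG terminates the process. */
static int indirect_call(uint32_t funcptr) {
    static const uint32_t targets[] = { SOMEFUNC, OTHER_CALLBACK, 0x00405F80u };
    cfg_mark_valid_targets(targets, sizeof targets / sizeof targets[0]);
    return cfg_dispatch_ok(funcptr) ? 1 : 0;
}

int main(void) {
    printf("call SomeFunc:       %s\n", indirect_call(SOMEFUNC)       ? "ok" : "terminated");
    printf("call ROP pivot:      %s\n", indirect_call(PIVOT_GADGET)   ? "ok" : "terminated");
    printf("call other callback: %s (coarse-grained: any marked entry passes)\n",
           indirect_call(OTHER_CALLBACK) ? "ok" : "terminated");
    return 0;
}
```

The third case is the limit the slide's phrase "coarse-grained" refers to: CFG answers "is this the start of some function that may be called indirectly", not "is this the function this call site was meant to reach", so redirecting a corrupted pointer to a different valid entry point is still allowed.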

18 Function main () stack area
DEP Explained
    void foo(char *szIn, int i) {
        int j = 0;
        char szOut[8];
        strcpy(szOut, szIn);
    }
Stack of foo(), higher addresses at the top: Function main() stack area | Pushed arguments: szIn, i | EIP = return address into main() | EBP = saved frame pointer | j | szOut

19 Function main () stack area
DEP Explained
    void foo(char *szIn, int i) {
        int j = 0;
        char szOut[8];
        strcpy(szOut, szIn);
    }
    void main(int argc, char** argv) {
        foo(argv[1], 0);
    }
Stack of foo() before the copy, higher addresses at the top: main() stack area | szIn, i | EIP = return address into main() | EBP frame pointer | j = 0x0 | szOut = 0x…
Input: C:\foo "AAAAAAAAAAAAAAAA\x6C\x11\xB0\x30"

20 Function main () stack area
DEP Explained
Same foo() and main() as above, after strcpy has run.
Stack of foo(), higher addresses at the top: main() stack area | szIn, i | Return address = 0x30B0116C | EBP = 0x… (overwritten by the filler) | j = 0x… (overwritten by the filler) | szOut = AAAAAAAA
Input: C:\foo "AAAAAAAAAAAAAAAA\x6C\x11\xB0\x30"
The return address back into main() has been changed to point to a malicious code area: the first 8 bytes fill szOut, the next 8 overwrite j and the saved EBP, and bytes 17 to 20 land on the return address, read little-endian as 0x30B0116C.

21 Function main () stack area
DEP Explained
Stack when foo() returns, higher addresses at the top: main() stack area | !!pwn3d!! | szIn, i | Return address = 0x30B0116C | EBP = 0x… | Malicious Code
Input: C:\foo "AAAAAAAAAAAAAAAA\x6C\x11\xB0\x30"
The RET pops 0x30B0116C and jumps into the attacker's bytes. With DEP the pages holding that data are not executable, so the instruction fetch at 0x30B0116C faults instead of running the payload.
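Slides 18 to 21 walk through the overflow in pictures. The following is an added example, not code from the presentation, that replays it against foo()'s frame laid out as a struct, so the byte arithmetic (8 bytes of szOut, 4 of j, 4 of saved EBP, then the return address) can be checked, and then applies a DEP-style executable-page lookup to the address the RET would pop. The pre-attack frame values, the memory map, and the assumption that 0x30B0116C lies in the non-executable stack are constructed; the payload bytes are the ones on the slide. The copy is bounded to the struct only to keep the demo in bounds; the slide's strcpy is not. Results assume a little-endian host.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* foo()'s x86 frame as the slides draw it, lowest address first. */
typedef struct {
    char     szOut[8];
    uint32_t j;
    uint32_t saved_ebp;
    uint32_t ret;
} foo_frame;
_Static_assert(sizeof(foo_frame) == 20, "frame layout must be 8+4+4+4 bytes");

/* Constructed attacker input from the slide: 16 filler bytes reach the
   return address, then 0x30B0116C little-endian. strcpy stops at the
   first NUL, so none of these bytes may be zero. */
static const unsigned char payload[] = "AAAAAAAAAAAAAAAA\x6C\x11\xB0\x30";
#define PAYLOAD_LEN (sizeof(payload) - 1)

/* Pre-attack frame: j == 0, and constructed values for EBP and the return. */
static foo_frame pristine_frame(void) {
    foo_frame f = { "", 0, 0x0019FF78u, 0x00401215u };
    return f;
}

/* Replay the overflow and return what the RET at the end of foo() would pop. */
static uint32_t overflowed_return_address(const unsigned char *src, size_t len) {
    foo_frame f = pristine_frame();
    if (len > sizeof f) len = sizeof f;
    memcpy(&f, src, len);
    return f.ret;
}

/* Same replay, reporting the saved EBP the filler bytes clobbered. */
static uint32_t overflowed_saved_ebp(const unsigned char *src, size_t len) {
    foo_frame f = pristine_frame();
    if (len > sizeof f) len = sizeof f;
    memcpy(&f, src, len);
    return f.saved_ebp;
}

/* DEP: instruction fetch is allowed only from pages the NX bit marks
   executable. Constructed map: the image's .text and the thread stack
   where the attacker's buffer (and, assumed here, 0x30B0116C) lives. */
typedef struct { uint32_t lo, hi; bool executable; } region;
static const region constructed_map[] = {
    { 0x00401000u, 0x00420000u, true  },   /* app.exe .text */
    { 0x30B00000u, 0x30B10000u, false },   /* stack holding szOut and the payload */
};

static bool dep_allows_execution(uint32_t eip) {
    for (size_t i = 0; i < sizeof constructed_map / sizeof constructed_map[0]; i++)
        if (eip >= constructed_map[i].lo && eip < constructed_map[i].hi)
            return constructed_map[i].executable;
    return false;   /* unmapped: faults either way */
}

int main(void) {
    uint32_t ret = overflowed_return_address(payload, PAYLOAD_LEN);
    printf("return address after overflow: 0x%08X (saved EBP now 0x%08X)\n",
           ret, overflowed_saved_ebp(payload, PAYLOAD_LEN));
    printf("RET into it with DEP on: %s\n",
           dep_allows_execution(ret) ? "shellcode runs" : "access violation, nothing executes");
    return 0;
}
```

Without DEP the same map would mark the stack executable and the RET would run the bytes after the address; with it, the attacker is pushed toward reusing existing code (ROP), which is what the CFG, stack-pivot and caller-check slides that follow are about.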

22 Disable Extension Points
Three legacy mechanisms that get a DLL loaded into another process, all switched off for the process by this mitigation:
AppInit DLLs, registered under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
Winsock Layered Service Providers:
    int WSPAPI WSCInstallProvider(
        IN LPGUID lpProviderId,
        IN const WCHAR FAR * lpszProviderDllPath,
        IN const LPWSAPROTOCOL_INFOW lpProtocolInfoList,
        IN DWORD dwNumberOfEntries,
        OUT LPINT lpErrno
    );
Window hooks:
    HHOOK WINAPI SetWindowsHookEx(
        _In_ int       idHook,
        _In_ HOOKPROC  lpfn,
        _In_ HINSTANCE hMod,
        _In_ DWORD     dwThreadId
    );

23 Disable Win32K System Calls
Diagram: Application Process (User Mode) calling down into win32k.sys (Kernel Mode). With the mitigation the process can no longer issue win32k system calls at all, which takes the kernel GUI subsystem (historically a rich source of privilege-escalation bugs) out of reach of a compromised sandboxed process.

24 Do Not Allow Child Processes
Application Process → Child Process
    BOOL WINAPI CreateProcess(
        _In_opt_    LPCTSTR               lpApplicationName,
        _Inout_opt_ LPTSTR                lpCommandLine,
        _In_opt_    LPSECURITY_ATTRIBUTES lpProcessAttributes,
        _In_opt_    LPSECURITY_ATTRIBUTES lpThreadAttributes,
        _In_        BOOL                  bInheritHandles,
        _In_        DWORD                 dwCreationFlags,
        _In_opt_    LPVOID                lpEnvironment,
        _In_opt_    LPCTSTR               lpCurrentDirectory,
        _In_        LPSTARTUPINFO         lpStartupInfo,
        _Out_       LPPROCESS_INFORMATION lpProcessInformation
    );
With the policy set, CreateProcess from the protected process fails, so a compromised process cannot spawn a helper to carry on the attack.

25 Block Remote Images
Application Process loading \\server\remote.dll
    HMODULE WINAPI LoadLibrary(_In_ LPCTSTR lpFileName);
An image that lives on a remote share (a UNC path such as \\server\remote.dll) is refused, closing off the "load my DLL from a share I control" step of many attacks.

26 Block Low Integrity Images
Application Process loading %appdata%\locallow\temp\remote.dll, a directory carrying a Low mandatory label:
    c:\Users\cjacks\AppData\LocalLow>icacls Temp
    Temp BUILTIN\Administrators:(OI)(CI)(F)
         BUILTIN\Power Users:(OI)(CI)(F)
         BUILTIN\Users:(OI)(CI)(F)
         Everyone:(OI)(CI)(RX,W)
         Mandatory Label\Low Mandatory Level:(I)(OI)(CI)(NW)
An image with a low integrity label is refused. Anything a low-IL process (a sandboxed browser tab, for example) could have written carries that label, so a payload dropped from the sandbox cannot be loaded back as a DLL.

27 Export Address Filtering

28 Export Address Filtering
Disassembly of an EAF exception handler shown on the slide. A hardware breakpoint on the export table fires, and the read is permitted only when the faulting EIP is inside a loaded module:
    .text:000546C4    test    byte ptr [eax+CONTEXT.Dr6], 11h   ; bug! 11h should be 3
    .text:000546C8    jz      short not_handled
    .text:000546CA    push    [eax+CONTEXT._Eip]                ; reg_eip
    .text:000546D0    call    is_in_module
    .text:000546D5    test    eax, eax
    .text:000546D7    jnz     short not_handled
    .text:000546D9    push    edi
    .text:000546DA    push    1
    .text:000546DC    call    report_protection
    .text:000546E1    cmp     status_exploitaction, 1
    .text:000546E8    pop     ecx
    .text:000546E9    pop     ecx
    .text:000546EA    jnz     short not_handled
    .text:000546EC    push    1
    .text:000546EE    push    STATUS_STACK_BUFFER_OVERRUN
    .text:000546F3    push    dword ptr [edi+4]
    .text:000546F6    call    report_error_and_terminate
    .text:000546FB not_handled:

29 Import Address Filtering
Import Address Filtering applies the same idea to reads of a module's import address table: shellcode that resolves APIs by walking the IAT from outside any loaded module is caught.
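Slides 27 to 29 show the handler in disassembly only. The following is an added example, not code from the presentation or from any Microsoft product, that writes the same decision in C: on a debug trap, look at which hardware breakpoint fired (DR6 status bits) and whether the faulting EIP lies inside a loaded module. The module list, the breakpoint-to-table assignment (DR0/DR1 on the kernel32 and ntdll export tables for EAF, DR2 on an IAT entry for IAF) and the sample EIPs are constructed. It also uses the corrected mask the slide's comment asks for (consecutive low bits, not 0x11).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed module list standing in for the loader's module table. */
typedef struct { const char *name; uint32_t base, size; } module_t;
static const module_t modules[] = {
    { "app.exe",      0x00400000u, 0x00030000u },
    { "kernel32.dll", 0x75C00000u, 0x000D0000u },
    { "ntdll.dll",    0x77400000u, 0x00140000u },
};

/* is_in_module from the slide: is the faulting instruction inside a mapped image? */
static bool is_in_module(uint32_t eip) {
    for (size_t i = 0; i < sizeof modules / sizeof modules[0]; i++)
        if (eip >= modules[i].base && eip < modules[i].base + modules[i].size) return true;
    return false;
}

/* The parts of CONTEXT the handler reads. */
typedef struct { uint32_t Dr6; uint32_t Eip; } ctx_t;

/* DR6 bits B0..B3 (mask 0xF) report which of DR0..DR3 triggered. The slide's
   handler tested 0x11 and so missed breakpoint 1; the fix is a mask of
   consecutive low bits. Assignment assumed for the demo:
   DR0 = kernel32 EAT, DR1 = ntdll EAT (EAF), DR2 = an IAT slot (IAF). */
#define DR6_B0 0x1u
#define DR6_B1 0x2u
#define DR6_B2 0x4u
#define EAF_IAF_BREAKPOINTS (DR6_B0 | DR6_B1 | DR6_B2)

enum verdict { NOT_OURS = 0, ALLOWED = 1, BLOCKED_TERMINATE = 2 };

static enum verdict eaf_iaf_handler(const ctx_t *ctx) {
    if ((ctx->Dr6 & EAF_IAF_BREAKPOINTS) == 0) return NOT_OURS;  /* some other debug event */
    if (is_in_module(ctx->Eip)) return ALLOWED;                  /* loader, GetProcAddress, ... */
    return BLOCKED_TERMINATE;         /* stack/heap code walking the table: report and terminate */
}

/* Build the CONTEXT for one trap and run the handler. */
static enum verdict debug_trap(uint32_t dr6, uint32_t eip) {
    ctx_t ctx = { dr6, eip };
    return eaf_iaf_handler(&ctx);
}

int main(void) {
    static const char *names[] = { "pass to next handler", "allowed", "report + terminate" };
    printf("EAT read from stack shellcode:  %s\n", names[debug_trap(DR6_B0, 0x0019F8A0u)]);
    printf("EAT read from inside kernel32:  %s\n", names[debug_trap(DR6_B1, 0x75C1A2F0u)]);
    printf("IAT read from heap shellcode:   %s\n", names[debug_trap(DR6_B2, 0x02A30104u)]);
    printf("unrelated single-step trap:     %s\n", names[debug_trap(0x00004000u, 0x0019F8A0u)]);
    return 0;
}
```

The check is a heuristic about where the reading instruction lives, not about what it reads: a chain that performs the table walk from a gadget inside a module passes, which is why EAF is paired with the other mitigations rather than relied on alone.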

30 Simulate Execution
Simulate Execution Flow: after a critical function is reached, the mitigation emulates the instructions at the return address and the RETs that follow, looking for the return-into-gadget pattern of a ROP chain. Disassembly shown on the slide (some opcode bytes are truncated in the transcript):
    0x41BD14: D           TEST DWORD PTR [0x41D184],ESI         ; .data:0x4E 0xE6 0x40 0xBB
    0x41BD1A:             JNZ  x41BD…                           ; (*+0x7)
    0x41BD1C: B94FE640BB  MOV  ECX,0xBB40E64F                   ; <== 0x0041BD12 (*-0xA)
    0x41BD21: 890D84D…    MOV  DWORD PTR [0x41D184],ECX         ; .data:0x4E 0xE6 0x40 0xBB ; <== 0x0041BD1A (*-0x7)
    0x41BD27: F7D…        NOT  ECX
    0x41BD29: 890D88D…    MOV  DWORD PTR [0x41D188],ECX         ; .data:0xB1 0x19 0xBF 0x44
    0x41BD2F: 5F          POP  EDI                              ; <== 0x0041BCC3 (*-0x6C)
    0x41BD30: 5E          POP  ESI
    0x41BD31: 8BE…        MOV  ESP,EBP
    0x41BD33: 5D          POP  EBP
    0x41BD34: C…          RET
    0x41BD35:             PUSH x…                               ; <== 0x0041B4B9 (*-0x87C)
    0x41BD3A:             PUSH x10000
    0x41BD3F: FF157C…     CALL DWORD PTR [MSVCRT.DLL!_controlfp] ; (0x42047C)
    0x41BD45:             POP  ECX
    0x41BD46:             POP  ECX
    0x41BD47: C…          RET

31 Validate API Invocation
Validate API Invocation: CALL → Critical Function → RET. On entry to a critical function the return address on the stack must sit immediately after a CALL instruction; a critical function reached by a RET (the way a ROP chain arrives) fails the check.
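The slide draws CALL → Critical Function → RET but not the test. The following is an added example, not code from the presentation, that implements the caller check as a byte-level decoder: given the return address on entry to a critical function, does the code just before it encode an x86 CALL? The code bytes are constructed (an ordinary call through the IAT slot 0x42047C that slide 30's disassembly calls through, followed by a pop/pop/ret gadget); SIB-byte forms of call r/m32 are left out of the demo.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Does the byte sequence ending just before ret_off decode as a CALL?
   Covers E8 rel32 and FF /2 (call r/m32) with ModRM D0-D7 (call reg),
   15 (call [disp32]), 50-57 (call [reg+disp8]) and 90-97 (call [reg+disp32]). */
static bool preceded_by_call(const uint8_t *code, size_t len, size_t ret_off) {
    if (ret_off > len) return false;
    if (ret_off >= 5 && code[ret_off - 5] == 0xE8) return true;
    if (ret_off >= 2 && code[ret_off - 2] == 0xFF && (code[ret_off - 1] & 0xF8) == 0xD0) return true;
    if (ret_off >= 6 && code[ret_off - 6] == 0xFF &&  code[ret_off - 5]         == 0x15) return true;
    if (ret_off >= 3 && code[ret_off - 3] == 0xFF && (code[ret_off - 2] & 0xF8) == 0x50) return true;
    if (ret_off >= 6 && code[ret_off - 6] == 0xFF && (code[ret_off - 5] & 0xF8) == 0x90) return true;
    return false;
}

/* Constructed code bytes: 0x00-0x0A is a normal caller of a critical API
   via its IAT slot; 0x0B-0x0D is a pop/pop/ret gadget a ROP chain would
   "return" into. */
static const uint8_t code[] = {
    0x8B, 0x45, 0x08,                    /* 00: mov eax, [ebp+8]                  */
    0xFF, 0x15, 0x7C, 0x04, 0x42, 0x00,  /* 03: call dword ptr [0x42047C]         */
    0x5D,                                /* 09: pop ebp   <- legitimate return    */
    0xC3,                                /* 0A: ret                               */
    0x5F,                                /* 0B: pop edi   <- ROP chain lands here */
    0x5E,                                /* 0C: pop esi                           */
    0xC3,                                /* 0D: ret                               */
};

enum verdict { CALLER_CHECK_FAILED = 0, CALL_OK = 1 };

/* Entry hook on a critical function: the address on top of the stack is
   where the function will return, so it must follow a CALL. */
static enum verdict critical_function_entry(size_t return_offset) {
    return preceded_by_call(code, sizeof code, return_offset) ? CALL_OK : CALLER_CHECK_FAILED;
}

int main(void) {
    printf("reached via call [IAT], ret=0x09: %s\n",
           critical_function_entry(0x09) ? "ok" : "caller check failed");
    printf("reached via ROP,        ret=0x0B: %s\n",
           critical_function_entry(0x0B) ? "ok" : "caller check failed");
    return 0;
}
```

The known weakness of this check follows from its definition: a ROP chain built only from gadgets that happen to sit right after a CALL instruction ("call-preceded gadgets") satisfies it, so it raises the bar rather than closing the door.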

32 Heap Metadata Hardening
Validate Heap Integrity:
Terminate the process on detected corruption
Heap Metadata Hardening
Heap Allocation Randomization
Heap Guard Pages
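The slide names the four measures without showing what "metadata hardening" checks. The following is an added example, not code from the presentation or from ntdll, modelled on the NT heap's chunk header: an 8-byte entry whose SmallTagIndex byte is a checksum of the three bytes before it, with the first four bytes XORed against a per-heap key when encoding is on. The header layout, the key value, the chunk sizes and the overflow bytes are constructed; the point is the comparison of an unencoded header against an encoded one under the same overflow.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 8-byte x86 _HEAP_ENTRY as modelled here: Size and PreviousSize in 8-byte
   granules, Flags (HEAP_ENTRY_BUSY = 1), and SmallTagIndex, the one-byte
   checksum of the three bytes before it. */
typedef struct {
    uint16_t Size;
    uint8_t  Flags;
    uint8_t  SmallTagIndex;
    uint16_t PreviousSize;
    uint8_t  SegmentOffset;
    uint8_t  UnusedBytes;
} heap_entry;
_Static_assert(sizeof(heap_entry) == 8, "entry must be 8 bytes");

#define HEAP_ENTRY_BUSY 0x01u

/* Per-heap state: the 4-byte XOR key (Heap->Encoding, value constructed)
   and whether header encoding is in use. */
typedef struct { uint8_t key[4]; bool encode; } heap_t;

static uint8_t entry_checksum(const heap_entry *e) {
    return (uint8_t)((e->Size & 0xFF) ^ (e->Size >> 8) ^ e->Flags);
}

/* Store: compute the checksum, then XOR the first four bytes with the key. */
static void entry_store(const heap_t *h, heap_entry *e) {
    e->SmallTagIndex = entry_checksum(e);
    if (h->encode) {
        uint8_t *p = (uint8_t *)e;
        for (int i = 0; i < 4; i++) p[i] ^= h->key[i];
    }
}

/* Load: undo the XOR, then verify the checksum. false means corrupt
   metadata, the point at which the heap terminates the process. */
static bool entry_load(const heap_t *h, const heap_entry *stored, heap_entry *out) {
    *out = *stored;
    if (h->encode) {
        uint8_t *p = (uint8_t *)out;
        for (int i = 0; i < 4; i++) p[i] ^= h->key[i];
    }
    return entry_checksum(out) == out->SmallTagIndex;
}

static const heap_t demo_heap_plain   = { { 0x52, 0x1C, 0x9A, 0x6B }, false };
static const heap_t demo_heap_encoded = { { 0x52, 0x1C, 0x9A, 0x6B }, true  };

/* A 0x30-byte busy chunk followed by the next chunk's header; then n bytes
   of spray are written from the start of the chunk (the overflow).
   Returns true when the heap notices the damaged header on the next use. */
static bool overflow_detected(const heap_t *h, const uint8_t *spray, size_t n) {
    uint8_t chunk[0x30 + sizeof(heap_entry)];
    heap_entry next = { 0x08, HEAP_ENTRY_BUSY, 0, 0x07, 0, 0 };   /* next: 0x40 bytes, prev 0x38 */
    entry_store(h, &next);
    memset(chunk, 0, sizeof chunk);
    memcpy(chunk + 0x30, &next, sizeof next);
    if (n > sizeof chunk) n = sizeof chunk;
    memcpy(chunk, spray, n);
    heap_entry stored, decoded;
    memcpy(&stored, chunk + 0x30, sizeof stored);
    return !entry_load(h, &stored, &decoded);
}

/* Constructed overflow: 0x34 bytes of 'A', four bytes past the user data. */
static bool spray_detected(const heap_t *h) {
    uint8_t spray[0x34];
    memset(spray, 'A', sizeof spray);
    return overflow_detected(h, spray, sizeof spray);
}

/* Sanity check: an untouched header round-trips under either mode. */
static bool legit_roundtrip(const heap_t *h) {
    heap_entry e = { 0x08, HEAP_ENTRY_BUSY, 0, 0x07, 0, 0 }, back;
    entry_store(h, &e);
    return entry_load(h, &e, &back) && back.Size == 0x08 && back.Flags == HEAP_ENTRY_BUSY;
}

int main(void) {
    printf("'A' spray, plain header:   %s\n", spray_detected(&demo_heap_plain)   ? "caught" : "missed");
    printf("'A' spray, encoded header: %s\n", spray_detected(&demo_heap_encoded) ? "caught" : "missed");
    return 0;
}
```

The plain header is missed on purpose: 0x41 ^ 0x41 ^ 0x41 is 0x41, so a uniform spray produces a self-consistent checksum, and an attacker who controls the bytes can always write a consistent one. Only with the per-heap key does a consistent header require knowledge the attacker does not have, which is the whole value of "metadata hardening" over a bare checksum.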

33 SEHOP Explained
Stack, higher addresses at the bottom: Local variables | Previous stack frame | … | Exception Registration Record (Next, Handler)
    void vulnerable(char *ptr) {
        char buf[128];
        strcpy(buf, ptr);
    }
    void parent(char *ptr) {
        __try {
            vulnerable(ptr);
            … exception …
        } __except(…) {
        }
    }
A buffer overflow in vulnerable() runs past buf[128] and into the exception registration record that parent()'s __try/__except pushed, overwriting its Next and Handler fields.

34 ntdll!_except_handler4
SEHOP Explained
Normal SEH chain (Next → Handler at each record): app!_except_handler4 → k32!_except_handler4 → ntdll!_except_handler4 → 0xffffffff (end of chain)
Corrupt SEH chain: the first record's Next field is overwritten with 0x414106eb and its Handler with 0x7c1408ac (a pop/ret-style gadget, labelled "pop eax; ret" on the slide).
An exception will cause 0x7c1408ac to be called as an exception handler as:
    EXCEPTION_DISPOSITION Handler(
        PEXCEPTION_RECORD Exception,
        PVOID EstablisherFrame,
        PCONTEXT ContextRecord,
        PVOID DispatcherContext);

35 ntdll!FinalExceptionHandler
SEHOP Explained
Dynamic protection for SEH overwrites; no compile/link time hints required.
A symbolic validation frame (ntdll!FinalExceptionHandler) is inserted as the final entry in the chain when the thread starts.
Corrupt Next pointers prevent traversal to the validation frame: the dispatcher walks the whole chain before invoking any handler and refuses to dispatch if the walk does not end at that frame.
Valid SEH chain: app!_except_handler4 → k32!_except_handler4 → ntdll!FinalExceptionHandler
Invalid SEH chain: app!_main+0x1c → 0x… → ? Can't reach validation frame!
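Slides 33 to 35 describe the walk but not its rules. The following is an added example, not code from the presentation or from ntdll, that builds the two chains from the slides on a simulated thread stack and runs a SEHOP-style validation over them: every record must lie inside the stack, be pointer-aligned, sit at a higher address than the previous one, and the chain must end at the validation frame. The handler functions, stack cells and the corrupt values (0x414106eb as Next, a pop/pop/ret stand-in as Handler) are constructed; the real dispatcher also checks other invariants not modelled here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef void (*seh_handler_t)(void);
typedef struct seh_record { struct seh_record *next; seh_handler_t handler; } seh_record;

/* End-of-chain marker (0xFFFFFFFF on x86). */
#define SEH_CHAIN_END ((seh_record *)(uintptr_t)UINT32_C(0xFFFFFFFF))

/* Stand-ins for the handlers named on the slides. */
static void app_except_handler4(void) {}
static void k32_except_handler4(void) {}
static void ntdll_final_exception_handler(void) {}   /* ntdll!FinalExceptionHandler */
static void pop_pop_ret_gadget(void) {}              /* the attacker's 0x7c1408ac */

/* Simulated thread stack: 64 record-sized cells, low addresses first;
   deeper frames sit at lower addresses. */
static seh_record sim_stack[64];

/* SEHOP's walk, done by the dispatcher before any handler runs. */
static bool sehop_chain_valid(const seh_record *head, uintptr_t stack_lo, uintptr_t stack_hi) {
    const seh_record *rec = head, *last = NULL;
    while (rec != SEH_CHAIN_END) {
        uintptr_t a = (uintptr_t)rec;
        if (a < stack_lo || a + sizeof *rec > stack_hi) return false;  /* record is off the stack */
        if (a % sizeof(void *) != 0) return false;                      /* misaligned record */
        if (last && a <= (uintptr_t)last) return false;                /* must move toward the base */
        last = rec;
        rec = rec->next;   /* safe: bounds were checked before this dereference */
    }
    return last != NULL && last->handler == ntdll_final_exception_handler;
}

/* Rebuild the chain from the slides: parent()'s __try frame, kernel32's
   thread-start frame, then the validation frame at the highest address. */
static seh_record *build_chain(void) {
    memset(sim_stack, 0, sizeof sim_stack);
    seh_record *r_app = &sim_stack[8], *r_k32 = &sim_stack[24], *r_fin = &sim_stack[56];
    r_fin->next = SEH_CHAIN_END; r_fin->handler = ntdll_final_exception_handler;
    r_k32->next = r_fin;         r_k32->handler = k32_except_handler4;
    r_app->next = r_k32;         r_app->handler = app_except_handler4;
    return r_app;
}

static bool run_dispatcher(const seh_record *head) {
    uintptr_t lo = (uintptr_t)sim_stack, hi = lo + sizeof sim_stack;
    return sehop_chain_valid(head, lo, hi);
}

/* Case 1/2: intact chain, or the strcpy in vulnerable() has overwritten
   the innermost record with Next = 0x414106eb and Handler = the gadget. */
static bool dispatch_allowed(bool overflowed) {
    seh_record *head = build_chain();
    if (overflowed) {
        head->next    = (seh_record *)(uintptr_t)0x414106EBu;
        head->handler = pop_pop_ret_gadget;
    }
    return run_dispatcher(head);
}

/* Case 3: the attacker knew the next record's stack address, kept Next
   intact and replaced only Handler. The walk still reaches the validation
   frame, which is why SEHOP relies on ASLR hiding that address. */
static bool dispatch_allowed_handler_only_overwrite(void) {
    seh_record *head = build_chain();
    head->handler = pop_pop_ret_gadget;
    return run_dispatcher(head);
}

int main(void) {
    printf("intact chain:             %s\n", dispatch_allowed(false) ? "handlers dispatched" : "blocked");
    printf("Next+Handler overwritten: %s\n", dispatch_allowed(true)  ? "handlers dispatched" : "blocked");
    printf("Handler-only overwrite:   %s\n", dispatch_allowed_handler_only_overwrite() ? "handlers dispatched" : "blocked");
    return 0;
}
```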

36 Validate Handle Usage
Application Process: trigger an exception when an invalid handle is used, rather than letting the call fail quietly. A closed, stale or guessed handle value (the kind of thing a handle-reuse bug or a tampered data structure produces) therefore terminates the process instead of being silently tolerated.

37 Validate Image Dependency Integrity
    HMODULE WINAPI LoadLibrary(_In_ LPCTSTR lpFileName);
Enforce code signing for Windows image dependency loading: the DLLs a Windows image depends on must themselves be signed, which defeats DLL planting against those dependencies.

38 Validate Stack Integrity
Normal frame, higher addresses at the top: Arg 1 | EIP = return address | EBP = frame pointer | Local 1, with ESP pointing into the thread's real stack.
Stack-pivot gadgets that move ESP into attacker-controlled memory so a ROP chain can start:
    XCHG reg, ESP; RETN
    MOV  reg, ESP; RETN
    CALL reg
    POP  reg; JMP reg
    ADD  ESP, offset; RETN
Fake frame the attacker has built in that memory: Fake Arg 1 | EIP = malware | EBP frame pointer | Fake Arg 2

39 Validate Stack Integrity
After the pivot: ESP now points into the fake frame (Fake Arg 1 | EIP = malware | EBP frame pointer | Local 1) in attacker-controlled memory, not into the thread's real stack.

40 Validate Stack Integrity
Upon entering a critical function, check to see if ESP is between the thread's upper and lower stack limit. If it is not, the stack has been pivoted and the process is terminated before the function runs.
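The following is an added example, not code from the presentation, that puts slides 38 to 40 together: a TEB with the thread's stack limits, an emulated "XCHG EAX, ESP; RETN" pivot from the slide's gadget list that swaps ESP into a heap buffer holding a ROP chain, and the range check on entry to a critical function. The stack limits, heap address and chain contents are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* The two TEB fields the check reads: NT_TIB.StackBase is the high end and
   StackLimit the low end of the committed stack. Values constructed. */
typedef struct { uintptr_t StackBase; uintptr_t StackLimit; } teb_t;
static const teb_t teb = { 0x001A0000u, 0x0019C000u };

/* Upon entering a critical function: is ESP inside the thread's stack? */
static bool esp_within_stack(const teb_t *t, uintptr_t esp) {
    return esp >= t->StackLimit && esp < t->StackBase;
}

/* Just enough register state to show the pivot. */
typedef struct { uintptr_t eax, esp, eip; } regs_t;

/* "XCHG EAX, ESP ; RETN" from the slide's gadget list. After the swap, RETN
   pops the next "return address" from wherever EAX pointed. mem_at_new_esp
   is the demo's stand-in for the memory the new ESP addresses. */
static void gadget_xchg_eax_esp_ret(regs_t *r, const uintptr_t *mem_at_new_esp) {
    uintptr_t t = r->eax; r->eax = r->esp; r->esp = t;
    r->eip = mem_at_new_esp[0];
    r->esp += sizeof(uintptr_t);
}

enum verdict { TERMINATED = 0, CALL_ALLOWED = 1 };

static enum verdict critical_function_entry(const regs_t *r) {
    return esp_within_stack(&teb, r->esp) ? CALL_ALLOWED : TERMINATED;
}

/* Scenario: a hijacked virtual call has reached the gadget with EAX pointing
   at a heap buffer the attacker filled with a ROP chain whose first entry is
   a critical function (address constructed). */
static enum verdict demo(bool attacker_pivots) {
    static const uintptr_t heap_rop_chain[] = { 0x7C801D7Bu, 0x41414141u, 0x41414141u };
    regs_t r = { .eax = 0x02A30000u /* heap buffer */, .esp = 0x0019F8C0u, .eip = 0 };
    if (attacker_pivots) gadget_xchg_eax_esp_ret(&r, heap_rop_chain);
    return critical_function_entry(&r);   /* ESP is now 0x02A30004/8: off the stack */
}

int main(void) {
    printf("normal call:         %s\n", demo(false) ? "allowed" : "terminated");
    printf("after heap pivot:    %s\n", demo(true)  ? "allowed" : "terminated");
    return 0;
}
```

The check catches the common case of a chain staged in the heap. A chain that is staged on the stack itself (for example one reached with "ADD ESP, offset; RETN" into a stack buffer) keeps ESP inside the limits and passes, which is why this check sits beside the caller check and CFG rather than replacing them.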

41 Mitigation Auditing

42 Applications and Services Log\Microsoft\Windows\Security-Mitigations
Mitigation events are written to the Security-Mitigations channel under Applications and Services Logs\Microsoft\Windows. A mitigation can be rolled out in audit mode and its hits reviewed there, so that application compatibility problems are found before the setting is switched to block.

44 Please evaluate this session
Tech Ready 15 9/12/2018
From your PC or tablet: visit MyIgnite. Phone: download and use the Microsoft Ignite mobile app. Your input is important!
