Things just keep getting interestinger...

Longboard · Aug 15, 2006

This si a slightly long read;

From one of my favourite coding geniuses, I cant follow more than the basic outline, but, all our winboxes are in the firing line:

95% of the planet are dependent on Windows. That's a sad 95%. And no,
there's never been an excuse. Ever. But that's the sad truth. 95%. Or
thereabouts.

So as Vista rolls out, guess what? So does a new kernel model. And it
isn't just about security - there's an ulterior motive. Think about the
classic answer to the following and that should be clue enough.

* Why did Bill Gates abandon Internet Explorer for so many years? *

And notice as well that as always when something stupid is about to
happen, Chief Software Architect Bill Gates will be found peeking from
around the corner.

But we're jumping ahead of our story.

Symantec

Symantec have published a white paper. And it's a good one. And
Symantec are pissed - rightfully.

The paper is called 'Assessment of Vista Kernel Mode Security' and it's
a good paper. And keep in mind that Symantec currently control over 50%
of the Windows security market.

Vista has new kernel mode security, the paper points out.

* driver signing
* 'PatchGuard'
* kernel code integrity checks
* optional 'Secure Bootup' with TPM hardware
* restricted access to \Device\PhysicalMemory

The paper goes on at length about the boot process, and then the
business of driver signing (pointing out that today only eight firms
are allowed to sign drivers) and 'PatchGuard'. The paper shows how one
would go about disabling this feature - against Bill's explicit wishes
of course.

Writing in Phrack, 'Crazylord' showed how physical memory scans could
be used to locate sensitive parts of the kernel. This memory is by
default read-only, but there are ways around everything.

One cute technique, the paper points out, is to find the Global
Descriptor Table and add a ring 0 (kernel mode) call gate. Code can
then issue a 'CALL FAR' to jump right in.

Another trick is to find the Interrupt Descriptor Table and install an
interrupt gate: code can then use an INT to jump into the kernel. All
cute.

On the other hand, the author of this white paper has previously used
physical memory access to fight back: physical memory can be used to
detect BIOS rootkits.

Code Integrity

CI.DLL is a new Windows DLL (shared library). 'CI' stands for 'code
integrity'. CI.DLL is statically linked into the kernel. Of course it
is.

Microsoft's own blurb:

'Code Integrity (CI) protects Windows Vista by verifying that system
binaries haven't been tampered with by malicious code and by ensuring
that there are no unsigned drivers running in kernel mode on the
system. CI starts as Windows starts up. The boot loader checks the
integrity of the kernel, the HAL, and the boot-start drivers. After
these have been verified, the system starts and the memory manager
calls CI to verify any binaries loaded into the kernel memory space.
These binaries are verified by looking up their signatures in system
catalogs. Aside from kernel memory space, CI verifies binaries loaded
into a protected process and system installed dynamic libraries that
implement core cryptographic functions.'

[Maybe you can see it coming already?]

CI and PatchGuard overlap, but CI can be disabled and PatchGuard can
never be. Further, PatchGuard is made by the Windows Core team and
meant to prevent hooking into the OS, whereas CI is made by the DRM
unit and is meant to ensure the integrity of userland code handling
protected content.

[Now you know, right?]

Signed Drivers

Vista signed drivers handling network protocols include the following.

Driver Function
------ --------
NETIO.SYS IP4/IP6 stack
HTTP.SYS HTTP requests
MRXSMB10.SYS SMB 1
MRXSMB20.SYS SMB 2
MRXDAV.sys WebDav
MSRPC.sys RPC

If a hole is found in one of these signed drivers, it could obviously
allow a complete system compromise by remote attack.

Can driver signing be disabled? Yes. To load unsigned drivers, one
needs to patch the kernel (NTOSKRNL) but patching it will invalidate
its signature so WINLOAD will refuse to load it - thus WINLOAD must be
patched first.

[There's always an easy way around, isn't there?]

But Windows Resource Protection (WRP) puts ACLs on files (this is
assuming NTFS) that are not modifiable by admins or the 'LocalSystem'
account - only the 'TrustedInstaller' [sic] has access.

----------------------------------------
The Catch

But here's the catch: both admins and 'LocalSystem' have, as
traditionally, enough privilege to assume ownership of securable
objects - even those owned by the system itself.

So first one enables the SeTakeOwnership privilege, then one takes
ownership of the file with the bitchy ACL, and finally one grants
admins full access via AdjustTokenPrivileges and SetNamedSecurityInfo.

Once WINLOAD is botched, NTOSKRNL can be botched, and after that all
driver signing can be disabled.

And the machine is toast.

All the hacker has to do at this point is 1) disable PatchGuard (which
it now can do) and 2) hook into the NtQueryInformationFile and
NtCreateFile APIs to flip calls to the original unmodified copy - this
prevents userland tools from detecting malfeasance in the system.

----------------------------------------
What's It All Mean?

1. It means that Symantec's Matthew Conover, the author of this white
paper, with assistance from Ollie Whitehouse and Chris Wee, already
discovered a way to totally crack Vista - to the point they in effect
have a rootkit on the system - and this before the danged Vista's even
been released.

2. Microsoft read the papers too, and Conover knows this. Read between
the lines with his paper.

3. Conover knows Microsoft are going to fix this again and change
everything - but he also knows who Microsoft are, and he knows it's
only a matter of time before he cracks their revised system too. And
the next revision after that. And after that. The basic mechanism for
the current crack has been in XPT code for ten years. And the XPT is
not exploiting a bug: this is a design flaw. It's been there ten years.
And Microsoft programmers should know of it. In fact, this entire thing
smacks of the kind of DRM we've seen so many times before: wobbly and
full of holes.

4. This is the painful issue: hackers can always break through, but
third party software houses cannot use illicit methods to access
drivers - and yet the security industry NEED to access these drivers.

5. See where this is leading? Symantec, McAfee, et al: they're all
basically out of business. Microsoft won't grant them access, and even
if they did, they wouldn't be able to keep up with Microsoft's
ever-changing code and security strategy.

6. Customers will be forced to rely only on microsoft security products.

7. But there's another reason for this - with Bill Gates there's always
another reason: DRM. Bill must ensure the ??AA that protected media
make it to the computer with no one eavesdropping on the line. They
will encrypt the **** out of all sorts of media files and only Mister
Bill will be able to decrypt them. If anyone does publish a hack for
his DRM, the US have their trusty DMCA all ready and waiting.

Gee whiz. How convenient. What's IE anyway?
Click to expand...

Devinco · Aug 15, 2006

Thanks Longboard.

That is interestinger!

Lamehand · Aug 16, 2006

5. See where this is leading? Symantec, McAfee, et al: they're all
basically out of business. Microsoft won't grant them access, and even
if they did, they wouldn't be able to keep up with Microsoft's
ever-changing code and security strategy.
Click to expand...

I don't think these company's will sit back and let this happen, there will surely be made some sort of a deal, there is too much money involved in this.

Lamehand

phasechange · Aug 16, 2006

If Microsoft were to shut other Security companies out then it would be an anticompetitive practice and they would be back at the EU and US courts again. This time I don't think the EU would be pulling their punches and even the US Courts may get a bit heavy.

Personally I welcome attempts to lock down the core OS. I am however concerned that it goes too far and MS excludes drivers that I like. For example AnyDVD.

Fairy

Rilla927 · Aug 22, 2006

Lamehand said:

I don't think these company's will sit back and let this happen, there will surely be made some sort of a deal, there is too much money involved in this.

Lamehand
Click to expand...

I agree.

Isn't this called monopolizing? I thought that was against the law.

By Gates doing this he would be putting a lot of folks out of jobs, so they should all get together to sue him.

I'm all for security, but not this way. This is going way too far.

You know what I can picture, all these people out there that don't know that you wouldn't be able to use your own security softwares on a purchased windows Vista system will be marching them right back for refunds. If they had any sense, anyway.

lodore · Aug 22, 2006

Hi

the thing is this message "if one has enough time and patience one can get past any operating system" No OS is completely safe there is a moderatly secure.

lodore

Longboard · Sep 3, 2006

As requested: extra info: the original post was from a news letter from Radsoft.
Heh, has a slight (!!) bias against MS.

Check their site : good tools for Windows and Apple (from Rixstep)
Always has good reads.

Also trying to set up a community to write a new OS based on Ubuntu.
http://rixstep.com/2/0/nextbuntu.shtml

The bulk of the opinion and analysis came from:
http://symantec.com/enterprise/security_response/weblog/2006/08/assessment_of_vista_kernel_mod.html

http://symantec.com/avcenter/reference/Windows_Vista_Kernel_Mode_Security.pdf

Regards.

nadirah · Sep 4, 2006

Microsoft is very domineering( correct spelling?).
But anyway if the guys from the 3rd-party security companies lose their jobs, they can go and work for MS and bite MS back from the inside.

Microosft might as well harden the Vista kernel even further, even if it means putting the 3rd-party security companies out of jobs. They need to be fast, because people will always find ways to crack the OS core.

Harden it further:
1) You put people out of jobs.
2) Make hackers'/malware authors/researchers lives' more difficult than ever. Vista IS Microsoft's product and as the maker of it, they've every right to protect their own interests IMO.

Seems like a very difficult and tense situation. Either way, it's all about balance.

1 GOOD thing: We won't have to rely so much on so many 3rd-party programs. MS seems like it wants to be the God of the IT world.

Lamehand · Sep 5, 2006

nadirah said:

1 GOOD thing: We won't have to rely so much on so many 3rd-party programs. MS seems like it wants to be the God of the IT world.
Click to expand...

Restricting choice and diversity is never a good thing and won't improve the security of the system one bit.

Lamehand

rogannn · Sep 9, 2006

Wow, i'm too lazy to read all that.

Log in or Sign up

Things just keep getting interestinger...

Longboard Registered Member

Devinco Registered Member

Lamehand Registered Member

phasechange Registered Member

Rilla927 Registered Member

lodore Registered Member

Longboard Registered Member

nadirah Registered Member

Lamehand Registered Member

rogannn Registered Member

Log in or Sign up

Things just keep getting interestinger...

Longboard Registered Member

Devinco Registered Member

Lamehand Registered Member

phasechange Registered Member

Rilla927 Registered Member

lodore Registered Member

Longboard Registered Member

nadirah Registered Member

Lamehand Registered Member

rogannn Registered Member

Useful Searches