Back From Black Hat


Well, we’re back after an exciting week in Las Vegas presenting on Microsoft Windows Vista. There are plenty of reports out there recapping what we discussed, so I won’t go any further into that in this post.


But there were many presentations outside of the Windows Vista track at Black Hat last week, including the Device Drivers presentation by David Maynor and Johnny Cache, which generated significant buzz afterwards. Their talk ended with a demo of a method to take over a Mac OS X box using a wireless vulnerability. To be fair, that weakness isn’t unique to Mac OS X, and our wireless teams have already been working on mitigations with the Wi-Fi Alliance.


A presentation that pertained directly to Windows Vista was Joanna Rutkowska’s “Blue Pill” demonstration. Joanna is obviously incredibly talented. She demonstrated a way for someone who already has admin-level access to attempt to insert unsigned code into the kernel on the x64 versions of Windows Vista. Some people have commented that this demo means that some of Microsoft’s security work in Windows Vista doesn’t matter. Untrue. Two things are important to keep in mind: there is no “silver bullet” when it comes to security, and it is very difficult to protect against an attacker who is sitting at the console of your computer with an administrator command window open. Both of the demos shown, the one on driver signing and the one on virtualization, started from the assumption that the person trying to execute the code already had administrative privileges on the computer. We’re certainly looking into her research to determine whether any changes should be made before the final release of Windows Vista; however, it is difficult for any operating system to limit the powers of someone who already has administrative privileges on it. The way I look at it, that is the very reason Windows Vista is built with a defense-in-depth mindset: to help prevent attackers from getting administrative privileges in the first place. Remember, that’s the goal: multiple layers, each of which tries to prevent elevation of privilege. Windows Vista is a lot like Shrek’s onion analogy: lots of layers. Firewall on by default, running as a standard user, Windows Service Hardening, Internet Explorer 7 Protected Mode, support for hardware Data Execution Prevention (/NX), Address Space Layout Randomization, Windows Defender… and that’s just to name seven.


Like the layers just listed, signed driver checking on x64 versions of Windows Vista is a defense-in-depth measure. It is designed to make potential attacks more difficult, but it is not impervious on its own. A driver-signing requirement also helps improve the reliability of Windows Vista: Microsoft’s crash analysis reports indicate that many system crashes result from inadequate design and testing of kernel-mode drivers. Requiring the authors of these drivers to identify themselves makes it easier for Microsoft to determine the cause of a system crash and work with the responsible vendor to resolve the issue.
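As an added illustration of the kind of check the signing requirement makes possible (example code written for this page, not from the original post or from Microsoft), the following PowerShell enumerates the kernel-mode drivers currently running on a Windows box and lists any whose image file does not carry a valid Authenticode signature. It assumes Windows PowerShell 3.0 or later (for Get-CimInstance) and read access to the driver files; the function names are my own.

```powershell
# Added example: audit running kernel-mode drivers for a valid Authenticode signature.
# Assumes Windows PowerShell 3.0+ (Get-CimInstance) and read access to the driver image files.

function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver.PathName comes in several shapes, for example:
    #   \??\C:\Windows\system32\drivers\foo.sys
    #   \SystemRoot\system32\DRIVERS\bar.sys
    #   system32\drivers\baz.sys
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-UnsignedLoadedDriver {
    # Only drivers that are actually running matter for the "code in the kernel" question.
    $running = Get-CimInstance -ClassName Win32_SystemDriver | Where-Object { $_.State -eq 'Running' }
    foreach ($drv in $running) {
        if (-not $drv.PathName) { continue }   # pseudo-drivers with no image on disk
        $path = Resolve-DriverPath $drv.PathName
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Name = $drv.Name; Path = $path; Status = 'FileNotFound'; Signer = $null }
            continue
        }
        $sig = Get-AuthenticodeSignature -FilePath $path
        # 'Valid' means the signature chains to a trusted root; anything else
        # (NotSigned, HashMismatch, UnknownError, ...) deserves a closer look.
        if ($sig.Status -ne 'Valid') {
            [pscustomobject]@{
                Name   = $drv.Name
                Path   = $path
                Status = $sig.Status
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            }
        }
    }
}

# Usage: list suspect drivers; most useful run periodically and compared against a known-good baseline.
Get-UnsignedLoadedDriver | Sort-Object Status, Name | Format-Table -AutoSize
```

On older Windows versions Get-AuthenticodeSignature does not consult catalog (.cat) signatures, so in-box drivers signed only through a catalog can show up as NotSigned there; treat those rows as candidates for review rather than confirmed unsigned code.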


So for those who think that all of the security work that has gone into Windows Vista doesn’t matter because someone who already had administrative privileges was able to install malware, we respectfully disagree. To get a better understanding of our approach to security in Windows Vista, see our white paper.


It was a great Black Hat, and we already have our teams combing through information to make Windows Vista even better because of it. Special thanks to Black Hat for having us and to all the security researchers I talked to.


- Austin Wilson



Comments (14)
  1. Chris says:

    Something stupid, but about the bluepill… while I agree there isn’t a solid way to protect against everything, especially with someone sitting down with admin privileges… perhaps Vista needs to be better at auto-healing the kernel after a modification to its kernel takes place.

    If Microsoft knows what the kernel’s supposed to look like, shouldn’t an automated roll back be possible based on the current Vista versioning?

    It’s just a thought and I’m by far not a security guru, but it just appears that if you can’t block everything, perhaps just blocking isn’t the only way to bite the bullet… Perhaps in this case a good offensive recovery of the kernel to heal itself would remove the damage that a change like a bluepill could create.

  2. Timothy says:

    I really think it’s silly when people get all excited about malware/exploits that require administrative privileges to execute. You can also format the hard drive as an admin without the OS complaining, so what’s your point?

    That being said, I think it is good that the Windows team is analyzing these strategies, such as bluepill, to further protect admins from shooting themselves in the foot by running 100% of the time as admins.  But I still have no sympathy for someone who is exploited while being an admin.

  3. Larry says:

    Actually, the problem doesn’t have anything to do with Vista per se; it is more of a hardware problem. Here is a link to the blog of the woman (Joanna Rutkowska) who developed the "Blue Pill":

    http://theinvisiblethings.blogspot.com/2006/06/introducing-blue-pill.html

    If you read her blog, the "Blue Pill" exploits a weakness in the AMD "Pacifica SVM technology." This technology is available in certain 64-bit versions of AMD processors and it has nothing to do with the operating system. Here is a quote from her blog:

        "I would like to make it clear, that the Blue Pill technology does not rely on any bug of the underlying operating system. I have implemented a working prototype for Vista x64, but I see no reasons why it should not be possible to port it to other operating systems, like Linux or BSD which can be run on x64 platform."

    Her exploit works by creating an undetectable "Virtual Machine" in which "malware" could run. These kinds of undetectable programs are generally called "Root Kits" and they use various technologies to work.

    Microsoft Research wrote an article about using Virtual Machine technology for creating a root kit several months ago, but it used commercial software to create the Virtual Machine:

    http://www.eecs.umich.edu/~pmchen/papers/king06.pdf

    Because this technique required a commercial virtual machine, it was not a very practical way to create malware.

    Joanna’s accomplishment was to exploit the new AMD SVM technology to inject the malware without rebooting the machine. She claims that it may be possible to do the same thing with Intel’s Virtual Technology (VT), but she hasn’t tried it.

    On her blog, there is a lengthy discussion about ways that the exploit might be detected and whether it might be possible to prevent an infection. Some people feel that the Intel Virtual Technology is not as vulnerable and would allow for easier detection of the "Root Kit".

    Bottom line is that her hack exploits a microprocessor weakness and there may be no way to prevent it, no matter what operating system you are using. I suspect that the ultimate solution will require changes to microprocessor architecture.

  4. Stephen says:

    Just a quick comment on the Admin aspect of this post.

    I work around many different OS’s and you always hear arguments why people need ‘Administrator/root’ privileges for their system. As far as I am concerned, no one should be on a system with Administrative/Super User privileges to begin with. Why do you think *NIX makes you create a ‘USER’ account during OS installation?

    Proper security practices need to be taught to all… create a normal user (no privileges to destroy the system) and if you need to install something you can ‘Run As…’ or you can ‘SU…’ to get it on the system.

    Just my 2 cents worth and hope that it is worth it.

  5. Gerk says:

    Stephen,

    You wrote "Proper security practices need to be taught to all…"

    I think you’re failing to account for one simple fact in stating that users should run as a ‘normal’ user. A significant amount of Windows software simply does not function without admin privileges. Though this problem is slowly (ever-so-slowly) correcting itself, it still continues to drive the need.

    Years ago I remember upgrading my wife’s account to admin on our home box because she could not RUN Microsoft’s "Picture It" photo editor without being an admin.  More recently, my wife can’t use her XP Home ‘user’ account on her Toshiba notebook computer because the battery power-level indicator fails to function without being an admin.  This seems silly, but the notebook fails to initiate the screen dimming on low power or the safe shutdown prior to power outage.

    So yes Stephen, in an ideal world no one gets admin rights.  Unfortunately it will be a very long time before software allows this to become the norm.


  7. Paul Hudson says:

    I can’t see the problem here.  If an admin trashes the server, they may find it difficult to find gainful employment in the future.

    If the admin does something stupid, then they have to fix it.  Hopefully, they are intelligent enough to know how to fix it.

  9. Chris G. says:

    It has been quite evident and ever-so-publicly stated in recent history that many have it in for any OS with the Microsoft tag. That being the case, I must say that I am rather pleased with the RTM Vista. Granted, the "Blue Pill" scenario worked rather well, but to be fair, how often is someone going to get anonymous access to SU on a remote machine running Vista? We would do well to remember most malware is injected into a system through user error. Granted, the lsass ports are still open; however, I have yet to be able to infect my PC running Vista through a remote port even though they are open. I.e. the following exploits were tested and failed to root on my Vista machine: {DCom and Dcom2, NetDevil, lsass, all seven Optix mods, Upnp, netbios}. Also the following modded viruses failed to infect my host PC trying to root and remote execute: RBot, Ago (all variations), RXBot (all var’s), NLX (new dcass modd), aIRC, all sassers, DNSX (new Aug 06 mod), phatbot and mods.

    Now my point? 80% of malware comes from the remote execution of scripts by malicious users. Malicious scripts have yet to be able to access the Vista kernel. The farthest I was able to get on my journey to infect my test PC was the User Account Control popping up alerting me of a script trying to run on an Optix Bot variation. In order to achieve this feat I had to SU and install the remote execute script by hand.

    I believe the moral of this story is: unless you are planning on leaving your remote desktop turned on to accept all connections with admin access while leaving the User Account Control and Windows Firewall and Defender turned off, RTM Vista provides a more stable, more secure core than most *nix platforms and OS X. I am for the first time pleased to say I use a genuine Microsoft operating system.

  10. Dean says:

    Baa, just an annoyance and just barely better security!

    Vista is just overlapping guest privileges even when the user is logged on as Admin..

    Then, instead of blocking them, it asks.. COME ON! If you spent one day in my shoes where you see first hand that people NEED admin rights to be able to use their computers, and to ask them if they want to run something A CABILLION TIMES will only annoy them.

    The MAC commercial sums it up very well.. Yes I hate to agree with a drugged out, burnt out, hippy, (the founders of MAC, a bunch of "blue box" making stoners).. But, that commercial is very accurate.

    Is MAC the answer? NO.. MAC sucks, if you live in the real world with numbers, applications, and games.. There is a reason 90% of the computer world use Microsoft. That is why they make viruses for them.. Why would they make a virus for something no one is using?

    ANYWAY..

    Guest account=NO (can not do crap)

    Admin all the time=NO (too many holes)

    Asking a cabillion questions=NO (then still allowing the teen, kid or average user to still allow it, WILL NOT WORK)

    What is the answer?

    Well, if I told you, I would not make a living… I have been doing my system from about 2000. Works good.

    Am I for real?

    http://www.cbs13.com/video/?id=15413@kovr.dayport.com

    http://www.cbs13.com/video/?id=15410@kovr.dayport.com

  11. Dean says:

    Ha, another crap feature of UAC, you have to reboot to turn it OFF or ON! Ha, with my CPULOCK, you just turn it on and off at will.

    I have only spent about 10 min playing with Vista, but I like the look and feel.
