Adsense

Monday, August 18, 2014

Windows 8 Kernel Memory Protections Bypass

Windows 8 Kernel Memory Protections Bypass

Recently, MWR intern Jérémy Fetiveau (@__x86) conducted a research project into the kernel protections introduced in Microsoft Windows 8 and newer. This blog post details his findings, and presents a generic technique for exploiting kernel vulnerabilities, bypassing SMEP and DEP. Proof-of-concept code is provided which reliably gains SYSTEM privileges, and requires only a single vulnerability that provides an attacker with a write-what-where primitive. We demonstrate this issue by providing a custom kernel driver, which simulates the presence of such a kernel vulnerability.

Introduction

Before diving into the details of the bypass technique, we will quickly run through some of the technologies we will be breaking, and what they do. If you want to grab the code and follow along as we go, you can get the zip of the files here.

SMEP

SMEP (Supervisor Mode Execution Prevention) is a mitigation that aims to prevent the CPU from running code from user-mode while in kernel-mode. SMEP is implemented at the page level, and works by setting flags on a page table entry, marking it as either U (user) or S (supervisor). When accessing this page of memory, the MMU can check this flag to make sure the memory is suitable for use in the current CPU mode.

DEP

DEP (Data Execution Prevention) operates much the same as it does in user-mode, and is also implemented at the page level by setting flags on a page table entry. The basic principle of DEP is that no page of memory should be both writeable and executable, which aims to prevent the CPU executing instructions provided as data from the user.

KASLR

KASLR (Kernel Address Space Layout Randomization) is a mitigation that aims to prevent an attacker from successfully predicting the address of a given piece of memory. This is significant, as many exploitation techniques rely on an attacker being able to locate the addresses of important data such as shellcode, function pointers, etc.

Paging 101

With the use of virtual memory, the CPU needs a way to translate virtual addresses to physical addresses. There are several paging structures involved in this process. Let’s first consider a toy example where we only have page tables in order to perform the translation.
For each running process, the processor will use a different page table. Each entry of this page table will contain the information “virtual page X references physical frame Y”. Of course, these frames are unique, whereas pages are relative to their page table. Thus we can have a process A with a page table PA containing an entry “page 42 references frame 13” and a process B with a page table PB containing an entry “page 42 references frame 37”.
If we consider a format for virtual addresses that consists of a page table field followed by an offset referencing a byte within this page, the same address 4210 would correspond to two different physical locations according to which process is currently running (and which page table is currently active). For a 64-bit x86_64 processor, the virtual address translation is roughly the same.
However, in practice the processor is not only using page tables, but uses four different structures. In the previous example, we had physical frames referenced by PTEs (page table entries) within PTs (page tables). In the reality, the actual format for virtual addresses looks more like the illustration below:
picture1_offset
The cr3 register contains the physical address of the PML4. The PML4 field of a virtual address is used to select an entry within this PML4. The selected PML4 entry contains (with a few additional flags) the physical address of a PDPT (Page Directory Pointer Table). The PDPT field of a virtual address therefore references an entry within this PDPT. As expected this PDPT entry contains the physical address of the PD. Again, this entry contains the physical address of a PD. We can therefore use the PD field of the virtual address to reference an entry within the PD and so on and so forth. This is well summarized by Intel’s schema:
intel
It should be now be clearer how the hardware actually translates virtual addresses to physical addresses. An interested reader who is not familiar with the inner working of x64 paging can refer to the section 4.5 of the volume 3A of the Intel manuals for more in-depth explanations.

Previous Exploitation Techniques

In the past, kernel exploits commonly redirected execution to memory allocated in user-land. Due to the presence of SMEP, this is now no longer possible. Therefore, an attacker would have to inject code into the kernel memory, or convince the kernel to allocate memory with attacker-controlled content.
This was commonly achieved by allocating executable kernel objects containing attacker controlled data. However, due to DEP, most objects are now non executable (for example, the “NonPagedPoolNx” pool type has replaced “NonPagedPool”). An attacker would now have to find a way to use a kernel payload which uses return-oriented programming (ROP), which re-uses existing executable kernel code.
In order to construct such a payload, an attacker would need to know the location of certain “ROP gadgets”, which contain the instructions that will be executed. However, due to the presence of KASLR, these gadgets will be at different addresses on each run of the system, so locating these gadgets would likely require additional vulnerabilities.

Read more -|- Learn more »
Posted by at No comments:

Business law: chapter 2

Law of contract
meaning
a contract is an exchange of promises by wot or more persons, resulting in an legal obligation to do or not to do, which is recognized and enforced by law.
valid contract = and agreement + enforceable of an agreement by state.
Essential elements of valid contract.
  1. offer and acceptance = a person must have offer by one party and acceptance of same offer by another party. such offer and acceptance must be valid.
  2. legal relationship = contract cannot be enforceable by law if there is lack of legal relationship. eg invitation for birthday party.
  3. free consent = consent means that the parties must have agree upon the same thing in same sense. The contract must not be enforced by mistake, undue influence, coercion, fraud or misrepresentation.
  4. competent parties = parties to the contract must be capable in the eye of law. a minor person, lunatic person, insolvent person, are disqualified in the eye of law.
  5. lawful considerations =  the objective contracted between two parties must be legal an done to oppose the public policy.
  6. two parties = there are at least two parties in which one offers and other accepts in the same sense.
  7. possibility of performance =  agreement should be made that is possible to do. eg  promise to pay rs 1000 if hari can fly.
  8. certainty = both the parties in a contract must clearly know about all the terms and conditions mentioned or implied in it.
Classification of contract
On the basis of the mode of creating the contract
1. Express and Implied contract
        An express contract is that contract where the parties have made an oral and written declaration of their intention.
        An implied contract is one in which the evidence of the agreement is not show by words, written or spoken but by acts or conduct of parties.
2. Simple and formal contract
        If a contract is made in a written form, duly sealed, properly signed and transferred to other party, it is formal.
        When a contract is created in the absence of any of the above four element it is simple.
On the basis of performance of contract
1. Executed and Executory contract
        When the contract is completely performed or nothing remains to be done by either party is executed contract.
        Executory contract is composed of undertaking in which one or both parties are under an obligation to do or no to do certain things mentioned in the contract.
On the basis of nature of contract
1. Unilateral and bilateral contract
        Unilateral contract is a contract, which creates legal obligation to only one party. he cannot compel other party to perform the contract. eg. donation
        When a contract comes into existence by the exchange of promises with each other party, it is bilateral. it is two sided and creates obligation to both.
On the basis of Enforceability of Contract
1. A valid contract =  It is an agreement which is binding and enforceable by law and has satisfied all the essentials elements of valid contract.
2. A voidable contract = missing some essential elements of valid contract.
3. A void contract =  An agreement without legal effect. It is not void from its inception and that it is valid and binding on the parties when originally entered but subsequent it becomes invalid of legal effect because of certain reasons.
4. Unenforceable contract = It though perfectly valid contract in all other respects but if it lack some technical requirements needed to make it enforceable (eg signature, stamp, ticked, etc), the law cannot enforce it.
5. Illegal contract =an agreement is illegal an void if its object or consideration is forbidden by law. e.g.. contract for murder, blackmailing.
On the basis of Origin of liability of parties
1. general contract = formal contract where liabilities of both the parties arise from the beginning of the agreement.
2. Contingent contract = contract where liabilities of one party arise when some even happens in future. eg. contract to sell statue if found in market.

Considerations
It results only when one promise is made in exchange for something in returns. this something in return is what we mean by consideration. Consideration means a promise made by a person to do or not to do something for the acts done or undone by the other according to that mentioned in the offer. It refers to promises of a party for the promises of another to the contract.
Types of consideration
1. Executory consideration
2. Executed
3. past

1. Executory Consideration : It is when one promise is made in return for another or a promise in return of promise.
Example: -M promised to sell his mobile phone to K for RM550/- and K promised to pay the price upon delivery by M. Here, the promise to sell is in return to promise to buy.

M agreed to sell his house to N. An agreement was written on a scrap paper and says as follows: -

I agree to sell my house No. (address) held under…. to Mr. N, the present tenant of the house at $26,000/- within three months from the date. M later refused to sell the house and a specific performance was ordered at the trial and the appellant took the matter to Federal Court. The appeal was dismissed, gave effect to Illustration of Section 24. Chang Min Tat F.J held:“The agreement must be seen to be a case of Executory consideration. A promisee is made by one party in return for a promise made by the other; in such a case each promise is the consideration for the other”

Example : A agrees to sell his car for RM20,000/- to B. B promise to pay the sum of RM 20,000/- in consideration for A’s promise to sell the car, and A’s promise to sell the car is the consideration for B’s promise to pay the RM20,000/-. These are lawful considerations.

2. Executed Consideration
It is when a promise is made in return for the performance of an act.
Example : M lost his pen and offered RM 200/- to anyone who finds and returns the documents to him. K found M’s pen in response to the offer and returns them to M. By returning the pen, K has given consideration to M’s promise to pay. Should M refuse to pay, K may take an legal action against him.

3. Past Consideration

Where a promise is made subsequent to and in return for an act that has already been performed, the promise is made on account of a past consideration.
Example : If K finds and returns M’s pen and in gratitude, M promise to pay K RM200/- the promise is made in return for a prior act.

Requirement of consideration
  1. Desire or request of promisor is essential. ( doing something without desire/request is voluntary service and is not treated as consideration)
  2. Consideration need not necessarily be adequate
  3. It must be real and competent ( should not create dual meaning, uncertain or illusionary. eg.if hari completes the work in time he will be awarded by something)
  4. consideration must be lawful
  5. contract whether oral or writing must be supported by consideration
  6. mere request of the promisor is not enough
  7. considerations may be either tangible or intangible
Termination of Contract
    It means termination of contractual relation between the patties. It means getting relief from contractual laibilities.
Methods of terminaton of contact
  1. By perfromance of contract ( when both parties fulfill their respective promises in time)
  2. Impossibility of performance ( if it is impossible to perform though when made was possible due to some unavoidable reasons like, change in law, deductio of subject matter)
  3. Termination of mutual areement (making agreement between the parties with their mutual consent terminates the contract)
  4. by operation of law ( by death of parties, by insolvency of parties, by emerging one contract with another)
  5. Termination by breach of contract ( if one party fails or denies performing his/her contractual laibilities created by contract, it is breach of contract. when one party breach the contract, other party will also get relief from his contractual liabilities.)
  6. termination of contract by material alternation (material alternation means a change made in the material mentioned in the contract. If one party changes material in the contract without obtaining the consent of other party, contract terminates)
  7. By recession of contract ( Recession means cancellation of the contact by  the party.)
  8. termination by lapse of time ( if contract is not performed within specified time mentioned in contract)
Breach of Contract
    If one party fails / denies perfoming his contractual liabilities created by contract, it is said to be breach of contract. A contract may be breached in two ways: 1.anticipatory (breach before the date of performance by giving notice or by conduct) and 2. actual breach ( breach at the time when he is supposed to perform)
Remedies for breach of contract
  1. Right to withdraw the contract
  2. right to claim compensation
  3. right to get usual performance
  4. right to sue for injunctions
  5. right to claim for quantum meruit
Posted by at No comments:
Subscribe to: Posts (Atom)