whips1.0 internals
TRANSCRIPT
Sapienza University of Rome, Computer Science Department
Bruno Vavalà - Whips 1.0 Beta 1
Sicurezza dei Dati e delle Reti (Data and Network Security) 2008/2009, Prof. Luigi V. Mancini
Student
Bruno Vavalà
Supervisor
Roberto Battistoni
Our Goals. We want to:
Introduce and recall some important system security concepts
Explain a little more deeply how the Windows architecture works, what the security issues are and how they can be (almost) solved, even in a not so well documented environment, showing 2 very powerful techniques
Highlight the difference between our solution and Winpooch, and the improvements we made with respect to the previous version of WHIPS
Show how we made WHIPS: the concept, the development, its algorithms and data structures
Discuss the future of Windows and WHIPS
Reference Monitor
Always-invoked
Non-bypassable
Tamper-resistant
Verifiable
Windows Architecture
System Calls
Win32 and Syscall Api
SSDT Protection
Syscall Invocation
KiSystemService
SystemService
Dispatch/ParameterTable
Nt vs. Zw
Ntdll.dll and Ntoskrnl.exe
Trap and Interrupt Masking
Restrictions on code running at Dispatch Level
The first 3 IRQLs are software interrupts, the others are hardware interrupts
System Memory Pools
They are all system-space virtual addresses
System Page Table Entries
Non-paged pool
No page fault
Paged pool
Page fault possible
Memory Manager Fault Handler
System Call Interposition
Syscall hooking (Russinovich et al.)
SSDT update
Detours
Binary Interception: SSDT untouched
Trampoline Function: assembly modifications, instruction saving, unconditional jump
Winpooch
Watchdog for Windows
Real-time virus protection
Detours
Hard-coded (Nt)syscall pointers (Windows version dependent)
Stub saving
WHIPS Concept
Reference Monitor
Windows Module
Syscall hooking
Hard-Coded Syscall FREEDOM
Previous version
Winpooch
Portability
The disassembler role
Pedasm
"C:\windows\system32\SCIndexes.sci"
Security Issues
Always-opened handles
WHIPS Overview
Windows Driver: developed in C with the Windows Driver Kit (available for free at www.microsoft.com)
Boot-time loading
Windows Service: developed under the Microsoft .NET 2.0 framework in C#
Driver Loading
“The man in the middle”
Agent Application: developed under the Microsoft .NET 2.0 framework in C#
Communication
whips.sourceforge.net
WHIPS Overview
WHIPS Driver
Windows Driver Model
Kernel-mode activity: registering predefined routines
Installation: boot-time loading
Windows Registry entry
Driver Entry routine
Device creation: "\\DosDevices\\WHIPS"
Major Function setting: Create, Close, DeviceControl
I/O Flow Control
I/O Request Packet
Kernel-mode WDM data structure
Communication buffer (by pointer)
DeviceIoControl
IOCTLs
IRP Completion
Asynchronous Procedure Call (APC)
CancelRoutine (no one must be lost)
Syscall Hooking: pointer initialization
Service control message: syscall index set, data structures
SSDT Protection: memory mapping (MDL)
Control Register 0 (write protection) disabling
SSDT update with Interlocked operation (multiprocessor safe)
// Swap the SSDT entry atomically and keep the previous (original) pointer in _Orig
#define HOOK_SYSCALL(_Function, _Hook, _Orig) \
    _Orig = (PVOID) InterlockedExchange( (PLONG) &MappedSystemCallTable[SYSCALL_INDEX(_Function)], (LONG) _Hook)
Syscall Wrappers: how many parameters does a syscall have?
One-to-one correspondence
HookPacket structure
Reference Monitor call
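The two mechanisms just listed, the interlocked SSDT entry swap of the HOOK_SYSCALL macro and the one-to-one wrapper that builds a HookPacket and asks the reference monitor before forwarding to the original service, can be exercised outside the kernel. The following is an added example, not WHIPS driver code: a user-mode simulation with a fake dispatch table, an assumed syscall index (0x25), an assumed NtCreateFile-like signature and a stub reference monitor that denies one protected path in protection mode. The C11 atomic_exchange stands in for InterlockedExchange.

```c
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef long NTSTATUS;
#define STATUS_SUCCESS       ((NTSTATUS)0x00000000L)
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)

/* Simulated native service: open a file by name. Its entry in the fake
 * dispatch table is what the hook replaces. */
typedef NTSTATUS (*SimCreateFile)(const char *path, unsigned access);

static NTSTATUS RealCreateFile(const char *path, unsigned access) {
    (void)path; (void)access;
    return STATUS_SUCCESS;   /* the original service always succeeds here */
}

#define SYSCALL_INDEX_CREATEFILE 0x25   /* assumed index, not a real SSDT value */
#define TABLE_SIZE 0x40

/* Fake SSDT: each entry holds a function pointer as an atomic integer so
 * that installing or removing a hook is one interlocked operation. */
static atomic_uintptr_t MappedSystemCallTable[TABLE_SIZE];

/* What a wrapper hands to the reference monitor: one packet per call. */
typedef struct {
    unsigned syscallIndex;
    char imagePath[64];    /* calling process image path (simulated) */
    char target[128];      /* first syscall argument, here the file path */
} HookPacket;

typedef enum { MODE_LOG, MODE_ALLOW, MODE_PROTECTION } DriverMode;
static DriverMode g_mode = MODE_PROTECTION;
static unsigned long g_logged = 0;

/* Reference monitor stub: every packet is logged; in protection mode a
 * protected path is denied. A real ACD lookup would go here. */
static int ReferenceMonitor(const HookPacket *pkt) {
    g_logged++;
    if (g_mode == MODE_PROTECTION &&
        strncmp(pkt->target, "C:\\windows\\system32\\", 20) == 0)
        return 0;   /* deny */
    return 1;       /* allow */
}

static SimCreateFile OrigCreateFile;   /* filled in by HOOK_SYSCALL */

/* The wrapper keeps the original signature (one-to-one correspondence),
 * asks the monitor, then forwards to the saved original. */
static NTSTATUS HookCreateFile(const char *path, unsigned access) {
    HookPacket pkt = { SYSCALL_INDEX_CREATEFILE, "C:\\apps\\demo.exe", "" };
    strncpy(pkt.target, path, sizeof pkt.target - 1);
    if (!ReferenceMonitor(&pkt))
        return STATUS_ACCESS_DENIED;
    return OrigCreateFile(path, access);
}

/* User-mode counterpart of the slide's macro: a single atomic exchange
 * installs the hook and returns the previous entry into _Orig. */
#define HOOK_SYSCALL(_Index, _Hook, _Orig) \
    (_Orig) = (SimCreateFile) atomic_exchange(&MappedSystemCallTable[_Index], (uintptr_t)(_Hook))
#define UNHOOK_SYSCALL(_Index, _Orig) \
    atomic_store(&MappedSystemCallTable[_Index], (uintptr_t)(_Orig))

/* Dispatch through the table, as KiSystemService does with the SSDT. */
static NTSTATUS Syscall_CreateFile(const char *path, unsigned access) {
    SimCreateFile fn = (SimCreateFile) atomic_load(&MappedSystemCallTable[SYSCALL_INDEX_CREATEFILE]);
    return fn(path, access);
}

/* Returns 1 when: the hooked call denies the protected path, allows an
 * ordinary one, and after unhooking the original service runs again. */
int demo_hook(void) {
    atomic_store(&MappedSystemCallTable[SYSCALL_INDEX_CREATEFILE], (uintptr_t)RealCreateFile);
    HOOK_SYSCALL(SYSCALL_INDEX_CREATEFILE, HookCreateFile, OrigCreateFile);

    NTSTATUS a = Syscall_CreateFile("C:\\windows\\system32\\drivers\\etc\\hosts", 1);
    NTSTATUS b = Syscall_CreateFile("C:\\users\\bruno\\notes.txt", 1);

    UNHOOK_SYSCALL(SYSCALL_INDEX_CREATEFILE, OrigCreateFile);
    NTSTATUS c = Syscall_CreateFile("C:\\windows\\system32\\drivers\\etc\\hosts", 1);

    return a == STATUS_ACCESS_DENIED && b == STATUS_SUCCESS && c == STATUS_SUCCESS
        && OrigCreateFile == RealCreateFile && g_logged == 2;
}

int main(void) {
    printf("%s\n", demo_hook() ? "hook simulation ok" : "hook simulation FAILED");
    return 0;
}
```

The point of the interlocked exchange is visible in the macro: the old entry is obtained in the same operation that installs the new one, so on a multiprocessor no thread can observe a half-updated table and the original pointer can never be lost. The unhook path restores that saved pointer, which is what a driver must do on unload so the system does not dispatch into freed code.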
Whips Reference Monitor
Driver state
Log/Allow/Protection mode
Process image path retrieving
Logging
HookPacket serialization
Drv2App IRP completion
ACD Checker
Windows Processes
Executive Process Block structure
Query process information
Retrieving the process executable image path
ACD
Non-paged memory usage
ACD setting
Serialization
CheckHook: string comparison with dynamic programming
FHFU policy
ActionType: Implicit_Log, Implicit_Deny
WHIPS Service
Installation
(MS .NET) InstallUtil.exe
Windows Registry entry
Automatic starting
LocalSystem account
ServiceBase Class
using System.ServiceProcess;
public class WHIPSService : ServiceBase {
    public WHIPSService() {
        this.ServiceName = "WhipsService";
        this.CanStop = true;
    }
    // Entry point: hands the service over to the Service Control Manager
    public static void Main() {
        ServiceBase.Run(new WHIPSService());
    }
}
Service Initialization
EventLogger
Driver (un)installation and loading
Communication Manager
Driver initialization
Syscall index set
Exclusive access
Acd set
Shared-read access
Device Opening
The device is a file
IO Manager call
Object Manager call
Device object security attributes
Service Proxy
Like a reference monitor
Game management
App2Drv/Drv2App IRPs
Overlapped (asynchronous I/O)
Pipe Manager
Communication events
Logger and ACD Controller: Win System32 home directory
ACD Reader/Writer
ACD file (shared-read mode)
LawPacket structure
Fixed fields
Hook Logger
Buffered Write
"Log.txt"
WHIPS Agent: ready-to-run application (pretty ugly interface)
Are you able to design it better?!?!... Do it
Driver Controls: Pipe
ACD window: filter rule insertion/deletion
Monitor Log window: manual/automatic (timeout based) refresh
Index field in the Insert Filter window
What’s next?
Distributed WHIPS: global ACD maintenance
Auto Update
Less overhead for “Windows typical users”
Interface: with or without it?
Better and faster protection
Architectural complexity increased
(Do you want the barrel to be full and the wife to be drunk?!)
What’s better to do now? Increasing:
Stability
Reliability (still not so high)
Performance
Security issues
Secure boot
Non-paged memory amount
Authentication between components
Integrity and availability of used files
Secure channel communication
References
Battistoni, Gabrielli, Mancini - An Host Intrusion Prevention System for Windows Operating Systems, ESORICS 2004
Bernaschi, Gabrielli, Mancini - REMUS: a Security-Enhanced Operating System, ACM, Feb. 2002
Russinovich, Solomon - Microsoft Windows Internals, 4th Edition: Microsoft Windows Server, Windows XP and Windows 2000, Microsoft Press, 2004
(NOT YET RELEASED) Russinovich, Solomon - Microsoft Windows Internals, 5th Edition: Microsoft Windows Vista
Nebbett - Windows NT/2000 Native API Reference, Macmillan Technical Publishing
Hoglund, Butler - Rootkits: Subverting the Windows Kernel, Addison-Wesley Professional, 2005
Oney - Programming the Windows Driver Model, 2nd Edition, 2003
Microsoft Developer Network - msdn.microsoft.com
Windows Driver Development - www.osronline.com
Battistoni / Licameli / Di Biagio Laurea theses and other stuff at www.robertobattistoni.it
I Want YOU
If you like WHIPS, you are…
WELCOME
…just ask Prof. Mancini or Roberto Battistoni
The end
Enjoy WHIPS
For further information visit
whips.sourceforge.net
For anything else, bugs above all, send an email to
or