This research focuses on three attacks on Windows kernel data and on how MemoryRanger stops them.
The attacks on exclusively opened files give attackers illegal read and write access. They are implemented by patching internal data structures of the NTFS driver (Hijacking NTFS structures) and of the Object Manager (Handle Hijacking). During file operations the OS kernel dynamically allocates and uses several such internal structures.
The NTFS driver manages one group of these structures, e.g. the Stream Control Block. Hijacking NTFS structures overwrites such structures without modifying the file objects themselves, and gives unauthorized access to files that were opened without shared access.
The Object Manager controls another group of internal structures: handle table entries, which act as intermediaries between file handles and file objects. Patching handle table entries (Handle Hijacking) allows files to be read and overwritten illegally.
The Token Hijacking attack escalates process privileges. The updated Windows Defender Antivirus detects such escalations by monitoring token-swapping attempts. Tampering with the target process's token structure, by contrast, elevates the process's privileges without swapping the token field.
These data-only attacks have been successfully tested on the newest Windows 10, version 1903. They are transparent to OS security features such as PatchGuard and Device Guard.
MemoryRanger is a hypervisor that protects OS kernel memory using VT-x and EPT. It prevents Hijacking NTFS structures and Handle Hijacking by locating these structures and restricting access to them, granting different access rights to different parts of each structure. To block Token Hijacking, a dedicated kernel enclave is allocated to host the sensitive data; this isolates token structures from all drivers without restricting the OS kernel itself. Various cybersecurity solutions will benefit from applying MemoryRanger.
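As an added illustration (not code from the paper or from the MemoryRanger repository), the following C model shows the access-policy idea behind the paragraph above: protected kernel ranges get per-actor read/write rights the way EPT entries do, different parts of one structure get different rights, and the token enclave is readable and writable only by the kernel while memory outside the protected ranges stays open. The addresses, the split of the Stream Control Block into a header and an "access fields" part, and the three actor classes are constructed assumptions for the model; a real implementation enforces the same decision in EPT page-table entries on guest-physical pages, not in a C lookup table.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Access rights, modelled on the read/write bits of an EPT entry. */
enum { ACC_NONE = 0, ACC_READ = 1, ACC_WRITE = 2, ACC_RW = ACC_READ | ACC_WRITE };

/* Who is touching memory: the OS kernel itself, the NTFS driver, or any
   other driver. These actor classes are constructed for the model. */
typedef enum { ACTOR_KERNEL = 0, ACTOR_NTFS = 1, ACTOR_OTHER_DRIVER = 2, ACTOR_COUNT } actor_t;

/* One protected range with rights per actor class. */
typedef struct {
    const char *name;
    uintptr_t   start;
    size_t      len;
    uint8_t     rights[ACTOR_COUNT]; /* indexed by actor_t */
} region_t;

/* Constructed addresses: placeholders, not real kernel addresses or layouts. */
#define SCB_BASE      0x10000u  /* Stream Control Block, owned by NTFS */
#define HANDLE_BASE   0x20000u  /* handle table entry, owned by the Object Manager */
#define TOKEN_ENCLAVE 0x30000u  /* enclave that hosts token structures */

/* The policy table: different parts of one structure get different rights
   (the split of the SCB into two parts is an assumption for illustration). */
static const region_t policy[] = {
    /* name                 start            len     { kernel,   ntfs,     other    } */
    { "SCB header",         SCB_BASE,        0x40,   { ACC_RW,   ACC_RW,   ACC_READ } },
    { "SCB access fields",  SCB_BASE + 0x40, 0x40,   { ACC_READ, ACC_RW,   ACC_NONE } },
    { "handle table entry", HANDLE_BASE,     0x10,   { ACC_RW,   ACC_NONE, ACC_NONE } },
    { "token enclave",      TOKEN_ENCLAVE,   0x1000, { ACC_RW,   ACC_NONE, ACC_NONE } },
};
#define POLICY_COUNT (sizeof policy / sizeof policy[0])

/* Find the protected region containing addr, or NULL if it is unprotected. */
static const region_t *find_region(uintptr_t addr) {
    for (size_t i = 0; i < POLICY_COUNT; i++) {
        if (addr >= policy[i].start && addr < policy[i].start + policy[i].len)
            return &policy[i];
    }
    return NULL;
}

/* Decide whether actor `who` may perform `want` (ACC_READ, ACC_WRITE or ACC_RW)
   at addr. Memory outside every protected range stays fully accessible, which
   mirrors "without restricting the OS kernel". */
bool access_allowed(actor_t who, uintptr_t addr, int want) {
    const region_t *r = find_region(addr);
    if (r == NULL)
        return true;
    return (r->rights[who] & want) == want;
}

/* Simulate one access the way the hypervisor would see it: a denied access is
   reported as a violation and does not take effect. Returns 1 on violation, 0 otherwise. */
int simulate_access(actor_t who, uintptr_t addr, int want) {
    static const char *actor_names[ACTOR_COUNT] = { "kernel", "ntfs.sys", "third-party driver" };
    const char *op = (want == ACC_WRITE) ? "write" : "read";
    const region_t *r = find_region(addr);
    if (access_allowed(who, addr, want)) {
        printf("allowed  : %-18s %-5s at 0x%lx (%s)\n", actor_names[who], op,
               (unsigned long)addr, r ? r->name : "unprotected");
        return 0;
    }
    /* r is never NULL here: unprotected memory is always allowed above. */
    printf("VIOLATION: %-18s %-5s at 0x%lx (%s)\n", actor_names[who], op,
           (unsigned long)addr, r->name);
    return 1;
}

int main(void) {
    int violations = 0;
    /* Legitimate owner traffic passes. */
    violations += simulate_access(ACTOR_NTFS, SCB_BASE + 0x48, ACC_WRITE);
    violations += simulate_access(ACTOR_KERNEL, HANDLE_BASE + 0x8, ACC_WRITE);
    violations += simulate_access(ACTOR_KERNEL, TOKEN_ENCLAVE + 0x40, ACC_READ);
    /* A third-party driver writing SCB access fields, a handle entry or a token
       structure is stopped: the three attack surfaces named in the abstract. */
    violations += simulate_access(ACTOR_OTHER_DRIVER, SCB_BASE + 0x48, ACC_WRITE);
    violations += simulate_access(ACTOR_OTHER_DRIVER, HANDLE_BASE + 0x8, ACC_WRITE);
    violations += simulate_access(ACTOR_OTHER_DRIVER, TOKEN_ENCLAVE + 0x40, ACC_WRITE);
    printf("%d violation(s) raised\n", violations);
    return 0;
}
```

The design point the model makes explicit is that the policy is keyed by who is executing, not only by which address is touched: the same write to the SCB access fields is legitimate from ntfs.sys and a violation from any other driver, and the token enclave denies even reads to every driver while leaving the kernel unrestricted.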
Source code and demos: github.com/IgorKorkin/MemoryRanger