Whips1.0 Internals

  1. Whips 1.0 Internals
     Sapienza University of Rome, Computer Science Department
     Sicurezza dei Dati e delle Reti (Data and Network Security) 2008/2009, Prof. Luigi V. Mancini
     Supervisor: Roberto Battistoni (rbattistoni@acm.org)
     Student: Bruno Vavalà (vavalab@gmail.com)
     Bruno Vavalà - Whips 1.0 Beta
  2. Our Goals. We want to:
     • Introduce and recall some important system security concepts
     • Explain a little deeper how the Windows architecture works, what the security issues are and how they can be (almost) solved, even in a not so well documented environment, showing 2 very powerful techniques
     • Highlight the difference between our solution and Winpooch, and the improvements we made with respect to the previous version of WHIPS
     • Show how we made WHIPS: the concept, the development, its algorithms and data structures
     • Discuss the future of Windows and WHIPS
  3. Reference Monitor
     • Always-invoked
     • Non-bypassable
     • Tamper-resistant
     • Verifiable
  4. Windows Architecture (diagram)
  5. System Calls
     • Win32 and Syscall API
     • SSDT Protection
     • Syscall Invocation
       • KiSystemService
       • SystemService
       • Dispatch/Parameter Table
     • Nt vs. Zw
     • Ntdll.dll and Ntoskrnl.exe
  6. Trap and Interrupt Masking
     • Restrictions on code running at Dispatch Level
     • The first 3 IRQLs are software interrupts, the others are hardware interrupts
  7. System Memory Pools
     • They are all system space virtual addresses
     • System Page Table Entries
     • Non-paged pool: no page fault
     • Paged pool: page fault possible
     • Memory Manager Fault Handler
  8. System Call Interposition
     • Syscall hooking (Russinovich et al.)
     • SSDT update
  9. Detours
     • Binary Interception
     • SSDT untouched
     • Trampoline Function
       • Assembly modifications
       • Instruction saving
       • Unconditional jump
  10. Winpooch
     • Watchdog for Windows
     • Real-time virus protection
     • Detours
     • Hard-coded (Nt)syscall pointers (Windows version dependent)
     • Stub saving
  11. WHIPS Concept
     • Reference Monitor
     • Windows Module
     • Syscall hooking
  12. Hard-Coded Syscall FREEDOM
     • Previous version
     • Winpooch
     • Portability
     • The disassembler role
       • Pedasm
       • "C:\windows\system32\SCIndexes.sci"
     • Security Issues
       • Always-opened handles
  13. WHIPS Overview
     • Windows Driver
       • Developed in C with the Windows Driver Kit (available for free at www.microsoft.com)
       • Boot-time loading
     • Windows Service
       • Developed under the Microsoft .NET 2.0 framework in C#
       • Driver loading
       • "The man in the middle"
     • Agent Application
       • Developed under the Microsoft .NET 2.0 framework in C#
       • Communication
     • whips.sourceforge.net
  14. WHIPS Overview (diagram)
  15. WHIPS Driver
     • Windows Driver Model
       • Kernel-mode activity
       • Registering predefined routines
     • Installation
       • Boot-time loading
       • Windows Registry entry
     • DriverEntry routine
       • Device creation: "\DosDevices\WHIPS"
       • Major Function setting: Create, Close, DeviceControl
  16. I/O Flow Control (diagram)
  17. I/O Request Packet
     • Kernel-mode WDM data structure
     • Communication buffer (by pointer)
     • DeviceIoControl: IOCTLs
     • IRP Completion: Asynchronous Procedure Call (APC)
     • CancelRoutine (none must be lost)
  18. Syscall Hooking
     • Pointer initialization
       • Service control message
       • Syscall Index Set data structures
     • SSDT Protection
       • Memory mapping (MDL)
       • Control Register 0 (write protection) disabling
       • SSDT update with Interlocked operation (multiprocessor safe)

     ```c
     /* Atomically swap one SSDT entry with the hook and keep the original pointer */
     #define HOOK_SYSCALL(_Function, _Hook, _Orig) \
         _Orig = (PVOID) InterlockedExchange( \
             (PLONG) &MappedSystemCallTable[SYSCALL_INDEX(_Function)], (LONG) _Hook)
     ```
  19. Syscall Wrappers
     • How many parameters does a syscall have?
     • One-to-one correspondence
     • HookPacket structure
     • ReferenceMonitor call
  20. Whips Reference Monitor
     • Driver state: Log/Allow/Protection mode
     • Process image path retrieval
     • Logging: HookPacket serialization
     • Drv2App IRP completion
     • ACD Checker
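The hooking path of slides 18 to 20 modelled in user space, as an added example that is not WHIPS code: a function-pointer array stands in for the SSDT, the wrapper builds a HookPacket and asks the reference monitor before passing through to the original, and the Log/Allow/Protection mode decides whether a deny is enforced. The table slot, the HookPacket fields, the mode semantics and the "\protected\" rule are assumptions; the real driver swaps the MDL-mapped entry with InterlockedExchange after clearing CR0 write protection.

```c
#include <string.h>

/* Constructed user-space model of the WHIPS interposition path (not driver
 * code). A function-pointer array stands in for the SSDT; the real driver
 * swaps the MDL-mapped entry with InterlockedExchange after clearing the
 * CR0 write-protect bit, here a plain assignment is enough (assumption). */
typedef long NTSTATUS;
typedef NTSTATUS (*SYSCALL_FN)(const char *object);
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)
enum DriverMode { MODE_LOG, MODE_ALLOW, MODE_PROTECT };   /* slide 20 driver state */
enum Action { ACT_ALLOW, ACT_DENY };
/* HookPacket: what a wrapper hands to the reference monitor (fields assumed). */
struct HookPacket { const char *syscall; const char *object; const char *image; };

#define SYSCALL_INDEX_NtCreateFile 0   /* in WHIPS the index comes from the .sci file */
static SYSCALL_FN SystemCallTable[1];  /* one-entry stand-in for the SSDT */
static SYSCALL_FN OrigNtCreateFile;    /* saved original, called by the wrapper */
static enum DriverMode g_mode = MODE_LOG;
static int g_log_count;

static NTSTATUS RealNtCreateFile(const char *object) { (void)object; return 0; }
/* Assumed mode semantics: Allow mode skips the check, Log mode only logs,
 * Protection mode enforces. The single "\protected\" rule is constructed;
 * in WHIPS the decision comes from the ACD checker. */
static enum Action ReferenceMonitor(const struct HookPacket *p) {
    if (g_mode == MODE_ALLOW) return ACT_ALLOW;
    g_log_count++;
    if (g_mode == MODE_PROTECT && strncmp(p->object, "\\protected\\", 11) == 0)
        return ACT_DENY;
    return ACT_ALLOW;
}

/* One-to-one wrapper: same signature as the hooked syscall, then pass-through. */
static NTSTATUS HookNtCreateFile(const char *object) {
    struct HookPacket pkt = { "NtCreateFile", object, "C:\\app.exe" };
    if (ReferenceMonitor(&pkt) == ACT_DENY) return STATUS_ACCESS_DENIED;
    return OrigNtCreateFile(object);
}

/* Same shape as the deck's macro: keep the original pointer, install the hook. */
#define HOOK_SYSCALL(_Index, _Hook, _Orig) \
    do { (_Orig) = SystemCallTable[_Index]; SystemCallTable[_Index] = (_Hook); } while (0)
void InstallHooks(void) {
    SystemCallTable[SYSCALL_INDEX_NtCreateFile] = RealNtCreateFile;
    HOOK_SYSCALL(SYSCALL_INDEX_NtCreateFile, HookNtCreateFile, OrigNtCreateFile);
}
NTSTATUS Dispatch(const char *object) { return SystemCallTable[SYSCALL_INDEX_NtCreateFile](object); }
void SetMode(enum DriverMode m) { g_mode = m; }
int LogCount(void) { return g_log_count; }
```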
  21. Windows Processes
     • Executive Process Block structure
     • Query process information
     • Retrieving the process executable image path
  22. ACD
     • Non-paged memory usage
     • ACD setting: serialization
     • CheckHook: string comparison with dynamic programming
     • FHFU policy
     • ActionType: Implicit_Log, Implicit_Deny
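The CheckHook step of slide 22 as an added example, not WHIPS code: rules pair a process-image pattern and an object pattern with an ActionType, patterns are compared with the classic dynamic-programming wildcard match, and a miss falls back to the implicit action (Implicit_Log or Implicit_Deny). The rule layout, the '*' and '?' pattern syntax and first-match evaluation are assumptions; the deck names an FHFU policy without defining it.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model of the ACD check (not WHIPS code). A rule pairs a
 * process-image pattern and an object pattern with an ActionType; matching
 * is the classic O(n*m) dynamic-programming wildcard match ('*' any run,
 * '?' one char). Rule layout, pattern syntax and first-match evaluation
 * are assumptions: the deck names an FHFU policy without defining it. */
enum ActionType { Allow, Deny, Log };
struct AcdRule { const char *image; const char *object; enum ActionType action; };

/* Returns 1 when text matches pat. row[j] holds "pat[0..i) matches text[0..j)"
 * and is rolled in place, so the table costs one byte per text character. */
int WildcardMatch(const char *pat, const char *text) {
    size_t n = strlen(pat), m = strlen(text), i, j;
    unsigned char row[256];                        /* object/path length cap (assumption) */
    if (m >= sizeof row) return 0;
    row[0] = 1;                                    /* empty pattern matches empty text */
    for (j = 1; j <= m; j++) row[j] = 0;
    for (i = 1; i <= n; i++) {
        unsigned char diag = row[0];               /* row[i-1][0] */
        row[0] = row[0] && pat[i-1] == '*';        /* only '*' can match empty text */
        for (j = 1; j <= m; j++) {
            unsigned char up = row[j];             /* row[i-1][j], saved before overwrite */
            if (pat[i-1] == '*')
                row[j] = up || row[j-1];           /* '*' consumes nothing or one more char */
            else
                row[j] = diag && (pat[i-1] == '?' || pat[i-1] == text[j-1]);
            diag = up;
        }
    }
    return row[m];
}

/* CheckHook: first matching rule decides; with no match the implicit action
 * applies (Implicit_Log in Log mode, Implicit_Deny in Protection mode). */
enum ActionType CheckHook(const struct AcdRule *acd, size_t count,
                          const char *image, const char *object,
                          enum ActionType implicit) {
    size_t k;
    for (k = 0; k < count; k++)
        if (WildcardMatch(acd[k].image, image) && WildcardMatch(acd[k].object, object))
            return acd[k].action;
    return implicit;
}
```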
  23. WHIPS Service
     • Installation
       • (MS .NET) InstallUtil.exe
       • Windows Registry entry
     • Automatic starting
     • LocalSystem account
     • ServiceBase class

     ```csharp
     using System.ServiceProcess;

     public class WHIPSService : ServiceBase {
         public WHIPSService() {
             this.ServiceName = "WhipsService";
             this.CanStop = true;
         }
         // Entry point: hand the service instance to the Service Control Manager
         public static void Main() {
             ServiceBase.Run(new WHIPSService());
         }
     }
     ```
  24. Service Initialization
     • EventLogger
     • Driver (un)installation and loading
     • Communication Manager
     • Driver initialization
       • Syscall index set: exclusive access
       • ACD set: shared-read access
  25. Device Opening
     • The device is a file
     • IO Manager call
     • Object Manager call
     • Device object security attributes
  26. Service Proxy
     • Like a reference monitor
     • Game management
     • App2Drv/Drv2App IRPs
     • Overlapped (asynchronous I/O)
     • Pipe Manager
     • Communication events
  27. Logger and ACD Controller
     • Win System32 home directory
     • ACD Reader/Writer
       • ACD file (shared-read mode)
       • LawPacket structure: fixed fields
     • Hook Logger
       • Buffered write
       • "Log.txt"
  28. WHIPS Agent
     • Ready-to-run application (pretty ugly interface: are you able to design it better?!?!... Do it)
     • Driver Controls: Pipe
     • ACD window: filter rule insertion/deletion
     • Monitor Log window: manual/automatic (timeout based) refresh
     • Index field in the Insert Filter window
  29. (no text on this slide)
  30. What's next?
  31. Distributed WHIPS
     • Global ACD maintenance
     • Auto update
     • Less overhead for "Windows typical users"
     • Interface: with or without it?
     • Better and faster protection
     • Architectural complexity increased (Do you want the barrel to be full and the wife to be drunk?!)
  32. What's better to do now?
     • Increasing:
       • Stability
       • Reliability (still not so high)
       • Performance
     • Security issues
       • Secure boot
       • Non-paged memory amount
       • Authentication between components
       • Integrity and availability of used files
       • Secure channel communication
  33. References
     • Battistoni, Gabrielli, Mancini - A Host Intrusion Prevention System for Windows Operating Systems, ESORICS 2004
     • Bernaschi, Gabrielli, Mancini - REMUS: a Security-Enhanced Operating System, ACM, Feb. 2002
     • Russinovich, Solomon - Microsoft Windows Internals, 4th Edition: Microsoft Windows Server, Windows XP and Windows 2000, Microsoft Press, 2004
     • (NOT YET RELEASED) Russinovich, Solomon - Microsoft Windows Internals, 5th Ed.: Microsoft Windows Vista
     • Nebbett - Windows NT/2000 Native API Reference, Macmillan Technical Publishing
     • Hoglund, Butler - Rootkits: Subverting the Windows Kernel, Addison-Wesley Professional, 2005
     • Oney - Programming the Windows Driver Model, 2nd Edition (2003)
     • Microsoft Developer Network - msdn.microsoft.com
     • Windows Driver Development - www.osronline.com
     • Battistoni / Licameli / Di Biagio Laurea theses and other material at www.robertobattistoni.it
  34. I Want YOU
     • If you like WHIPS, you are… WELCOME
     • …just ask Prof. Mancini or Roberto Battistoni
  35. The end
     • Enjoy WHIPS
     • For further information visit whips.sourceforge.net
     • For any other thing, bugs above all, send an email to vavalab@gmail.com or rbattistoni@acm.org