Roberto Battistoni! (firstname.lastname@example.org)Information Security Lessons 2012/2013 (prof. Luigi V. Mancini) – 12/12/2012
v Introduction to Windows internals!v Two open source projects: o WHIPS: Windows Host Intrusion Prevention System o FoXP: Computer Forensic eXPerience 2!
Windows Seven is the evolution of Windows NT 4.0. The ﬁrst OS based on theNT technology was Windows NT 3.5 in 1993. NT was created from a DigitalResearch project. Its name originally was “VMS NT” then it was changed in“Windows NT”. 3!
Local Security Authority subsystem(Lsass): A user-mode process runningthe image “Lsass.exe” that isresponsible for the local systemsecurity policy (such as which usersare allowed to log on to the machine,password policies, privileges grantedto users and groups, and the systemsecurity auditing settings), userauthentication, and sending securityaudit messages to the Event Log. !!Security reference monitor (SRM): Acomponent in the Windows executive(Ntoskrnl.exe) that is responsible fordeﬁning the access token data structure torepresent a security context,performing security access checks onobjects, manipulating privileges (userrights), and generating any resultingsecurity audit messages.! 7!
Two methods are used for determining access to an object:! ! • The mandatory integrity check, which determines whether the integrity level of the caller is high enough to access the resource, based on the resource’s own integrity level and its mandatory policy (Biba?).! • The discretionary access check, which (the owner) determines the access that a speciﬁc user account has to an object.!When a process tries to open an object, the integrity check takes place before the standard Windows DACL check in the kernel’s SeAccessCheck functionbecause it is faster to execute and can quickly eliminate the need to perform the full discretionary access check. Given the default integrity policies, aprocess can only open an object for write access if its integrity level is equal to or higher than the object’s integrity level and the DACL also grants theprocess the accesses it desires. !
§ The protection context of a process or a thread is made from informationwhich describe its privileges, account or groups and it is represented by theAccess Token!§ A privilege in Windows is the right to operate on the whole system without !distinction through the objects in it.§ The Security Reference Monitor (SRM) uses the Access Tokens to allow ordeny the access to the system objects in relation to the protection context of !the process or thread;§ All the programs (processes) opened by the user inherit a copy of theinitial token made at the user’s log-on and at the creation of the user’ shell(explorer.exe);! 10!
§ There are two kind of Access Token: Primary Token and ! Impersonation Token• The impersonation allow to migrate the security context of a process or a thread. A process inherit the primary token or it receives a new impersonation ! token;• In Windows (>=VISTA) if a user belong to Administrators the process assigned to the user has two distinct Access Tokens: one with user rights and the other one with Administrator rights. The mechanism that allows to choose the needed Access Token is called UAC (User Account Control)! 11!
A security descriptor contains the security informationassociated with a securable object. A security descriptorconsists of a SECURITY_DESCRIPTOR structure andits associated security information. A securitydescriptor can include the following securityinformation:!• Security identiﬁers (SIDs) for the owner and primarygroup of an object.!• A DACL that speciﬁes the access rights allowed ordenied to particular users or groups.!• A SACL that speciﬁes the types of access attemptsthat generate audit records for the object.!• A set of control bits that qualify the meaning of asecurity descriptor or its individual members.!Discretionary Access Control List (DACL): An access control list that is controlled by the owner of an object and thatspeciﬁes the access particular users or groups can have to the object. The controls are discretionary in the sense that asubject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject.!A system access control list (SACL) enables administrators to log attempts to access a secured object.! 12!
• A privileged process is a process to which has been assigned some “Windows privileges”. !• A privileged process with dangerous privileges is a dangerous process. !• Windows Services, that are very similar to Unix daemons, are dangerous process.! • Almost all the Windows 2000 Services did the authentication with very high privileged account: LocalSystem. LocalSystem belongs to the Administrators group. ! • Starting from Windows XP a lot of Windows Services use two new less ! privileged account to authenticate themselves: LocalService e NetworkService. • A Service vulnerability allows a malicious user to gain the rights of LocalSystem, LocalService or NetworkService. A lot of attacks are made onto Services that are listening to TCP ports: Privilege Escalation.!• System calls are critical when they can be used by a malware or an hacker. They are dangerous if used in attacks and called by a dangerous process like a Service.! 15!
• ! S-1-5-18: Local System• ! S-1-5-19: Local Service• S-1-5-20: Network Service !• S-1-5-80: Per Service SID!!If exists a Group SID equals to ServiceSID !!“S-1-5-6”.! 16!
!• Native APIs are exported by the Windows Kernel with two different name preﬁx: Zw* and Nt*. The formers always call the dispatcher “KiSystemService()” the latter not. !• Not all the native APIs are exported by the NTOSKRNL.LIB (into the Windows DDK). In some case you have to use the API’s physical address into the kernel.!• To invoke a native API we needed to raise an interrupt: 0x2E. Now (from XP) it is no more used and the code calls directly a CPU function called SYSENTER.! ntdll!ZwReadFile: “Newer versions of Windows no longer use INT ntdll!ZwReadFile: 77f8c552 mov eax,0xa1 2E or go through the IDT to request the services 77f4302f mov eax,0xbf 77f8c557 lea edx,[esp+0x4] in the system call table. Instead, they use the 77f43034 mov edx,0x7ffe0300 77f8c55b int 2e fast call method. ! 77f43039 call edx ! 77f8c55d ret 0x24 77f4303b ret 0x24 In this case, NTDLL loads the EAX register with the system call number of the requested service and the EDX register with the current stack SharedUserData!SystemCallStub: pointer, ESP. NTDLL then issues the Intel 7ffe0300 mov edx,esp instruction SYSENTER.”! 7ffe0302 sysenter 7ffe0304 ret 18!
• To increase: • Stability • Reliability (still not so high) • Performance • Security issues • Secure boot • Non-paged memory amount • Authentication between components • Integrity and availability of used ﬁles • Secure channel communication 32!
v Completeness: system has to collect enough information to intercept the user’s activity v Integrity: nobody can modify the log without being properly authorized v Authenticity: logs have to be authenticated v Non bypassable: nobody can escape the log activity or stop the logging without authorization v Transparency: logging has to be invisible to the user v Reproducibility: knowing for every activity “who” and “what” v Eﬃciency: minimizing the log dimension and the node overhead. 35!
LDF (Live Digital Forensic) has three key aspects related to the “Live” part: • Continuity: shu_ing down a system could represent a big problem in environments that cannot be stopped; • Real Time analysis: LDF intercepts activities while the system is running and no one knows about it; It can allow the CF expert and the admin to analyze (in RT) what happens and to prevent malicious activities; • Proactivity: In the classic Computer Forensic the approach is only “Reactive” whereas in the LDF it is “Proactive”. 36!
u Usage of System Call interposition for Computer Forensic purposes u Real Time System Call interception leads to Live Digital Forensic (LDF) u Distributed collection of intercepted system calls u The prototype (FOXP) is released as an open source project 38!
FOXP: an open source Computer Forensic system for Windows network where every node has a Windows NT family OS. Scenario: • N controlled nodes, every node sends its logs to the central server • A server node receives node logs and organizes them into a R-‐‑DBMS • R-‐‑DBMS for data collection: is a support for a be_er forensic analysis 39!
Client Side: logger component collects and sends data to the central server (Windows NT family OS) Secure Communication: to provide a u t h e n t i c i t y , i n t e g r i t y a n d conﬁdentiality Server Side: is a server application that collects data sent from various clients; this data is available for forensic analysis 40!
Command Audit Server Mgmt Console all n g sysc L og g i States & Logs Node j To Analyze States & Logs 41!
FOXP Agent (FOXP-‐‑A): It is like an IDS that executes basic analysis of node activities (all the • agents realize a Distributed IDS). If an anomaly is detected, than the logging is activated;• FOXP Logger (FOXP-‐‑L): it intercepts the system calls invoked on the node and keeps track of them in a logging ﬁle; te pda te cted e sta les u co l l eFOXP Mgmt Service (FOXP-‐‑MS): it e Liv nt rumanages the Agent and the Logger on Data Nod Agee v e r y n o d e a s w e l l a s t h e i r communications with the centralized server of the architecture: • It receives commands from the Mgmt Console for the Agent rules update; • It forwards commands directly to the Logger; • It sends node live state to the Audit Server; • It receives messages from the Agent and send commands to the Logger; • It sends to the Collector Server the data collected from the Logger. 42!
• FOXP Collector Server (FOXP-‐‑CS): it receives and stores logs from every network node;• FOXP Audit Server (FOXP-‐‑AS): it receives and stores the state of the nodes. It receives commands from the FOXP-‐‑MC and forwards them to the FOXP-‐‑MS of the destination nodes;• FOXP Management Console (FOXP-‐‑MC): it r e m o t e l y m a n a g e s n e t w o r k n o d e s communicating with the FOXP-‐‑MS on every node. It monitors the state of the nodes, conﬁgures and updates the Agent rules, manages the FOXP-‐‑Logger;• FOXP Forensic Analysis Tools (FOXP-‐‑FAT): it executes the analysis of the collected logs and states. 43!
It is the WHIPS core function Interception technique extended to all the 284 system calls of Windows XP and VISTA and Seven (we hope...) It uses the system call index instead of its explicit name 44!
Ø Assessing the efﬁciency and efﬁcacy of the FOXP system with more experimentations; Ø Classifying the system calls according to their level of dangerousness; Ø Communication security with authenticity and non-repudiability of collected logs, is currently under investigation and will be presented in a different paper. 45!
• This security model is directed toward data integrity (rather than conﬁdentiality) and is characterized by the phrase: "no read down, no write up". This is in contrast to the Bell-LaPadula model which is characterized by the phrase "no write down, no read up". • In the Biba model, users can only create content at or below their own integrity level (a monk may write a prayer book that can be read by commoners, but not one to be read by a high priest). Conversely, users can only view content at or above their own integrity level. • The Biba model deﬁnes a set of security rules similar to the Bell-LaPadula model. These rules are the reverse of the Bell-LaPadula rules: o The Simple Integrity Axiom states that a subject at a given level of integrity must not read an object at a lower integrity level (no read down). o The * (star) Integrity Axiom states that a subject at a given level of integrity must not write to any object at a higher level of integrity (no write up).
• CPU Cycle Counting: In Windows Vista, the scheduler uses the cycle counter register of modern processorsto track precisely how many CPU cycles a thread executes.!• Multimedia Class Scheduler Service: Windows Vista introduces MMCSS to manage the CPU priorities ofmultimedia threads. A multimedia app like Windows Media® Player 11 registers with MMCSS usingnew APIs that indicate its multimedia characteristics. MMCSS has a priority-management thread thatruns at priority 27. This thread boosts the priority of registered multimedia threads.!• File-Based Symbolic Links: The Windows Vista I/O-related changes include ﬁle-based symbolic links,more efﬁcient I/O completion processing, comprehensive support for I/O cancellation, and prioritizedI/O.!• I/O Completion and Cancellation: There are a number of under-the-hood changes to the I/O systemthat can improve the performance of server applications. These applications commonly use asynchronization object called a completion port to wait for the completion of asynchronous I/Orequests. On Windows Vista, the I/O completion processing is performed not necessarily by the thread thatissued the I/O, but instead by the one that is waiting for the completion port to wake it up.!• I/O Priority: While Windows has always supported prioritization of CPU usage, it hasnt included theconcept of I/O priority. Windows Vista introduces two new types of I/O prioritization in order to help makeforeground I/O operations get preference: priority on individual I/O operations and I/O bandwidthreservations.! 50!
• SuperFetch: Windows XP introduced prefetching support that improved boot and application startup performance byperforming large disk I/Os to preload memory with code and ﬁle system data that it expected, based on previous boots andapplication launches. Windows Vista goes a big step further with SuperFetch, a memory management scheme that enhances theleast-recently accessed approach with historical information and proactive memory management.!• ReadyBoost: While RAM is ideal for caching disk data, it is relatively expensive. Flash memory, however, is generallycheaper and can service random reads up to 10 times faster than a typical hard disk. Windows Vista, therefore, includes afeature called ReadyBoost to take advantage of ﬂash memory storage devices by creating an intermediate caching layer on themthat logically sits between memory and disks.!• ReadyBoot: After every boot, the ReadyBoost service (the same service that implements the ReadyBoost feature justdescribed) uses idle CPU time to calculate a boot-time caching plan for the next boot. It analyzes ﬁle trace information from theﬁve previous boots and identiﬁes which ﬁles were accessed and where they are located on disk.!• Dynamic Kernel Address Space: In 32-bit Windows Vista, the Memory Manager dynamically manages the kernels addressspace, allocating and deallocating space to various uses as the demands of the workload require. Thus, the amount ofvirtual memory used to store paged buffers can grow when device drivers ask for more, and it can shrink when thedrivers release it.!• Memory Priorities: Just as Windows Vista adds I/O priorities, it also implements memory priorities. On Windows Vista,every page of memory has a priority in the range of 0 to 7, and so the Memory Manager divides the Standby List into eightlists that each store pages of a particular priority. When the Memory Manager wants to take a page from the Standby List,it takes pages from low-priority lists ﬁrst.! 51!
• Boot Conﬁguration Database: Startup has improved with the introduction of the Boot Conﬁguration Database (BCD) forstoring system and OS startup conﬁguration, a new ﬂow and organization of system startup processes, new logonarchitecture, and support for delayed-autostart services. Windows Vista shutdown changes include pre-shutdownnotiﬁcation for Windows services, Windows services shutdown ordering, and a signiﬁcant change to the way the OSmanages power state transitions.!• Startup Processes: Several system processes were re-architected for Windows Vista. Session Manager (Smss.exe) is theﬁrst user-mode process created during the boot as in previous versions of Windows, but on Windows Vista the SessionManager launches a second instance of itself to conﬁgure Session 0, which is dedicated solely to system processes. The SessionManager process for Session 0 launches the Windows Startup Application (Wininit.exe), a Windows subsystem process(Csrss.exe) for Session 0, and then it exits. The Windows Startup Application continues by starting the Service ControlManager, the Local Security Authority Subsystem, and a new process, Local Session Manager (Lsm.exe), which managesterminal server connections for the machine.!• Credential Providers: Instead of a GINA, Windows Vista uses the new Credential Provider architecture.!• Delayed-Autostart Services: Windows Vista introduces a new service start type called delayed automatic start, which servicescan use if they dont have to be active immediately after Windows boots.!• Shutdown: Some services, like those that have network-related shutdown operations or have to save large amounts ofdata to disk, might require more time and so Windows Vista allows a service to request pre-shutdown notiﬁcation.!• Power Management: In Windows Vista, the kernels Power Manager still informs drivers and applications of power-statechanges so that they can prepare for them, but it no longer asks for permission.! 52!
• Kernel Transaction Manager: When an application wants to make a number of related changes, it can either create aDistributed Transaction Coordinator (DTC) transaction and a KTM transaction handle, or create a KTM handle directlyand associate the modiﬁcations of the ﬁles and registry keys with the transaction.!• Enhanced Crash Support: Windows Vista reduces the window of time where no dump ﬁle is generated by initializing dumpﬁle support after all the boot-start device drivers are initialized but before loading system-start drivers.! Windows XP introduced a technology called Volume Shadow Copy to• Volume Shadow Copy:make point-in-time snapshots of disk volumes. Windows Vista also takes advantage of volumesnapshots to unify user and system data protection mechanisms and avoid saving redundant backupdata.!• BitLocker: Windows Vista introduces a full-volume encryption feature called Windows BitLocker Drive Encryption. Unlike EFS,which is implemented by the NTFS ﬁle system driver and operates at the ﬁle level, BitLocker encrypts at the volumelevel using the Full Volume Encryption (FVE) driver!• Code Integrity Veriﬁcation: The Windows Vista code integrity for kernel-mode code feature, also known as kernel-modecode signing (KMCS), only allows device drivers to load if they are published and digitally signed by developers whohave been vetted by one of a handful of certiﬁcate authorities (CAs). KMCS is enforced by default on Windows Vista for64-bit systems.!• Protected Processes: Protected processes restrict access to a limited set of informational and process managementinterfaces that include querying the processs image name and terminating or suspending the process.!• Address Space Load Randomization: The Windows Vista Address Space Load Randomization (ASLR) feature makes itimpossible for malware to know where APIs are located by loading system DLLs and executables at a different location every timethe system boots.! 53!
• WHIPS Driver • Developed in ANSI C with the Windows Driver Development Kit (DDK); • Boot-time loading. • WHIPS Service • Developed in C# on the Microsoft .NET 2.0; • Proxy between Driver and GUI. • WHIPS Agent and minimal GUI Application • Developed in C# on the Microsoft .NET 2.0; • Notiﬁcations from the driver; • Conﬁguration of the driver policy. 54!