Windows HIPS & LDF
  • 1. Roberto Battistoni (rbattistoni@acm.org). Information Security Lessons 2012/2013 (prof. Luigi V. Mancini) – 12/12/2012
  • 2.
    • Introduction to Windows internals
    • Two open source projects:
      o WHIPS: Windows Host Intrusion Prevention System
      o FoXP: Computer Forensic eXPerience
  • 3. Windows Seven (NT 6.1) is the latest evolution of the Windows NT line. The first OS based on the NT technology was Windows NT 3.1, released in 1993. NT was designed by a team led by Dave Cutler, who came from Digital Equipment Corporation (DEC), where he had worked on VMS; the project was originally called "NT OS/2" and was later renamed "Windows NT".
  • 7. Local Security Authority subsystem (Lsass): a user-mode process running the image Lsass.exe that is responsible for the local system security policy (such as which users are allowed to log on to the machine, password policies, privileges granted to users and groups, and the system security auditing settings), user authentication, and sending security audit messages to the Event Log. Security reference monitor (SRM): a component in the Windows executive (Ntoskrnl.exe) that is responsible for defining the access token data structure to represent a security context, performing security access checks on objects, manipulating privileges (user rights), and generating any resulting security audit messages.
  • 8. Two methods are used for determining access to an object:
    • The mandatory integrity check, which determines whether the integrity level of the caller is high enough to access the resource, based on the resource's own integrity level and its mandatory policy. This is a Biba-style policy: by default only the no-write-up rule is enforced (see the Biba slide at the end).
    • The discretionary access check, which determines the access a specific user account has to an object, according to the DACL that the object's owner controls.
    When a process tries to open an object, the integrity check takes place before the standard Windows DACL check in the kernel's SeAccessCheck function, because it is faster to execute and can quickly eliminate the need to perform the full discretionary access check. Given the default integrity policies, a process can only open an object for write access if its integrity level is equal to or higher than the object's integrity level and the DACL also grants the process the accesses it desires.
  • 9. SIDs (Security Identifiers) identify the entities that perform operations in the system: every user, group, machine and domain has one. Binary layout of a SID:
        Revision             1 byte   (currently always 1)
        SubAuthorityCount    1 byte   (number of SubAuthority entries, at most 15)
        IdentifierAuthority  6 bytes  (big-endian)
        SubAuthority[]       SubAuthorityCount x 4 bytes (little-endian); the last one is the RID
    Possible identifier authority values are:
    • 0 - Null Authority
    • 1 - World Authority
    • 2 - Local Authority
    • 3 - Creator Authority
    • 4 - Non-unique Authority
    • 5 - NT Authority
    • 9 - Resource Manager Authority
    Example with PsGetSid (Sysinternals):
        C:\>psgetsid Z24
        PsGetSid v1.43 - Translates SIDs to names and vice versa
        Copyright (C) 1999-2006 Mark Russinovich
        Sysinternals - www.sysinternals.com
        SID for WAM2\Z24:
        S-1-5-21-1993962763-2139871995-725345543-1003
  • 10.
    • The protection context of a process or thread is made from information describing its privileges, account and groups; it is represented by the Access Token.
    • A privilege in Windows is the right to perform a system-wide operation (debugging, backup, shutdown, ...), independent of any particular object; access rights, by contrast, are object-specific.
    • The Security Reference Monitor (SRM) uses the Access Token to allow or deny access to system objects according to the protection context of the process or thread.
    • All the programs (processes) started by the user inherit a copy of the initial token created at the user's logon and at the creation of the user's shell (explorer.exe).
  • 11.
    • There are two kinds of Access Token: Primary Token and Impersonation Token.
    • Impersonation lets a thread run with the security context of another entity (typically a client it is serving): a process inherits a primary token, while a thread can receive a new impersonation token.
    • In Windows (>= Vista), if a user belongs to Administrators, the logon produces two distinct Access Tokens: a filtered one with standard user rights and a full one with Administrator rights. Processes run with the filtered token by default; the mechanism that lets a process obtain the full token (elevation) is UAC (User Account Control).
  • 12. A security descriptor contains the security information associated with a securable object. It consists of a SECURITY_DESCRIPTOR structure and its associated security information. A security descriptor can include the following security information:
    • Security identifiers (SIDs) for the owner and primary group of the object.
    • A DACL that specifies the access rights allowed or denied to particular users or groups.
    • A SACL that specifies the types of access attempts that generate audit records for the object.
    • A set of control bits that qualify the meaning of the security descriptor or of its individual members.
    Discretionary Access Control List (DACL): an access control list that is controlled by the owner of an object and that specifies the access particular users or groups can have to the object. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject.
    System Access Control List (SACL): enables administrators to log attempts to access a secured object (from Vista on, the SACL also carries the object's mandatory integrity label).
  • 15.
    • A privileged process is a process to which some "Windows privileges" have been assigned.
    • A privileged process with dangerous privileges is a dangerous process.
    • Windows Services, which are very similar to Unix daemons, are dangerous processes.
      • Almost all Windows 2000 Services ran under a very highly privileged account: LocalSystem, whose token carries the Administrators group.
      • Starting from Windows XP, many Windows Services run under two new, less privileged accounts: LocalService and NetworkService.
      • A Service vulnerability lets a malicious user gain the rights of LocalSystem, LocalService or NetworkService. Many attacks target Services listening on TCP ports: Privilege Escalation.
    • System calls are critical when they can be used by malware or by an attacker. They are dangerous when used in attacks and invoked by a dangerous process such as a Service.
  • 16.
    • S-1-5-18: Local System
    • S-1-5-19: Local Service
    • S-1-5-20: Network Service
    • S-1-5-80-...: per-service SID (Vista and later; the five sub-authorities are derived from a hash of the service name)
    Every process running as a service also carries the well-known group SID S-1-5-6 (SERVICE) in its token.
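Added example, not code from the slides or from WHIPS: a C parser for the binary SID layout of slide 9. It decodes the revision, the sub-authority count, the 6-byte big-endian identifier authority and the little-endian sub-authorities into the S-1-... string form, and names the well-known NT Authority SIDs listed above. The two byte arrays are constructed by hand here (the first encodes the psgetsid output of slide 9, the second S-1-5-18); all function and type names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Binary SID layout, as in the Windows SID structure:
 *   Revision            1 byte  (always 1)
 *   SubAuthorityCount   1 byte  (0..15)
 *   IdentifierAuthority 6 bytes, big-endian (5 = NT Authority)
 *   SubAuthority[]      SubAuthorityCount x 4 bytes, little-endian; the last one is the RID */
#define SID_MAX_SUB_AUTHORITIES 15

typedef struct {
    uint8_t  revision;
    uint8_t  sub_authority_count;
    uint64_t identifier_authority;
    uint32_t sub_authority[SID_MAX_SUB_AUTHORITIES];
} parsed_sid;

/* Constructed samples: S-1-5-21-1993962763-2139871995-725345543-1003 (slide 9) and S-1-5-18. */
const uint8_t SAMPLE_USER_SID[] = {
    0x01, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05,   /* rev 1, 5 sub-authorities, NT Authority */
    0x15, 0x00, 0x00, 0x00,                           /* 21 */
    0x0B, 0x75, 0xD9, 0x76,                           /* 1993962763 */
    0xFB, 0xDA, 0x8B, 0x7F,                           /* 2139871995 */
    0x07, 0xE5, 0x3B, 0x2B,                           /* 725345543 */
    0xEB, 0x03, 0x00, 0x00                            /* 1003 (RID) */
};
const uint8_t SAMPLE_SYSTEM_SID[] = { 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x12, 0x00, 0x00, 0x00 };

/* Decode a binary SID; returns the bytes consumed, or 0 if the buffer is malformed or truncated. */
size_t sid_parse(const uint8_t *buf, size_t len, parsed_sid *out)
{
    if (len < 8 || buf[0] != 1 || buf[1] > SID_MAX_SUB_AUTHORITIES) return 0;
    size_t need = 8 + 4u * buf[1];
    if (len < need) return 0;              /* never trust SubAuthorityCount before checking the length */
    out->revision = buf[0];
    out->sub_authority_count = buf[1];
    out->identifier_authority = 0;
    for (int i = 0; i < 6; i++)
        out->identifier_authority = (out->identifier_authority << 8) | buf[2 + i];
    for (int i = 0; i < out->sub_authority_count; i++) {
        const uint8_t *p = buf + 8 + 4 * i;
        out->sub_authority[i] = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                                ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    }
    return need;
}

/* Render a binary SID as S-R-I-S-S...; static buffer (not reentrant), NULL on bad input. */
const char *sid_string(const uint8_t *buf, size_t len)
{
    static char text[256];
    parsed_sid sid;
    if (sid_parse(buf, len, &sid) == 0) return NULL;
    int n = snprintf(text, sizeof text, "S-%u-%llu", (unsigned)sid.revision,
                     (unsigned long long)sid.identifier_authority);
    for (int i = 0; i < sid.sub_authority_count && n > 0 && (size_t)n < sizeof text; i++)
        n += snprintf(text + n, sizeof text - (size_t)n, "-%u", (unsigned)sid.sub_authority[i]);
    return text;
}

/* Name the well-known NT Authority SIDs of slide 16, or NULL for anything else. */
const char *sid_well_known(const uint8_t *buf, size_t len)
{
    parsed_sid sid;
    if (sid_parse(buf, len, &sid) == 0 || sid.identifier_authority != 5 || sid.sub_authority_count == 0)
        return NULL;
    if (sid.sub_authority_count == 1) {
        switch (sid.sub_authority[0]) {
        case 6:  return "NT AUTHORITY\\SERVICE";          /* S-1-5-6, group held by every service process */
        case 18: return "NT AUTHORITY\\SYSTEM";           /* S-1-5-18 */
        case 19: return "NT AUTHORITY\\LOCAL SERVICE";    /* S-1-5-19 */
        case 20: return "NT AUTHORITY\\NETWORK SERVICE";  /* S-1-5-20 */
        }
    }
    if (sid.sub_authority[0] == 80 && sid.sub_authority_count == 6)
        return "NT SERVICE\\<per-service SID>";           /* S-1-5-80-a-b-c-d-e */
    return NULL;
}

int main(void)
{
    printf("%s\n", sid_string(SAMPLE_USER_SID, sizeof SAMPLE_USER_SID));
    printf("%s = %s\n", sid_string(SAMPLE_SYSTEM_SID, sizeof SAMPLE_SYSTEM_SID),
           sid_well_known(SAMPLE_SYSTEM_SID, sizeof SAMPLE_SYSTEM_SID));
    return 0;
}
```

The length check before the sub-authority loop is the part worth copying: a SID read from untrusted input (a token, a security descriptor on disk, a network message) must have its SubAuthorityCount validated against the buffer size before any of the sub-authorities are touched.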
  • 18.
    • Native APIs are exported by the Windows kernel with two different name prefixes: Zw* and Nt*. The former always go through the system service dispatcher KiSystemService() (which sets the previous mode to kernel mode, so the parameters are not validated as user-mode pointers); the latter call the implementation directly.
    • Not all the native APIs are exported by NTOSKRNL.LIB (in the Windows DDK). In some cases you have to use the API's address inside the kernel.
    • To invoke a native API from user mode, ntdll used to raise the interrupt 0x2E. From XP on (on CPUs that support it) this is no longer used: the stub calls the CPU fast system call instruction SYSENTER through SharedUserData!SystemCallStub.
    INT 2E version:
        ntdll!ZwReadFile:
        77f8c552 mov eax,0xa1
        77f8c557 lea edx,[esp+0x4]
        77f8c55b int 2e
        77f8c55d ret 0x24
    SYSENTER version (XP):
        ntdll!ZwReadFile:
        77f4302f mov eax,0xbf
        77f43034 mov edx,0x7ffe0300
        77f43039 call edx
        77f4303b ret 0x24

        SharedUserData!SystemCallStub:
        7ffe0300 mov edx,esp
        7ffe0302 sysenter
        7ffe0304 ret
    "Newer versions of Windows no longer use INT 2E or go through the IDT to request the services in the system call table. Instead, they use the fast call method. In this case, NTDLL loads the EAX register with the system call number of the requested service and the EDX register with the current stack pointer, ESP. NTDLL then issues the Intel instruction SYSENTER."
  • 25. (Diagram: a Windows Service under attack from the LAN, the Intranet, the Internet or a local attacker. WHIPS sits between the Service and the native API: good native API calls are let through (OK), malicious native API calls are blocked.)
  • 27. WHIPS replaces the original native API pointers in the SSDT (System Service Descriptor Table) with pointers to new native API functions called "WHIPS wrappers", whose names start with "NewNt...".
  • 28.
        #define HOOK_SYSCALL(_Function, _Hook, _Orig) \
            _Orig = (PVOID) InterlockedExchange((PLONG) &MappedSystemCallTable[SYSCALL_INDEX(_Function)], (LONG) _Hook)
    • Pointer initialization
    • Service control message
    • Syscall index
    • Set data structures
    • SST protection (from Windows XP the table is write-protected):
      • Memory mapping (MDL)
      • Control Register 0 (write protection) disabling
    • SST update with an Interlocked operation (multiprocessor safe)
  • 29.
    • How many parameters does a syscall have?
    • HookPacket structure
    • ReferenceMonitor call
  • 30.
    • Retrieving the calling user-mode process within the syscall
    • Executive Process Block (EPROCESS) structure
    • Query process information
    • Retrieving the process executable image path
  • 32. To increase:
    • Stability
    • Reliability (still not so high)
    • Performance
    Security issues:
    • Secure boot
    • Non-paged memory amount
    • Authentication between components
    • Integrity and availability of used files
    • Secure channel communication
  • 35.
    • Completeness: the system has to collect enough information to intercept the user's activity
    • Integrity: nobody can modify the log without being properly authorized
    • Authenticity: logs have to be authenticated
    • Non-bypassable: nobody can escape the log activity or stop the logging without authorization
    • Transparency: logging has to be invisible to the user
    • Reproducibility: knowing for every activity "who" and "what"
    • Efficiency: minimizing the log size and the node overhead.
  • 36. LDF (Live Digital Forensic) has three key aspects related to the "Live" part:
    • Continuity: shutting down a system could be a big problem in environments that cannot be stopped;
    • Real-time analysis: LDF intercepts activities while the system is running and nobody knows about it; it allows the computer forensic expert and the admin to analyze (in real time) what happens and to prevent malicious activities;
    • Proactivity: in classic Computer Forensics the approach is only "reactive", whereas in LDF it is "proactive".
  • 38.
    • Usage of system call interposition for Computer Forensic purposes
    • Real-time system call interception leads to Live Digital Forensic (LDF)
    • Distributed collection of intercepted system calls
    • The prototype (FOXP) is released as an open source project
  • 39. FOXP: an open source Computer Forensic system for a Windows network where every node runs a Windows NT family OS. Scenario:
    • N controlled nodes; every node sends its logs to the central server
    • A server node receives the node logs and organizes them into an R-DBMS
    • The R-DBMS used for data collection supports a better forensic analysis
  • 40.
    • Client side: a logger component collects and sends data to the central server (Windows NT family OS)
    • Secure communication: to provide authenticity, integrity and confidentiality
    • Server side: a server application that collects the data sent from the various clients; this data is available for forensic analysis
  • 41. (Architecture diagram: the Mgmt Console sends commands to the Audit Server; every Node j logs all syscalls and sends its states and logs to the servers, where they are available to analyze.)
  • 42.
    • FOXP Agent (FOXP-A): it is like an IDS that executes a basic analysis of node activities (all the agents together form a Distributed IDS). If an anomaly is detected, then logging is activated;
    • FOXP Logger (FOXP-L): it intercepts the system calls invoked on the node and keeps track of them in a log file;
    • FOXP Mgmt Service (FOXP-MS): it manages the Agent and the Logger on every node as well as their communications with the centralized servers of the architecture:
      • It receives commands from the Mgmt Console for the Agent rules update;
      • It forwards commands directly to the Logger;
      • It sends the node live state to the Audit Server;
      • It receives messages from the Agent and sends commands to the Logger;
      • It sends to the Collector Server the data collected from the Logger.
  • 43.
    • FOXP Collector Server (FOXP-CS): it receives and stores logs from every network node;
    • FOXP Audit Server (FOXP-AS): it receives and stores the state of the nodes. It receives commands from the FOXP-MC and forwards them to the FOXP-MS of the destination nodes;
    • FOXP Management Console (FOXP-MC): it remotely manages network nodes, communicating with the FOXP-MS on every node. It monitors the state of the nodes, configures and updates the Agent rules, and manages the FOXP-Logger;
    • FOXP Forensic Analysis Tools (FOXP-FAT): it executes the analysis of the collected logs and states.
  • 44.
    • It is the WHIPS core function
    • The interception technique is extended to all the 284 system calls of Windows XP, and to Vista and Seven (we hope...). Note that on 64-bit Windows, Kernel Patch Protection (PatchGuard) treats an SSDT modification as a kernel integrity violation and crashes the system, so SSDT hooking is limited to 32-bit kernels there.
    • It uses the system call index instead of its explicit name
  • 45.
    • Assessing the efficiency and efficacy of the FOXP system with more experiments;
    • Classifying the system calls according to their level of dangerousness;
    • Communication security, with authenticity and non-repudiation of the collected logs, is currently under investigation and will be presented in a different paper.
  • 46. See  you  next  week…maybe!
  • 48. The Biba integrity model:
    • This security model is directed toward data integrity (rather than confidentiality) and is characterized by the phrase "no read down, no write up". This is in contrast to the Bell-LaPadula model, which is characterized by the phrase "no write down, no read up".
    • In the Biba model, users can only create content at or below their own integrity level (a monk may write a prayer book that can be read by commoners, but not one to be read by a high priest). Conversely, users can only view content at or above their own integrity level.
    • The Biba model defines a set of security rules similar to the Bell-LaPadula model. These rules are the reverse of the Bell-LaPadula rules:
      o The Simple Integrity Axiom states that a subject at a given level of integrity must not read an object at a lower integrity level (no read down).
      o The * (star) Integrity Axiom states that a subject at a given level of integrity must not write to any object at a higher level of integrity (no write up).
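Added example serving slide 8 (the order in which SeAccessCheck runs the integrity check and the DACL check) and the Biba axioms above; it is neither Windows code nor WHIPS code. A token is modelled as a list of SIDs plus an integrity level, an object as a mandatory label plus a DACL, and the cheap integrity check runs before the DACL is walked in ACE order. The access rights, the SIDs, the type and function names and the sample data are this example's own simplifications; as in Windows, only no-write-up is enforced by default, and the no_read_down flag switches an object to the full Biba behaviour.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Integrity levels, ranked as Windows (and Biba) rank them. */
typedef enum { IL_UNTRUSTED, IL_LOW, IL_MEDIUM, IL_HIGH, IL_SYSTEM } integrity_level;

/* Toy access rights (a real ACCESS_MASK has many more bits) and toy SIDs (just RIDs). */
enum { ACCESS_READ = 0x1, ACCESS_WRITE = 0x2, ACCESS_EXECUTE = 0x4 };
enum { SID_USER = 1001, SID_USERS_GROUP = 545 };

typedef enum { ACE_ALLOW, ACE_DENY } ace_type;
typedef struct { ace_type type; uint32_t sid; uint32_t mask; } ace;

typedef struct {
    uint32_t        owner_sid;        /* recorded but not consulted by the checks below */
    integrity_level level;            /* from the mandatory label ACE in the SACL */
    bool            no_write_up;      /* Windows default mandatory policy */
    bool            no_read_down;     /* Biba's simple integrity axiom; Windows does not enforce it for files */
    const ace      *dacl;             /* NULL = no DACL = everyone gets everything */
    size_t          ace_count;
} object_sd;

typedef struct {
    const uint32_t *sids;             /* user and group SIDs in the token */
    size_t          sid_count;
    integrity_level level;
} token;

static bool token_has_sid(const token *t, uint32_t sid)
{
    for (size_t i = 0; i < t->sid_count; i++)
        if (t->sids[i] == sid) return true;
    return false;
}

/* Step 1: the mandatory integrity check. */
bool integrity_check(const token *t, const object_sd *o, uint32_t desired)
{
    if ((desired & ACCESS_WRITE) && o->no_write_up && t->level < o->level) return false;  /* * integrity axiom */
    if ((desired & ACCESS_READ) && o->no_read_down && t->level > o->level) return false;  /* simple integrity axiom */
    return true;
}

/* Step 2: the discretionary check. ACEs are evaluated in order: a deny ACE covering any right
 * still wanted ends the walk with failure, allow ACEs subtract from what is still wanted, and
 * the walk stops as soon as nothing is wanted any more. Order matters: deny ACEs placed after
 * an allow that already granted the right have no effect. */
bool dacl_check(const token *t, const object_sd *o, uint32_t desired)
{
    if (o->dacl == NULL) return true;
    uint32_t remaining = desired;
    for (size_t i = 0; i < o->ace_count && remaining != 0; i++) {
        const ace *a = &o->dacl[i];
        if (!token_has_sid(t, a->sid)) continue;
        if (a->type == ACE_DENY && (a->mask & remaining)) return false;
        if (a->type == ACE_ALLOW) remaining &= ~a->mask;
    }
    return remaining == 0;
}

/* The SeAccessCheck order: cheap integrity check first, DACL walk only if it passes. */
bool access_check(const token *t, const object_sd *o, uint32_t desired)
{
    return integrity_check(t, o, desired) && dacl_check(t, o, desired);
}

/* Constructed sample data: one user with one group, at medium IL (a normal process) and at low IL
 * (a protected-mode browser); a file owned by that user whose DACL denies execute to the Users
 * group before allowing everything to the user; and a low-integrity object under full Biba rules. */
static const uint32_t USER_SIDS[] = { SID_USER, SID_USERS_GROUP };
const token MEDIUM_IL_TOKEN = { USER_SIDS, 2, IL_MEDIUM };
const token LOW_IL_TOKEN    = { USER_SIDS, 2, IL_LOW };
static const ace FILE_ACES[] = {
    { ACE_DENY,  SID_USERS_GROUP, ACCESS_EXECUTE },
    { ACE_ALLOW, SID_USER,        ACCESS_READ | ACCESS_WRITE | ACCESS_EXECUTE },
};
const object_sd USER_FILE       = { SID_USER, IL_MEDIUM, true, false, FILE_ACES, 2 };
const object_sd BIBA_STRICT_LOG = { SID_USER, IL_LOW,    true, true,  FILE_ACES, 2 };

int main(void)
{
    printf("low IL writes medium file (DACL allows it):      %d\n", access_check(&LOW_IL_TOKEN, &USER_FILE, ACCESS_WRITE));
    printf("low IL reads medium file:                        %d\n", access_check(&LOW_IL_TOKEN, &USER_FILE, ACCESS_READ));
    printf("medium IL executes file (deny ACE comes first):  %d\n", access_check(&MEDIUM_IL_TOKEN, &USER_FILE, ACCESS_EXECUTE));
    printf("medium IL reads low-integrity Biba object:       %d\n", access_check(&MEDIUM_IL_TOKEN, &BIBA_STRICT_LOG, ACCESS_READ));
    return 0;
}
```

The first case is the one slide 8 describes: the DACL would grant the write, but the low-integrity caller is refused before the DACL is ever read.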
  • 50.
    • CPU Cycle Counting: In Windows Vista, the scheduler uses the cycle counter register of modern processors to track precisely how many CPU cycles a thread executes.
    • Multimedia Class Scheduler Service: Windows Vista introduces MMCSS to manage the CPU priorities of multimedia threads. A multimedia app like Windows Media Player 11 registers with MMCSS using new APIs that indicate its multimedia characteristics. MMCSS has a priority-management thread that runs at priority 27. This thread boosts the priority of registered multimedia threads.
    • File-Based Symbolic Links: The Windows Vista I/O-related changes include file-based symbolic links, more efficient I/O completion processing, comprehensive support for I/O cancellation, and prioritized I/O.
    • I/O Completion and Cancellation: There are a number of under-the-hood changes to the I/O system that can improve the performance of server applications. These applications commonly use a synchronization object called a completion port to wait for the completion of asynchronous I/O requests. On Windows Vista, the I/O completion processing is performed not necessarily by the thread that issued the I/O, but instead by the one that is waiting for the completion port to wake it up.
    • I/O Priority: While Windows has always supported prioritization of CPU usage, it hasn't included the concept of I/O priority. Windows Vista introduces two new types of I/O prioritization in order to help foreground I/O operations get preference: priority on individual I/O operations and I/O bandwidth reservations.
  • 51.
    • SuperFetch: Windows XP introduced prefetching support that improved boot and application startup performance by performing large disk I/Os to preload memory with code and file system data that it expected, based on previous boots and application launches. Windows Vista goes a big step further with SuperFetch, a memory management scheme that enhances the least-recently-accessed approach with historical information and proactive memory management.
    • ReadyBoost: While RAM is ideal for caching disk data, it is relatively expensive. Flash memory, however, is generally cheaper and can service random reads up to 10 times faster than a typical hard disk. Windows Vista, therefore, includes a feature called ReadyBoost to take advantage of flash memory storage devices by creating an intermediate caching layer on them that logically sits between memory and disks.
    • ReadyBoot: After every boot, the ReadyBoost service (the same service that implements the ReadyBoost feature just described) uses idle CPU time to calculate a boot-time caching plan for the next boot. It analyzes file trace information from the five previous boots and identifies which files were accessed and where they are located on disk.
    • Dynamic Kernel Address Space: In 32-bit Windows Vista, the Memory Manager dynamically manages the kernel's address space, allocating and deallocating space to various uses as the demands of the workload require. Thus, the amount of virtual memory used to store paged buffers can grow when device drivers ask for more, and it can shrink when the drivers release it.
    • Memory Priorities: Just as Windows Vista adds I/O priorities, it also implements memory priorities. On Windows Vista, every page of memory has a priority in the range 0 to 7, and so the Memory Manager divides the Standby List into eight lists that each store pages of a particular priority. When the Memory Manager wants to take a page from the Standby List, it takes pages from low-priority lists first.
  • 52.
    • Boot Configuration Database: Startup has improved with the introduction of the Boot Configuration Database (BCD) for storing system and OS startup configuration, a new flow and organization of system startup processes, a new logon architecture, and support for delayed-autostart services. Windows Vista shutdown changes include pre-shutdown notification for Windows services, Windows services shutdown ordering, and a significant change to the way the OS manages power state transitions.
    • Startup Processes: Several system processes were re-architected for Windows Vista. Session Manager (Smss.exe) is the first user-mode process created during the boot, as in previous versions of Windows, but on Windows Vista the Session Manager launches a second instance of itself to configure Session 0, which is dedicated solely to system processes. The Session Manager process for Session 0 launches the Windows Startup Application (Wininit.exe), a Windows subsystem process (Csrss.exe) for Session 0, and then it exits. The Windows Startup Application continues by starting the Service Control Manager, the Local Security Authority Subsystem, and a new process, Local Session Manager (Lsm.exe), which manages terminal server connections for the machine.
    • Credential Providers: Instead of a GINA, Windows Vista uses the new Credential Provider architecture.
    • Delayed-Autostart Services: Windows Vista introduces a new service start type called delayed automatic start, which services can use if they don't have to be active immediately after Windows boots.
    • Shutdown: Some services, like those that have network-related shutdown operations or have to save large amounts of data to disk, might require more time, and so Windows Vista allows a service to request pre-shutdown notification.
    • Power Management: In Windows Vista, the kernel's Power Manager still informs drivers and applications of power-state changes so that they can prepare for them, but it no longer asks for permission.
  • 53.
    • Kernel Transaction Manager: When an application wants to make a number of related changes, it can either create a Distributed Transaction Coordinator (DTC) transaction and a KTM transaction handle, or create a KTM handle directly, and associate the modifications of the files and registry keys with the transaction.
    • Enhanced Crash Support: Windows Vista reduces the window of time where no dump file is generated by initializing dump file support after all the boot-start device drivers are initialized but before loading system-start drivers.
    • Volume Shadow Copy: Windows XP introduced a technology called Volume Shadow Copy to make point-in-time snapshots of disk volumes. Windows Vista also takes advantage of volume snapshots to unify user and system data protection mechanisms and avoid saving redundant backup data.
    • BitLocker: Windows Vista introduces a full-volume encryption feature called Windows BitLocker Drive Encryption. Unlike EFS, which is implemented by the NTFS file system driver and operates at the file level, BitLocker encrypts at the volume level using the Full Volume Encryption (FVE) driver.
    • Code Integrity Verification: The Windows Vista code integrity for kernel-mode code feature, also known as kernel-mode code signing (KMCS), only allows device drivers to load if they are published and digitally signed by developers who have been vetted by one of a handful of certificate authorities (CAs). KMCS is enforced by default on Windows Vista for 64-bit systems.
    • Protected Processes: Protected processes restrict access to a limited set of informational and process management interfaces that include querying the process's image name and terminating or suspending the process.
    • Address Space Load Randomization: The Windows Vista Address Space Load Randomization (ASLR) feature makes it hard for malware to predict where APIs are located, by loading system DLLs and executables at a different location every time the system boots.
  • 54.
    • WHIPS Driver: developed in ANSI C with the Windows Driver Development Kit (DDK); boot-time loading.
    • WHIPS Service: developed in C# on Microsoft .NET 2.0; proxy between the Driver and the GUI.
    • WHIPS Agent and minimal GUI application: developed in C# on Microsoft .NET 2.0; receives notifications from the driver; configures the driver policy.
  • 56.
    • Installation: InstallUtil.exe, Windows Registry entry, automatic start, LocalSystem account
    • It extends the ServiceBase class
    • Developed in C#
        using System.ServiceProcess;

        public class WHIPSService : ServiceBase
        {
            public WHIPSService()
            {
                this.ServiceName = "WhipsService";
                this.CanStop = true;
            }

            public static void Main()
            {
                // Hands the service over to the Service Control Manager.
                ServiceBase.Run(new WHIPSService());
            }
        }
  • 57.
    • Like a reference monitor
    • Game management
    • App2Drv/Drv2App IRPs
    • Overlapped (asynchronous I/O)
    • Named Pipe Manager
    • Communication events
  • 58. Macro to exchange pointers in the SSDT:
        #define HOOK(APIName, NewAPIPtr, OldAPIPtr) \
            OldAPIPtr = ExchangePointers(&SSDT[Index(APIName)], NewAPIPtr)
        …
        HOOK(ZwOpenFile, NewZwOpenFile, OldZwOpenFile);
    Example of a new native API, NewZwOpenFile: it logs the call, then forwards it to the original and returns the original's status so the caller sees no difference:
        NTSTATUS NewZwOpenFile(OUT PHANDLE phFile, …, IN ULONG OpenMode)
        {
            doLog("ZwOpenFile", phFile, …, OpenMode);
            return OldZwOpenFile(phFile, …, OpenMode);
        }
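Added example tying together slides 27-28, 44 and 58; it is a user-mode simulation written for this page, not the WHIPS driver. A service table is modelled as an array of atomically updated pointers, the syscall index is recovered from the "mov eax, imm32" that opens every ntdll stub (slide 18), the hook is installed with a C11 atomic_exchange in the same shape as the slide's InterlockedExchange macro, and a NewNt... wrapper logs the call, applies a toy policy and forwards to the saved original. What the simulation leaves out: the real table is write-protected, so the driver must map it through an MDL or clear CR0.WP before the exchange, and a real wrapper must probe and copy user-mode pointers before using them. The stub bytes are assembled by hand from slide 18's disassembly; the policy (PROTECTED_HANDLE), the table size and all names are this example's own.

```c
#include <stdatomic.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* NTSTATUS values from ntstatus.h. */
#define STATUS_SUCCESS                 0L
#define STATUS_INVALID_SYSTEM_SERVICE  ((long)0xC000001CL)
#define STATUS_ACCESS_DENIED           ((long)0xC0000022L)
#define SYSCALL_TABLE_SIZE             256
#define PROTECTED_HANDLE               0x10     /* hypothetical: reads of this handle are refused */

/* One toy signature for every service; the real SSDT holds functions of many arities. */
typedef long (*syscall_fn)(uintptr_t a1, uintptr_t a2, uintptr_t a3);

/* Stand-in for the mapped system service table: one atomically updated slot per index. */
static _Atomic uintptr_t service_table[SYSCALL_TABLE_SIZE];

/* The INT 2E ntdll!ZwReadFile stub of slide 18, assembled by hand:
 *   mov eax,0xa1 ; lea edx,[esp+0x4] ; int 2e ; ret 0x24 */
const uint8_t ZW_READ_FILE_STUB[] = { 0xB8, 0xA1, 0x00, 0x00, 0x00, 0x8D, 0x54, 0x24, 0x04,
                                      0xCD, 0x2E, 0xC2, 0x24, 0x00 };

/* SYSCALL_INDEX: the service number is the imm32 of the stub's first instruction, "mov eax, imm32"
 * (opcode B8). Returns -1 if the stub does not start that way (already patched, or another build). */
long syscall_index(const uint8_t *stub)
{
    if (stub[0] != 0xB8) return -1;
    return (long)((uint32_t)stub[1] | ((uint32_t)stub[2] << 8) |
                  ((uint32_t)stub[3] << 16) | ((uint32_t)stub[4] << 24));
}

static unsigned long calls_logged;

/* The "original" service the table points to after boot (toy body). */
static long OrigNtReadFile(uintptr_t handle, uintptr_t buffer, uintptr_t length)
{
    (void)handle; (void)buffer; (void)length;
    return STATUS_SUCCESS;
}

static syscall_fn OldNtReadFile;   /* filled in by HOOK_SYSCALL */

/* WHIPS-style wrapper: log, ask the (toy) reference monitor, then forward and return the
 * original's status. */
static long NewNtReadFile(uintptr_t handle, uintptr_t buffer, uintptr_t length)
{
    calls_logged++;
    if (handle == PROTECTED_HANDLE) return STATUS_ACCESS_DENIED;
    return OldNtReadFile(handle, buffer, length);
}

/* Same shape as the slide's macro; atomic_exchange is the C11 counterpart of InterlockedExchange,
 * so a CPU dispatching concurrently sees either the old pointer or the new one, never a torn value. */
#define HOOK_SYSCALL(_Stub, _Hook, _Orig) \
    ((_Orig) = (syscall_fn)atomic_exchange(&service_table[syscall_index(_Stub)], (uintptr_t)(_Hook)))

/* What the dispatcher does once it has validated the index. */
long sys_dispatch(long index, uintptr_t a1, uintptr_t a2, uintptr_t a3)
{
    if (index < 0 || index >= SYSCALL_TABLE_SIZE) return STATUS_INVALID_SYSTEM_SERVICE;
    syscall_fn fn = (syscall_fn)atomic_load(&service_table[index]);
    return fn ? fn(a1, a2, a3) : STATUS_INVALID_SYSTEM_SERVICE;
}

/* "Boot": fill the slot the kernel would have filled; returns the index used. */
long init_service_table(void)
{
    long idx = syscall_index(ZW_READ_FILE_STUB);
    if (idx >= 0 && idx < SYSCALL_TABLE_SIZE) atomic_store(&service_table[idx], (uintptr_t)OrigNtReadFile);
    return idx;
}

/* Install the wrapper. Refuses to hook twice: a second exchange would save the wrapper itself
 * as the "original", and NewNtReadFile would then call itself without end. */
int install_hooks(void)
{
    long idx = syscall_index(ZW_READ_FILE_STUB);
    if (idx < 0 || idx >= SYSCALL_TABLE_SIZE) return -1;
    if ((syscall_fn)atomic_load(&service_table[idx]) == NewNtReadFile) return 0;
    HOOK_SYSCALL(ZW_READ_FILE_STUB, NewNtReadFile, OldNtReadFile);
    return 0;
}

/* Put the saved pointer back, as the driver does on unload. */
int remove_hooks(void)
{
    long idx = syscall_index(ZW_READ_FILE_STUB);
    if (idx < 0 || OldNtReadFile == NULL) return -1;
    atomic_exchange(&service_table[idx], (uintptr_t)OldNtReadFile);
    OldNtReadFile = NULL;
    return 0;
}

unsigned long log_count(void) { return calls_logged; }

int main(void)
{
    init_service_table();
    install_hooks();
    printf("protected handle: 0x%lx, other handle: 0x%lx, logged: %lu\n",
           (unsigned long)sys_dispatch(0xa1, PROTECTED_HANDLE, 0, 0),
           (unsigned long)sys_dispatch(0xa1, 0x20, 0, 0), log_count());
    remove_hooks();
    return 0;
}
```

Reading the index from the stub rather than hard-coding it is what slide 44 means by "index instead of name": the number for NtReadFile is 0xa1 on one build and 0xbf on another, but the `mov eax, imm32` that carries it is the same on both.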
  • 59. Internet Explorer Remote Code Execution Exploit v0.1 (exploit page, payload elided):
        <input type="checkbox" id=a>
        <script>
        -- malicious code --
        var r = document.getElementById(a).createTextRange();
        </script>
    WHIPS log of the native API call made by the payload (cmd.exe opened from IEXPLORE.EXE):
        NtOpenFile(
            OUT PHANDLE phFile:34c|IN ACCESS_MASK DesiredAccess:1000a1|
            IN POBJECT_ATTRIBUTES ObjectAttributes:/??/C:/WINDOWS/system32/cmd.exe|
            OUT PIO_STATUS_BLOCK pIoStatusBlock:0|IN ULONG ShareMode:5|
            IN ULONG OpenMode:60
        ) called by:
        /Device/HarddiskVolume2/Program/Internet Explorer/IEXPLORE.EXE
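Added example, not WHIPS code: a parser for log lines in the format shown above, plus one illustrative detection rule run over three constructed lines. The first line is the slide's event joined onto one line; the other two are benign controls (the same open without execute access, and the same open issued by explorer.exe). The rule is this example's own, not a WHIPS policy: it flags NtOpenFile of cmd.exe with FILE_EXECUTE (0x20, which is set in the logged DesiredAccess 0x1000a1) when the caller is the browser. Type and function names are this example's own.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FILE_EXECUTE 0x20u   /* from winnt.h */

typedef struct {
    char     syscall[32];
    char     object[256];        /* value of the ObjectAttributes parameter, if logged */
    char     caller[256];        /* image path after "called by:" */
    uint32_t desired_access;
    bool     has_desired_access;
} whips_event;

static void copy_span(char *dst, size_t dstlen, const char *start, const char *end)
{
    size_t n = (size_t)(end - start);
    if (n >= dstlen) n = dstlen - 1;
    memcpy(dst, start, n);
    dst[n] = '\0';
}

/* Parse one line of the form  Name(DIR TYPE param:value|DIR TYPE param:value|...) called by: <path>
 * Returns 0 on success, -1 on a malformed line. */
int whips_parse(const char *line, whips_event *ev)
{
    static const char CALLED_BY[] = ") called by: ";
    memset(ev, 0, sizeof *ev);
    const char *open = strchr(line, '(');
    const char *tail = open ? strstr(open, CALLED_BY) : NULL;
    if (!open || !tail) return -1;
    copy_span(ev->syscall, sizeof ev->syscall, line, open);
    copy_span(ev->caller, sizeof ev->caller, tail + sizeof CALLED_BY - 1, line + strlen(line));

    /* Walk the '|'-separated parameters; the first ':' of a field separates name from value,
     * which keeps the ':' inside "C:/..." values out of the split. */
    const char *p = open + 1;
    while (p < tail) {
        const char *field_end = memchr(p, '|', (size_t)(tail - p));
        if (!field_end) field_end = tail;
        const char *colon = memchr(p, ':', (size_t)(field_end - p));
        if (colon) {
            const char *name = colon;
            while (name > p && name[-1] != ' ') name--;            /* the token just before ':' */
            size_t name_len = (size_t)(colon - name);
            if (name_len == 13 && strncmp(name, "DesiredAccess", 13) == 0) {
                ev->desired_access = (uint32_t)strtoul(colon + 1, NULL, 16);   /* logged in hex */
                ev->has_desired_access = true;
            } else if (name_len == 16 && strncmp(name, "ObjectAttributes", 16) == 0) {
                copy_span(ev->object, sizeof ev->object, colon + 1, field_end);
            }
        }
        p = field_end + 1;
    }
    return 0;
}

static bool ends_with_nocase(const char *s, const char *suffix)
{
    size_t ls = strlen(s), lf = strlen(suffix);
    if (lf > ls) return false;
    s += ls - lf;
    for (size_t i = 0; i < lf; i++)
        if (tolower((unsigned char)s[i]) != tolower((unsigned char)suffix[i])) return false;
    return true;
}

/* Hypothetical rule: a browser opening a command interpreter for execute is what the exploit above does. */
bool whips_is_suspicious(const whips_event *ev)
{
    return strcmp(ev->syscall, "NtOpenFile") == 0
        && ev->has_desired_access && (ev->desired_access & FILE_EXECUTE)
        && ends_with_nocase(ev->object, "/cmd.exe")
        && ends_with_nocase(ev->caller, "/iexplore.exe");
}

/* 1 = suspicious, 0 = benign, -1 = unparseable. */
int whips_line_is_suspicious(const char *line)
{
    whips_event ev;
    if (whips_parse(line, &ev) != 0) return -1;
    return whips_is_suspicious(&ev) ? 1 : 0;
}

int whips_count_suspicious(const char *const *lines, size_t n)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++) {
        int r = whips_line_is_suspicious(lines[i]);
        if (r < 0) return -1;
        hits += r;
    }
    return hits;
}

/* Constructed sample log: the slide's event on one line, then two benign controls. */
const char *const SAMPLE_LINES[] = {
    "NtOpenFile(OUT PHANDLE phFile:34c|IN ACCESS_MASK DesiredAccess:1000a1|IN POBJECT_ATTRIBUTES ObjectAttributes:/??/C:/WINDOWS/system32/cmd.exe|OUT PIO_STATUS_BLOCK pIoStatusBlock:0|IN ULONG ShareMode:5|IN ULONG OpenMode:60) called by: /Device/HarddiskVolume2/Program/Internet Explorer/IEXPLORE.EXE",
    "NtOpenFile(OUT PHANDLE phFile:350|IN ACCESS_MASK DesiredAccess:100080|IN POBJECT_ATTRIBUTES ObjectAttributes:/??/C:/WINDOWS/system32/cmd.exe|OUT PIO_STATUS_BLOCK pIoStatusBlock:0|IN ULONG ShareMode:7|IN ULONG OpenMode:60) called by: /Device/HarddiskVolume2/Program/Internet Explorer/IEXPLORE.EXE",
    "NtOpenFile(OUT PHANDLE phFile:2a8|IN ACCESS_MASK DesiredAccess:1000a1|IN POBJECT_ATTRIBUTES ObjectAttributes:/??/C:/WINDOWS/system32/cmd.exe|OUT PIO_STATUS_BLOCK pIoStatusBlock:0|IN ULONG ShareMode:5|IN ULONG OpenMode:60) called by: /Device/HarddiskVolume2/WINDOWS/explorer.exe",
};
#define SAMPLE_LINE_COUNT (sizeof SAMPLE_LINES / sizeof SAMPLE_LINES[0])

int main(void)
{
    printf("suspicious events: %d of %zu\n", whips_count_suspicious(SAMPLE_LINES, SAMPLE_LINE_COUNT), (size_t)SAMPLE_LINE_COUNT);
    return 0;
}
```

Matching on the decoded access mask rather than on the path alone is what keeps the second line quiet: the browser opening cmd.exe to read its attributes (0x100080) is not the same event as opening it for execute.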