
Whips1.0 Internals


  1. Sapienza University of Rome, Computer Science Department
     Supervisor: Roberto Battistoni (rbattistoni@acm.org)
     Student: Bruno Vavalà (vavalab@gmail.com)
     Sicurezza dei Dati e delle Reti (Data and Network Security) 2008/2009, Prof. Luigi V. Mancini
     Bruno Vavalà - Whips 1.0 Beta 1
  2. Our Goals
     We want to:
      Introduce and recall some important system security concepts
      Explain in more depth how the Windows architecture works, what the security issues are and how they can be (almost) solved, even in a poorly documented environment, showing two very powerful techniques
      Highlight the difference between our solution and Winpooch, and the improvements we made with respect to the previous version of WHIPS
      Show how we made WHIPS: the concept, the development, its algorithms and data structures
      Discuss the future of Windows and WHIPS
  3. Reference Monitor
      Always-invoked
      Non-bypassable
      Tamper-resistant
      Verifiable
  4. Windows Architecture
  5. System Calls
      Win32 and Syscall API
      SSDT Protection
      Syscall Invocation
         KiSystemService
         SystemService
         Dispatch/Parameter Table
      Nt vs. Zw
      Ntdll.dll and Ntoskrnl.exe
  6. Trap and Interrupt Masking
      Restrictions on code running at Dispatch Level
      The first 3 IRQLs (PASSIVE, APC, DISPATCH) are software interrupt levels, the others are hardware (device) interrupt levels
  7. System Memory Pools
      They are all system-space virtual addresses
      System Page Table Entries
      Non-paged pool: no page fault
      Paged pool: page fault possible
      Memory Manager Fault Handler
  8. System Call Interposition
      Syscall hooking (Russinovich et al.)
      SSDT update
  9. Detours
      Binary Interception
      SSDT untouched
      Trampoline Function
      Assembly modifications
         Instruction saving
         Unconditional jump
  10. Winpooch
      Watchdog for Windows
      Real-time virus protection
      Detours
      Hard-coded (Nt)syscall pointers (Windows version dependent)
      Stub saving
  11. WHIPS Concept
      Reference Monitor
      Windows Module
      Syscall hooking
  12. Hard-Coded Syscall FREEDOM
      Previous version
      Winpooch
      Portability
      The disassembler role
         Pedasm
         "C:\windows\system32\SCIndexes.sci"
      Security Issues
         Always-opened handles
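The portability point of slide 12 is that the syscall indices are read out of ntdll.dll at install time rather than compiled into the driver, because every Windows version (and service pack) renumbers them. The following is an added example, not WHIPS or Pedasm code: it decodes the x86 ntdll export stubs, whose first instruction is `mov eax, <index>` (opcode B8 imm32), and returns the index together with the parameter count taken from the stub's `ret imm16`. The "image" bytes and the export table are constructed to mimic two real stub layouts (the `mov edx, 7FFE0300h; call [edx]` form used from XP SP2 on, and the older Windows 2000 `lea edx,[esp+4]; int 2Eh` form); real code would map the DLL and walk its export directory, and the on-disk layout of SCIndexes.sci is not shown here.

```c
/* Added example, not WHIPS or Pedasm code: recover Nt* syscall indices from
 * ntdll.dll stubs instead of hard-coding them. The image and export table
 * below are constructed; a real implementation maps ntdll and walks its
 * export directory. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { const char *name; size_t off; } Export;   /* export name -> stub offset */

/* Constructed x86 stubs:
 *   B8 imm32            mov eax, <index>
 *   BA 00 03 FE 7F      mov edx, 7FFE0300h   (XP SP2+: KUSER_SHARED_DATA.SystemCallStub)
 *   FF 12               call [edx]
 *   C2 imm16            ret <4*argc>
 * or, after the same mov eax, the Windows 2000 form:
 *   8D 54 24 04         lea edx, [esp+4]
 *   CD 2E               int 2Eh
 *   C2 imm16            ret <4*argc>                                        */
static const uint8_t g_image[] = {
    /* NtCreateFile @0: index 0x25, 11 parameters */
    0xB8,0x25,0x00,0x00,0x00, 0xBA,0x00,0x03,0xFE,0x7F, 0xFF,0x12, 0xC2,0x2C,0x00,
    /* NtOpenProcess @15: index 0x7A, 4 parameters, int 2Eh flavour */
    0xB8,0x7A,0x00,0x00,0x00, 0x8D,0x54,0x24,0x04, 0xCD,0x2E, 0xC2,0x10,0x00,
    /* RtlAllocateHeap @29: an ordinary prologue, not a syscall stub */
    0x55, 0x8B, 0xEC, 0xC3,
};
static const Export g_exports[] = {
    { "NtCreateFile",     0 },
    { "NtOpenProcess",   15 },
    { "RtlAllocateHeap", 29 },
};

static uint32_t le32(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Decode the stub at off. Returns the syscall index, or -1 if the bytes are not
 * a recognised stub; *argc receives the parameter count from ret imm16. */
long DecodeStub(const uint8_t *img, size_t len, size_t off, unsigned *argc) {
    static const uint8_t kss[] = { 0xBA,0x00,0x03,0xFE,0x7F, 0xFF,0x12 }; /* mov edx,7FFE0300h; call [edx] */
    static const uint8_t i2e[] = { 0x8D,0x54,0x24,0x04, 0xCD,0x2E };      /* lea edx,[esp+4]; int 2Eh */
    if (off + 5 > len || img[off] != 0xB8) return -1;                    /* mov eax, imm32 */
    uint32_t index = le32(img + off + 1);
    size_t p = off + 5;
    if (p + sizeof kss <= len && memcmp(img + p, kss, sizeof kss) == 0)      p += sizeof kss;
    else if (p + sizeof i2e <= len && memcmp(img + p, i2e, sizeof i2e) == 0) p += sizeof i2e;
    else return -1;
    if (p + 3 > len || img[p] != 0xC2) return -1;                        /* ret imm16 */
    if (argc) *argc = (img[p + 1] | (unsigned)img[p + 2] << 8) / 4;
    return (long)index;
}

/* Name -> index, the mapping WHIPS persists instead of hard-coding pointers */
long LookupIndex(const char *name, unsigned *argc) {
    for (size_t i = 0; i < sizeof g_exports / sizeof g_exports[0]; i++)
        if (strcmp(g_exports[i].name, name) == 0)
            return DecodeStub(g_image, sizeof g_image, g_exports[i].off, argc);
    return -1;
}

unsigned ArgCount(const char *name) {
    unsigned argc = 0;
    return LookupIndex(name, &argc) < 0 ? 0 : argc;
}

int main(void) {
    for (size_t i = 0; i < sizeof g_exports / sizeof g_exports[0]; i++) {
        long idx = LookupIndex(g_exports[i].name, NULL);
        if (idx < 0) printf("%-16s not a syscall stub\n", g_exports[i].name);
        else printf("%-16s index 0x%02lX, %u parameters\n", g_exports[i].name, idx, ArgCount(g_exports[i].name));
    }
    return 0;
}
```

Refusing anything that is not one of the known stub shapes is the point: an export that is not a stub (RtlAllocateHeap above) or a stub layout from an unsupported Windows build yields -1 rather than a bogus index that would later be written into the SSDT.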
  13. WHIPS Overview
      Windows Driver
         Developed in C with the Windows Driver Kit (available for free at www.microsoft.com)
         Boot-time loading
      Windows Service
         Developed under the Microsoft .NET 2.0 framework in C#
         Driver loading
         "The man in the middle"
      Agent Application
         Developed under the Microsoft .NET 2.0 framework in C#
         Communication
      whips.sourceforge.net
  14. WHIPS Overview
  15. WHIPS Driver
      Windows Driver Model
         Kernel-mode activity
         Registering predefined routines
      Installation
         Boot-time loading
         Windows Registry entry
      DriverEntry routine
         Device creation: "\DosDevices\WHIPS"
         Major Function setting: Create, Close, DeviceControl
  16. I/O Flow Control
  17. I/O Request Packet
      Kernel-mode WDM data structure
      Communication buffer (by pointer)
      DeviceIoControl
         IOCTLs
      IRP Completion
         Asynchronous Procedure Call (APC)
      CancelRoutine (no IRP must be lost)
  18. Syscall Hooking
      Pointer initialization
         Service control message
         Syscall Index Set data structures
      SSDT Protection
         Memory mapping (MDL)
         Control Register 0 write protection (CR0.WP) disabling
      SSDT update with an Interlocked operation (multiprocessor safe):

         #define HOOK_SYSCALL(_Function, _Hook, _Orig) \
             _Orig = (PVOID) InterlockedExchange( \
                 (PLONG) &MappedSystemCallTable[SYSCALL_INDEX(_Function)], (LONG) _Hook)

  19. Syscall Wrappers
      How many parameters does a syscall take?
      One-to-one correspondence
      HookPacket structure
      ReferenceMonitor call
  20. Whips Reference Monitor
      Driver state
         Log/Allow/Protection mode
      Process image path retrieval
      Logging
         HookPacket serialization
         Drv2App IRP completion
      ACD Checker
  21. Windows Processes
      Executive Process Block (EPROCESS) structure
      Query process information
      Retrieving the process executable image path
  22. ACD
      Non-paged memory usage
      ACD setting
         Serialization
      CheckHook
         String comparison with dynamic programming
         FHFU policy
      ActionType
         Implicit_Log
         Implicit_Deny
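Slides 18 to 22 describe one path: swap an SSDT entry for a wrapper, have the wrapper build a HookPacket, and let the reference monitor decide by walking the ACD. The following is an added example, not WHIPS code, that models that path in user-mode C so it can be compiled and run anywhere: the "SSDT" is an array of C11 atomic function pointers and the swap uses `atomic_exchange` in place of `InterlockedExchange`, so the MDL mapping and CR0.WP steps of the real driver are omitted. The syscall shape (one string argument), the index, the ACD rules, the `*`/`?` wildcard syntax, and the meaning given to the Log/Allow/Protection modes are all assumptions made for the example.

```c
/* Added example, not WHIPS code: a user-mode model of the WHIPS hook path.
 * The real driver maps the SSDT with an MDL, clears CR0.WP and swaps entries
 * with InterlockedExchange; here the "SSDT" is an array of atomic function
 * pointers. Syscall shape, index, ACD rules and mode semantics are assumed. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

typedef long NTSTATUS;
#define STATUS_SUCCESS       0L
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)

typedef NTSTATUS (*SYSCALL_FN)(const char *arg);   /* one-argument stand-in for a real Nt* call */
#define SYSCALL_INDEX_NtCreateFile 0x25              /* assumed index (XP x86) */
#define TABLE_SIZE 0x40
static _Atomic(SYSCALL_FN) MappedSystemCallTable[TABLE_SIZE];

/* Same shape as the slide-18 macro, on a C11 atomic instead of InterlockedExchange */
#define HOOK_SYSCALL(_Index, _Hook, _Orig) \
    ((_Orig) = atomic_exchange(&MappedSystemCallTable[(_Index)], (_Hook)))

typedef enum { ACT_ALLOW, ACT_DENY, ACT_LOG } ActionType;
typedef enum { MODE_LOG, MODE_ALLOW, MODE_PROTECT } DriverMode;
typedef struct { unsigned index; const char *image; const char *arg; ActionType act; } AcdRule;
typedef struct { unsigned index; const char *image; const char *arg; } HookPacket;

/* Constructed ACD: image-path pattern, argument pattern, action. Order matters (FHFU). */
static const AcdRule g_acd[] = {
    { SYSCALL_INDEX_NtCreateFile, "C:\\Program Files\\*.exe", "C:\\Windows\\System32\\*", ACT_DENY  },
    { SYSCALL_INDEX_NtCreateFile, "*",                         "C:\\Temp\\*",             ACT_ALLOW },
};
DriverMode g_mode = MODE_PROTECT;
const char *g_current_image = "C:\\Program Files\\evil.exe";  /* stands in for the EPROCESS image-path lookup */
static unsigned g_log_count;

#define MAX_LEN 255
/* Wildcard match ('*' = any run, '?' = one char) by dynamic programming:
 * dp[i][j] is true when pat[0..i) matches s[0..j). */
bool glob_match(const char *pat, const char *s) {
    static bool dp[MAX_LEN + 1][MAX_LEN + 1];
    size_t m = strlen(pat), n = strlen(s);
    if (m > MAX_LEN || n > MAX_LEN) return false;
    memset(dp, 0, sizeof dp);
    dp[0][0] = true;
    for (size_t i = 1; i <= m; i++)
        for (size_t j = 0; j <= n; j++) {
            if (pat[i - 1] == '*')
                dp[i][j] = dp[i - 1][j] || (j > 0 && dp[i][j - 1]);
            else if (j > 0 && (pat[i - 1] == '?' || pat[i - 1] == s[j - 1]))
                dp[i][j] = dp[i - 1][j - 1];
        }
    return dp[m][n];
}

/* First-Hit-First-Used over the ACD; an unmatched call gets the mode's implicit action */
ActionType ReferenceMonitor(const HookPacket *pkt) {
    if (g_mode == MODE_ALLOW) return ACT_ALLOW;
    if (g_mode == MODE_LOG)   return ACT_LOG;            /* Implicit_Log: record it, let it through */
    for (size_t i = 0; i < sizeof g_acd / sizeof g_acd[0]; i++) {
        const AcdRule *r = &g_acd[i];
        if (r->index == pkt->index && glob_match(r->image, pkt->image) && glob_match(r->arg, pkt->arg))
            return r->act;
    }
    return ACT_DENY;                                     /* Implicit_Deny in protection mode */
}

static SYSCALL_FN OriginalNtCreateFile;

/* The wrapper: build a HookPacket, ask the monitor, then deny or forward to the original */
static NTSTATUS HookedNtCreateFile(const char *path) {
    HookPacket pkt = { SYSCALL_INDEX_NtCreateFile, g_current_image, path };
    ActionType act = ReferenceMonitor(&pkt);
    if (act != ACT_ALLOW) g_log_count++;   /* a Drv2App IRP completion would carry the serialized packet */
    if (act == ACT_DENY) return STATUS_ACCESS_DENIED;
    return OriginalNtCreateFile(path);
}

static NTSTATUS FakeNtCreateFile(const char *path) { (void)path; return STATUS_SUCCESS; }

void InstallHooks(void) {
    static bool installed;
    if (installed) return;                 /* hooking twice would make the "original" point at the hook */
    atomic_store(&MappedSystemCallTable[SYSCALL_INDEX_NtCreateFile], FakeNtCreateFile);
    HOOK_SYSCALL(SYSCALL_INDEX_NtCreateFile, HookedNtCreateFile, OriginalNtCreateFile);
    installed = true;
}

/* What a caller going through the (model) SSDT gets back */
NTSTATUS RunScenario(DriverMode mode, const char *image, const char *path) {
    InstallHooks();
    g_mode = mode;
    g_current_image = image;
    return atomic_load(&MappedSystemCallTable[SYSCALL_INDEX_NtCreateFile])(path);
}
unsigned LogCount(void) { return g_log_count; }

int main(void) {
    NTSTATUS s = RunScenario(MODE_PROTECT, "C:\\Program Files\\evil.exe", "C:\\Windows\\System32\\drivers\\etc\\hosts");
    printf("evil.exe -> System32: %s, logged=%u\n", s == STATUS_ACCESS_DENIED ? "denied" : "allowed", LogCount());
    return 0;
}
```

Two details carry over to the real driver. The exchange must be atomic because another CPU may be dispatching through the same SSDT slot while it is rewritten, and the "original" pointer must be captured exactly once: installing the hook a second time would store the hook itself as the original and recurse. The DP matcher is also why the ACD lives in non-paged memory in the real design: the check runs inside the syscall path and must not take a page fault there.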
  23. WHIPS Service
      Installation: (MS .NET) InstallUtil.exe
      Windows Registry entry
      Automatic starting
      LocalSystem account
      ServiceBase class

         using System.ServiceProcess;

         public class WHIPSService : ServiceBase
         {
             public WHIPSService()
             {
                 this.ServiceName = "WhipsService";
                 this.CanStop = true;
             }

             public static void Main()
             {
                 ServiceBase.Run(new WHIPSService());
             }
         }

  24. Service Initialization
      EventLogger
      Driver (un)installation and loading
      Communication Manager
      Driver initialization
         Syscall index set (exclusive access)
         ACD set (shared-read access)
  25. Device Opening
      The device is a file
      IO Manager call
      Object Manager call
      Device object security attributes
  26. Service Proxy
      Like a reference monitor
      Game management
      App2Drv/Drv2App IRPs
         Overlapped (asynchronous) I/O
      Pipe Manager
      Communication events
  27. Logger and ACD Controller
      Windows System32 home directory
      ACD Reader/Writer
         ACD file (shared-read mode)
         LawPacket structure (fixed fields)
      Hook Logger
         Buffered write
         "Log.txt"
  28. WHIPS Agent
      Ready-to-run application (pretty ugly interface; are you able to design it better?! Do it)
      Driver Controls
         Pipe
      ACD window
         Filter rule insertion/deletion
      Monitor Log window
         Manual/Automatic (timeout based) refresh
         Index field in the Insert Filter window
  29. (no text on this slide)
  30. What's next?
  31. Distributed WHIPS
      Global ACD maintenance
      Auto Update
      Less overhead for "Windows typical users"
      Interface: with or without it?
      Better and faster protection
      Architectural complexity increased (do you want the barrel full and the wife drunk?! As the Italian saying goes, you cannot have your cake and eat it too)
  32. What's better to do now?
      Increasing:
         Stability
         Reliability (still not so high)
         Performance
      Security issues
         Secure boot
         Non-paged memory amount
         Authentication between components
         Integrity and availability of used files
         Secure channel communication
  33. References
      Battistoni, Gabrielli, Mancini - A Host Intrusion Prevention System for Windows Operating Systems, ESORICS 2004
      Bernaschi, Gabrielli, Mancini - REMUS: a Security-Enhanced Operating System, ACM TISSEC, Feb. 2002
      Russinovich, Solomon - Microsoft Windows Internals, 4th Edition: Microsoft Windows Server 2003, Windows XP and Windows 2000, Microsoft Press, 2004
      (NOT YET RELEASED) Russinovich, Solomon - Microsoft Windows Internals, 5th Edition: Microsoft Windows Vista
      Nebbett - Windows NT/2000 Native API Reference, Macmillan Technical Publishing
      Hoglund, Butler - Rootkits: Subverting the Windows Kernel, Addison-Wesley Professional, 2005
      Oney - Programming the Microsoft Windows Driver Model, 2nd Edition, 2003
      Microsoft Developer Network - msdn.microsoft.com
      Windows Driver Development - www.osronline.com
      Battistoni, Licameli, Di Biagio - Laurea theses and other material at www.robertobattistoni.it
  34. I Want YOU
      If you like WHIPS, you are WELCOME: just ask Prof. Mancini or Roberto Battistoni
  35. The end
      Enjoy WHIPS
      For further information visit whips.sourceforge.net
      For anything else, bugs above all, send an email to vavalab@gmail.com or rbattistoni@acm.org
