BlueHat v17 || Securing Windows Defender Application Guard
•Download as PPTX, PDF•
2 likes•2,480 views
Saruhan Karademir, Microsoft David Weston, Microsoft Windows Defender Application Guard (WDAG) brings the next generation isolation into the browser space. It merges the best of Hyper-V virtualization and Microsoft Edge sandboxing technologies to bring hardware-enforced isolation of untrusted websites from the user’s data and operating system. In this talk, we will walk through the WDAG security promise and architecture. We will explain how it was built from the ground up with security as the number one priority showcasing the architectural decisions that added layers of defense. Finally, we explore how Microsoft’s internal security teams engaged from the very beginning of this feature’s development, helping shape WDAG’s design, finding and fixing critical vulnerabilities, and building additional defense-in-depth layers before the product reached a single customer.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to BlueHat v17 || Securing Windows Defender Application Guard
Similar to BlueHat v17 || Securing Windows Defender Application Guard (20)
More from BlueHat Security Conference
More from BlueHat Security Conference (20)
Recently uploaded
Recently uploaded (20)
BlueHat v17 || Securing Windows Defender Application Guard
- 1. David “dwizzzle” Weston Securing Windows Defender Application Guard Microsoft, Windows and Devices Device Security Group Manager Saruhan “manbun” Karademir Information Security Microsoft, Windows and Devices
- 2. Eliminate entire classes of vulnerabilities Break exploitation techniques Contain damage & prevent persistence Limit the window of opportunity to exploit
- 3. …
- 4. Edge Manager AppContainer Content AppContainer Store App AppContainer Adobe Flash AppContainer Win32 Process User Mode Font Driver Host AppContainer • UWP apps all run within an AC • Edge uses a multi-AC design for isolation • Office Protected view in n AC • Flash Runs in a separate AC • Win32k system call filtering is enabled for Edge Windows 10 Fall Creators Update • New AppContainer profile (LPAC) reduces broker surface by 90%! • Edge refactored to remove most of GDI System Call Filter AppContainer Properties Security boundary Microsoft will address vulnerabilities that can violate AC security boundary Capability-based resource access Network, file, registry, and device access are restricted (both read and write) Locked down process No symbolic links, reduced attack surface, and various mitigations on by default
- 5. 2 2 1 6 5 5 6 5 14 15 Kernel exploitation trends Ubiquitous user-mode sandboxing has driven attackers to kernel attack surface Windows kernel is a “target rich” environment User-mode sandbox isolation leaves a large kernel attack surface (~2000 system calls) Windows not well suited to software kernel filtering (e.g. seccomp-bpf) Most applications have legacy dependency on kernel limiting effectiveness of filtering Kernel attacks are the top path for sandbox escape
- 6. Privileged Access Workstation Strong kernel isolation for applications running in the guest Separate identity and resource infrastructure Can be extended to arbitrary application scenarios Qubes OS Desktop PAW Locked down host V-Switch V-Switch Strengths Weaknesses High resource requirements Difficult experience for non-technical users Expensive configuration
- 7. • Lightest weight container. • Application isolated using file system and registry virtualization. • Used for centennial as a bridge • No Security guarantees • Container providing an isolated the user session • Shares kernel • Used to achieve higher density in cloud and server deployments. • No a security boundary • Container that uses a lightweight VM • Hypervisor boundary. • Used in hostile multi-tenant hosting. • Commercially known as a “Hyper-V container” • Container that uses a lightweight VM • Resistant to kernel attacks Runs a separate kernel from the host.
- 8. Resource sharing between guest and host VM accesses a file, data is transferred into physical pages of the guest Pages are backed by private virtual memory on the host. Direct Map Physically-backed VMs statically mapped VA backed VMs have “hot hint” indicate set of physical pages should be mapped into the guest Reduces number of memory intercepts generated by the guest. Memory Enlightenment No scheduler in the hypervisor Remove extra scheduling layer Take advantage of the existing NT scheduler features Improved CPU resource tracking/management Root schedules all VP-backing threads Integrated Scheduler
- 14. Host User Mode VM Worker Process Hyper-V Container System Processes Microsoft Edge StorVSP Host Storage Guest Storage C: HVSIMgr Process
- 20. Host User Mode VMSwitch Hyper-V Container System Processes WinNAT Network Adapter(s) HVSIMgr Process Microsoft Edge
- 21. Host User Mode VMSwitch Hyper-V Container System Processes WinNAT Network Adapter(s) HVSIMgr Process Microsoft Edge
- 22. Host User Mode VMSwitch Hyper-V Container System Processes WinNAT LSASS Network Adapter(s) LSASS HVSIMgr Process DNS Client Microsoft Edge DNS Client
- 23. Host User Mode VMSwitch Hyper-V Container System Processes WinNAT LSASS Network Adapter(s) LSASS HVSIMgr Process DNS Client Microsoft Edge DNS Client QueryContextAttributesEx( PCtxtHandle ContextHandle, ULONG Attribute, ULONG BufferLength,
- 24. Host User Mode VMSwitch Hyper-V Container System Processes WinNAT LSASS Network Adapter(s) LSASS HVSIMgr Process DNS Client Microsoft Edge DNS Client QueryContextAttributesEx( PCtxtHandle ContextHandle, ULONG Attribute, ULONG BufferLength, typedef struct PCtxtHandle { ULONG_PTR dwLower ; ULONG_PTR dwUpper ; }
- 26. Host User Mode WinNAT Network Adapter(s) HVSIMgr Process HVSIRPCD Process Hyper-V Container System Processes LSASS Microsoft Edge DNS Client VMSwitch LSASS DNS Client Mitigations • Win32K Blocked • CFG Strict • Image load Restrictions • Microsoft-only • No Remote • ACG • No Child Process creation
- 28. Host User Mode Hyper-V Container System Processes Microsoft Edge System Processes HVSIMgr Process Microsoft Edge VM Worker Process RDP Server User Session
- 29. • Limited Codec SupportAudio • Only Text and ImagesClipboard • Limited by GPO policyPrinter Input Devices • Restricted for WDAGDesktop Integration • Shared memoryDisplay
- 30. Host User Mode Hyper-V Container System Processes Microsoft Edge System Processes HVSIMgr Process Microsoft Edge VM Worker Process RDP Server User Session
- 31. Host User Mode Hyper-V Container System Processes Microsoft Edge System Processes HVSIMgr Process Microsoft Edge VM Worker Process RDP Server User Session
- 33. Host User Mode Hyper-V Container System Processes Microsoft Edge System Processes HVSIMgr Process Microsoft Edge VM Worker Process RDP Server User Session HVSIRDP Client Process HVSIRPCD Process Mitigations • Win32K Filter • CFG Strict • Image load Restrictions • Microsoft-only • No Remote • ACG • No Child Process creation
- 35. Host User Mode Hyper-V Container System Processes Microsoft Edge System Processes HVSIMgr Process Microsoft Edge VM Worker Process User Session HVSIRDP Client Process HVSIRPCD Process HVSI Container Service dll
- 36. Host User Mode Hyper-V Container System Processes Microsoft Edge System Processes HVSIMgr Process Microsoft Edge VM Worker Process User Session HVSIRDP Client Process HVSIRPCD Process HVSI Container Service dll
- 37. Report vulnerabilities & mitigation bypasses via our bounty programs! https://aka.ms/bugbounty Or come work with us. We’re hiring https://aka.ms/cesecurityopenjobs https://aka.ms/wdgsecurityjobs Windows is investing and performance and OS integration to improve container density and scale Conclusion Extend WDAG technology to contain arbitrary apps
- 38. Follow us on the MSRC Blogs to get information on new bounties https://blogs.technet.microsoft.com/msrc/ Windows Bounty Program includes all critical and important bugs in: Windows Insider Preview Hyper-V Microsoft Edge Windows Defender Application Guard New Microsoft Bounty Programs | Additions
- 39. Windows Bounty Program Targets Submit: Critical and important vulnerabilities in Windows Insider Preview slow Hyper-V escapes, Information disclosure and DOS bugs in Hyper-V This continues our effort in finding bugs in various stages of development Category Targets Windows Version Payout range (USD) Base NEW Windows Insider Preview WIP slow $500 to $15,000 Focus area NEW Microsoft Hyper-V Windows 10 Windows Server 2012 Windows Server 2012 R2 Windows Server Insider Preview $5,000 to $250,000 Focus area NEW Windows Defender Application Guard WIP slow $500 to $50,000 Focus area Microsoft Edge WIP slow $500 to $15,000 Focus area Mitigation bypass and Bounty for defense Windows 10 $500 to $200,000
- 40. Vulnerability Type in Windows Insider Preview Slow Whitepaper / Report Quality/ Proof of Concept Pay-out Range(USD) Remote Code Execution High Up to $15,000 Low Up to $1,500 Elevation of Privilege High Up to $10,000 Low Up to $5,000 Information Disclosure High Up to $5,000 Low Up to $2,500 Remote Denial of Service High Up to $5,000 Low Up to $2,500 Tampering / Spoofing High Up to $5,000 Low Up to $2,500 Submit high quality critical and important vulnerabilities in Windows Insider Preview slow Windows Bounty Program Targets
- 41. Vulnerability Type Proof of concept Functioning Exploit Report Quality Payout range (USD) Vulnerability resulting in escape from the WDAG container to the host Required Yes High $30,000 No High $20,000 No Low $10,000 Vulnerability within the Application Guard container, no container escape Required No High $10,000 No Low $2,000 Windows Defender Application Guard
Editor's Notes
- matt
- matt
- dave
- We aren’t there yet. We have a bunch of work to do. We all need to help. Drive customer passion and engagement. WDG-IS is a customer… Find efficiencies, keep the bottom line down. Be willing to take risks, break how we have done things in the past.
- We aren’t there yet. We have a bunch of work to do. We all need to help. Drive customer passion and engagement. WDG-IS is a customer… Find efficiencies, keep the bottom line down. Be willing to take risks, break how we have done things in the past.
- We aren’t there yet. We have a bunch of work to do. We all need to help. Drive customer passion and engagement. WDG-IS is a customer… Find efficiencies, keep the bottom line down. Be willing to take risks, break how we have done things in the past.
- We aren’t there yet. We have a bunch of work to do. We all need to help. Drive customer passion and engagement. WDG-IS is a customer… Find efficiencies, keep the bottom line down. Be willing to take risks, break how we have done things in the past.
- We aren’t there yet. We have a bunch of work to do. We all need to help. Drive customer passion and engagement. WDG-IS is a customer… Find efficiencies, keep the bottom line down. Be willing to take risks, break how we have done things in the past.
- matt
- I wanted to have a special call out to these programs to ensure it’s gotten your attention. The Edge web plat beta and .net core and asp.net core programs were announced in the months of August and September this year.
- Let’s get to the heart of the matter – starting with a new Edge beta bounty I like to call it part 2 of the Edge beta bounty series as the first one was in 2015 Please submit RCE and W3c standard We want you to use our latest bits and partner with us to help us understand the issue better. Additional money will be awarded for those who submit bugs on WIP slow All bugs must reproduce on the Windows Insider Preview slow branch. A lot of you have had questions in the past on why we focus primarily on beta – one of the reasons is that we want to find all these bugs in our latest and greatest software in earlier development stages. It ensures the end user receives the most secure software possible (it’s been through internal and crowdsourced pen testing) Another change with this bounty aligns with the general trend by other software vendors and bounty agents We will pay $1500 for internally known bugs You’ve got about 7 more months to give us your bugs