Windows Kernel-mode GS Cookies subverted (paper)

[j00ru <j00ru.vx () gmail com>]

Hi,

We've published a paper about reducing the effective entropy of GS
cookies found in the Windows drivers (both 32 and 64bits). The document
aims to outline some of the techniques, which can be employed to predict
the cookie value of a kernel module with up to 50% accuracy.
Experimental results included.

http://vexillium.org/dl.php?/Windows_Kernel-mode_GS_Cookies_subverted.pdf

More information is available on our blogs:
http://j00ru.vexillium.org/?p=690
http://gynvael.coldwind.pl/?id=371

Abstract: This paper describes various techniques that can be used to
reduce the effective entropy of GS cookies implemented in a certain
group of Windows kernel-mode executable images by roughly 99%, or
otherwise defeat it completely. This reduction is made possible due to
the fact that GS uses a number of extremely weak entropy sources, which
can be predicted by the attacker with varying (most often - very high)
degree of accuracy. In addition to presenting theoretical considerations
related to the problem, the paper also contains a great amount of
experimental results, showing the actual success / failure rate of
different cookie prediction techniques, as well as pieces of
hardware-related information. Furthermore, some of the possible problem
solutions are presented, together with a brief description of potential
attack vectors against these enhancements. Finally, the authors show how
the described material can be practically used to improve kernel
exploits’ reliability - taking the CVE-2010-4398 kernel vulnerability as
an interesting example.

Comments are welcome!

Take care,
Matt "j00ru" Jurczyk, Gynvael Coldwind

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/