Secure Coding mailing list archives

Dark Reading - Application and Perimeter Security - Hacking the Vista Kernel - Security News Analysis


From: petesh at indigo.ie (Pete Shanahan)
Date: Wed, 26 Jul 2006 17:49:31 +0100

Ken Buchanan wrote:
I thought you had to have administrator access before you were

If you took Joanna to mean 'User privileges' when she said
'user-mode', then you were mistaken.  The opposite of user mode is
kernel mode.

Yes, I think that would be my foot-in-mouth there. I misread the article,
misinterpreting privileges when it meant non-kernel mode.


I'm just wondering how flawed the implementation of the Windows paging
model is that it would allow for this kind of breach. The standard model
I'm familiar with would simply flush the page from memory, and would not
keep a copy in the external page-file, instead relying on the copy that
already exists on the disk.

Can you explain this objection a little better?  I understand Joanna's
attack to imply that she is forcing OS code to be paged out of
memory, meaning it is now on disk and no longer in physical memory.
She modifies the paged-out code using raw disk writes, since
sector-level access bypasses the file system's access control
protection.  Then, when the OS code is needed again, it is paged back
into physical memory carrying whatever little Easter Egg Joanna
cared to hide in it.

Again, a slight silliness on my behalf - I was thinking that the modifications
were being made to the content of the page-file and not the binary on-disk, as
mentioned in the article:

  This isn't simple for hackers to execute, however. "For the attack to succeed,
  one needs to find a reliable way to force interesting kernel code to be paged
  out, then find that code inside a page file and modify it. And finally, the
  kernel needs to load that code (now modified) again into physical memory and
  execute it," she says. "The proof-of-concept code I implemented solves all
  those challenges allowing for very reliable exploitation."

I presume the flaw with the OS is that the code signing check only occurs once,
at driver load time, rather than every time any part of it gets paged in.

I've seen malicious cache page corruption on Solaris, where you corrupt a page
that is already loaded in memory, which does not require root access to work.

-- 
Pete    +353 (87) 412 9576 [M]
The first time, it's a KLUDGE!
The second, a trick.
Later, it's a well-established technique!

        -- Mike Broido, Intermetrics
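The point raised in the message above, that a signature check done once at driver load cannot catch a page that was altered in the page file while evicted, as an added toy simulation that is not part of the original thread or of any Windows code. The pager, page file, page size and driver image are all constructed here; the only design choice it illustrates is re-verifying a page's digest when it is faulted back in.

```python
import hashlib

PAGE_SIZE = 8  # toy page size in bytes (constructed for this example)


class IntegrityError(Exception):
    """Raised when a page read back from the page file no longer matches."""


class ToyPager:
    """Toy model: a driver image is checked once at load, its pages may be
    evicted to a page file, and are later faulted back into memory.
    `recheck_on_page_in` selects whether a page is re-verified at that point."""

    def __init__(self, image: bytes, recheck_on_page_in: bool):
        self.recheck = recheck_on_page_in
        # One-time load check, standing in for the driver signature check.
        self.load_digest = hashlib.sha256(image).hexdigest()
        # Per-page digests recorded at load so page-in can be verified later.
        pages = [image[i:i + PAGE_SIZE] for i in range(0, len(image), PAGE_SIZE)]
        self.page_digests = [hashlib.sha256(p).hexdigest() for p in pages]
        self.resident = dict(enumerate(pages))  # "physical memory"
        self.page_file = {}                     # backing store on "disk"

    def page_out(self, idx: int) -> None:
        self.page_file[idx] = self.resident.pop(idx)

    def raw_disk_write(self, idx: int, data: bytes) -> None:
        # Models a sector-level write that bypasses file-system ACLs.
        self.page_file[idx] = data

    def page_in(self, idx: int) -> bytes:
        data = self.page_file.pop(idx)
        if self.recheck and hashlib.sha256(data).hexdigest() != self.page_digests[idx]:
            raise IntegrityError(f"page {idx} changed while paged out")
        self.resident[idx] = data
        return data


def simulate(recheck_on_page_in: bool) -> str:
    """Return 'tampered' if modified code became resident, 'blocked' if the
    page-in check refused it, 'clean' if the page came back unchanged."""
    image = b"KERNELCODE_PAGE0KERNELCODE_PAGE1"  # constructed 32-byte "driver"
    pager = ToyPager(image, recheck_on_page_in)
    pager.page_out(1)
    pager.raw_disk_write(1, b"XXXXXXXX")  # evicted page altered on disk
    try:
        pager.page_in(1)
    except IntegrityError:
        return "blocked"
    original = image[PAGE_SIZE:2 * PAGE_SIZE]
    return "tampered" if pager.resident[1] != original else "clean"
```

With `recheck_on_page_in=False` the load-time digest is still valid yet the altered page runs; with it set to `True` the same write is caught at page-in.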
