LAS VEGAS — Microsoft spent a whole day here at the Black Hat conference extolling the security enhancements in its upcoming Vista operating system.
Joanna Rutkowska, a security researcher with security firm Coseinc, spent a day picking it apart.
Then again, what else would you expect from a session at a hacker convention titled: “Subverting Vista Kernel For Fun And Profit”?
Rutkowska took the stage in front of a capacity audience and proceeded to explain how to get around Vista.
She demonstrated two potential attack vectors. One could allow unsigned code to be loaded into the Vista kernel. The second vector involved taking advantage of AMD’s Pacific Hardware Virtualization to inject a new form of super malware that Rutkowska claimed to be undetectable.
Rutkowska’s Vista kernel attack did not rely on any known bugs in Vista, which is still in beta testing. She stressed that her demonstration did not rely on any implementation bug nor any undocumented Windows Vista functionality.
She characterized her approaches as “legal,” using documented SDK One of the new features in Vista Beta 2 is that it requires all kernel mode drivers to be signed. The general idea is to prevent malware from being injected. Rutkowska’s effort suggested that Microsoft still has some work to do on this feature. Rutkowska’s method for injecting unsigned (and therefore potentially malicious) drivers into the Vista kernel involved taking advantage of paged memory to bypass Vista security. In her demo, the shellcode used disabled signature checking, thus allowing any unsigned driver to be subsequently loaded. Taking her attack a step further, she implemented a one-click tool, which she called “Kernelstike” to execute her Vista kernel exploit. Call it fresh meat for sharks: The audience erupted into spontaneous applause, followed by whoops and woo-hoos throughout her demonstration. “The fact that this mechanism was bypassed doesn’t mean Vista is insecure. It just means it’s just not as secure as advertised,” Rutkowska said. Rutkowska brought suggestions that could potentially prevent the subversion of the Vista kernel. One of them involves denying raw disk access from usermode, though she said that approach would likely break many applications. Rutkowska said she disabled kernel memory paging on her own machine and is just using physical memory instead. She did admit, however, that her machine had 4 GB of RAM and as such paging makes little sense. Rutkowska also demonstrated a new form of super malware that she said she could use against Vista. The attack involved compromising chipmaker AMD’s 64 SVM hardware virtualization features with a tool she called “Blue Pill.” It creates a hypervisor that can control the operating system. A network backdoor can then be inserted onto a compromised Blue Pill machine. Rutkowska developed such a backdoor. She named it “Delusion.” She said it was undetectable. When she connected to it, the remote shell on the compromised Blue Pill machine greeted Rutkowska with the following response: “Hi this is Delusion. Where do you want to go today?”