On October 31, the Google security team announced that it had discovered a vulnerability, actively exploited in the wild, in (unspecified) versions of Microsoft Windows. The vulnerability is a local privilege escalation, allowing an unprivileged user to gain kernel privileges. The original advisory is here. On November 1, Alex Ionescu posted on his blog some remarks (here […]
Today I presented at the Black Hat USA conference. The talk is titled “Analysis of the attack surface of Windows 10 virtualization-based security”. The main points of the presentation were: Currently VBS provides protection only against a few specific attacks. Many typical malware actions (e.g. ransomware) are not affected by it. Credential Guard stops the classical pass-the-hash scenario. […]
Nine Xen hypervisor security advisories – XSA-145, XSA-146, XSA-147, XSA-148, XSA-149, XSA-150, XSA-151, XSA-152 and XSA-153 – were released on October 29. The good news is that none of them impacts the Bromium vSentry hypervisor. The most notable one is XSA-148:
On Windows systems before Windows 8.1 Update 3, C code calling a function pointer used to be compiled to just a simple “call register” instruction; for example, in a 32-bit process: call esi. Starting with Windows 8.1 Update 3, in all system libraries, it is more complicated: mov ecx, esi; call ds:___guard_check_icall_fptr; call esi
Five Xen hypervisor security advisories – XSA-120, XSA-121, XSA-122, XSA-123 and XSA-124 – have been published recently. Let’s have a look at how they relate to the Bromium vSentry hypervisor, uXen, which has been derived from Xen.
Introduction. CVE-2014-9322 is described as follows: arch/x86/kernel/entry_64.S in the Linux kernel before 3.17.5 does not properly handle faults associated with the Stack Segment (SS) segment register, which allows local users to gain privileges by triggering an IRET instruction that leads to access to a GS Base address from the wrong space. It was fixed on […]
Recently I presented at the 31st Chaos Communication Congress (together with Corey Kallenberg) a talk titled “Attacks on UEFI security”. We described (and demoed) vulnerabilities allowing us to achieve write access to the flash chip (which stores the UEFI code) and to SMM memory (which holds the code for the all-powerful System Management Mode). The CERT […]
Mega biblion mega kakon… … and similarly a long blog is a nuisance, so I managed to squeeze the essence of it into a single sentence, the title. If it is not entirely clear, read on.
As all careful readers of this blog certainly know, the Bromium vSentry hypervisor (uXen) has been derived from Xen. This means parts of the codebase are shared between the two projects, and vulnerabilities found in Xen are sometimes relevant to uXen. The two recent Xen Security Advisories, XSA-105 and XSA-108, are not particularly severe (at […]
This week I presented at Black Hat USA. The talk is titled “Poacher turned gatekeeper: lessons learned from eight years of breaking hypervisors”. The main points were: describe the attack surface of Type 1 and Type 2 hypervisors; show that, despite not being 100% bulletproof, hypervisors are still the best usable way to isolate potentially […]
What is SMEP? Supervisor Mode Execution Protection (SMEP) is a feature introduced in the third generation of Intel Core processors (Ivy Bridge). It is enabled by setting bit 20 of the CR4 register. If SMEP is enabled, attempts by the kernel to execute code stored in a page not owned by the kernel will be denied […]