Blackhat USA presentation on Windows 10 VBS


Today I presented at Blackhat USA conference. The talk is titled “Analysis of the attack surface of Windows 10 virtualization-based security”. The main points of the presentation were:

  1. Currently VBS provides protection only against a few specific attacks. Many typical malware actions (e.g. ransomware) are not affected by it.
  2. Credential Guard stops the classical pass-the-hash scenario. However, an attacker capable of running his code in the context of the logged-in user can still use that user’s credentials to authenticate to remote servers, and thus perform lateral movement.
  3. Hypervisor-enforced kernel code integrity places additional restrictions on what kernel exploits can achieve. A vulnerability fixed in MS16-066, which allowed unsigned code to run in kernel context, is discussed.
  4. The VBS architecture is very different from other virtualization-based solutions. Possible attack vectors specific to VBS are discussed; in particular, the reliance on UEFI and hardware security is highlighted.
  5. A special case of the above, namely SMM vulnerabilities, is clearly the most severe threat. Exploiting them is nontrivial and firmware-specific, but recently there have been many examples (e.g. thinkpwn), resulting in a full bypass of all VBS features.
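As an added example (not part of the talk, the whitepaper or the author's own material), the following PowerShell snippet reads the Win32_DeviceGuard WMI class that Windows 10 exposes, so a defender can verify which of the VBS features discussed above are actually running on a given machine and which of the hardware and firmware properties the hypervisor depends on are present. The class, namespace and the numeric value maps are Microsoft's documented ones; the variable names and the output wording are mine.

```powershell
# Added example: report the VBS state of the local Windows 10 machine.
# Requires an elevated PowerShell session; reads only, changes nothing.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

# Value maps as documented by Microsoft for Win32_DeviceGuard.
$vbsStatus = @{ 0 = 'Disabled'; 1 = 'Enabled but not running'; 2 = 'Running' }
$services  = @{ 1 = 'Credential Guard'; 2 = 'Hypervisor-enforced code integrity (HVCI)' }
$props     = @{ 1 = 'Hypervisor support'; 2 = 'Secure Boot'; 3 = 'DMA protection';
                4 = 'Secure memory overwrite'; 5 = 'UEFI code read-only';
                6 = 'SMM security mitigations 1.0' }

# Fall back to the raw number for any value not in the maps above.
function Describe($map, $value) {
    $key = [int]$value
    if ($map.ContainsKey($key)) { "$key ($($map[$key]))" } else { "$key (undocumented here)" }
}

"VBS status: $(Describe $vbsStatus $dg.VirtualizationBasedSecurityStatus)"

"Security services configured:"
foreach ($s in @($dg.SecurityServicesConfigured)) { "  " + (Describe $services $s) }

"Security services running:"
foreach ($s in @($dg.SecurityServicesRunning)) { "  " + (Describe $services $s) }

"Available security properties (what the platform offers):"
foreach ($p in @($dg.AvailableSecurityProperties)) { "  " + (Describe $props $p) }

"Required security properties (what the VBS configuration demands):"
foreach ($p in @($dg.RequiredSecurityProperties)) { "  " + (Describe $props $p) }

# A required property that the platform does not offer explains why VBS is
# 'Enabled but not running' rather than 'Running'.
$missing = @($dg.RequiredSecurityProperties) | Where-Object { $_ -notin @($dg.AvailableSecurityProperties) }
if ($missing.Count -gt 0) {
    "Required but unavailable: " + (($missing | ForEach-Object { Describe $props $_ }) -join ', ')
}
```

The two lists to compare are "configured" and "running": Credential Guard (1) or HVCI (2) appearing only in the former means the feature was turned on by policy but the hypervisor could not start it, usually because a required property (commonly Secure Boot or DMA protection) is missing from the available set. Property 6, when present, indicates the firmware reports the SMM mitigations that the last point above identifies as the weakest link; its absence does not mean SMM is exploitable, only that the platform gives VBS no such assurance.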

The slides and whitepaper are available for download; the latter is more detailed.
