Today I presented at the Blackhat USA conference. The talk is titled “Analysis of the attack surface of Windows 10 virtualization-based security”. The main points of the presentation were:
- Currently, VBS provides protection only against a few specific attacks. Many typical malware actions (e.g. ransomware) are not affected by it.
- Credential Guard stops the classical pass-the-hash scenario. However, an attacker capable of running code in the context of the logged-in user can still use that user’s credentials to authenticate to remote servers, and thus perform lateral movement.
- Hypervisor-enforced kernel code integrity places additional restrictions on what kernel exploits can achieve. A vulnerability fixed in MS16-066, which allowed unsigned code to run in kernel context, is discussed.
- The VBS architecture is very different from other virtualization-based solutions. Possible attack vectors specific to VBS are discussed; in particular, the reliance on UEFI and hardware security is highlighted.
- A special case of the above, namely SMM vulnerabilities, is clearly the most severe threat. Exploiting them is nontrivial and firmware-specific, but there have recently been many examples (e.g. thinkpwn), resulting in a full bypass of all VBS features.