Inside Paulo Abrantes' head
2006-08-06

Security: Windows Vista's Kernel not that secure

Created by pabrantes.


I know it seems strange that I'm writing about Windows Vista, but yesterday I read some interesting material about it, especially about its kernel.

You might not know it, but Microsoft has put a policy into Vista's (64-bit) kernel: kernel-mode code will (errr.. should) only be loaded if it carries a valid digital signature.
This is how Microsoft chose to harden the kernel against malware such as kernel-mode rootkits. (If you are interested in rootkits you might want to have a look at the post Rootkits: now a generalised threat.)

Although Microsoft claimed the new feature was pretty secure (so typical of them), last Friday Joanna Rutkowska gave a talk at the Black Hat conference called "Subverting Vista Kernel For Fun And Profit", in which she showed that she could get unsigned code loaded into the kernel. What's even cooler is that she didn't exploit any obscure Vista functionality or an unknown bug: from an administrator account she used raw disk access to overwrite kernel code that had been paged out to the pagefile, so that it came back into memory already modified. The signature is checked only when a driver is loaded, so code that is later swapped out to disk and back in is never checked again, and writing raw disk sectors needs administrator rights, not a kernel exploit.

But Joanna couldn't present only that attack vector. Being a well-known security researcher with an interest in rootkits, she also presented a program called "Blue Pill", which uses AMD's hardware virtualization (SVM, codename Pacifica) to move the running operating system into a virtual machine on the fly, with no reboot.
Blue Pill slips a thin hypervisor underneath the OS and uses it to intercept the events it cares about (system calls, for instance) and run whatever code the attacker wants. The virtualization is done by the processor itself, not in user land or in the kernel, so there is nothing inside the guest to point at, which makes detection from within really hard.
Joanna also said that with some work the concept could be brought to Intel's new chips with VT-x.
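As an added example (not from the post, and not Rutkowska's Blue Pill code), here is a small C program that asks the processor, via CPUID, the two things the paragraph above turns on: whether the machine has the hardware virtualization Blue Pill needs (AMD SVM, or Intel VT-x for the port she mentioned), and whether a hypervisor has announced itself through the "hypervisor present" bit and the vendor-string leaf. The bit positions are the documented ones from the AMD and Intel CPUID references; the function and struct names are mine, and the register values in the usage note are constructed. The caveat in the comments is the whole point of the paragraph: a Blue Pill style hypervisor intercepts CPUID itself and can answer these queries however it likes, so a clear bit proves nothing, while a set bit only ever reveals a hypervisor that wanted to be seen.

```c
/*
 * cpuid_virt.c: added example, not code from the post nor from Blue Pill.
 * Queries CPUID for (a) AMD SVM / Intel VT-x support, which a Blue Pill
 * style hypervisor needs, and (b) the "hypervisor present" bit plus the
 * vendor string a *cooperative* hypervisor publishes in leaf 0x40000000.
 * Build on x86/x86-64 with: gcc -std=c99 -Wall cpuid_virt.c -o cpuid_virt
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#define HAVE_X86_CPUID 1
#else
#define HAVE_X86_CPUID 0
#endif

/* Bit positions as documented in the Intel SDM and AMD APM CPUID tables. */
#define LEAF1_ECX_VMX        (1u << 5)   /* CPUID.1:ECX[5]  Intel VT-x (VMX) */
#define LEAF1_ECX_HYPERVISOR (1u << 31)  /* CPUID.1:ECX[31] hypervisor present */
#define EXT1_ECX_SVM         (1u << 2)   /* CPUID.80000001h:ECX[2] AMD SVM */
#define HV_VENDOR_LEAF       0x40000000u /* vendor string in EBX, ECX, EDX */

struct virt_caps {
    int vmx;            /* Intel VT-x available */
    int svm;            /* AMD SVM available (what Blue Pill used) */
    int hv_present;     /* a hypervisor chose to announce itself */
    char hv_vendor[13]; /* e.g. "VMwareVMware", "KVMKVMKVM"; empty if none */
};

/* Pure decoding step, kept apart from the CPUID instruction so it can be
 * exercised with constructed register values on any machine. */
struct virt_caps decode_caps(uint32_t leaf1_ecx, uint32_t ext1_ecx,
                             uint32_t hv_ebx, uint32_t hv_ecx, uint32_t hv_edx)
{
    struct virt_caps c;
    uint32_t regs[3] = { hv_ebx, hv_ecx, hv_edx };
    int i;

    memset(&c, 0, sizeof c);
    c.vmx = (leaf1_ecx & LEAF1_ECX_VMX) != 0;
    c.svm = (ext1_ecx & EXT1_ECX_SVM) != 0;
    c.hv_present = (leaf1_ecx & LEAF1_ECX_HYPERVISOR) != 0;
    if (c.hv_present) {
        /* The string is stored low byte first in EBX, then ECX, then EDX;
         * extract byte by byte so the result does not depend on host endianness. */
        for (i = 0; i < 12; i++)
            c.hv_vendor[i] = (char)((regs[i / 4] >> (8 * (i % 4))) & 0xffu);
        c.hv_vendor[12] = '\0';
    }
    return c;
}

/* True if this processor could host a Blue Pill style hypervisor at all. */
int can_host_thin_hypervisor(const struct virt_caps *c)
{
    return c->svm || c->vmx;
}

/* Live query. Returns 0 when built for a non-x86 target (no CPUID there). */
int query_caps(struct virt_caps *out)
{
#if HAVE_X86_CPUID
    unsigned int a = 0, b = 0, c = 0, d = 0;
    uint32_t leaf1_ecx = 0, ext1_ecx = 0, hb = 0, hc = 0, hd = 0;

    if (__get_cpuid(1, &a, &b, &c, &d))
        leaf1_ecx = c;
    if (__get_cpuid(0x80000001u, &a, &b, &c, &d))
        ext1_ecx = c;
    if (leaf1_ecx & LEAF1_ECX_HYPERVISOR) {
        /* 0x40000000 is above the basic range __get_cpuid validates against,
         * so issue the instruction directly. */
        __cpuid(HV_VENDOR_LEAF, a, b, c, d);
        hb = b; hc = c; hd = d;
    }
    *out = decode_caps(leaf1_ecx, ext1_ecx, hb, hc, hd);
    return 1;
#else
    memset(out, 0, sizeof *out);
    return 0;
#endif
}

int main(void)
{
    struct virt_caps c;

    if (!query_caps(&c)) {
        puts("not an x86 build: CPUID is unavailable");
        return 0;
    }
    printf("Intel VT-x (VMX):      %s\n", c.vmx ? "yes" : "no");
    printf("AMD SVM (Pacifica):    %s\n", c.svm ? "yes" : "no");
    printf("could host thin HV:    %s\n", can_host_thin_hypervisor(&c) ? "yes" : "no");
    printf("hypervisor announced:  %s\n", c.hv_present ? c.hv_vendor : "no");
    /* Caveat: a Blue Pill style hypervisor owns the CPUID exit, so it can
     * clear the hypervisor bit, hide SVM/VMX, or report any vendor string.
     * "no" above is not evidence of a clean machine. */
    return 0;
}
```

Feeding decode_caps the constructed registers 0x80000020 (leaf 1 ECX), 0x4 (extended leaf 1 ECX) and 0x61774D56 / 0x4D566572 / 0x65726177 (the VMware vendor string laid out little-endian) yields vmx, svm and hv_present all set and the vendor "VMwareVMware"; with bit 31 clear the same vendor registers are ignored, which is exactly what a hiding hypervisor would arrange.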

Like the other attack vector, this one doesn't directly exploit a flaw in Vista, yet it brings Vista to its knees, and with some work it could work against any operating system running on such hardware. This is probably one of the most interesting, yet dangerous, attack vectors presented in recent years: a rootkit that she presented as undetectable from within the compromised system.
