
[question] What has changed in Windows 10 in terms of exploit protection?

Azrv3l

win32kfull
Expert
Joined: 30.03.2019
Messages: 215
Reactions: 539
New versions of Windows keep adding new exploit-protection mechanisms. Example:
Windows 8 added a number of innovations concerning exploit protection, including protection of the user-mode heap (userland heap) and the kernel heap, protection against the use of null-pointer dereferences in kernel mode, and protection against abuse of virtual-function pointer tables.

What changed in Win 8/10 relative to older editions? Could you share a few links on the subject?
For example, CFG appeared in Windows 8.1, and in Windows 10 it is present by default.
The emphasis is on control-flow integrity: Code Pointer Integrity (CPI), Control Integrity Guard (CIG), Compact Control Flow Integrity and Randomization (CCFIR), Control-Flow Integrity (CFI\CFG), Return Flow Guard (RFG)

The latest thing they added -> https://techcommunity.microsoft.com...dware-enforced-stack-protection/ba-p/1247815#

Exploit Mitigation Improvements in Windows 8
Windows 10 Mitigation Improvements

Azrv3l, look at the presentations from conferences: blackhat, cansecwest, defcon, hitb, offensivecon, recon, nullcon, zer0con etc. There is a lot of interesting material there.
Video from the SANS HackFest Summit

Windows 10 Kernel Mitigations and Exploitation w/ Jaime Geiger & Stephen Sims - SANS HackFest Summit


In this talk we will briefly look at the internals of the Windows 10 kernel and the mitigations against kernel exploits. Microsoft has done an incredible job of reducing the attack surface of the Windows operating system by applying effective mitigations against the exploitation of vulnerabilities, with some of the latest protections focused on control-flow enforcement technology. Exploitation is still possible under the right conditions; nevertheless, the common techniques are largely mitigated. We will end the presentation by looking at some of the remaining opportunities for exploitation.

P.S.
There is really a lot here once you dig into it.

*** Kernel Exploit Mitigation Overview
Kernel Mode Code Signing (KMCS)
Supervisor Mode Execution/Access Prevention (SMEP\SMAP)
Kernel Address Space Layout Randomization (KASLR)
Control Flow Guard (CFG)
Virtual Based Security (VBS)
Device Guard and Credential Guard
Hypervisor-Protected Code Integrity (HVCI)
PatchGuard (KPP)
Other and Future Mitigations
Shadow Virtual Address (KVA)
Kernel Data Protection (KDP)

KMCS
Can be defeated by exploiting signed driver
Windows Hardware Quality Labs (WHQL)
Extended Validation (EV)
Extra tests, no third-party signing
Mode available in Server 2019 to only allow EV-signed drivers
Once it's signed, it will load, even if it is expired
Leaked certificates can help you sign your own code
Antivirus may look for drivers signed by these certificates

SMEP&SMAP
Prevent execution or access of data residing in user mode from kernel mode
SMEP is fully implemented as of Windows 8
SMAP is only implemented as of Windows 10 1903
Very limited form, would break many legacy drivers
EFLAGS AC bit allows switching it on and off when user mode addresses need to be accessed

KASLR & Address Leak Protection
Kernel ASLR has been vastly improved over time
HEASLR + ForceASLR make a powerful combination
4 bits of entropy (Win Vista 32-bit) -> 22 bits of entropy (Win 10 64-bit)
Windows 10 vastly reduces the number of information leaks that could disclose the base of the kernel or other modules
Randomize HAL heap
Remove kernel pointer references from TEB (Desktop Heap) and PEB (GdiSharedHandleTable)
GDI objects have been moved into session pool to reduce likelihood of read/write primitive abuse
Randomized page tables
Unable to query driver bases via Psapi and NtQuerySystemInformation from low integrity (Win 8)

CFG
Forward control flow protection
Guards indirect calls via validation of destination
Is the function that is about to be called a valid call target?
Only enabled on Pro and Enterprise version of Windows 10 when Core Isolation is also enabled
guard_dispatch_icall validates call targets via bitmap check

VBS
Hyper-V backed security mechanism
Trust split across Virtual Machines into Virtual Trust Levels (VTLs)
Runs a secure OS in VTL1, normal Windows OS in VTL0
Only Microsoft-signed code can run in VTL1 if boot process is secure
Secure Kernel Mode (SKM) - VTL1\Ring 0
Stripped-down kernel
Isolated User Mode (IUM) - VTL1\Ring 3
System calls still pass through a version of NTDLL into SKM
Runs normal, but specially signed exes called "trustlets"

Device Guard and Credential Guard
Device Guard
Ensure that only known-good code can run via Hypervisor Code Integrity (HVCI)
Credential Guard
Lock LSA secrets away inside of Isolated User Mode
Includes NTLM hashes and Kerberos Tickets (TGT)
Lsass.exe (VTL0\Ring 3) communicates with Lsaiso.exe (VTL1\Ring 0) via secure channel (ALPC)

HVCI
SKM module (SKCI.DLL)
Checks if a page can become executable from a policy (CCI)
Kernel Mode Code Integrity (KMCI): "Strong code guarantees"
Kernel pages can only become executable with proper signing
"Software SMEP"
User Mode Code Integrity (UMCI): "Hard code guarantees"
User mode pages can only become executable with proper signing
MSR, control register, and DMA filtering
Legacy drivers that request executable memory will think they have it, but the hypervisor will prevent it

KPP
Kernel Patch Protection (KPP) a.k.a. PatchGuard protects the kernel from modifications of critical structures and registers
Only runs on 64-bit systems, 32-bit does not have KMCS
Obfuscated code that hooks into many different kernel mechanisms to check for modifications periodically and randomly
Hooks DPCs, APCs, some kernel functions, and much more
Relies on rdtsc instruction for randomness
Checks IDT, SSDT, HAL dispatch table, 100+ Nt- functions, MSRs
Can be defeated with a bootkit, hard to defeat at runtime
Does not run if a debugger is attached at boot

Other Mitigations
Speculative Execution mitigations
Kernel Page Table Isolation (KPTI)/Kernel Virtual Address Shadow (KVAS)
Retpoline
Segment Heap
Null page mapping
Guard pages
Range checks
Stack cookies

Future Mitigations
Xtreme Flow Guard (XFG)/ Enhanced Control Flow Guard
Functions have prototype information validated before call
Kernel Data Protection
Lock pages in VSM to prevent modification of important data structures (such as the code integrity bit in the kernel image)
Control-flow Enforcement Technology (CET)
Hardware shadow stacks
Implemented in Windows 10 20H1
System Guard Secure Launch
Oversee and limit impact of firmware vulnerabilities in System Management Mode (SMM)
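A defender-side check that maps the mitigations listed in the slides above (VBS, HVCI, Credential Guard, Secure Launch, CFG, HEASLR, CET shadow stacks) to their live state on a host. This is an added example, not code from the thread or from the SANS talk; it assumes an elevated PowerShell 5.1+ session on Windows 10 1709 or later (Get-ProcessMitigation), and the UserShadowStack property name is an assumption to verify on the target build.

```powershell
# Added example: report which of the mitigations discussed above are running on this host.
# Run elevated. Output is a list of objects, so it can be piped to Format-Table or Export-Csv.
function Get-MitigationReport {
    # 1. VBS / HVCI / Credential Guard / Secure Launch via the Device Guard WMI class.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    # VirtualizationBasedSecurityStatus: 0 = disabled, 1 = enabled but not running, 2 = running
    $vbsState = @{ 0 = 'Disabled'; 1 = 'Enabled, not running'; 2 = 'Running' }[[int]$dg.VirtualizationBasedSecurityStatus]
    [PSCustomObject]@{ Mitigation = 'VBS (VTL1 secure kernel)'; State = $vbsState }

    # SecurityServicesRunning codes as documented by Microsoft for Win32_DeviceGuard
    $services = @{
        1 = 'Credential Guard (LSA secrets in IUM)'
        2 = 'HVCI (KMCI enforced from VTL1)'
        3 = 'System Guard Secure Launch'
        4 = 'SMM Firmware Measurement'
    }
    foreach ($id in ($services.Keys | Sort-Object)) {
        $running = $dg.SecurityServicesRunning -contains $id
        [PSCustomObject]@{ Mitigation = $services[$id]; State = if ($running) { 'Running' } else { 'Not running' } }
    }

    # 2. System-wide process mitigation defaults: CFG, DEP, ASLR (ForceASLR + HEASLR), CET.
    $sys = Get-ProcessMitigation -System
    [PSCustomObject]@{ Mitigation = 'CFG (system default)';        State = $sys.Cfg.Enable }
    [PSCustomObject]@{ Mitigation = 'DEP (system default)';        State = $sys.Dep.Enable }
    [PSCustomObject]@{ Mitigation = 'ASLR ForceRelocateImages';    State = $sys.Aslr.ForceRelocateImages }
    [PSCustomObject]@{ Mitigation = 'ASLR HighEntropy (HEASLR)';   State = $sys.Aslr.HighEntropy }
    # UserShadowStack (CET) only exists on 20H1+ builds; the property name is an assumption.
    if ($sys.PSObject.Properties['UserShadowStack']) {
        [PSCustomObject]@{ Mitigation = 'CET user-mode shadow stack'; State = $sys.UserShadowStack.UserShadowStack }
    }

    # 3. HVCI policy in the registry: the configured intent, as opposed to the running state in step 1.
    #    A mismatch (requested but not running) usually means an incompatible driver or no hypervisor support.
    $hvciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
    $hvci = (Get-ItemProperty -Path $hvciKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
    [PSCustomObject]@{ Mitigation = 'HVCI policy (registry)'; State = if ($hvci -eq 1) { 'Requested' } else { 'Not requested' } }
}

Get-MitigationReport | Format-Table -AutoSize
```

Comparing the "Requested" registry state with the "Running" WMI state is the quickest way to spot a host where HVCI was enabled by policy but silently failed to start.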