BRK4014 Windows 10 Security Internals
Chris Jackson, Cybersecurity Enthusiast, Chief Awesomeologist, Microsoft (@appcompatguy)
9/12/2018 10:40 PM
© Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

WDEG (Windows Defender Exploit Guard)
Windows 10 Platform Security: Detect Malicious Behavior, Isolate Threats, Control Execution
Windows App Container, Windows Defender Exploit Guard, Windows Defender Antivirus, Windows Defender Advanced Threat Protection, Windows Defender Application Guard
Windows Exploit Mitigation Internals

Arbitrary Code Guard

    LPVOID WINAPI VirtualAlloc(
        _In_opt_ LPVOID lpAddress,
        _In_     SIZE_T dwSize,
        _In_     DWORD  flAllocationType,
        _In_     DWORD  flProtect
    );

    BOOL WINAPI VirtualProtect(
        _In_  LPVOID lpAddress,
        _In_  SIZE_T dwSize,
        _In_  DWORD  flNewProtect,
        _Out_ PDWORD lpflOldProtect
    );

Executable page protections: PAGE_EXECUTE 0x10, PAGE_EXECUTE_READ 0x20, PAGE_EXECUTE_READWRITE 0x40, PAGE_EXECUTE_WRITECOPY 0x80. ACG stops a process from creating new executable memory (any of these values in flProtect or flNewProtect on non-image memory) and from making existing executable code writable.

Arbitrary Code Guard in Microsoft Edge: microsoftedgecp.exe (content process), chakra (JIT), Windows Advanced Rasterization Platform (WARP).
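The decision ACG makes on the two calls above, as an added example that is not code from the deck or from Windows: a constructed model of the dynamic-code policy in which a process with ACG on (and without the per-thread opt-out) can neither allocate executable memory nor turn existing non-image memory executable. The `acg_state_t` fields and the two decision functions are assumptions of the model; the PAGE_* values are the real winnt.h constants.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Page protection constants from winnt.h, the same values the slide lists. */
#define PAGE_NOACCESS          0x01u
#define PAGE_READONLY          0x02u
#define PAGE_READWRITE         0x04u
#define PAGE_WRITECOPY         0x08u
#define PAGE_EXECUTE           0x10u
#define PAGE_EXECUTE_READ      0x20u
#define PAGE_EXECUTE_READWRITE 0x40u
#define PAGE_EXECUTE_WRITECOPY 0x80u

static bool is_executable(uint32_t prot) { return (prot & 0xF0u) != 0; }
static bool is_writable(uint32_t prot) {
    return (prot & (PAGE_READWRITE | PAGE_WRITECOPY |
                    PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)) != 0;
}

/* Per-process state from ProcessDynamicCodePolicy (assumption: only the two flags that
   matter for the decision are modelled). */
typedef struct {
    bool prohibit_dynamic_code;   /* ACG on */
    bool thread_opted_out;        /* AllowThreadOptOut was set and this thread opted out */
} acg_state_t;

/* VirtualAlloc under ACG: fresh private memory may never be executable. */
bool acg_allows_alloc(acg_state_t st, uint32_t flProtect) {
    if (!st.prohibit_dynamic_code || st.thread_opted_out) return true;
    return !is_executable(flProtect);
}

/* VirtualProtect under ACG: nothing may become writable+executable, and memory that is
   not image-backed (heap, private, mapped data) may not gain execute. Image code mapped by
   the loader (and checked by Code Integrity Guard) is the only executable memory left. */
bool acg_allows_protect(acg_state_t st, bool image_backed, uint32_t old_prot, uint32_t new_prot) {
    if (!st.prohibit_dynamic_code || st.thread_opted_out) return true;
    if (is_executable(new_prot) && is_writable(new_prot)) return false;
    if (is_executable(new_prot) && !is_executable(old_prot) && !image_backed) return false;
    return true;
}

int main(void) {
    acg_state_t acg = {true, false};
    /* The classic JIT sequence: VirtualAlloc(RW), write code, VirtualProtect(RX). */
    printf("VirtualAlloc(PAGE_READWRITE):            %s\n",
           acg_allows_alloc(acg, PAGE_READWRITE) ? "ok" : "denied");
    printf("VirtualProtect(RW -> PAGE_EXECUTE_READ): %s\n",
           acg_allows_protect(acg, false, PAGE_READWRITE, PAGE_EXECUTE_READ) ? "ok" : "denied");
    printf("VirtualAlloc(PAGE_EXECUTE_READWRITE):    %s\n",
           acg_allows_alloc(acg, PAGE_EXECUTE_READWRITE) ? "ok" : "denied");
    return 0;
}
```

The second call is why an in-process JIT such as Chakra cannot run under ACG: the allocate-writable, then flip-to-executable pattern is exactly what the policy denies, which is why Edge moved code generation to a separate process.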
Block Untrusted Fonts (GDI): Trusted: %windir%\fonts. Untrusted: everything else.

ASLR Explained
[diagram: process address space across Boot 1, Boot 2 and Boot 3, with app.exe, user32.dll, ssleay32.dll and ntdll.dll loaded at different bases each boot]

Only the high-order two bytes are randomized in image mappings, so the low-order two bytes can be overwritten to return into another location within the same mapping (for example, overwriting 0x1446047c with 0x14461846). The target address can then be used to pivot.
[stack diagram: local variables, saved EBP, return address (L and H bytes); buffer overflow via memcpy(dest, src, controlled length) into a stack buffer with a controlled length]

Not all binaries are compiled with relocation information: executables often don't have relocations (/FIXED:YES), nor do .NET IL-only assemblies loaded in IE. ASLR is most effective if all regions are randomized.
[diagram: process address space across Boot 1, Boot 2 and Boot 3, with app.exe, user32.dll, kernel32.dll and ntdll.dll]
ASLR Explained
Mandatory ASLR: forces relocation of images that did not opt in to ASLR (bases shown on the slide: 0x7FFD61490000, 0x7FFD61490000, 0x7FFD90820000).
Bottom-Up ASLR: randomizes where bottom-up allocations (heaps, stacks and other VirtualAlloc regions) start by reserving a random number in [0, 256] of 64K allocations at the bottom of the address space (bases shown on the slide: 0x7FFD90820000, 0x7FFD61490000, 0x7FFD61490000).
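The partial-overwrite point above, as an added example (not code from the deck or from the Windows loader): a constructed simulation in which a relocatable image gets a fresh 64K-aligned base on every boot, so a two-byte overwrite of a return address lands on the same gadget regardless of the base, as long as the gadget lies in the same 64K region of the image. It also covers the two cases on the surrounding slides: an image without relocations (/FIXED:YES) cannot be moved even by Mandatory ASLR, while an image that merely opted out can. The `image_t` fields, the per-boot pseudo-random seed and the base range are assumptions of the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of 32-bit image ASLR (not the loader's real code): a relocatable image
   gets a fresh 64K-aligned base each boot, so only the high-order two bytes of any address
   inside it change; the low-order two bytes are the same on every boot. */
typedef struct {
    const char *name;
    uint32_t    preferred_base;
    bool        has_relocs;     /* linked without /FIXED:YES */
    bool        dynamic_base;   /* linked with /DYNAMICBASE: opted in to ASLR */
} image_t;

/* Deterministic stand-in for the per-boot random seed (assumption: the real loader uses
   the kernel RNG; this keeps the simulation reproducible offline). */
static uint32_t boot_random(uint32_t boot_seed) {
    uint32_t s = boot_seed * 1664525u + 1013904223u;
    return s >> 24;                          /* 8 bits of entropy, 0..255 */
}

/* Base the loader would pick for `img` on this boot. Mandatory ASLR (the WDEG setting)
   forces relocation of images that did not opt in, but only if they carry relocations. */
uint32_t image_base_for_boot(const image_t *img, uint32_t boot_seed, bool mandatory_aslr) {
    bool randomize = img->dynamic_base || (mandatory_aslr && img->has_relocs);
    if (!randomize)
        return img->preferred_base;                        /* same address on every boot */
    return 0x10000000u + (boot_random(boot_seed) << 16);   /* 64K-aligned slot */
}

/* What a 2-byte overflow of a little-endian return address achieves: only the low-order
   two bytes change, e.g. 0x1446047c -> 0x14461846 with new_low = 0x1846. */
uint32_t partial_overwrite(uint32_t ret_addr, uint16_t new_low) {
    return (ret_addr & 0xFFFF0000u) | new_low;
}

/* Across `boots` simulated boots, on how many does the partial overwrite of the return
   address (at RVA ret_rva) land exactly on the gadget at RVA gadget_rva? It does on every
   boot when both RVAs share the same 64K region, and never otherwise. */
int boots_where_pivot_hits(const image_t *img, uint32_t ret_rva, uint32_t gadget_rva,
                           int boots, bool mandatory_aslr) {
    int hits = 0;
    for (int b = 0; b < boots; b++) {
        uint32_t base  = image_base_for_boot(img, 0xC0FFEEu + 7919u * (uint32_t)b, mandatory_aslr);
        uint32_t ret   = base + ret_rva;
        uint32_t pivot = partial_overwrite(ret, (uint16_t)gadget_rva);
        if (pivot == base + gadget_rva) hits++;
    }
    return hits;
}

int main(void) {
    image_t app = {"app.exe", 0x00400000u, true, true};   /* constructed image */
    printf("app.exe base on boot 1: %08x, boot 2: %08x\n",
           (unsigned)image_base_for_boot(&app, 1, false),
           (unsigned)image_base_for_boot(&app, 2, false));
    printf("2-byte overwrite reaches the gadget on %d/10 boots\n",
           boots_where_pivot_hits(&app, 0x6047cu, 0x61846u, 10, false));
    return 0;
}
```

The check that matters for an attacker is `boots_where_pivot_hits`: it returns the full count for a gadget in the same 64K region as the corrupted return address and zero otherwise, which is exactly the constraint the slide's 0x1446047c to 0x14461846 overwrite satisfies.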
Code Integrity Guard

    HMODULE WINAPI LoadLibrary(
        _In_ LPCTSTR lpFileName
    );

The load succeeds only if the binary has a valid signature and the binary is in a valid location.

Control Flow Guard: Mitigating Hijacking Control of Execution

Typical control flow hijack: corrupt a C++ virtual table pointer and call the first gadget of a ROP payload, which transfers control to a stack pivot ROP gadget (example from Metasploit [1]).

CFG implements a form of coarse-grained control-flow integrity which places new restrictions on indirect calls to ensure that only valid functions can be called indirectly.

Compile time: metadata is automatically added to the image which identifies functions that may be called indirectly.

    void Foo(...) {
        // SomeFunc is address-taken
        // and may be called indirectly
        Object->FuncPtr = SomeFunc;
    }

Runtime:
Process start: map valid call target data.
Image load: update valid call target data with metadata from the PE image.
Indirect call: perform an O(1) validity check; terminate the process if the target is invalid.

With CFG in place, ROP gadgets and other invalid functions cannot be called indirectly.

Control Flow Guard: Valid Jump Destinations
[diagram: code layout with the valid jump locations marked Y]
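The three runtime steps above (process start, image load, indirect call), as an added example that is not code from the deck or from Windows: a constructed one-bit-per-16-byte bitmap over a toy 16 MiB address space. The real CFG bitmap uses two bits per granule and spans the whole user address space, mapped read-only into the process; the function names, the toy address space and the guard table contents are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of the CFG bitmap (not Windows' own code): one bit per 16-byte granule
   of a 16 MiB toy address space. The real bitmap uses two bits per granule (aligned target /
   any target in the granule) and covers the whole user address space. */
#define GRANULE_SHIFT 4
#define ADDR_SPACE    0x01000000u
#define GRANULES      (ADDR_SPACE >> GRANULE_SHIFT)

static uint8_t g_cfg_bitmap[GRANULES / 8];

/* Process start: the kernel maps a bitmap in which nothing is a valid target yet. */
void cfg_process_start(void) { memset(g_cfg_bitmap, 0, sizeof g_cfg_bitmap); }

/* Image load: the linker emitted a guard function table (RVAs of address-taken functions,
   such as SomeFunc on the slide); set one bit per entry. Returns false for an entry this
   one-bit model cannot represent (not 16-byte aligned or outside the toy address space). */
bool cfg_image_load(uint32_t image_base, const uint32_t *guard_rvas, size_t n) {
    for (size_t i = 0; i < n; i++) {
        uint32_t va = image_base + guard_rvas[i];
        if ((va & 0xFu) || (va >> GRANULE_SHIFT) >= GRANULES) return false;
        uint32_t g = va >> GRANULE_SHIFT;
        g_cfg_bitmap[g >> 3] |= (uint8_t)(1u << (g & 7));
    }
    return true;
}

/* The O(1) check the compiler inserts before each indirect call (__guard_check_icall). */
bool cfg_check_icall(uint32_t target) {
    if ((target & 0xFu) || (target >> GRANULE_SHIFT) >= GRANULES) return false;
    uint32_t g = target >> GRANULE_SHIFT;
    return (g_cfg_bitmap[g >> 3] >> (g & 7)) & 1u;
}

/* The slide's hijack: the first slot of a corrupted vtable points at a stack-pivot gadget.
   Returns true when CFG would terminate the process instead of following the call. */
bool cfg_terminates_on_call(uint32_t vtable_slot) { return !cfg_check_icall(vtable_slot); }

int main(void) {
    static const uint32_t guard_rvas[] = {0x1000u, 0x1230u, 0x2F40u};  /* constructed table */
    cfg_process_start();
    cfg_image_load(0x00400000u, guard_rvas, 3);
    printf("call SomeFunc @ 00401230: %s\n", cfg_check_icall(0x00401230u) ? "ok" : "TERMINATE");
    printf("call gadget   @ 00401237: %s\n", cfg_check_icall(0x00401237u) ? "ok" : "TERMINATE");
    return 0;
}
```

Two properties of the check are worth noticing: a gadget in the middle of a function fails because its granule bit is clear (or, in this model, because it is not 16-byte aligned), and a properly aligned function that was never address-taken fails too, so CFG is coarse-grained but still far narrower than "any code byte".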
DEP Explained

    void foo(char *szIn, int i) {
        int j = 0;
        char szOut[8];
        strcpy(szOut, szIn);
    }

    void main(int argc, char** argv) {
        foo(argv[1], 0);
    }

Stack area of foo(), from higher addresses down: pushed arguments (szIn, i), EIP = return address into main(), EBP (frame pointer), j, szOut.

Before the overflow: j = 0x0, szOut = 0x05040504 (uninitialized).

Run with: C:\foo "AAAAAAAAAAAAAAAA\x6C\x11\xB0\x30"

After strcpy(): szOut = AAAAAAAA, j = 0x41414141, EBP = 0x41414141, return address = 0x30B0116C. The return address of main() has been changed to point to a malicious code area (!!pwn3d!!), so when foo() returns, execution continues in attacker-supplied data. With DEP, stack and heap pages are not executable, so the instruction fetch at 0x30B0116C faults instead of running the payload.
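The overflow and DEP's effect on it, as an added example (not code from the deck): instead of smashing a real stack, a constructed struct lays out foo()'s frame exactly as the slide draws it, the slide's command-line argument is copied into it with the same unbounded semantics as strcpy(), and a small page map answers whether the corrupted return address points at executable memory. The frame layout, the initial saved EBP, the page map and the little-endian host are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* foo()'s frame as the slides draw it, lowest address first (constructed model: a real
   compiler may reorder locals and adds a stack cookie with /GS). Little-endian host assumed. */
#pragma pack(push, 1)
typedef struct {
    char     szOut[8];
    uint32_t j;
    uint32_t saved_ebp;
    uint32_t return_address;   /* "EIP = Return of main()" */
    uint32_t arg_szIn;
    uint32_t arg_i;
} foo_frame_t;
#pragma pack(pop)

/* Simulates foo(szIn, i): strcpy(szOut, szIn) copies the whole argument, NUL included,
   past the 8-byte buffer into j, the saved EBP and the return address. The copy is clamped
   to the model frame only so that the simulation itself stays memory-safe. */
foo_frame_t run_foo(const char *szIn, uint32_t return_to_main) {
    foo_frame_t f;
    memset(&f, 0, sizeof f);
    f.j = 0;                                  /* int j = 0; */
    f.saved_ebp = 0x0019FF80u;                /* assumed main() frame pointer */
    f.return_address = return_to_main;
    f.arg_i = 0;
    size_t n = strlen(szIn) + 1;
    if (n > sizeof f) n = sizeof f;
    memcpy(f.szOut, szIn, n);
    return f;
}

/* A page map with protections: with DEP on, the stack and data pages are not executable. */
typedef struct { uint32_t base, size; bool executable; } page_t;

/* Would the CPU fetch the first instruction at `eip`? Returns false when DEP marks the page
   non-executable (or the address is unmapped), i.e. the "malicious code area" never runs. */
bool dep_allows_fetch(uint32_t eip, const page_t *pages, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (eip >= pages[i].base && eip - pages[i].base < pages[i].size)
            return pages[i].executable;
    return false;
}

int main(void) {
    /* The slide's command line: C:\foo "AAAAAAAAAAAAAAAA\x6C\x11\xB0\x30" */
    foo_frame_t f = run_foo("AAAAAAAAAAAAAAAA\x6C\x11\xB0\x30", 0x00401084u);
    printf("j=%08x ebp=%08x ret=%08x\n",
           (unsigned)f.j, (unsigned)f.saved_ebp, (unsigned)f.return_address);
    page_t dep_on[] = { {0x00190000u, 0x10000u, false},     /* thread stack */
                        {0x30B00000u, 0x10000u, false} };   /* data page holding the payload */
    printf("DEP lets 0x%08x execute: %s\n", (unsigned)f.return_address,
           dep_allows_fetch(f.return_address, dep_on, 2) ? "yes" : "no");
    return 0;
}
```

The four trailing bytes \x6C\x11\xB0\x30 become 0x30B0116C because x86 stores the return address little-endian; the sixteen 'A' bytes (0x41) fill szOut, j and the saved EBP first, which is why both read 0x41414141 after the copy.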
Disable Extension Points

AppInit DLLs, Winsock layered service providers and window hooks are legacy mechanisms for injecting a DLL into every process; this mitigation turns them off for the protected process.

    Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

    int WSPAPI WSCInstallProvider(
        IN  LPGUID lpProviderId,
        IN  const WCHAR FAR * lpszProviderDllPath,
        IN  const LPWSAPROTOCOL_INFOW lpProtocolInfoList,
        IN  DWORD dwNumberOfEntries,
        OUT LPINT lpErrno
    );

    HHOOK WINAPI SetWindowsHookEx(
        _In_ int idHook,
        _In_ HOOKPROC lpfn,
        _In_ HINSTANCE hMod,
        _In_ DWORD dwThreadId
    );

Disable Win32k System Calls
[diagram: Application Process in user mode; win32k.sys in kernel mode; the system calls from the process into win32k.sys are blocked]

Do Not Allow Child Processes

    BOOL WINAPI CreateProcess(
        _In_opt_    LPCTSTR lpApplicationName,
        _Inout_opt_ LPTSTR lpCommandLine,
        _In_opt_    LPSECURITY_ATTRIBUTES lpProcessAttributes,
        _In_opt_    LPSECURITY_ATTRIBUTES lpThreadAttributes,
        _In_        BOOL bInheritHandles,
        _In_        DWORD dwCreationFlags,
        _In_opt_    LPVOID lpEnvironment,
        _In_opt_    LPCTSTR lpCurrentDirectory,
        _In_        LPSTARTUPINFO lpStartupInfo,
        _Out_       LPPROCESS_INFORMATION lpProcessInformation
    );

The application process is not allowed to create a child process.

Block Remote Images

    HMODULE WINAPI LoadLibrary(
        _In_ LPCTSTR lpFileName
    );

Loading \\server\remote.dll (an image on a remote share) into the application process is blocked.

Block Low Integrity Images

    c:\Users\cjacks\AppData\LocalLow>icacls Temp
    Temp BUILTIN\Administrators:(OI)(CI)(F)
         BUILTIN\Power Users:(OI)(CI)(F)
         BUILTIN\Users:(OI)(CI)(F)
         Everyone:(OI)(CI)(RX,W)
         Mandatory Label\Low Mandatory Level:(I)(OI)(CI)(NW)

Loading %appdata%\locallow\temp\remote.dll into the application process is blocked: the file carries a Low mandatory integrity label.
Export Address Filtering

Reads of the export address table are caught with hardware debug registers. When the breakpoint fires, the faulting EIP is checked against the loaded modules; if it lies outside every module (shellcode reading the EAT to resolve APIs), the access is reported and the process is terminated with STATUS_STACK_BUFFER_OVERRUN:

    .text:000546C4 test    byte ptr [eax+CONTEXT.Dr6], 11h   ; bug! 11h should be 3
    .text:000546C8 jz      short not_handled
    .text:000546CA push    [eax+CONTEXT._Eip]                ; reg_eip
    .text:000546D0 call    is_in_module
    .text:000546D5 test    eax, eax
    .text:000546D7 jnz     short not_handled
    .text:000546D9 push    edi
    .text:000546DA push    1
    .text:000546DC call    report_protection
    .text:000546E1 cmp     status_exploitaction, 1
    .text:000546E8 pop     ecx
    .text:000546E9 pop     ecx
    .text:000546EA jnz     short not_handled
    .text:000546EC push    1
    .text:000546EE push    STATUS_STACK_BUFFER_OVERRUN
    .text:000546F3 push    dword ptr [edi+4]
    .text:000546F6 call    report_error_and_terminate
    .text:000546FB not_handled:
Import Address Filtering

Simulate Execution (SimExec): after a critical API is called, simulate the instructions that follow its return address to verify that execution flows back to a legitimate caller rather than through a chain of RET-terminated gadgets.

    0x41BD14: 853584D14100  TEST DWORD PTR [0x41D184],ESI         ; .data:0x4E 0xE6 0x40 0xBB
    0x41BD1A: 7505          JNZ 0x41BD21                          ; (*+0x7)
    0x41BD1C: B94FE640BB    MOV ECX,0xBB40E64F                    ; <==0x0041BD12(*-0xA)
    0x41BD21: 890D84D14100  MOV DWORD PTR [0x41D184],ECX          ; .data:0x4E 0xE6 0x40 0xBB ; <==0x0041BD1A(*-0x7)
    0x41BD27: F7D1          NOT ECX
    0x41BD29: 890D88D14100  MOV DWORD PTR [0x41D188],ECX          ; .data:0xB1 0x19 0xBF 0x44
    0x41BD2F: 5F            POP EDI                               ; <==0x0041BCC3(*-0x6C)
    0x41BD30: 5E            POP ESI
    0x41BD31: 8BE5          MOV ESP,EBP
    0x41BD33: 5D            POP EBP
    0x41BD34: C3            RET
    0x41BD35: 6800000300    PUSH 0x30000                          ; <==0x0041B4B9(*-0x87C)
    0x41BD3A: 6800000100    PUSH 0x10000
    0x41BD3F: FF157C044200  CALL DWORD PTR [MSVCRT.DLL!_controlfp] ; (0x42047C)
    0x41BD45: 59            POP ECX
    0x41BD46: 59            POP ECX
    0x41BD47: C3            RET

Validate API Invocation (CallerCheck): a critical function must be entered through a CALL instruction, not reached by a RET as a ROP chain would.

Heap protections: Validate Heap Integrity (terminate the process when heap corruption is detected), Heap Metadata Hardening, Heap Allocation Randomization, Heap Guard Pages.
SEHOP Explained

    void vulnerable(char *ptr) {
        char buf[128];
        strcpy(buf, ptr);
    }

    void parent(char *ptr) {
        __try {
            vulnerable(ptr);
            ... exception ...
        } __except(...) {
        }
    }

[stack diagram: local variables, the exception registration record (Next, Handler) for parent()'s __try block, previous stack frame; the buffer overflow in vulnerable() runs past buf into the registration record]

Normal SEH chain: (Next, Handler) app!_except_handler4 -> (Next, Handler) k32!_except_handler4 -> (Next, Handler) ntdll!_except_handler4 -> 0xffffffff.

Corrupt SEH chain: the overflow replaces the first record's Next pointer and Handler with attacker-chosen values (0x414106eb and 0x7c1408ac on the slide, the latter a pop eax; ret gadget). An exception will cause 0x7c1408ac to be called as an exception handler as:

    EXCEPTION_DISPOSITION Handler(
        PEXCEPTION_RECORD Exception,
        PVOID EstablisherFrame,
        PCONTEXT ContextRecord,
        PVOID DispatcherContext);

SEHOP (ntdll!FinalExceptionHandler): dynamic protection for SEH overwrites, with no compile/link time hints required. A symbolic validation frame is inserted as the final entry in the chain, and corrupt Next pointers prevent traversal to the validation frame.
Valid SEH chain: app!_except_handler4 -> k32!_except_handler4 -> ntdll!FinalExceptionHandler.
Invalid SEH chain: app!_main+0x1c -> 0x41414141 -> ? Can't reach validation frame!
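The chain walk SEHOP performs before dispatching any handler, as an added example that is not code from the deck or from ntdll: a constructed model of the x86 registration records on a simulated stack area, the validation frame at the end, and the check that refuses to dispatch when the chain cannot reach it. The handler stand-ins, the stack bounds and the hop limit are assumptions; the real check also reads the stack limits from the TEB rather than taking them as a parameter.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* x86 SEH registration record as it lies on the stack: Next pointer, then handler. */
typedef struct seh_record {
    struct seh_record *Next;     /* 0xFFFFFFFF ends the chain */
    void (*Handler)(void);
} seh_record_t;

#define SEH_END ((seh_record_t *)(uintptr_t)0xFFFFFFFFu)

/* Stand-ins for the handlers on the slide (constructed; bodies are irrelevant to the check). */
void app_except_handler4(void)   {}
void k32_except_handler4(void)   {}
void FinalExceptionHandler(void) {}   /* ntdll!FinalExceptionHandler: the validation frame's handler */

/* Thread stack bounds, which the dispatcher reads from the TEB; supplied by the caller here. */
typedef struct { uintptr_t lo, hi; } stack_limits_t;

/* SEHOP's check, done before any handler is invoked: walk Next from the registered head.
   Every record must be 4-byte aligned and inside the stack, the walk must not run forever,
   and the last record before 0xFFFFFFFF must be the validation frame. A corrupted Next
   (0x41414141, a heap address, a loop) can never satisfy this, so the overwritten handler
   (0x7c1408ac on the slide) is never called. */
bool sehop_chain_valid(const seh_record_t *head, stack_limits_t st) {
    const seh_record_t *cur = head;
    for (int hops = 0; cur != SEH_END; hops++) {
        uintptr_t a = (uintptr_t)cur;
        if (a < st.lo || a + sizeof *cur > st.hi || (a & 3) != 0) return false;
        if (hops > 1024) return false;                          /* cycle or absurd depth */
        if (cur->Next == SEH_END) return cur->Handler == FinalExceptionHandler;
        cur = cur->Next;
    }
    return false;                                               /* empty chain: no validation frame */
}

/* Builds the slide's chain on a simulated stack area and optionally corrupts the first
   record the way the strcpy() overflow in vulnerable() would. Returns SEHOP's verdict. */
bool sehop_demo(bool overflow) {
    static seh_record_t stack_area[8];                 /* constructed stand-in for the thread stack */
    stack_limits_t st = {(uintptr_t)&stack_area[0], (uintptr_t)&stack_area[8]};
    stack_area[0] = (seh_record_t){&stack_area[1], app_except_handler4};   /* parent()'s frame */
    stack_area[1] = (seh_record_t){&stack_area[2], k32_except_handler4};
    stack_area[2] = (seh_record_t){SEH_END,        FinalExceptionHandler}; /* inserted by SEHOP */
    if (overflow) {
        stack_area[0].Next    = (seh_record_t *)(uintptr_t)0x41414141u;   /* "AAAA" */
        stack_area[0].Handler = (void (*)(void))(uintptr_t)0x7c1408acu;   /* pop; ret gadget */
    }
    return sehop_chain_valid(&stack_area[0], st);
}

int main(void) {
    printf("intact chain:   %s\n", sehop_demo(false) ? "dispatch" : "refuse");
    printf("overflowed:     %s\n", sehop_demo(true)  ? "dispatch" : "refuse");
    return 0;
}
```

Note what the check does not do: it never inspects the Handler values of intermediate records, so an attacker who could overwrite Handler while keeping Next intact would still get their handler called. That is why the classic overwrite (which clobbers Next first, since it sits at the lower address) is what SEHOP defeats, and why SafeSEH's handler-table check is a separate, complementary mitigation.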
Validate Handle Usage: trigger an exception when the application process uses an invalid handle.

Validate Image Dependency Integrity: enforce code signing for Windows image dependency loading.

    HMODULE WINAPI LoadLibrary(
        _In_ LPCTSTR lpFileName
    );
Validate Stack Integrity

Stack pivot gadgets: XCHG reg, ESP; RETN / MOV reg, ESP; RETN / CALL reg / POP reg; JMP reg / ADD ESP, offset; RETN.
[diagram: legitimate frame (Arg 1, EIP return address, EBP frame pointer, Local 1) beside the attacker's fake frame (Fake Arg 2, Fake Arg 1, EIP = malware, EBP frame pointer, Local 1) with ESP moved onto the fake frame after the pivot]

Upon entering a critical function, check to see if ESP is between the thread's upper and lower stack limit.
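The two entry checks from the Validate API Invocation and Validate Stack Integrity slides, as an added example that is not code from the deck or from EMET/WDEG: a constructed caller check that decodes the bytes just before the return address pushed on entry to a critical function and accepts only an x86 CALL (E8 rel32 and the FF /2 ModRM/SIB forms), plus the ESP range check against the thread's stack limits. The bytes in `main` are taken from the Simulate Execution listing above (the `call dword ptr [_controlfp]` followed by `pop ecx; pop ecx; ret`); the decoder handles no prefixes and the stack limits are assumed values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Length of an x86 `FF /2` (CALL r/m32) instruction starting at p, or 0 if p does not start
   one. Only ModRM/SIB/displacement forms are decoded (no prefixes); enough for the common
   caller check. Constructed example, not EMET's or WDEG's decoder. */
static size_t ff_call_len(const uint8_t *p, size_t avail) {
    if (avail < 2 || p[0] != 0xFF) return 0;
    uint8_t mod = p[1] >> 6, reg = (p[1] >> 3) & 7, rm = p[1] & 7;
    if (reg != 2) return 0;                 /* /2 = CALL near indirect; /3 (far) not handled */
    if (mod == 3) return 2;                 /* CALL reg, e.g. FF D0 = call eax */
    size_t len = 2;
    if (rm == 4) {                          /* SIB byte follows */
        if (avail < 3) return 0;
        len++;
        if (mod == 0 && (p[2] & 7) == 5) len += 4;   /* [disp32 + index*scale] */
    } else if (mod == 0 && rm == 5) {
        len += 4;                           /* CALL [disp32], e.g. FF 15 xx xx xx xx */
    }
    if (mod == 1) len += 1;                 /* disp8 */
    if (mod == 2) len += 4;                 /* disp32 */
    return len;
}

/* Caller check for "Validate API Invocation": code[ret_off] is the return address pushed
   when the critical function was entered. Is the instruction just before it a CALL?
   Legitimate callers get here with CALL; a ROP chain arrives via RET, so the preceding
   bytes are usually a gadget tail such as `59 59 C3`. */
bool preceded_by_call(const uint8_t *code, size_t ret_off) {
    if (ret_off >= 5 && code[ret_off - 5] == 0xE8) return true;   /* E8 rel32: CALL rel32 */
    static const size_t lens[] = {2, 3, 4, 6, 7};
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        size_t L = lens[i];
        if (ret_off >= L && ff_call_len(code + ret_off - L, L) == L) return true;
    }
    return false;
}

/* "Validate Stack Integrity": on entry to a critical function, ESP must lie within the
   thread's stack (TEB StackLimit <= ESP < StackBase). After a pivot such as XCHG EAX,ESP;
   RETN, ESP points into the heap and the check fails. */
bool stack_pointer_valid(uint32_t esp, uint32_t stack_limit, uint32_t stack_base) {
    return esp >= stack_limit && esp < stack_base;
}

/* Both checks together, as a critical-function prologue hook would apply them. */
bool critical_call_is_legit(uint32_t esp, uint32_t stack_limit, uint32_t stack_base,
                            const uint8_t *code, size_t ret_off) {
    return stack_pointer_valid(esp, stack_limit, stack_base) && preceded_by_call(code, ret_off);
}

int main(void) {
    /* Bytes from the Simulate Execution listing: FF 15 7C 04 42 00 = call dword ptr
       [MSVCRT.DLL!_controlfp] at 0x41BD3F, then 59 59 C3 (pop ecx; pop ecx; ret) at 0x41BD45. */
    static const uint8_t code[] = {0xFF, 0x15, 0x7C, 0x04, 0x42, 0x00, 0x59, 0x59, 0xC3};
    printf("return to 0x41BD45 preceded by CALL:  %s\n", preceded_by_call(code, 6) ? "yes" : "no");
    printf("return after the pop;pop;ret gadget: %s\n", preceded_by_call(code, 9) ? "yes" : "no");
    printf("ESP 0x0A3F1000 inside the stack:     %s\n",
           stack_pointer_valid(0x0A3F1000u, 0x0019D000u, 0x001A0000u) ? "yes" : "no");
    return 0;
}
```

Both checks are heuristics: a stray 0xE8 inside another instruction's immediate produces a false positive for the caller check, and a ROP chain that keeps ESP inside the real stack (a stack-based chain without a pivot) passes the range check. They raise the cost of a generic ROP payload rather than prove the call legitimate, which is why Simulate Execution exists alongside them.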
Mitigation Auditing: mitigation events are written to Applications and Services Logs\Microsoft\Windows\Security-Mitigations in Event Viewer.
Please evaluate this session: from your PC or tablet, visit MyIgnite at https://myignite.microsoft.com/evaluations; from your phone, use the Microsoft Ignite mobile app at https://aka.ms/ignite.mobileapp.