Home > Research > Publications & Outputs > Fast and Furious

Electronic data

  • dimva20-paper37-accepted

    Accepted author manuscript, 3.46 MB, PDF document

    Available under license: CC BY-NC: Creative Commons Attribution-NonCommercial 4.0 International License

Links

Text available via DOI:

View graph of relations

Fast and Furious: Outrunning Windows Kernel Notification Routines from User-Mode

Research output: Contribution in Book/Report/Proceedings - With ISBN/ISSNConference contribution/Paperpeer-review

Published
Publication date7/07/2020
Host publicationDetection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2020. 
PublisherSpringer
Pages67-88
Number of pages12
ISBN (electronic)9783030526832
ISBN (print)9783030526825
<mark>Original language</mark>English
EventThe 17th Conference on Detection of Intrusions and Malware & Vulnerability Assessment - Lisbon, Portugal
Duration: 24/06/202026/06/2020

Conference

ConferenceThe 17th Conference on Detection of Intrusions and Malware & Vulnerability Assessment
Abbreviated titleDIMVA 2020
Country/TerritoryPortugal
CityLisbon
Period24/06/2026/06/20

Conference

ConferenceThe 17th Conference on Detection of Intrusions and Malware & Vulnerability Assessment
Abbreviated titleDIMVA 2020
Country/TerritoryPortugal
CityLisbon
Period24/06/2026/06/20

Abstract

Modern Operating Systems (OSs) enable user processes to obtain full access control over other processes initiated by the same user. In scenarios of sensitive security processes (e.g., antivirus software), protection schemes are enforced at the kernel level such as to confront arbitrary user processes overtaking with malicious intent. Within the Windows family of OSs, the kernel driver is notified via dedicated routines for user-mode processes that require protection. In such cases the kernel driver establishes a callback mechanism triggered whenever a handle request for the original user-mode process is initiated by a different user process. Subsequently, the kernel driver performs a selective permission removal process (e.g., read access to the process memory) prior to passing a handle to the requesting process. In this paper we are the first to demonstrate a fundamental user-mode process access control vulnerability, existing in Windows 7 up to the most recent Windows 10 OSs. We show that a user-mode process can indeed obtain a fully privileged access handlebe forethe kernel driver is notified, thus prior to the callback mechanism establishment. Our study shows that this flaw can be exploited by a method to (i) disable the antimalware suite Symantec Endpoint Protection; (ii) overtake VirtualBox protected processes; (iii) circumvent two major video game anti-cheat protection solutions, BattlEye and EasyAntiCheat. Finally we provide recommendations on how to address the discovered vulnerability.

Bibliographic note

The final publication is available at Springer via http://dx.doi.org/[insert DOI]