44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back
![Page 1: 44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back](https://reader031.fdocuments.net/reader031/viewer/2022030211/58a2fae11a28ab5d1c8b672b/html5/thumbnails/1.jpg)
Windows 10: 2 Steps Forward, 1 Step Back
James Forshaw @tiraniddo
44con 2015
![Page 2: 44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back](https://reader031.fdocuments.net/reader031/viewer/2022030211/58a2fae11a28ab5d1c8b672b/html5/thumbnails/2.jpg)
Obligatory Background Slide
● Researcher in Google’s Project Zero team
● Specialize in Windows
  ○ Especially local privilege escalation
● Never met a logical vulnerability I didn’t like
![Page 3: 44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back](https://reader031.fdocuments.net/reader031/viewer/2022030211/58a2fae11a28ab5d1c8b672b/html5/thumbnails/3.jpg)
What I’m Going to Talk About
● Some research on Windows 10 from the early preview builds
● Why Windows 10 is awesome for security
● Except for when it isn’t!
● Very much looking at things from a local privilege escalation perspective
![Page 4: 44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back](https://reader031.fdocuments.net/reader031/viewer/2022030211/58a2fae11a28ab5d1c8b672b/html5/thumbnails/4.jpg)
Windows 10
![Page 5: 44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back](https://reader031.fdocuments.net/reader031/viewer/2022030211/58a2fae11a28ab5d1c8b672b/html5/thumbnails/5.jpg)
Windows Local Attack Surface
![Page 6: 44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back](https://reader031.fdocuments.net/reader031/viewer/2022030211/58a2fae11a28ab5d1c8b672b/html5/thumbnails/6.jpg)
Local System Vulnerabilities are Dead!
#opfreecalc
![Page 7: 44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back](https://reader031.fdocuments.net/reader031/viewer/2022030211/58a2fae11a28ab5d1c8b672b/html5/thumbnails/7.jpg)
System Services and Drivers
| | Windows 7 SP1 | Windows 8.1 | Windows 10 |
|---|---|---|---|
| Services | 150 | 169 | 196 |
| Drivers | 238 | 253 | 291 |
![Page 8: 44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back](https://reader031.fdocuments.net/reader031/viewer/2022030211/58a2fae11a28ab5d1c8b672b/html5/thumbnails/8.jpg)
Service Privilege Levels
| | Windows 7 SP1 | Windows 8.1 | Windows 10 |
|---|---|---|---|
| Local System | 53.69% | 56.89% | 61.14% |
| Local Service | 32.21% | 31.14% | 28.50% |
| Network Service | 14.09% | 11.98% | 10.36% |
![Page 9: 44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back](https://reader031.fdocuments.net/reader031/viewer/2022030211/58a2fae11a28ab5d1c8b672b/html5/thumbnails/9.jpg)
SVCHOST Running as User?
Malware? Nope!
![Page 10: 44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back](https://reader031.fdocuments.net/reader031/viewer/2022030211/58a2fae11a28ab5d1c8b672b/html5/thumbnails/10.jpg)
Service Start Mode
| | Windows 7 | Windows 8.1 | Windows 10 |
|---|---|---|---|
| Auto | 30.07% | 26.19% | 24.10% |
| Disabled | 5.23% | 3.57% | 2.05% |
| Manual | 53.59% | 43.45% | 42.56% |
| Triggered | 11.11% | 26.79% | 31.28% |
![Page 11: 44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back](https://reader031.fdocuments.net/reader031/viewer/2022030211/58a2fae11a28ab5d1c8b672b/html5/thumbnails/11.jpg)
Accessible Device Objects
| | Windows 7 | Windows 8.1 | Windows 10 |
|---|---|---|---|
| Read/Write | 64 | 54 | 52 |
| Read-Only | 6 | 6 | 5 |
![Page 12: 44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back](https://reader031.fdocuments.net/reader031/viewer/2022030211/58a2fae11a28ab5d1c8b672b/html5/thumbnails/12.jpg)
Isolated User Mode
![Page 13: 44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back](https://reader031.fdocuments.net/reader031/viewer/2022030211/58a2fae11a28ab5d1c8b672b/html5/thumbnails/13.jpg)
Isolated LSASS
Image from http://deploymentresearch.com/Research/Post/490/Enabling-Virtual-Secure-Mode-VSM-in-Windows-10-Enterprise-Build-10130
![Page 14: 44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back](https://reader031.fdocuments.net/reader031/viewer/2022030211/58a2fae11a28ab5d1c8b672b/html5/thumbnails/14.jpg)
But Sadly
● Not available in consumer builds, only Enterprise
● Can’t use your own code to isolate anything
● Very restrictive use
![Page 15: 44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back](https://reader031.fdocuments.net/reader031/viewer/2022030211/58a2fae11a28ab5d1c8b672b/html5/thumbnails/15.jpg)
Edge Browser
![Page 16: 44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back](https://reader031.fdocuments.net/reader031/viewer/2022030211/58a2fae11a28ab5d1c8b672b/html5/thumbnails/16.jpg)
Microsoft Edge Security
ActiveX is gone(ish)
AppContainer Sandbox Always On
![Page 17: 44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back](https://reader031.fdocuments.net/reader031/viewer/2022030211/58a2fae11a28ab5d1c8b672b/html5/thumbnails/17.jpg)
Microsoft Edge and Flash
Nope!
![Page 18: 44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back](https://reader031.fdocuments.net/reader031/viewer/2022030211/58a2fae11a28ab5d1c8b672b/html5/thumbnails/18.jpg)
Has No One Learnt from the Past?
![Page 19: 44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back](https://reader031.fdocuments.net/reader031/viewer/2022030211/58a2fae11a28ab5d1c8b672b/html5/thumbnails/19.jpg)
Guess Trident Wasn’t a Suitable Base?
![Page 20: 44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back](https://reader031.fdocuments.net/reader031/viewer/2022030211/58a2fae11a28ab5d1c8b672b/html5/thumbnails/20.jpg)
User Account Control
![Page 21: 44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back](https://reader031.fdocuments.net/reader031/viewer/2022030211/58a2fae11a28ab5d1c8b672b/html5/thumbnails/21.jpg)
They’ve Fixed Some Bugs I’ve Reported
https://code.google.com/p/google-security-research/issues/detail?id=156
https://code.google.com/p/google-security-research/issues/detail?id=220
![Page 22: 44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back](https://reader031.fdocuments.net/reader031/viewer/2022030211/58a2fae11a28ab5d1c8b672b/html5/thumbnails/22.jpg)
UAC Auto Elevation Directory Check
c:\windows\app.exe: ALLOWED
c:\windows\tracing\app.exe: BANNED
![Page 23: 44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back](https://reader031.fdocuments.net/reader031/viewer/2022030211/58a2fae11a28ab5d1c8b672b/html5/thumbnails/23.jpg)
Folder Permissions
c:\windows\app.exe: ALLOWED
c:\windows\tracing\app.exe: BANNED
![Page 24: 44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back](https://reader031.fdocuments.net/reader031/viewer/2022030211/58a2fae11a28ab5d1c8b672b/html5/thumbnails/24.jpg)
AiCheckSecureApplicationDirectory Bypass
● Need to be able to write a file with a secure path
● How can we write to C:\Windows without writing to C:\Windows?
c:\windows\malicious.exe: ALLOWED
c:\windows\????: ALLOWED?
![Page 25: 44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back](https://reader031.fdocuments.net/reader031/viewer/2022030211/58a2fae11a28ab5d1c8b672b/html5/thumbnails/25.jpg)
NTFS Alternate Data Streams FTW!
c:\windows\tracing:malicious.exe: ALLOWED
● Only need FILE_WRITE_DATA/FILE_ADD_FILE access right on directory to create a named stream.
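An added example, not from the slides or from Windows itself: a simplified string-prefix model of the directory check next to a hardened form, run over the three paths shown above. The function names, the single banned directory and the hardening rule are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed from the slides: the secure root and the one user-writable
 * subdirectory shown as BANNED. Paths are assumed to be already lower-cased. */
static const char SECURE_ROOT[] = "c:\\windows\\";
static const char *const BANNED_DIRS[] = { "c:\\windows\\tracing\\" };

static bool has_prefix(const char *s, const char *prefix)
{
    return strncmp(s, prefix, strlen(prefix)) == 0;
}

/* Weak form: compares directory prefixes only, so it never notices that
 * "tracing:malicious.exe" is a named stream on the writable tracing directory. */
bool naive_is_secure_path(const char *path)
{
    if (!has_prefix(path, SECURE_ROOT))
        return false;
    for (size_t i = 0; i < sizeof(BANNED_DIRS) / sizeof(BANNED_DIRS[0]); i++)
        if (has_prefix(path, BANNED_DIRS[i]))
            return false;
    return true;
}

/* Hardened form (an assumption, not Microsoft's fix): refuse any path that
 * uses stream syntax, i.e. a ':' anywhere after the drive specifier. */
bool hardened_is_secure_path(const char *path)
{
    if (strlen(path) > 2 && strchr(path + 2, ':') != NULL)
        return false;
    return naive_is_secure_path(path);
}

int main(void)
{
    static const char *const samples[] = {   /* the three paths on the slides */
        "c:\\windows\\app.exe",
        "c:\\windows\\tracing\\app.exe",
        "c:\\windows\\tracing:malicious.exe",
    };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-36s naive=%d hardened=%d\n", samples[i],
               naive_is_secure_path(samples[i]),
               hardened_is_secure_path(samples[i]));
    return 0;
}
```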
![Page 26: 44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back](https://reader031.fdocuments.net/reader031/viewer/2022030211/58a2fae11a28ab5d1c8b672b/html5/thumbnails/26.jpg)
Didn’t Fix All my UAC Bypasses Though
https://code.google.com/p/google-security-research/issues/detail?id=219
![Page 27: 44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back](https://reader031.fdocuments.net/reader031/viewer/2022030211/58a2fae11a28ab5d1c8b672b/html5/thumbnails/27.jpg)
DEMO: Elevated Token Capture
![Page 28: 44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back](https://reader031.fdocuments.net/reader031/viewer/2022030211/58a2fae11a28ab5d1c8b672b/html5/thumbnails/28.jpg)
Well MS Almost Did
Flowchart checks:
● If Token Level < Impersonate
● If Process has Impersonate Privilege
● If Process IL < Token IL
● If Process User == Token User
● Elevation Check
Flowchart outcomes: ALLOWED, Restrict to Identification Level
![Page 29: 44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back](https://reader031.fdocuments.net/reader031/viewer/2022030211/58a2fae11a28ab5d1c8b672b/html5/thumbnails/29.jpg)
Elevated Token Impersonation
● Blocks impersonating an elevated token unless process token is also elevated
● Must be enabled in SeCompatFlags kernel flag
if (SeTokenIsElevated(ImpersonationToken)) {
    if ((SeCompatFlags & 1) && !SeTokenIsElevated(ProcessToken)) {
        return STATUS_PRIVILEGE_NOT_HELD;
    }
}
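An added example, not code from the slides or the kernel: a small model of the impersonation decision that walks the checks in the order the flowchart slide lists them and ends with the elevation check above. The struct, the outcome names and which result each check leads to are assumptions; the sample tokens are constructed.

```c
#include <stdbool.h>
#include <stdio.h>

/* Impersonation levels in ascending order. */
enum imp_level { ANONYMOUS, IDENTIFICATION, IMPERSONATION, DELEGATION };

/* Result names are local to this example. */
enum outcome { ALLOWED, RESTRICTED_TO_IDENTIFICATION, PRIVILEGE_NOT_HELD };

struct token {
    enum imp_level level;  /* meaningful for the impersonation token only */
    int  integrity;        /* integrity level, larger means more trusted */
    int  user;             /* stand-in for the user SID */
    bool elevated;         /* what SeTokenIsElevated() would report */
    bool impersonate_priv; /* process token holds SeImpersonatePrivilege */
};

/* Checks in the order the slide lists them; compat_flags models SeCompatFlags. */
enum outcome can_impersonate(const struct token *proc, const struct token *imp,
                             unsigned compat_flags)
{
    if (imp->level < IMPERSONATION)       return ALLOWED;
    if (proc->impersonate_priv)           return ALLOWED;
    if (proc->integrity < imp->integrity) return RESTRICTED_TO_IDENTIFICATION;
    if (proc->user != imp->user)          return RESTRICTED_TO_IDENTIFICATION;
    /* The elevation check from the slide: only active when bit 0 is set. */
    if (imp->elevated && (compat_flags & 1) && !proc->elevated)
        return PRIVILEGE_NOT_HELD;
    return ALLOWED;
}

/* Constructed sample tokens: one user (1000), integrity 2 or 3. */
static const struct token USER_PROCESS     = { ANONYMOUS, 2, 1000, false, false };
static const struct token ELEVATED_PROCESS = { ANONYMOUS, 3, 1000, true,  false };
static const struct token ELEVATED_TOKEN   = { IMPERSONATION, 2, 1000, true, false };
static const struct token HIGH_IL_TOKEN    = { IMPERSONATION, 3, 1000, true, false };

int main(void)
{
    static const char *const names[] = { "allowed", "identification only",
                                         "STATUS_PRIVILEGE_NOT_HELD" };
    printf("flag clear, non-elevated process: %s\n",
           names[can_impersonate(&USER_PROCESS, &ELEVATED_TOKEN, 0)]);
    printf("flag set,   non-elevated process: %s\n",
           names[can_impersonate(&USER_PROCESS, &ELEVATED_TOKEN, 1)]);
    printf("flag set,   elevated process:     %s\n",
           names[can_impersonate(&ELEVATED_PROCESS, &ELEVATED_TOKEN, 1)]);
    printf("higher-integrity token:           %s\n",
           names[can_impersonate(&USER_PROCESS, &HIGH_IL_TOKEN, 1)]);
    return 0;
}
```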
![Page 30: 44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back](https://reader031.fdocuments.net/reader031/viewer/2022030211/58a2fae11a28ab5d1c8b672b/html5/thumbnails/30.jpg)
In The End Still the “Wrong” Default IMO!
![Page 31: 44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back](https://reader031.fdocuments.net/reader031/viewer/2022030211/58a2fae11a28ab5d1c8b672b/html5/thumbnails/31.jpg)
If You Change Task Manager Needs a Prompt
![Page 32: 44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back](https://reader031.fdocuments.net/reader031/viewer/2022030211/58a2fae11a28ab5d1c8b672b/html5/thumbnails/32.jpg)
Windows Symbolic Links
Windows NT 3.1 - July 27 1993
● Object Manager Symbolic Links
● Registry Key Symbolic Links
Windows 2000 - Feb 17 2000
● NTFS Mount Points and Directory Junctions
Windows Vista - Nov 30 2006
● NTFS Symbolic Links
![Page 33: 44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back](https://reader031.fdocuments.net/reader031/viewer/2022030211/58a2fae11a28ab5d1c8b672b/html5/thumbnails/33.jpg)
Mitigated in Sandboxes
NTFS Mount Points
Registry Key Symbolic Links
Object Manager Symbolic Links
BANNED
LIMITED
LIMITED
![Page 34: 44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back](https://reader031.fdocuments.net/reader031/viewer/2022030211/58a2fae11a28ab5d1c8b672b/html5/thumbnails/34.jpg)
Mitigations Backported
![Page 35: 44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back](https://reader031.fdocuments.net/reader031/viewer/2022030211/58a2fae11a28ab5d1c8b672b/html5/thumbnails/35.jpg)
DEMO: NTFS Mount Point Mitigation Bypass
![Page 36: 44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back](https://reader031.fdocuments.net/reader031/viewer/2022030211/58a2fae11a28ab5d1c8b672b/html5/thumbnails/36.jpg)
Win32k Hardening
![Page 37: 44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back](https://reader031.fdocuments.net/reader031/viewer/2022030211/58a2fae11a28ab5d1c8b672b/html5/thumbnails/37.jpg)
Fonts Are Bad
![Page 38: 44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back](https://reader031.fdocuments.net/reader031/viewer/2022030211/58a2fae11a28ab5d1c8b672b/html5/thumbnails/38.jpg)
Making it Less Bad
User Mode Font Driver
Disable Custom Font Policy (undocumented)
PROCESS_MITIGATION_FONT_DISABLE_POLICY policy = { 0 };
policy.DisableNonSystemFonts = 1;
policy.AuditNonSystemFontLoading = 1;
SetProcessMitigationPolicy(ProcessFontDisablePolicy, &policy, sizeof(policy));
![Page 39: 44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back](https://reader031.fdocuments.net/reader031/viewer/2022030211/58a2fae11a28ab5d1c8b672b/html5/thumbnails/39.jpg)
User Mode Font Driver
Only SYSTEM can open process?
Running as user in AppContainer
![Page 40: 44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back](https://reader031.fdocuments.net/reader031/viewer/2022030211/58a2fae11a28ab5d1c8b672b/html5/thumbnails/40.jpg)
Process Token Default DACL
Before September Patch
After September Patch
![Page 41: 44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back](https://reader031.fdocuments.net/reader031/viewer/2022030211/58a2fae11a28ab5d1c8b672b/html5/thumbnails/41.jpg)
Thread DACLs Allow User Access
![Page 42: 44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back](https://reader031.fdocuments.net/reader031/viewer/2022030211/58a2fae11a28ab5d1c8b672b/html5/thumbnails/42.jpg)
Extra, UMFD Only Win32k Escape Calls
| NtGdiEscape Command | UMFD Escape Call |
|---|---|
| 13 | UmfdEscEngGetFileChangeTime |
| 14 | UmfdEscEngGetFilePath |
| 15 | UmfdEscEngComputeGlyphSet |
| 16 | UmfdEscEngCreateFile |
| 17 | UmfdEscParseFontResources |
| 18 | atmfdFontManagement (enable kernel ATMFD driver) |
And Others ...
![Page 43: 44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back](https://reader031.fdocuments.net/reader031/viewer/2022030211/58a2fae11a28ab5d1c8b672b/html5/thumbnails/43.jpg)
UmfdEscEngCreateFile in Win32kFull.sys
Before September Patch:
// Name is \SystemRoot\System32\QLCLF.ATM,
// ATMLIB.DLL or FAC.ATM
HANDLE EngCreateFile(UNICODE_STRING Name, BOOL ReadOnly) {
    ACCESS_MASK Access = FILE_GENERIC_READ;
    OBJECT_ATTRIBUTES Attrs;
    HANDLE FileHandle = (HANDLE)-1;
    ULONG Disposition = FILE_OPEN;

    if (!ReadOnly) {
        Access |= FILE_WRITE_DATA;
        Disposition = FILE_OPEN_IF;
    }

    InitializeObjectAttributes(&Attrs, &Name, OBJ_CASE_INSENSITIVE, ...);
    ZwCreateFile(&FileHandle, Access, &Attrs, ..., Disposition, ...);

    return FileHandle;
}
After September Patch:
// Name is only \SystemRoot\System32\FAC.ATM
HANDLE EngCreateFile(UNICODE_STRING Name) {
    ACCESS_MASK Access = FILE_GENERIC_READ;
    OBJECT_ATTRIBUTES Attrs;
    HANDLE FileHandle = (HANDLE)-1;
    ULONG Disposition = FILE_OPEN;

    InitializeObjectAttributes(&Attrs, &Name, OBJ_CASE_INSENSITIVE, ...);
    IoCreateFile(&FileHandle, FILE_GENERIC_READ, &Attrs, ..., FILE_OPEN, ..., IO_FORCE_ACCESS_CHECK);

    return FileHandle;
}
![Page 44: 44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back](https://reader031.fdocuments.net/reader031/viewer/2022030211/58a2fae11a28ab5d1c8b672b/html5/thumbnails/44.jpg)
UmfdEscEngCreateFile in Win32kFull.sys
Annotations on the code from the previous slide:
Before September Patch: Attacker Controlled, No Security Check
After September Patch: All Gone
![Page 45: 44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back](https://reader031.fdocuments.net/reader031/viewer/2022030211/58a2fae11a28ab5d1c8b672b/html5/thumbnails/45.jpg)
Process Silos
● New process container mechanism
● Possibly related to Docker support
● Works in a similar fashion to process jobs
NTSTATUS NtCreateSiloObject(
    PHANDLE handle,
    ACCESS_MASK DesiredAccess,
    POBJECT_ATTRIBUTES ObjectAttributes);
![Page 46: 44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back](https://reader031.fdocuments.net/reader031/viewer/2022030211/58a2fae11a28ab5d1c8b672b/html5/thumbnails/46.jpg)
Opening Device Object
Native NT Path: \Device\Harddisk1\SomeName
Device Path: \Device\Harddisk1
Device Namespace Path: \SomeName
Harddisk Driver: Create File Handler
Driver Responsible for Security
![Page 47: 44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back](https://reader031.fdocuments.net/reader031/viewer/2022030211/58a2fae11a28ab5d1c8b672b/html5/thumbnails/47.jpg)
Replace the Root Object Directory
// Create anonymous directory object
InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL);
NtCreateDirectoryObject(&hDir, &ObjectAttributes, ...);

NtSetInformationSiloObject(hSilo, SiloObjectRootDirectory, &hDir, sizeof(hDir));
NtAssignProcessToSiloObject(hSilo, GetCurrentProcess());
// Process root directory now empty
Exploit: https://code.google.com/p/google-security-research/issues/detail?id=459
![Page 48: 44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back](https://reader031.fdocuments.net/reader031/viewer/2022030211/58a2fae11a28ab5d1c8b672b/html5/thumbnails/48.jpg)
Fixed in RTM
● Silo functionality rolled into Job objects
● Changed object directory now behind a TCB check
● Shame for Chrome, would have been a useful feature
![Page 49: 44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back](https://reader031.fdocuments.net/reader031/viewer/2022030211/58a2fae11a28ab5d1c8b672b/html5/thumbnails/49.jpg)
Public Service Announcement
Doing too much security research on Beta software can make you sad
![Page 50: 44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back](https://reader031.fdocuments.net/reader031/viewer/2022030211/58a2fae11a28ab5d1c8b672b/html5/thumbnails/50.jpg)
(Dis)Honourable Mentions
● Control Flow Guard (CFG)
● Privacy Options
● Cumulative Updates
● Microsoft Cross-Signed Drivers
![Page 51: 44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back](https://reader031.fdocuments.net/reader031/viewer/2022030211/58a2fae11a28ab5d1c8b672b/html5/thumbnails/51.jpg)
Conclusions
2 steps forward, 1 step back. Still plenty of things to attack!
![Page 52: 44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back](https://reader031.fdocuments.net/reader031/viewer/2022030211/58a2fae11a28ab5d1c8b672b/html5/thumbnails/52.jpg)
DEMO: Local System Elevation
![Page 53: 44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back](https://reader031.fdocuments.net/reader031/viewer/2022030211/58a2fae11a28ab5d1c8b672b/html5/thumbnails/53.jpg)
Good Old Issue 222
https://code.google.com/p/google-security-research/issues/detail?id=222
![Page 54: 44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back](https://reader031.fdocuments.net/reader031/viewer/2022030211/58a2fae11a28ab5d1c8b672b/html5/thumbnails/54.jpg)
Questions?