Windows HIPS & LDF
Roberto Battistoni ([email protected])
Information Security Lessons 2012/2013 (prof. Luigi V. Mancini) – 12/12/2012
v Introduction to Windows internals
v Two open source projects:
o WHIPS: Windows Host Intrusion Prevention System
o FoXP: Computer Forensic eXPerience
Windows Seven is the evolution of Windows NT 4.0. The first OS based on the
NT technology was Windows NT 3.5 in 1993. NT was created from a Digital
Research project. Its name originally was “VMS NT”, then it was changed to
“Windows NT”.
Local Security Authority subsystem (Lsass): A user-mode process running the image “Lsass.exe” that is responsible for the local system security policy (such as which users are allowed to log on to the machine, password policies, privileges granted to users and groups, and the system security auditing settings), user authentication, and sending security audit messages to the Event Log.
Security reference monitor (SRM): A component in the Windows executive (Ntoskrnl.exe) that is responsible for defining the access token data structure to represent a security context, performing security access checks on objects, manipulating privileges (user rights), and generating any resulting security audit messages.
When a process tries to open an object, the integrity check takes place before the standard Windows DACL check in the kernel’s SeAccessCheck function because it is faster to execute and can quickly eliminate the need to perform the full discretionary access check. Given the default integrity policies, a process can only open an object for write access if its integrity level is equal to or higher than the object’s integrity level and the DACL also grants the process the accesses it desires.
Two methods are used for determining access to an object:
• The mandatory integrity check, which determines whether the integrity level of the caller is high enough to access the resource, based on the resource’s own integrity level and its mandatory policy (Biba?).
• The discretionary access check, which determines the access that a specific user account has to an object, as decided by the object’s owner.
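The two-step check described above, modelled in user-mode C as an added example (it is not code from the lecture or from WHIPS): the cheap integrity check runs first and the DACL is walked only if it passes. The access bits, integrity levels, SID numbers and ACE layout are constructed for the example and are not Windows' own definitions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Access mask bits; constructed for the example, not the real ACCESS_MASK values. */
#define ACC_READ  0x1u
#define ACC_WRITE 0x2u

/* Integrity levels ordered as in Windows: Low < Medium < High < System. */
enum integrity { IL_LOW, IL_MEDIUM, IL_HIGH, IL_SYSTEM };

enum ace_type { ACE_ALLOW, ACE_DENY };

struct ace {
    enum ace_type type;
    uint32_t sid;    /* trustee (user or group SID, constructed numbers) */
    uint32_t mask;   /* rights allowed or denied by this ACE */
};

struct token {             /* the caller's security context */
    enum integrity level;
    const uint32_t *sids;  /* user SID followed by group SIDs */
    size_t nsids;
};

struct object {
    enum integrity level;
    const struct ace *dacl;  /* NULL: no DACL at all, everyone gets everything */
    size_t nace;             /* 0 with a non-NULL dacl: empty DACL, nobody gets anything */
};

static bool token_has_sid(const struct token *t, uint32_t sid)
{
    for (size_t i = 0; i < t->nsids; i++)
        if (t->sids[i] == sid) return true;
    return false;
}

/* Step 1: mandatory integrity check with the default NoWriteUp policy: a
 * write needs subject level >= object level; reads are not restricted. */
bool integrity_check(const struct token *t, const struct object *o, uint32_t desired)
{
    return !(desired & ACC_WRITE) || t->level >= o->level;
}

/* Step 2: discretionary check. ACEs are walked in order (assumed canonical,
 * deny ACEs first); a matching deny ACE that covers any still-wanted right
 * fails the check, matching allow ACEs accumulate rights. */
bool dacl_check(const struct token *t, const struct object *o, uint32_t desired)
{
    if (o->dacl == NULL) return true;
    uint32_t remaining = desired;
    for (size_t i = 0; i < o->nace && remaining != 0; i++) {
        const struct ace *a = &o->dacl[i];
        if (!token_has_sid(t, a->sid)) continue;
        if (a->type == ACE_DENY && (a->mask & remaining)) return false;
        if (a->type == ACE_ALLOW) remaining &= ~a->mask;
    }
    return remaining == 0;
}

/* The order the slide attributes to SeAccessCheck: integrity check first,
 * and the DACL walk only when it passes. */
bool access_check(const struct token *t, const struct object *o, uint32_t desired)
{
    return integrity_check(t, o, desired) && dacl_check(t, o, desired);
}
```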
1 1 1 1 1 1
5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0
+-------------------------------------------------------------+
| SubAuthorityCount |Reserved1 (SBZ)| Revision |
+-------------------------------------------------------------+
| IdentifierAuthority[0] |
+-------------------------------------------------------------+
| IdentifierAuthority[1] |
+-------------------------------------------------------------+
| IdentifierAuthority[2] |
+-------------------------------------------------------------+
| |
+- - - - - - - - SubAuthority[] - - - - - - - - - +
| |
+-------------------------------------------------------------+
SIDs identify the entities that execute operations in the system and represent every user, group, machine or domain.
Possible identifier authority values are:
• 0 - Null Authority
• 1 - World Authority
• 2 - Local Authority
• 3 - Creator Authority
• 4 - Non-unique Authority
• 5 - NT Authority
• 9 - Resource Manager Authority
C:\>psgetsid Z24

PsGetSid v1.43 - Translates SIDs to names and vice versa
Copyright (C) 1999-2006 Mark Russinovich
Sysinternals - www.sysinternals.com

SID for WAM2\Z24:
S-1-5-21-1993962763-2139871995-725345543-1003
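The SID layout and the psgetsid output above, decoded by an added example that is not part of the lecture: it parses a binary SID (Revision, SubAuthorityCount, 48-bit big-endian IdentifierAuthority, little-endian 32-bit SubAuthority[]) into the S-R-I-S... string form and names the identifier authority. The byte array is a constructed encoding of the SID printed above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SID_MAX_SUB_AUTHORITIES 15

/* Names for the identifier authority values listed on the slide. */
const char *authority_name(uint64_t authority)
{
    switch (authority) {
    case 0: return "Null Authority";
    case 1: return "World Authority";
    case 2: return "Local Authority";
    case 3: return "Creator Authority";
    case 4: return "Non-unique Authority";
    case 5: return "NT Authority";
    case 9: return "Resource Manager Authority";
    default: return "Unknown";
    }
}

/* Render a binary SID as "S-R-I-S1-S2-...". Byte 0 is Revision, byte 1
 * SubAuthorityCount, bytes 2..7 IdentifierAuthority (big-endian), followed
 * by SubAuthorityCount little-endian 32-bit sub-authorities. Returns the
 * string length, or -1 when the buffer is malformed (wrong revision, too
 * many sub-authorities, shorter than the header claims) or out is too small. */
int sid_to_string(const uint8_t *sid, size_t len, char *out, size_t outlen)
{
    if (len < 8 || sid[0] != 1) return -1;
    uint8_t count = sid[1];
    if (count > SID_MAX_SUB_AUTHORITIES || len < 8 + 4u * count) return -1;

    uint64_t authority = 0;
    for (int i = 0; i < 6; i++)
        authority = (authority << 8) | sid[2 + i];

    int n = snprintf(out, outlen, "S-%u-%llu", (unsigned)sid[0], (unsigned long long)authority);
    if (n < 0 || (size_t)n >= outlen) return -1;

    for (uint8_t i = 0; i < count; i++) {
        const uint8_t *p = sid + 8 + 4 * i;
        uint32_t sub = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                       ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
        int m = snprintf(out + n, outlen - (size_t)n, "-%u", (unsigned)sub);
        if (m < 0 || (size_t)m >= outlen - (size_t)n) return -1;
        n += m;
    }
    return n;
}

/* Constructed binary form of the SID psgetsid printed on the slide:
 * S-1-5-21-1993962763-2139871995-725345543-1003 */
const uint8_t WAM2_Z24_SID[] = {
    0x01, 0x05,                          /* Revision 1, 5 sub-authorities */
    0x00, 0x00, 0x00, 0x00, 0x00, 0x05,  /* IdentifierAuthority 5 = NT Authority */
    0x15, 0x00, 0x00, 0x00,              /* 21 */
    0x0B, 0x75, 0xD9, 0x76,              /* 1993962763 */
    0xFB, 0xDA, 0x8B, 0x7F,              /* 2139871995 */
    0x07, 0xE5, 0x3B, 0x2B,              /* 725345543 */
    0xEB, 0x03, 0x00, 0x00               /* 1003, the RID of Z24 */
};
const size_t WAM2_Z24_SID_LEN = sizeof WAM2_Z24_SID;

int main(void)
{
    char buf[128];
    if (sid_to_string(WAM2_Z24_SID, WAM2_Z24_SID_LEN, buf, sizeof buf) < 0) return 1;
    printf("%s (%s)\n", buf, authority_name(5));
    return 0;
}
```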
§ The protection context of a process or a thread is built from information describing its privileges, account and groups, and it is represented by the Access Token.
§ A privilege in Windows is the right to perform an operation on the whole system, without distinction among the objects in it.
§ The Security Reference Monitor (SRM) uses the Access Tokens to allow or deny access to the system objects according to the protection context of the process or thread;
§ All the programs (processes) opened by the user inherit a copy of the initial token made at the user’s log-on and at the creation of the user’s shell (explorer.exe);
§ There are two kinds of Access Token: Primary Token and Impersonation Token
• Impersonation allows the security context of a process or a thread to be migrated. A process inherits the primary token or it receives a new impersonation token;
• In Windows (>= Vista), if a user belongs to Administrators, the process assigned to the user has two distinct Access Tokens: one with user rights and the other one with Administrator rights. The mechanism that allows the needed Access Token to be chosen is called UAC (User Account Control)
Discretionary Access Control List (DACL): An access control list that is controlled by the owner of an object and that specifies the access particular users or groups can have to the object. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject.
A system access control list (SACL) enables administrators to log attempts to access a secured object.
A security descriptor contains the security information associated with a securable object. A security descriptor consists of a SECURITY_DESCRIPTOR structure and its associated security information. A security descriptor can include the following security information:
• Security identifiers (SIDs) for the owner and primary group of an object.
• A DACL that specifies the access rights allowed or denied to particular users or groups.
• A SACL that specifies the types of access attempts that generate audit records for the object.
• A set of control bits that qualify the meaning of a security descriptor or its individual members.
• A privileged process is a process to which some “Windows privileges” have been assigned.
• A privileged process with dangerous privileges is a dangerous process.
• Windows Services, which are very similar to Unix daemons, are dangerous processes.
• Almost all the Windows 2000 Services authenticated with a very highly privileged account: LocalSystem. LocalSystem belongs to the Administrators group.
• Starting from Windows XP, a lot of Windows Services use two new less privileged accounts to authenticate themselves: LocalService and NetworkService.
• A Service vulnerability allows a malicious user to gain the rights of LocalSystem, LocalService or NetworkService. A lot of attacks are made against Services that are listening on TCP ports: Privilege Escalation.
• System calls are critical when they can be used by malware or a hacker. They are dangerous if used in attacks and called by a dangerous process like a Service.
• S-1-5-18: Local System
• S-1-5-19: Local Service
• S-1-5-20: Network Service
• S-1-5-80: Per Service SID
Check: whether a group SID equal to the Service SID “S-1-5-6” exists.
ntdll!ZwReadFile:
77f8c552 mov eax,0xa1
77f8c557 lea edx,[esp+0x4]
77f8c55b int 2e
77f8c55d ret 0x24
• Native APIs are exported by the Windows Kernel with two different name prefixes: Zw* and Nt*. The former always go through the dispatcher “KiSystemService()”, the latter do not.
• Not all the native APIs are exported by NTOSKRNL.LIB (in the Windows DDK). In some cases you have to use the API’s physical address in the kernel.
• To invoke a native API it was necessary to raise an interrupt: 0x2E. Now (from XP) it is no longer used and the code directly executes a CPU instruction called SYSENTER.
“Newer versions of Windows no longer use INT 2E or go through the IDT to request the services in the system call table. Instead, they use the fast call method.
In this case, NTDLL loads the EAX register with the system call number of the requested service and the EDX register with the current stack pointer, ESP. NTDLL then issues the Intel instruction SYSENTER.”
ntdll!ZwReadFile:
77f4302f mov eax,0xbf
77f43034 mov edx,0x7ffe0300
77f43039 call edx
77f4303b ret 0x24
SharedUserData!SystemCallStub:
7ffe0300 mov edx,esp
7ffe0302 sysenter
7ffe0304 ret
[Figure: attack scenario. Labels: LAN, Intranet, Internet, local attack; Here is the Windows Service to attack; WHIPS; Malicious Native API; Good Native API; OK]
WHIPS replaces the original native pointers in the SSDT with pointers to new native APIs called “WHIPS wrappers”, whose names start with “NewNt....”.
• Pointer initialization
• Syscall Index Set data structures
• Memory mapping (MDL)
• Service control message
• SST Protection (from Windows XP)
• Control Register 0 (write protection) disabling
• SST update with Interlocked operation (multiprocessor safe)
#define HOOK_SYSCALL(_Function, _Hook, _Orig ) _Orig = (PVOID) InterlockedExchange((PLONG) &MappedSystemCallTable[SYSCALL_INDEX(_Function)], (LONG) _Hook)
• How many parameters does a syscall have?
• HookPacket structure
• ReferenceMonitor call
• Retrieving the calling User Mode Process within the Syscall
• Executive Process Block structure
• Query process information
• Retrieving process executable image path
• To increase:
  • Stability
  • Reliability (still not so high)
  • Performance
• Security issues
  • Secure boot
  • Non-paged memory amount
  • Authentication between components
  • Integrity and availability of used files
  • Secure channel communication
v Completeness: system has to collect enough information to intercept the user’s activity
v Integrity: nobody can modify the log without being properly authorized
v Authenticity: logs have to be authenticated
v Non bypassable: nobody can escape the log activity or stop the logging without authorization
v Transparency: logging has to be invisible to the user
v Reproducibility: knowing for every activity “who” and “what”
v Efficiency: minimizing the log dimension and the node overhead.
LDF (Live Digital Forensic) has three key aspects related to the “Live” part:
• Continuity: shutting down a system could represent a big problem in environments that cannot be stopped;
• Real Time analysis: LDF intercepts activities while the system is running and no one knows about it; it can allow the CF expert and the admin to analyze (in real time) what happens and to prevent malicious activities;
• Proactivity: in classic Computer Forensics the approach is only “Reactive”, whereas in LDF it is “Proactive”.
u Usage of System Call interposition for Computer Forensic purposes
u Real Time System Call interception leads to Live Digital Forensic (LDF)
u Distributed collection of intercepted system calls
u The prototype (FOXP) is released as an open source project
FOXP: an open source Computer Forensic system for Windows networks where every node has a Windows NT family OS.
Scenario:
• N controlled nodes, every node sends its logs to the central server
• A server node receives node logs and organizes them into an RDBMS
• RDBMS for data collection: it is a support for a better forensic analysis
Client Side: logger component collects and sends data to the central server (Windows NT family OS)
Secure Communication: to provide authenticity, integrity and confidentiality
Server Side: a server application that collects data sent from various clients; this data is available for forensic analysis
[Figure: FOXP architecture diagram. Labels: Logging syscall; Mgmt Console; Node j; Command; Audit Server; To Analyze States & Logs; States & Logs]
FOXP Mgmt Service (FOXP-MS): it manages the Agent and the Logger on every node as well as their communications with the centralized server of the architecture:
• It receives commands from the Mgmt Console for the Agent rules update;
• It forwards commands directly to the Logger;
• It sends node live state to the Audit Server;
• It receives messages from the Agent and sends commands to the Logger;
• It sends to the Collector Server the data collected from the Logger.
[Figure: node components diagram. Arrow labels: Node Live state; Agent rules update; Data collected]
• FOXP Agent (FOXP-A): it is like an IDS that executes basic analysis of node activities (all the agents realize a Distributed IDS). If an anomaly is detected, then the logging is activated;
• FOXP Logger (FOXP-L): it intercepts the system calls invoked on the node and keeps track of them in a logging file;
• FOXP Collector Server (FOXP-CS): it receives and stores logs from every network node;
• FOXP Audit Server (FOXP-AS): it receives and stores the state of the nodes. It receives commands from the FOXP-MC and forwards them to the FOXP-MS of the destination nodes;
• FOXP Management Console (FOXP-MC): it remotely manages network nodes communicating with the FOXP-MS on every node. It monitors the state of the nodes, configures and updates the Agent rules, manages the FOXP-Logger;
• FOXP Forensic Analysis Tools (FOXP-FAT): it executes the analysis of the collected logs and states.
• It is the WHIPS core function
• Interception technique extended to all the 284 system calls of Windows XP and VISTA and Seven (we hope...)
• It uses the system call index instead of its explicit name
Ø Assessing the efficiency and efficacy of the FOXP system with more experimentations;
Ø Classifying the system calls according to their level of dangerousness;
Ø Communication security with authenticity and non-repudiability of collected logs is currently under investigation and will be presented in a different paper.
See you next week…maybe!
• This security model is directed toward data integrity (rather than confidentiality) and is characterized by the phrase: "no read down, no write up". This is in contrast to the Bell-LaPadula model which is characterized by the phrase "no write down, no read up".
• In the Biba model, users can only create content at or below their own integrity level (a monk may write a prayer book that can be read by commoners, but not one to be read by a high priest). Conversely, users can only view content at or above their own integrity level.
• The Biba model defines a set of security rules similar to the Bell-LaPadula model. These rules are the reverse of the Bell-LaPadula rules:
o The Simple Integrity Axiom states that a subject at a given level of integrity must not read an object at a lower integrity level (no read down).
o The * (star) Integrity Axiom states that a subject at a given level of integrity must not write to any object at a higher level of integrity (no write up).
• CPU Cycle Counting: In Windows Vista, the scheduler uses the cycle counter register of modern processors to track precisely how many CPU cycles a thread executes.
• Multimedia Class Scheduler Service: Windows Vista introduces MMCSS to manage the CPU priorities of multimedia threads. A multimedia app like Windows Media® Player 11 registers with MMCSS using new APIs that indicate its multimedia characteristics. MMCSS has a priority-management thread that runs at priority 27. This thread boosts the priority of registered multimedia threads.
• File-Based Symbolic Links: The Windows Vista I/O-related changes include file-based symbolic links, more efficient I/O completion processing, comprehensive support for I/O cancellation, and prioritized I/O.
• I/O Completion and Cancellation: There are a number of under-the-hood changes to the I/O system that can improve the performance of server applications. These applications commonly use a synchronization object called a completion port to wait for the completion of asynchronous I/O requests. On Windows Vista, the I/O completion processing is performed not necessarily by the thread that issued the I/O, but instead by the one that is waiting for the completion port to wake it up.
• I/O Priority: While Windows has always supported prioritization of CPU usage, it hasn't included the concept of I/O priority. Windows Vista introduces two new types of I/O prioritization in order to help make foreground I/O operations get preference: priority on individual I/O operations and I/O bandwidth reservations.
• SuperFetch: Windows XP introduced prefetching support that improved boot and application startup performance by performing large disk I/Os to preload memory with code and file system data that it expected, based on previous boots and application launches. Windows Vista goes a big step further with SuperFetch, a memory management scheme that enhances the least-recently accessed approach with historical information and proactive memory management.
• ReadyBoost: While RAM is ideal for caching disk data, it is relatively expensive. Flash memory, however, is generally cheaper and can service random reads up to 10 times faster than a typical hard disk. Windows Vista, therefore, includes a feature called ReadyBoost to take advantage of flash memory storage devices by creating an intermediate caching layer on them that logically sits between memory and disks.
• ReadyBoot: After every boot, the ReadyBoost service (the same service that implements the ReadyBoost feature just described) uses idle CPU time to calculate a boot-time caching plan for the next boot. It analyzes file trace information from the five previous boots and identifies which files were accessed and where they are located on disk.
• Dynamic Kernel Address Space: In 32-bit Windows Vista, the Memory Manager dynamically manages the kernel's address space, allocating and deallocating space to various uses as the demands of the workload require. Thus, the amount of virtual memory used to store paged buffers can grow when device drivers ask for more, and it can shrink when the drivers release it.
• Memory Priorities: Just as Windows Vista adds I/O priorities, it also implements memory priorities. On Windows Vista, every page of memory has a priority in the range of 0 to 7, and so the Memory Manager divides the Standby List into eight lists that each store pages of a particular priority. When the Memory Manager wants to take a page from the Standby List, it takes pages from low-priority lists first.
• Boot Configuration Database: Startup has improved with the introduction of the Boot Configuration Database (BCD) for storing system and OS startup configuration, a new flow and organization of system startup processes, new logon architecture, and support for delayed-autostart services. Windows Vista shutdown changes include pre-shutdown notification for Windows services, Windows services shutdown ordering, and a significant change to the way the OS manages power state transitions.
• Startup Processes: Several system processes were re-architected for Windows Vista. Session Manager (Smss.exe) is the first user-mode process created during the boot as in previous versions of Windows, but on Windows Vista the Session Manager launches a second instance of itself to configure Session 0, which is dedicated solely to system processes. The Session Manager process for Session 0 launches the Windows Startup Application (Wininit.exe), a Windows subsystem process (Csrss.exe) for Session 0, and then it exits. The Windows Startup Application continues by starting the Service Control Manager, the Local Security Authority Subsystem, and a new process, Local Session Manager (Lsm.exe), which manages terminal server connections for the machine.
• Credential Providers: Instead of a GINA, Windows Vista uses the new Credential Provider architecture.
• Delayed-Autostart Services: Windows Vista introduces a new service start type called delayed automatic start, which services can use if they don't have to be active immediately after Windows boots.
• Shutdown: Some services, like those that have network-related shutdown operations or have to save large amounts of data to disk, might require more time and so Windows Vista allows a service to request pre-shutdown notification.
• Power Management: In Windows Vista, the kernel's Power Manager still informs drivers and applications of power-state changes so that they can prepare for them, but it no longer asks for permission.
• Kernel Transaction Manager: When an application wants to make a number of related changes, it can either create a Distributed Transaction Coordinator (DTC) transaction and a KTM transaction handle, or create a KTM handle directly and associate the modifications of the files and registry keys with the transaction.
• Enhanced Crash Support: Windows Vista reduces the window of time where no dump file is generated by initializing dump file support after all the boot-start device drivers are initialized but before loading system-start drivers.
• Volume Shadow Copy: Windows XP introduced a technology called Volume Shadow Copy to make point-in-time snapshots of disk volumes. Windows Vista also takes advantage of volume snapshots to unify user and system data protection mechanisms and avoid saving redundant backup data.
• BitLocker: Windows Vista introduces a full-volume encryption feature called Windows BitLocker Drive Encryption. Unlike EFS, which is implemented by the NTFS file system driver and operates at the file level, BitLocker encrypts at the volume level using the Full Volume Encryption (FVE) driver.
• Code Integrity Verification: The Windows Vista code integrity for kernel-mode code feature, also known as kernel-mode code signing (KMCS), only allows device drivers to load if they are published and digitally signed by developers who have been vetted by one of a handful of certificate authorities (CAs). KMCS is enforced by default on Windows Vista for 64-bit systems.
• Protected Processes: Protected processes restrict access to a limited set of informational and process management interfaces that include querying the process's image name and terminating or suspending the process.
• Address Space Load Randomization: The Windows Vista Address Space Load Randomization (ASLR) feature makes it impossible for malware to know where APIs are located by loading system DLLs and executables at a different location every time the system boots.
• WHIPS Driver
  • Developed in ANSI C with the Windows Driver Development Kit (DDK);
  • Boot-time loading.
• WHIPS Service
  • Developed in C# on the Microsoft .NET 2.0;
  • Proxy between Driver and GUI.
• WHIPS Agent and minimal GUI Application
  • Developed in C# on the Microsoft .NET 2.0;
  • Notifications from the driver;
  • Configuration of the driver policy.
• Installation • InstallUtil.exe
• Windows Registry entry
• Automatic starting
• LocalSystem account
• It extends ServiceBase Class
• Developed in C#
using System.ServiceProcess;

// The WHIPS Service: a Windows service hosted by the Service Control Manager.
public class WHIPSService : ServiceBase {
    public WHIPSService() {
        this.ServiceName = "WhipsService";
        this.CanStop = true;
    }

    // Entry point: hands the service instance to the SCM.
    public static void Main() {
        ServiceBase.Run(new WHIPSService());
    }
}
• Like a reference monitor
• Game management
• App2Drv/Drv2App IRPs
• Overlapped (Asynchronous IO)
• Named Pipe Manager
• Communication events
Macro to exchange pointers in SSDT:
#define HOOK(APIName, NewAPIPtr, OldAPIPtr) OldAPIPtr=ExchangePointers(&SSDT[Index(APIName)],NewAPIPtr)
…
HOOK( ZwOpenFile , NewZwOpenFile , OldZwOpenFile );
Example of a new native API: NewZwOpenFile:
NTSTATUS NewZwOpenFile(OUT PHANDLE phFile, …, IN ULONG OpenMode)
{
    /* log the call, then pass it on to the original native API */
    doLog("ZwOpenFile", phFile, …, OpenMode);
    return OldZwOpenFile(phFile, …, OpenMode);
}
Internet Explorer Remote Code Execution Exploit v 0.1
<input type="checkbox" id='a'>
<script>
-- malicious code --
var r = document.getElementById('a').createTextRange();
</script>
NtOpenFile (
OUT PHANDLE phFile:34c|IN ACCESS_MASK DesiredAccess:1000a1|
IN POBJECT_ATTRIBUTES ObjectAttributes:/??/C:/WINDOWS/system32/cmd.exe|
OUT PIO_STATUS_BLOCK pIoStatusBlock:0|IN ULONG ShareMode:5|
IN ULONG OpenMode:60
) called by:
/Device/HarddiskVolume2/Program/Internet Explorer/IEXPLORE.EXE
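A parser and detection rule for the logged record above, as an added example that is not WHIPS code: it assumes the record has been joined onto one line in the form "<API> (<IN|OUT> <TYPE> <name>:<value>|...) called by:<image path>", with no ')' inside values, and flags the browser image asking NtOpenFile for the command interpreter. The record constant is the slide's entry re-typed in that form.

```c
#include <stdbool.h>
#include <string.h>
#include <strings.h>

/* Constructed record: the slide's NtOpenFile entry joined onto one line. */
const char *ALERT_RECORD =
    "NtOpenFile (OUT PHANDLE phFile:34c|IN ACCESS_MASK DesiredAccess:1000a1|"
    "IN POBJECT_ATTRIBUTES ObjectAttributes:/??/C:/WINDOWS/system32/cmd.exe|"
    "OUT PIO_STATUS_BLOCK pIoStatusBlock:0|IN ULONG ShareMode:5|"
    "IN ULONG OpenMode:60) called by:"
    "/Device/HarddiskVolume2/Program/Internet Explorer/IEXPLORE.EXE";

/* Copy the characters in [s, e) into out as a C string. */
static bool copy_span(const char *s, const char *e, char *out, size_t outlen)
{
    size_t n = (size_t)(e - s);
    if (n >= outlen) return false;
    memcpy(out, s, n);
    out[n] = '\0';
    return true;
}

/* Native API name: the text before the first space or '('. */
bool get_syscall(const char *rec, char *out, size_t outlen)
{
    size_t n = strcspn(rec, " (");
    return n > 0 && copy_span(rec, rec + n, out, outlen);
}

/* Image path of the calling process: the text after "called by:". */
bool get_caller(const char *rec, char *out, size_t outlen)
{
    const char *tag = strstr(rec, "called by:");
    return tag != NULL && copy_span(tag + 10, tag + strlen(tag), out, outlen);
}

/* Value of the named parameter inside the parentheses. Fields are '|'-separated;
 * the name is the word right before a field's first ':', so a value such as
 * "C:/..." that itself contains ':' survives intact. */
bool get_param(const char *rec, const char *name, char *out, size_t outlen)
{
    const char *open = strchr(rec, '(');
    const char *close = open ? strchr(open, ')') : NULL;
    if (!open || !close) return false;
    for (const char *p = open + 1; p < close; ) {
        const char *end = memchr(p, '|', (size_t)(close - p));
        if (!end) end = close;
        const char *colon = memchr(p, ':', (size_t)(end - p));
        if (colon) {
            const char *nm = colon;  /* walk back to the start of the name */
            while (nm > p && nm[-1] != ' ') nm--;
            if (strlen(name) == (size_t)(colon - nm) && memcmp(nm, name, strlen(name)) == 0)
                return copy_span(colon + 1, end, out, outlen);
        }
        p = end + 1;
    }
    return false;
}

/* Detection rule for the scenario on the slide: the browser image asking
 * NtOpenFile for the command interpreter (file names compared case-insensitively). */
bool is_suspicious(const char *rec)
{
    char sc[64], target[256], caller[256];
    if (!get_syscall(rec, sc, sizeof sc) || strcmp(sc, "NtOpenFile") != 0) return false;
    if (!get_param(rec, "ObjectAttributes", target, sizeof target)) return false;
    if (!get_caller(rec, caller, sizeof caller)) return false;
    const char *img = strrchr(caller, '/'), *obj = strrchr(target, '/');
    return img && obj && strcasecmp(img + 1, "IEXPLORE.EXE") == 0 && strcasecmp(obj + 1, "cmd.exe") == 0;
}
```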