Finding a Weak Link: Attacking Windows OEM Kernel Drivers - Braden Hollembaek, Adam Pond Derbycon 2016 (Hacking Illustrated Series InfoSec Tutorial Videos)


The security of OEM drivers is an often-overlooked blind spot that undermines platform hardening efforts. To show that the rigorous security development lifecycle applied to Microsoft-developed software does not extend to the OEM developers that bundle kernel drivers with their hardware, we developed tools, methods, and techniques to efficiently produce exploitable kernel driver vulnerabilities on our fully patched Windows 10 installations. This talk dives into the methodology and tools we created, as well as the vulnerabilities we found during this investigation. We take a close look at effective driver fuzzing and at how the modifications we made to a public fuzzing tool resulted in exploitable crashes. We introduce and demo our new IDA Pro plugin, DriverBuddy, which automates much of the repetitive tedium involved in kernel driver reverse engineering. We then discuss vulnerability analysis techniques, such as the efficient triaging of crash dumps and patterns of exploitability. Finally, we discuss the results of our methods by analyzing some of the vulnerabilities we discovered and deep-diving an exploit against our Windows 10 laptops that allows us, as an unprivileged user, to map and read physical memory, including the kernel memory containing the BitLocker AES key.

Braden Hollembaek: Braden is a Senior Security Consultant for NCC Group with a focus on black-box binary testing and C/C++ code review. Previously, Braden worked as a researcher in the OSIRIS information security lab at the University of Oregon, where he worked on applied SSL/TLS security. Adam Pond: Adam Pond is a security consultant at NCC Group with a focus on native application security testing and reverse engineering.

Braden Hollembaek - @bhollemb, Adam Pond - @pondsploit

If you would like to republish one of the articles from this site on your webpage or print journal please contact IronGeek.

Copyright 2016, IronGeek
Louisville / Kentuckiana Information Security Enthusiast