Matousec has been one of these unsung Internet heroes for some time already. I know them from actively testing Windows software firewalls and openly sharing both the test results and the testing methods on their website. But what may have started in 2006 as a small security software testing group has by now matured into a cutting edge research crew.
They published a somewhat groundbreaking vulnerability advisory, 2010-05-05.01, on their website last week. The vulnerability and the attack are explained in the accompanying article entitled KHOBE – 8.0 Earthquake For Windows Desktop Security Software.
Matousec did not publicly release the KHOBE engine code with all the research implemented, but apparently they have created a tool that successfully bypasses the majority, if not almost all, of the kernel mode security checks performed by current Windows security software. Think malware checks by the anti-virus software, traffic content checks by the software firewall: all bypassed at the final frontier, in kernel mode.
In short, the attack exploits a specific type of race condition known as a time-of-check-to-time-of-use (TOCTTOU) bug, which (apparently almost constantly) occurs when Windows security software performs its various checks on application behaviour. The attack class was documented already in 1996 in the Checking for Race Conditions in File Accesses (PDF) paper by Matt Bishop and Michael Dilger, and the vulnerability was detailed further by Andrey Kolishak at the end of 2003 in his Bugtraq mailing list post entitled TOCTOU with NT System Service Hooking.
The attack happens at the thread level, in the grey area between user mode and kernel mode where application threads call various operating system services in order to install and execute correctly on the system. That is where modern security software appears as additional, hooked functionality of the operating system, usually adding some type of mandatory access control to calls that touch the Windows registry, running processes and files, among other things.
The security applications usually modify the System Service Descriptor Table (SSDT) in Windows, replacing various entries in the table so that the calls and the parameters passed to these services are examined by the security application before the original service runs. Matousec presented calls to load system drivers and calls to terminate processes as examples, but many other calls get intercepted by similar methods.
The vulnerability is largely due to the fact that although the hooks run in kernel mode, the actual memory buffers and parameter contents of the calls remain in the user mode address space and are therefore still writable by the attacker while the hook inspects them. The attacker needs two threads: one makes the call, the other manipulates the buffer or parameter concurrently while the security hook is checking it. The attacker passes a legitimate value, the hook validates it as acceptable, and then the concurrently substituted malicious value is what actually reaches and gets processed by the called system service. In the classic terminology this is a double fetch: the hook reads the argument once for the check and the original service reads it again for the use, and anything the attacker changes between the two reads goes unchecked.
Sounds theoretical, and applicable only with good luck under the famous "specific conditions"? According to Matousec the current version of the KHOBE engine successfully and reliably bypassed the tested security checks in ALL tested software on Windows XP SP3 and Windows Vista SP1 systems running on 32-bit hardware. They point out that with some "smart manipulation" of thread priorities, and with the ever more common multicore/multiprocessor hardware allowing them to literally run the attack threads in parallel with the security threads, they are able to hit the race window reliably in a matter of seconds.
Do not sleep on the bolded comment Matousec made when listing the known affected products: due to "time limitation" only a limited number of products were tested, but they suspect that the majority of Windows security software is or was vulnerable to the attack. Matousec also states that the KHOBE engine should work equally on Windows 7 and on 64-bit hardware, but this has not been tested yet. Apparently the currently used methods of hooking security functionality into both user mode and kernel mode are vulnerable by design, regardless of platform version.
Matousec did not publish their suggested solution publicly, but my guess is this will be hard to fix. The first thing that comes to mind is limiting the time the checks take in order to narrow the race window, but obviously that is only a mitigation, not a solution. Maybe the memory areas under examination could be locked for the time it takes to verify them. The textbook answer to this class of double fetch is for the hook to copy the arguments out of user mode into kernel memory once, validate the copy, and pass that copy (never the user buffer) on to the original service; that removes the second read the attacker races against, but it means every hook has to be written that way. In any case there is very little a system administrator or a user can do. The changes needed here have to happen in the operating system or in the security software.
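To make the double fetch described above, and the capture-then-check remedy, concrete, here is an added example in C. It is my own illustration, not Matousec's KHOBE engine or any vendor's hook code. It models an SSDT-style hook on a driver-load service whose policy (assumed for the example) allows only drivers under C:\trusted\. The attacker's second thread is stood in for by a callback that runs in the window between the hook's check and the service's use, which makes the race deterministic here; on real hardware that window is hit by timing and CPU parallelism, as Matousec describes. The vulnerable hook validates the user-mode buffer and then lets the service read the same buffer again; the fixed hook captures the argument into kernel-owned storage first.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Added example, not Matousec's code. Models the double fetch that a
 * kernel-mode SSDT hook commits when it validates an argument that still
 * lives in user-mode memory and then lets the real service read that same
 * memory again. The attacker's second thread is modelled by an explicit
 * callback invoked in the window between check and use; on real hardware
 * the window is hit by timing, not by a call. */

#define PATH_MAX_LEN 64

typedef void (*race_window_fn)(char *user_buf);

/* Assumed policy of the security product: only drivers under this
 * directory may be loaded. */
static bool path_is_allowed(const char *path)
{
    return strncmp(path, "C:\\trusted\\", 11) == 0;
}

/* Stand-in for the original NtLoadDriver-like service: records the path
 * it actually acted on. */
static char loaded_path[PATH_MAX_LEN];

static int real_load_driver(const char *path)
{
    strncpy(loaded_path, path, PATH_MAX_LEN - 1);
    loaded_path[PATH_MAX_LEN - 1] = '\0';
    return 0;
}

/* Vulnerable hook: checks user_buf, then passes user_buf itself on. */
static int hooked_load_driver_vulnerable(char *user_buf, race_window_fn attacker)
{
    if (!path_is_allowed(user_buf))      /* time of check: first read of user memory */
        return -1;
    if (attacker) attacker(user_buf);    /* attacker thread flips the buffer here */
    return real_load_driver(user_buf);   /* time of use: second read of user memory */
}

/* Fixed hook: capture once into memory the attacker cannot reach,
 * validate the copy, and hand the copy (never the user buffer) onward. */
static int hooked_load_driver_fixed(char *user_buf, race_window_fn attacker)
{
    char captured[PATH_MAX_LEN];
    strncpy(captured, user_buf, PATH_MAX_LEN - 1);
    captured[PATH_MAX_LEN - 1] = '\0';
    if (!path_is_allowed(captured))
        return -1;
    if (attacker) attacker(user_buf);    /* same window, but user_buf is no longer read */
    return real_load_driver(captured);
}

/* The attacker's second thread: overwrite the path after it was approved. */
static void flip_to_malicious(char *user_buf)
{
    strcpy(user_buf, "C:\\evil\\rootkit.sys");
}

/* Runs the attack against the given hook and returns the path the service
 * ended up loading, or NULL if the hook rejected the call. */
static const char *run_attack(int (*hook)(char *, race_window_fn))
{
    char user_buf[PATH_MAX_LEN] = "C:\\trusted\\good.sys";  /* constructed input */
    loaded_path[0] = '\0';
    if (hook(user_buf, flip_to_malicious) != 0)
        return NULL;
    return loaded_path;
}

int main(void)
{
    printf("vulnerable hook loaded: %s\n", run_attack(hooked_load_driver_vulnerable));
    printf("fixed hook loaded:      %s\n", run_attack(hooked_load_driver_fixed));
    return 0;
}
```

The vulnerable hook approves C:\trusted\good.sys but the service loads C:\evil\rootkit.sys; the fixed hook loads exactly what it checked. Note that in a real driver the capture step also has to probe that the user address range is readable before copying, and the same pattern applies to every argument the hook inspects, not just paths.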
Symantec, by the way, has acknowledged the validity of the attack in a communication sent to their enterprise customers. They do not, however, consider it a vulnerability in their products for now, but rather (a bit confusingly) a problem present in "any product that implements kernel-mode hooking". As mitigation they recommend hardening the other layers of defense in order to prevent this type of malicious code from getting onto the system in the first place.