Message-ID: <4D2CC131.4030301@gmail.com>
Date: Tue, 11 Jan 2011 21:44:33 +0100
From: j00ru <j00ru.vx@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Windows Kernel-mode GS Cookies subverted (paper)

Hi,

We've published a paper about reducing the effective entropy of GS
cookies found in the Windows drivers (both 32- and 64-bit). The document
aims to outline some of the techniques which can be employed to predict
the cookie value of a kernel module with up to 50% accuracy.
Experimental results included.

http://vexillium.org/dl.php?/Windows_Kernel-mode_GS_Cookies_subverted.pdf

More information is available on our blogs:
http://j00ru.vexillium.org/?p=690
http://gynvael.coldwind.pl/?id=371

Abstract: This paper describes various techniques that can be used to
reduce the effective entropy of GS cookies implemented in a certain
group of Windows kernel-mode executable images by roughly 99%, or
otherwise defeat it completely. This reduction is made possible due to
the fact that GS uses a number of extremely weak entropy sources, which
can be predicted by the attacker with varying (most often - very high)
degree of accuracy. In addition to presenting theoretical considerations
related to the problem, the paper also contains a great amount of
experimental results, showing the actual success / failure rate of
different cookie prediction techniques, as well as pieces of
hardware-related information. Furthermore, some of the possible problem
solutions are presented, together with a brief description of potential
attack vectors against these enhancements. Finally, the authors show how
the described material can be practically used to improve kernel
exploits’ reliability - taking the CVE-2010-4398 kernel vulnerability as
an interesting example.

Comments are welcome!

Take care,
Matt "j00ru" Jurczyk, Gynvael Coldwind

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/