[Full-disclosure] Windows Kernel-mode GS Cookies subverted (paper)


We've published a paper about reducing the effective entropy of GS
cookies found in the Windows drivers (both 32 and 64bits). The document
aims to outline some of the techniques, which can be employed to predict
the cookie value of a kernel module with up to 50% accuracy.
Experimental results included.


More information is available on our blogs:

Abstract: This paper describes various techniques that can be used to
reduce the effective entropy of GS cookies implemented in a certain
group of Windows kernel-mode executable images by roughly 99%, or
otherwise defeat it completely. This reduction is made possible due to
the fact that GS uses a number of extremely weak entropy sources, which
can be predicted by the attacker with varying (most often - very high)
degree of accuracy. In addition to presenting theoretical considerations
related to the problem, the paper also contains a great amount of
experimental results, showing the actual success / failure rate of
different cookie prediction techniques, as well as pieces of
hardware-related information. Furthermore, some of the possible problem
solutions are presented, together with a brief description of potential
attack vectors against these enhancements. Finally, the authors show how
the described material can be practically used to improve kernel
exploits’ reliability - taking the CVE-2010-4398 kernel vulnerability as
an interesting example.

Comments are welcome!

Take care,
Matt "j00ru" Jurczyk, Gynvael Coldwind

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Relevant Pages

  • Re: udev and devfs - The final word
    ... As each device driver loads and registers with the kernel, ... 'cookies' can be written out to keep them separately ID'd. ... e.g. increasing error rates and aging silicon will ... send the line "unsubscribe linux-kernel" in ...
  • Re: udev and devfs - The final word
    ... > A third driver has no stable information at all about the device. ... Yes, device numbers are cookies, but a reasonable ... Either the kernel can make a guarantee, or it should very much not make a ... What about kernel upgrades? ...
  • Re: udev and devfs - The final word
    ... On Wed, 2003-12-31 at 14:23, Greg KH wrote: ... > cookies and never need to be inspected except in very small parts of ... kernel can pull that number from anywhere, ... send the line "unsubscribe linux-kernel" in ...