DEP/ASLR in a kernel driver

Hello,
are the security features DEP, ASLR, SafeSEH and /GS available in kernel drivers?

For DLL and EXE files the Visual Studio tool dumpbin displays whether some of these features are activated. For user-space programs they are opt-in by default. The support seems to vary depending on the compilation target (x86/amd64).

/gs is available, /dep is not available, but in w8 the concept of non-executable np pool was introduced, /aslr doesn’t exist in km, and for /safeseh, support is there IIRC
d

Sent from phone


From: xxxxx@gmx.de
Sent: 12/10/2012 5:07 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] DEP/ASLR in a kernel driver

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

This article has some information about /GS (in German):
http://de.slideshare.net/johanneshoh/stack-und-heapoverflowschutz-bei-windows-xp-und-windows-vista#btnNext

“If the attacker has the opportunity to do a write access with size 4 byte before the cookie check is done it is possible to overwrite the master cookie with a known value. Because in the current implementation there are only 256 possible positions for the cookie and the memory range is writable, brute force attacks are feasible.”

A big security threat is that the attacker overwrites the exception handler and causes an exception. This should be prevented via SafeSEH. The article says that /GS without SafeSEH is useless. It refers to the user mode implementation, I don’t know whether it’s the same in kernel mode. 64 bit kernel code is always signed, but I would feel better with the checks implemented.

Are /GS and SafeSEH activated in device drivers by default? I didn’t find an option in build.exe.

I don’t think I get the comment " /aslr doesn’t exist in km". Don’t
the virtual addresses where the kernel and drivers are loaded change
for each boot session (much the same way the memory location of
ntdll, kernel32, etc. change on each boot)? If so, doesn’t it mean
address space randomization is indeed happening?

On Mon, Dec 10, 2012 at 7:30 AM, Doron Holan wrote:
> /gs is available, /dep is not available, but in w8 the concept of non-
> executable np pool was introduced, /aslr doesn’t exist in km, and for
> /safeseh, support is there IIRC
> d
>
> Sent from phone

There is no formal aslr in the kernel and I don’t think the linker lets you set the flag along with /driver. Drivers have never been able to rely on fixed addresses of other modules, so in effect, aslr has always been present since nt3.1

d


From: Puchu Pachok
Sent: 12/16/2012 1:01 AM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] DEP/ASLR in a kernel driver


Puchu Pachok wrote:
> I don’t think I get the comment " /aslr doesn’t exist in km". Don’t
> the virtual addresses where the kernel and drivers are loaded change
> for each boot session (much the same way the memory location of
> ntdll, kernel32, etc. change on each boot)? If so, doesn’t it mean
> address space randomization is indeed happening?

If your driver set doesn’t change, then all kernel drivers in your next
boot will have the same addresses they had in this boot. The boot
process is deterministic. Kernel32.dll is a user-mode DLL, where ASLR
makes the module address assignments non-deterministic.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

The kernel has provided ASLR for kernel mode modules since Vista SP1/WS08. The statements earlier in the thread aren’t fully correct for these and newer Windows versions. There is no need to opt in to kernel ASLR with the dynamicbase flag for kernel mode modules; it is automatically applied on supported kernels.

Prior to Vista SP1, drivers had no preferred base address but would tend to load at the same base address for a given static mix of drivers on a particular machine.

NX is also enforced for drivers. There is no need to set the nxcompat flag for kernel mode modules to opt in to this. If an allocation is not protected as executable in kernel mode, then it cannot be executed from unless the user completely disabled NX for the whole system with /noexecute=disable in the OS load options.

On Win8 and above, you can request non-executable pool allocations from NonPagedPool using the new NonPagedPoolNx pool type; http://msdn.microsoft.com/en-us/library/windows/hardware/hh920391(v=vs.85).aspx has details. There is a mechanism to request NX NP pool on Win8, while automatically falling back to executable NP pool on earlier OS versions within the same driver binary; see the MSDN link for details. Drivers built for architectures other than x86/amd64/ia64 (i.e., ARM) default to using NonPagedPoolNx for the NonPagedPool constant unless the NonPagedPoolExecute constant is used in source text.

Converting to NX pool is worth doing; your customers would much rather have a vulnerability exist and not be exploited than to be compromised from said issue, and NX pool raises the difficulty in writing working kernel exploit code.

- S (Msft)

From: Tim Roberts
Sent: 12/17/2012 9:58
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] DEP/ASLR in a kernel driver

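An added example, not code from anyone in this thread: it reads the same DllCharacteristics and Subsystem bits that the first post mentions dumpbin reporting, from a constructed minimal PE header rather than a real driver binary, and encodes the Microsoft reply's point that for a native-subsystem (kernel) image those bits are informational because the kernel applies ASLR and NX itself. The function names and the header builder are assumptions of this example.

```python
import struct

# Constants from winnt.h (IMAGE_FILE_HEADER / IMAGE_OPTIONAL_HEADER).
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_SUBSYSTEM_NATIVE = 1                      # kernel drivers link with /SUBSYSTEM:NATIVE
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # /DYNAMICBASE; dumpbin prints "Dynamic base"
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # /NXCOMPAT; dumpbin prints "NX compatible"
IMAGE_DLLCHARACTERISTICS_NO_SEH = 0x0400        # dumpbin prints "No structured exception handler"

def build_pe_header(machine, subsystem, dll_characteristics):
    """Constructed minimal PE image (DOS header, PE signature, COFF header and an
    optional header with no sections); only the fields parsed below are meaningful."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    pe32plus = machine == IMAGE_FILE_MACHINE_AMD64
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)      # Magic
    struct.pack_into("<HH", opt, 68, subsystem, dll_characteristics)  # same offsets in PE32 and PE32+
    return dos + b"PE\0\0" + coff + bytes(opt)

def pe_mitigation_flags(data):
    """Return what dumpbin /headers reports about the image's mitigation opt-in bits."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    opt = e_lfanew + 24                      # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unexpected optional header magic 0x%x" % magic)
    subsystem, dllchar = struct.unpack_from("<HH", data, opt + 68)
    arch = {IMAGE_FILE_MACHINE_I386: "x86", IMAGE_FILE_MACHINE_AMD64: "amd64"}.get(machine, hex(machine))
    return {"arch": arch,
            "native_subsystem": subsystem == IMAGE_SUBSYSTEM_NATIVE,
            "dynamic_base": bool(dllchar & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
            "nx_compat": bool(dllchar & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
            "no_seh": bool(dllchar & IMAGE_DLLCHARACTERISTICS_NO_SEH)}

def effective_kernel_mitigations(flags):
    """The thread's point, per the Microsoft reply: a native-subsystem (kernel) image
    gets ASLR (Vista SP1+) and NX from the kernel regardless of these bits; for a
    user-mode image the bits are treated here, simplified, as the per-image opt-in
    (kernel NX stays on unless the whole system boots with /noexecute=disable)."""
    if not flags["native_subsystem"]:
        return {"aslr": flags["dynamic_base"], "nx": flags["nx_compat"]}
    return {"aslr": True, "nx": True}
```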