DEP/ASLR in a kernel driver

Chris_Troester Member Posts: 20
Hello,
are the security features DEP, ASLR, SafeSEH and /GS available in kernel drivers?

For DLL and EXE files the Visual Studio tool dumpbin displays whether some of these features are activated. For user-space programs they are opt-in by default. The support seems to vary depending on the compilation target (x86/amd64).

Comments

  • Doron_Holan Member - All Emails Posts: 10,410
    /gs is available, /dep is not available, but in w8 the concept of non executable np pool was introduced, /aslr doesn't exist in km, and for /safeseh, support is there IIRC
    d

    Sent from phone
    ________________________________
    From: xxxxx@gmx.de
    Sent: 12/10/2012 5:07 AM
    To: Windows System Software Devs Interest List
    Subject: [ntdev] DEP/ASLR in a kernel driver

    ---
    NTDEV is sponsored by OSR

    For our schedule of WDF, WDM, debugging and other seminars visit:
    http://www.osr.com/seminars

    To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
  • Chris_Troester Member Posts: 20
    This article has some information about /GS (in German):
    http://de.slideshare.net/johanneshoh/stack-und-heapoverflowschutz-bei-windows-xp-und-windows-vista#btnNext

    "If the attacker has the opportunity to do a write access with size 4 byte before the cookie check is done it is possible to overwrite the master cookie with a known value. Because in the current implementation there are only 256 possible positions for the cookie and the memory range is writable, brute force attacks are feasible."

    A big security threat is that the attacker overwrites the exception handler and causes an exception. This should be prevented via SafeSEH. The article says that /GS without SafeSEH is useless. It refers to the user mode implementation, I don't know whether it's the same in kernel mode. 64 bit kernel code is always signed, but I would feel better with the checks implemented.

    Are /GS and SafeSEH activated in device drivers by default? I didn't find an option in build.exe.
  • 0xD00D Member Posts: 69
    I don't think I get the comment "/aslr doesn't exist in km". Don't the virtual addresses where the kernel and drivers are loaded change for each boot session (much the same way the memory location of ntdll, kernel32, etc. change on each boot)? If so, doesn't it mean address space randomization is indeed happening?

    On Mon, Dec 10, 2012 at 7:30 AM, Doron Holan <xxxxx@microsoft.com> wrote:
    > /gs is available, /dep is not available, but in w8 the concept of non
    > executable np pool was introduced, /aslr doesn't exist in km, and for
    > /safeseh, support is there IIRC
    > d
  • Doron_Holan Member - All Emails Posts: 10,410
    There is no formal aslr in the kernel and I don't think the linker lets you set the flag along with /driver. Drivers have never been able to rely on fixed addresses of other modules, so in effect, aslr has always been present since nt3.1.

    d
    ________________________________
    From: Puchu Pachok
    Sent: 12/16/2012 1:01 AM
    To: Windows System Software Devs Interest List
    Subject: Re: [ntdev] DEP/ASLR in a kernel driver

  • Tim_Roberts Member - All Emails Posts: 12,757
    Puchu Pachok wrote:
    > I don't think I get the comment " /aslr doesn't exist in km". Don't
    > the virtual addresses where the kernel and drivers are loaded change
    > for each boot session (much the same way the memory location of
    > ntdll, kernel32, etc. change on each boot)? If so, doesn't it mean
    > address space randomization is indeed happening?

    If your driver set doesn't change, then all kernel drivers in your next boot will have the same addresses they had in this boot. The boot process is deterministic. Kernel32.dll is a user-mode DLL, where ASLR makes the module address assignments non-deterministic.

    --
    Tim Roberts, xxxxx@probo.com
    Providenza & Boekelheide, Inc.

  • Ken_Johnson Member - All Emails Posts: 1,556
    The kernel has provided ASLR for kernel mode modules since Vista SP1/WS08. The statements earlier in the thread aren't fully correct for these and newer Windows versions. There is no need to opt in to kernel ASLR with the dynamicbase flag for kernel mode modules; it is automatically applied on supported kernels.

    Prior to Vista SP1, drivers had no preferred base address but would tend to load at the same base address for a given static mix of drivers on a particular machine.

    NX is also enforced for drivers. There is no need to set the nxcompat flag for kernel mode modules to opt in to this. If an allocation is not protected as executable in kernel mode, then it cannot be executed from unless the user completely disabled NX for the whole system with /noexecute=disable in the OS load options.

    On Win8 and above, you can request non-executable pool allocations from NonPagedPool using the new NonPagedPoolNx pool type; http://msdn.microsoft.com/en-us/library/windows/hardware/hh920391(v=vs.85).aspx has details. There is a mechanism to request NX NP pool on Win8 while automatically falling back to executable NP pool on earlier OS versions within the same driver binary; see the MSDN link for details. Drivers built for architectures other than x86/amd64/ia64 (i.e., ARM) default to using NonPagedPoolNx for the NonPagedPool constant unless the NonPagedPoolExecute constant is used in source text.

    Converting to NX pool is worth doing; your customers would much rather have a vulnerability exist and not be exploited than to be compromised from said issue, and NX pool raises the difficulty in writing working kernel exploit code.

    - S (Msft)
    ________________________________
    From: Tim Roberts
    Sent: 12/17/2012 9:58
    To: Windows System Software Devs Interest List
    Subject: Re: [ntdev] DEP/ASLR in a kernel driver

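The original question asks how to tell from the binary whether these mitigations are on, the way dumpbin shows for EXEs and DLLs. The following is an added example, not code from this thread, from OSR or from Microsoft: a small C parser that reads the DOS, COFF and optional headers of a PE image and reports the same "DLL characteristics" bits that dumpbin /headers prints (Dynamic base, High entropy VA, NX compatible, No SEH, Control Flow Guard), together with the subsystem, so a native-subsystem image (a driver) can be told apart from a user-mode one. The flag values are the documented winnt.h constants; the sample images it inspects are constructed in memory and are not real binaries. Following Ken Johnson's reply, the helper that reports missing opt-ins returns nothing for a native image, because kernel ASLR and NX apply without the DYNAMICBASE / NXCOMPAT flags. /GS and SafeSEH are recorded in the load config directory (dumpbin /loadconfig: Security Cookie and the safe exception handler table), which this parser does not walk, since that needs RVA-to-file-offset translation through the section table.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Flag values as documented in the PE/COFF specification (winnt.h names). */
#define PE_FILE_DLL                0x2000
#define PE_SUBSYSTEM_NATIVE        1       /* kernel-mode drivers */
#define PE_SUBSYSTEM_WINDOWS_GUI   2
#define PE_DLLCHAR_HIGH_ENTROPY_VA 0x0020
#define PE_DLLCHAR_DYNAMIC_BASE    0x0040  /* /DYNAMICBASE: user-mode ASLR opt-in */
#define PE_DLLCHAR_NX_COMPAT       0x0100  /* /NXCOMPAT: user-mode DEP opt-in */
#define PE_DLLCHAR_NO_SEH          0x0400  /* image contains no SEH handlers at all */
#define PE_DLLCHAR_GUARD_CF        0x4000

typedef struct {
    int      pe32plus;             /* 1 for PE32+ (64-bit), 0 for PE32 */
    uint16_t machine;
    uint16_t file_characteristics;
    uint16_t subsystem;
    uint16_t dll_characteristics;
} pe_info;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Walks DOS header -> PE signature -> COFF header -> optional header and pulls
 * out the fields dumpbin /headers reports. Every read is bounds-checked, so a
 * truncated or non-PE buffer yields 0 instead of an out-of-bounds read. */
int pe_parse(const uint8_t *img, size_t len, pe_info *out)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return 0;
    uint32_t pe_off = rd32(img + 0x3C);                  /* e_lfanew */
    if (pe_off > len || len - pe_off < 4u + 20u + 72u) return 0;
    const uint8_t *pe = img + pe_off;
    if (memcmp(pe, "PE\0\0", 4) != 0) return 0;
    const uint8_t *coff = pe + 4, *opt = coff + 20;
    uint16_t magic = rd16(opt);
    if (magic != 0x10b && magic != 0x20b) return 0;
    /* Subsystem (68) and DllCharacteristics (70) sit at the same offsets in
     * PE32 and PE32+; only ImageBase/BaseOfData differ, and those come earlier. */
    if (rd16(coff + 16) < 72) return 0;                  /* SizeOfOptionalHeader */
    out->pe32plus             = (magic == 0x20b);
    out->machine              = rd16(coff + 0);
    out->file_characteristics = rd16(coff + 18);
    out->subsystem            = rd16(opt + 68);
    out->dll_characteristics  = rd16(opt + 70);
    return 1;
}

/* Returns the DYNAMIC_BASE / NX_COMPAT bits a user-mode image lacks. For the
 * native subsystem it returns 0: as Ken Johnson's reply states, kernel ASLR and
 * NX are applied without those opt-in flags, so their absence is expected. */
uint16_t pe_missing_usermode_optins(const pe_info *i)
{
    if (i->subsystem == PE_SUBSYSTEM_NATIVE) return 0;
    uint16_t want = PE_DLLCHAR_DYNAMIC_BASE | PE_DLLCHAR_NX_COMPAT;
    return (uint16_t)(want & ~i->dll_characteristics);
}

/* Prints the summary in the same terms dumpbin uses. */
void pe_print_summary(const char *label, const pe_info *i)
{
    printf("%s: %s, machine 0x%04x, subsystem %u%s%s\n", label,
           i->pe32plus ? "PE32+" : "PE32", i->machine, i->subsystem,
           i->subsystem == PE_SUBSYSTEM_NATIVE ? " (native: kernel driver)" : "",
           (i->file_characteristics & PE_FILE_DLL) ? ", DLL" : "");
    printf("  Dynamic base      : %s\n", (i->dll_characteristics & PE_DLLCHAR_DYNAMIC_BASE) ? "yes" : "no");
    printf("  High entropy VA   : %s\n", (i->dll_characteristics & PE_DLLCHAR_HIGH_ENTROPY_VA) ? "yes" : "no");
    printf("  NX compatible     : %s\n", (i->dll_characteristics & PE_DLLCHAR_NX_COMPAT) ? "yes" : "no");
    printf("  No SEH            : %s\n", (i->dll_characteristics & PE_DLLCHAR_NO_SEH) ? "yes" : "no");
    printf("  Control Flow Guard: %s\n", (i->dll_characteristics & PE_DLLCHAR_GUARD_CF) ? "yes" : "no");
}

/* Builds a headers-only PE image in memory. This is constructed test input so
 * the parser can run offline; it is not a real driver or DLL. */
size_t build_sample_pe(int pe32plus, uint16_t file_chars, uint16_t subsystem,
                       uint16_t dllchars, uint8_t *buf, size_t cap)
{
    const uint32_t pe_off = 0x80;
    const uint16_t opt_size = pe32plus ? 240 : 224;      /* sizes with 16 data directories */
    size_t total = pe_off + 4 + 20 + opt_size;
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3C, pe_off);
    memcpy(buf + pe_off, "PE\0\0", 4);
    uint8_t *coff = buf + pe_off + 4, *opt = coff + 20;
    wr16(coff + 0, pe32plus ? 0x8664 : 0x014c);          /* Machine: amd64 / i386 */
    wr16(coff + 16, opt_size);
    wr16(coff + 18, file_chars);
    wr16(opt + 0, pe32plus ? 0x20b : 0x10b);
    wr16(opt + 68, subsystem);
    wr16(opt + 70, dllchars);
    return total;
}

int main(void)
{
    uint8_t buf[512]; pe_info info;
    /* A 64-bit native-subsystem image (driver) with no opt-in flags set at all. */
    size_t n = build_sample_pe(1, 0x0022, PE_SUBSYSTEM_NATIVE, 0, buf, sizeof buf);
    if (pe_parse(buf, n, &info)) pe_print_summary("driver.sys (constructed)", &info);
    /* A 32-bit user-mode DLL built with /DYNAMICBASE but without /NXCOMPAT. */
    n = build_sample_pe(0, 0x2102, PE_SUBSYSTEM_WINDOWS_GUI, PE_DLLCHAR_DYNAMIC_BASE, buf, sizeof buf);
    if (pe_parse(buf, n, &info)) {
        pe_print_summary("user.dll (constructed)", &info);
        printf("  missing user-mode opt-ins: 0x%04x\n", pe_missing_usermode_optins(&info));
    }
    return 0;
}
```

pe_parse takes any in-memory image, so reading a real .sys or .dll into a buffer and passing it in gives the same summary for that file. The bounds checks before each read matter because header-parsing tools are routinely pointed at untrusted or damaged files; a malformed e_lfanew must fail cleanly rather than read past the buffer.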