Proposal / Submission Type
Peer Reviewed Paper
Location
Mori Hosseini Student Union: Event Center
Start Date
15-5-2019 3:00 PM
Abstract
Windows OS kernel memory is one of the main targets of cyber-attacks. By launching such attacks, hackers are succeeding in process privilege escalation and tampering with users' data by accessing kernel-mode memory. This paper considers a new example of such an attack, which results in access to the files opened in an exclusive mode. Windows built-in security features prevent such legal access, but attackers can circumvent them by patching dynamically allocated objects. The research shows that the Windows 10, version 1809 x64 is vulnerable to this attack. The paper provides an example of using MemoryRanger, a hypervisor-based solution to prevent such attack by running kernel-mode drivers in isolated kernel memory enclaves.
Scholarly Commons Citation
Korkin, Igor, "Memoryranger Prevents Hijacking FILE_OBJECT Structures in Windows Kernel" (2019). Annual ADFSL Conference on Digital Forensics, Security and Law. 7.
https://commons.erau.edu/adfsl/2019/paper-presentation/7
Memoryranger Prevents Hijacking FILE_OBJECT Structures in Windows Kernel
Mori Hosseini Student Union: Event Center
Windows OS kernel memory is one of the main targets of cyber-attacks. By launching such attacks, hackers are succeeding in process privilege escalation and tampering with users' data by accessing kernel-mode memory. This paper considers a new example of such an attack, which results in access to the files opened in an exclusive mode. Windows built-in security features prevent such legal access, but attackers can circumvent them by patching dynamically allocated objects. The research shows that the Windows 10, version 1809 x64 is vulnerable to this attack. The paper provides an example of using MemoryRanger, a hypervisor-based solution to prevent such attack by running kernel-mode drivers in isolated kernel memory enclaves.