Finding a Weak Link: Attacking Windows OEM Kernel Drivers

DerbyCon 6.0 - Recharge

Presented by: Braden Hollembaek, Adam Pond
Date: Sunday September 25, 2016
Time: 13:00 - 13:50
Location: Keeneland
Track: The 3-Way

The security of OEM drivers is an oft-overlooked blind spot that serves to undermine platform hardening efforts. To show that the rigorous security development lifecycle applied to Microsoft-developed software does not extend to the OEM developers that bundle kernel drivers with their hardware, we developed tools, methods, and techniques to efficiently produce exploitable kernel driver vulnerabilities in our fully patched Windows 10 installations. This talk will dive into the methodology and tools we created as well as the vulnerabilities we found during this investigation. We will take a close look at effective driver fuzzing and how modifications we made to a public fuzzing tool resulted in exploitable crashes. We introduce and demo our new IDA Pro plugin, DriverBuddy, that automates much of the repetitive tedium involved in kernel driver reverse engineering. We will then discuss vulnerability analysis techniques, such as the efficient triaging of crash dumps and patterns of exploitability. Finally, we will discuss the results of our methods by analyzing some of the vulnerabilities we discovered and deep-diving an exploit against our Windows 10 laptops that allows us to map and read physical memory, including the kernel memory containing the BitLocker AES key, as an unprivileged user.

Braden Hollembaek

Braden is a Senior Security Consultant for NCC Group with a focus on blackbox binary testing and C/C++ code review. Previously, Braden worked as a researcher in the OSIRIS information security lab at the University of Oregon, where he worked on applied SSL/TLS security.

Adam Pond

Adam Pond is a security consultant at NCC Group with a focus on native application security testing and reverse engineering.
