The security of OEM drivers is an oft-overlooked blind spot that serves to undermine platform hardening efforts. To show that the rigorous security development lifecycle applied to Microsoft developed software does not extend to the OEM developers that bundle kernel drivers in with their hardware, we developed tools, methods, and techniques to efficiently produce exploitable kernel driver vulnerabilities in our fully patched Windows 10 installations. This talk will dive into the methodology and tools we created as well as the vulnerabilities we found during this investigation. We will take a close look at effective driver fuzzing and how modifications we made to a public fuzzing tool resulted in exploitable crashes. We introduce and demo our new IDA Pro plugin, DriverBuddy, that automates much of the repetitive tedium involved with kernel driver reverse engineering. We will then discuss vulnerability analysis techniques, such as the efficient triaging of crash dumps and patterns of exploitability. Finally, we will discuss the results of our methods by analyzing some of the vulnerabilities we discovered and deep-diving an exploit against our Windows 10 laptops that allows us to map and read physical memory, including the kernel memory containing the Bitlocker AES key, as an unprivileged user.
Braden is a Senior Security Consultant for NCC Group with a focus on blackbox binary testing and C/C++ code review. Previously, Braden worked as a researcher in the OSIRIS information security lab at the University of Oregon, where he worked on applied SSL/TLS security.
Adam Pond is a security consultant at NCC group with a focus on native application security testing and reverse engineering.