Overview
Explore the intricacies of Windows 10's virtualization-based security (VBS) in this 51-minute Black Hat conference talk. Delve into the VBS implementation details and assess its unique attack surface, focusing on potential vulnerabilities arising from platform complexity, particularly UEFI firmware. Witness demonstrations of actual exploits, including a non-critical bypass of a VBS feature and a critical firmware vulnerability. Gain insights into VBS architecture, Credential Guard, code integrity enforcement, and kernel HVCI bypass. Examine root partition privileges, unfiltered MMCFG access issues, and SMM abuse examples. Enhance your understanding of Windows 10 security architecture and potential attack vectors in this comprehensive analysis presented by Rafal Wojtczuk.
Syllabus
Intro
VBS architecture
Credential Guard architecture
CG RPC interface
CG scenario 2
VBS-enforced code integrity
Kernel HVCI bypass, MS16-066
Necessary support
Root partition privileges
Problem 1-unfiltered MMCFG • MMCFG is a region of physical address space, access
Overlap VTd bars
S4 sleep
SMM abuse example
Questions?
Taught by
Black Hat