Overview
Explore the hidden Linux kernel within Windows 10 in this 52-minute Black Hat conference talk. Dive deep into the implementation of "Project Astoria," which allows Windows to run native, unmodified Linux binaries. Learn about the Ring 0 driver with kernel privileges that enables this functionality, and understand its implications for security, including potential vulnerabilities and attack surfaces. Examine how this new paradigm affects security software, process management, and system calls. Discover the challenges posed by this integration, including the potential for Linux/Android malware to target Windows machines. Gain insights into the internals of this groundbreaking feature, uncovering design flaws and security challenges in Windows 10 Anniversary Update.
Syllabus
Intro
INTRODUCTION
MINIMAL PROCESS
PICO PROCESS
PICO PROVIDERS
PICO PROVIDER SECURITY
WSL COMPONENT OVERVIEW
SYSTEM CALLS
DEVICE OBJECT INTERFACES
BUS INSTANCES
SOCKETS / FILES
BUS IPC MARSHALLING
BUS IPC DATA EXCHANGE
INITIAL ANALYSIS
ATTACK SURFACE ANALYSIS
PROCESS / THREAD NOTIFICATIONS & BEHAVIOR
CONCLUSION
Taught by
Black Hat