POPKORN: Popping Windows Kernel Drivers At Scale
Pages 854 - 868
Abstract
External vendors develop a significant percentage of Windows kernel drivers, and Microsoft relies on these vendors to handle all aspects of driver security. Unfortunately, device vendors are not immune to software bugs, which in some cases can be exploited to gain elevated privileges. Testing the security of kernel drivers remains challenging: the lack of source code, the requirement of the presence of a physical device, and the need for a functional kernel execution environment are all factors that can prevent thorough security analysis. As a result, there are no binary analysis tools that can scale and accurately find bugs at the Windows kernel level.
To address these challenges, we introduce POPKORN, a lightweight framework that harnesses the power of taint analysis and targeted symbolic execution to automatically find security bugs in Windows kernel drivers at scale. Our system focuses on a class of bugs that affect security-critical Windows API functions used in privilege-escalation exploits. POPKORN analyzes drivers independently of both the kernel and the device, avoiding the complexity of performing a full-system analysis.
We evaluate our system on a diverse dataset of 212 unique signed Windows kernel drivers. When run against these drivers, POPKORN reported 38 high impact bugs in 27 unique drivers, with manual verification revealing no false positives. Among the bugs we found, 31 were previously unknown vulnerabilities that potentially allow for Elevation of Privilege (EoP). During this research, we have received two CVEs and six acknowledgments from different driver vendors, and we continue to work with vendors to fix the issues that we identified.
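The abstract describes the core of the approach: find paths on which user-controlled IRP data reaches a security-critical kernel API that an elevation-of-privilege exploit can abuse. The block below is an added illustration, not POPKORN's code and not taken from the paper. It is a toy forward taint analysis over a hand-written three-address IR of an IOCTL dispatch routine; the IR format, the handler bodies, the IOCTL codes and the sink table are all assumptions made for this example. It enumerates every path through the handler, propagates taint from the IRP's IoControlCode and SystemBuffer, and reports each call whose critical argument (the ClientId passed to ZwOpenProcess, the PhysicalAddress passed to MmMapIoSpace) is user-controlled, together with the branch constraints on that path, i.e. the IOCTL code a user-mode client must send to reach the sink. A hardened variant of the same handler, which uses the caller's own PID and drops the physical-memory mapping IOCTL, produces no findings.

```python
"""Toy taint analysis over a hand-written IR of an IOCTL dispatch routine.
Constructed for illustration only: the IR, the handler bodies, the IOCTL
codes and the sink table are assumptions, not POPKORN's code or angr's VEX."""

# Taint sources: IRP fields that carry user-controlled input into the driver.
SOURCES = {"Irp->IoControlCode", "Irp->SystemBuffer"}

# Sinks: security-critical kernel APIs and the index of the argument that must
# never be user-controlled. The table is an assumption for this example.
SINKS = {
    "ZwOpenProcess": 3,   # ClientId: attacker chooses which process to open
    "MmMapIoSpace": 0,    # PhysicalAddress: attacker chooses what to map
}


def _tainted(taint, operand):
    """Integer constants are never tainted; a variable is tainted if in the set."""
    return isinstance(operand, str) and operand in taint


def _set(taint, dst, is_tainted):
    (taint.add if is_tainted else taint.discard)(dst)


def analyze(program, entry="entry", max_steps=10_000):
    """Enumerate every path from `entry`, propagate taint forward, and report
    each sink call whose critical argument is user-controlled. A finding keeps
    the branch constraints of its path: the IOCTL code needed to reach it."""
    findings, steps = [], 0
    worklist = [(entry, frozenset(SOURCES), ())]        # (block, taint, path)
    while worklist:
        block, taint, path = worklist.pop()
        taint = set(taint)
        for ins in program[block]:
            steps += 1
            if steps > max_steps:
                raise RuntimeError("path explosion: add state merging or a bound")
            op = ins[0]
            if op == "assign":                            # dst = src
                _, dst, src = ins
                _set(taint, dst, _tainted(taint, src))
            elif op == "load":                            # dst = *(ptr + off)
                _, dst, ptr, _off = ins                   # a read through a user pointer yields user data
                _set(taint, dst, _tainted(taint, ptr))
            elif op == "binop":                           # dst = a <op> b
                _, dst, a, b = ins
                _set(taint, dst, _tainted(taint, a) or _tainted(taint, b))
            elif op == "call_ret":                        # dst = fn(args): taint flows via args only
                _, dst, _fn, args = ins
                _set(taint, dst, any(_tainted(taint, a) for a in args))
            elif op == "call":                            # fn(args): check the sink argument
                _, fn, args = ins
                idx = SINKS.get(fn)
                if idx is not None and _tainted(taint, args[idx]):
                    findings.append({"sink": fn, "arg": args[idx],
                                     "block": block, "path": path})
            elif op == "branch":                          # if var == const goto t else goto f
                _, var, const, t, f = ins
                worklist.append((t, frozenset(taint), path + (f"{var} == {const:#x}",)))
                worklist.append((f, frozenset(taint), path + (f"{var} != {const:#x}",)))
                break
            elif op == "ret":
                break
    return findings


# Constructed IR of a vulnerable dispatch routine: two IOCTLs, each handing
# user-controlled data straight to a sink. The IOCTL codes are made up.
VULNERABLE = {
    "entry": [
        ("assign", "ioctl", "Irp->IoControlCode"),
        ("assign", "buf", "Irp->SystemBuffer"),
        ("branch", "ioctl", 0x222004, "open_proc", "check_map"),
    ],
    "check_map": [("branch", "ioctl", 0x222008, "map_io", "default")],
    "open_proc": [                                        # ZwOpenProcess(&h, access, &oa, &cid)
        ("load", "pid", "buf", 0),                        # cid.UniqueProcess from the user buffer
        ("assign", "access", 0x1FFFFF),                   # PROCESS_ALL_ACCESS
        ("call", "ZwOpenProcess", ["hOut", "access", "oa", "pid"]),
        ("ret",),
    ],
    "map_io": [                                           # MmMapIoSpace(phys, size, cache)
        ("load", "off", "buf", 0),
        ("binop", "phys", "bar0", "off"),                 # device base + unbounded user offset
        ("load", "size", "buf", 8),
        ("call", "MmMapIoSpace", ["phys", "size", "MmNonCached"]),
        ("ret",),
    ],
    "default": [("ret",)],
}

# Hardened variant: the PID is the caller's own, so ZwOpenProcess cannot be
# aimed at another process, and the physical-memory mapping IOCTL is removed.
HARDENED = {
    **VULNERABLE,
    "check_map": [("ret",)],
    "open_proc": [
        ("call_ret", "pid", "PsGetCurrentProcessId", []),
        ("assign", "access", 0x1FFFFF),
        ("call", "ZwOpenProcess", ["hOut", "access", "oa", "pid"]),
        ("ret",),
    ],
}

if __name__ == "__main__":
    for f in analyze(VULNERABLE):
        print(f"{f['sink']}({f['arg']}) reachable when " + " and ".join(f["path"]))
```

Two design points carry over to the real setting. First, the analysis is deliberately over-approximate in places (every load through a tainted pointer is tainted, every call result is tainted if any argument is) and under-approximate in others (a call such as PsGetCurrentProcessId is trusted as a clean source), which is exactly the trade-off that produces a low false-positive rate on a narrow bug class while saying nothing about bugs outside it. Second, the path constraints recorded on each finding are what make the result actionable: they tell a verifier which IOCTL code to send, which is the job targeted symbolic execution does on the real binary.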
Information
Published In: ACSAC, December 2022, 1021 pages
ISBN: 9781450397599
DOI: 10.1145/3564625
Copyright © 2022 Owner/Author. This work is licensed under a Creative Commons Attribution International 4.0 License.
Publisher: Association for Computing Machinery, New York, NY, United States
Published: 05 December 2022
Qualifiers: Research-article, Refereed limited
Conference: ACSAC
Acceptance Rate: 104 of 497 submissions, 21%