Presentation Title: Subverting Windows 7 x64 Kernel with DMA Attacks
Presentation Abstract
Traditionally, operating systems implicitly trust the hardware.
This presentation will focus on concrete examples of compromising the Windows 7 x64 operating system, in effect bypassing two major security mechanisms: code signing and integrity verification (PatchGuard).
First, we’ll explain the internal structures of the operating system, and how they differ from previous versions. Then we describe how to alter these structures in order to gain control over the execution flow. The implementation of this attack is then presented, using an embedded soft-core MIPS CPU implemented on an FPGA PCMCIA/CardBus card.
Finally, we will conclude on the importance of new protection features included in recent CPUs, in particular the IOMMU and TXT.
About Christophe
Christophe Devine has been a security researcher at Sogeti/ESEC since 2009. Previously, he worked on wireless security; he developed aircrack (now aircrack-ng) and xyssl (now polarssl). In 2009, he ported the FireWire attack to an FPGA-based PCMCIA card.
About Damien
Damien Aumaitre has been a security researcher at Sogeti/ESEC since 2007. He has been working on virtual memory reconstruction under Windows and Mac OS X, first applied to the FireWire attack. He is currently implementing a debugger based on hardware virtualization, named virtdbg, to be presented at SSTIC 2010.