
Abstract

The release of the Windows Subsystem for Linux (WSL) brings exciting new changes to the Windows ecosystem: the ability to run unmodified Linux ELF binaries in an environment that provides a 75%+ system call compatibility layer with the Linux kernel API/ABI, access to sockets, the file system, pipes, and a private driver/IPC bus mechanism, all built on the Microsoft Research Drawbridge "Pico Process" work. At the same time, today's defense products and engines are not adapted to this reality. Forensically difficult to understand, poorly documented outside of a few technical blog posts, and unusual by design (ELF binaries performing I/O through a kernel driver, and relying on poorly understood NTFS features), WSL is a great place for future attackers to invade, if the blue team doesn't get there first.

This presentation will expose some of the difficulties in dealing with WSL processes for forensics, incident response, and endpoint detection and response. It will also call out certain undisclosed risks and actual vulnerabilities, including file-system EoP attacks, mitigation bypasses, system call vulnerabilities, and bugs in Windows handle usage. As future Windows releases increase the capabilities of WSL, it is important to address these issues systematically with fuzzing, SDL processes, and a better understanding of the risks and interactions between NT and Linux. Finally, we'll provide ideas and suggestions for how security-minded vendors and administrators can get some visibility into WSL.