
Abstract

On Windows, drivers written in the style that pre-dates the Windows Driver Model (WDM), also known as legacy drivers, are commonly distributed as components of many software packages. Rather than servicing a particular piece of hardware, these drivers run in kernel mode and process developer-defined requests on behalf of user-mode processes, letting the user-mode component(s) query privileged resources and perform privileged operations. That same low-level access means that a vulnerability in such a driver hands an attacker total control of the system.

This talk is a case study of a systemic security issue in one class of such drivers, built around a previously unexplored exploitation vector: unrestricted or improperly validated access to the privileged RDMSR and WRMSR instructions, which read and write the CPU's Model Specific Registers (MSRs). The talk begins with a review of how to audit device drivers for potential vulnerabilities and how to exploit them reliably once an issue is found, including bypasses for Supervisor Mode Execution Prevention (SMEP) and other mitigations. We then discuss the specific mechanics of how attacker-controlled MSR access is exploited, and how developers and security vendors can prevent these attacks.
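
The vulnerable pattern the abstract describes, beside the validation a driver author should apply instead, as an added example that is not code from the talk or from any of the drivers it audited. Everything here is constructed: the IOCTL input layout, the user-mode stand-in for the CPU's MSR file (a real driver calls `__readmsr`/`__writemsr`, which execute RDMSR/WRMSR at CPL 0), the handler names, and the pretend register contents. The MSR indices and NTSTATUS values are the architectural ones.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* NTSTATUS codes, values as in ntstatus.h */
typedef int32_t NTSTATUS;
#define STATUS_SUCCESS           ((NTSTATUS)0x00000000)
#define STATUS_INVALID_PARAMETER ((NTSTATUS)0xC000000D)
#define STATUS_ACCESS_DENIED     ((NTSTATUS)0xC0000022)
#define STATUS_BUFFER_TOO_SMALL  ((NTSTATUS)0xC0000023)

/* Architectural MSR indices (Intel SDM vol. 4 / AMD APM) */
#define MSR_IA32_THERM_STATUS 0x0000019Cu /* thermal status: harmless to read */
#define MSR_IA32_MPERF        0x000000E7u /* max-perf clock counter, R/W */
#define MSR_IA32_APERF        0x000000E8u /* actual-perf clock counter, R/W */
#define MSR_IA32_EFER         0xC0000080u /* long mode / NX enable */
#define MSR_IA32_LSTAR        0xC0000082u /* 64-bit SYSCALL entry point */

/* IOCTL input layout assumed for both write handlers (constructed, METHOD_BUFFERED style) */
typedef struct { uint32_t msr_index; uint64_t value; } MSR_WRITE_REQUEST;

/* Constructed stand-in for the CPU's MSR file so this runs in user mode.
 * On hardware an unimplemented index raises #GP, which in kernel mode is a bugcheck. */
static struct { uint32_t index; uint64_t value; } sim_msrs[] = {
    { MSR_IA32_THERM_STATUS, 0x0000000088420000ull },
    { MSR_IA32_MPERF,        1000000ull },
    { MSR_IA32_APERF,        1200000ull },
    { MSR_IA32_EFER,         0x0000000000000D01ull },
    { MSR_IA32_LSTAR,        0xFFFFF80000123450ull }, /* pretend KiSystemCall64 address */
};
#define COUNT(a) (sizeof (a) / sizeof (a)[0])

static uint64_t *sim_msr_slot(uint32_t index) {
    for (size_t i = 0; i < COUNT(sim_msrs); i++)
        if (sim_msrs[i].index == index) return &sim_msrs[i].value;
    return NULL; /* the #GP case on real hardware */
}
uint64_t sim_msr_peek(uint32_t index) { uint64_t *p = sim_msr_slot(index); return p ? *p : 0; }

/* Vulnerable pattern: index and value are taken straight from the user buffer and fed to
 * WRMSR. Anyone who can open the device can rewrite IA32_LSTAR and own the syscall path. */
NTSTATUS vulnerable_ioctl_write_msr(const void *in, size_t in_len) {
    MSR_WRITE_REQUEST req;
    if (in == NULL || in_len < sizeof req) return STATUS_BUFFER_TOO_SMALL;
    memcpy(&req, in, sizeof req);
    uint64_t *slot = sim_msr_slot(req.msr_index);      /* real driver: __writemsr(req.msr_index, req.value) */
    if (slot == NULL) return STATUS_INVALID_PARAMETER; /* on hardware: unhandled #GP, bugcheck */
    *slot = req.value;
    return STATUS_SUCCESS;
}

/* Hardened pattern: separate allowlists for reads and writes; nothing else is reachable.
 * LSTAR, EFER, STAR, SYSENTER_* and friends are deliberately absent: reading them leaks
 * kernel addresses (KASLR), writing them is kernel code execution. */
static const uint32_t readable_msrs[] = { MSR_IA32_THERM_STATUS, MSR_IA32_MPERF, MSR_IA32_APERF };
static const uint32_t writable_msrs[] = { MSR_IA32_MPERF, MSR_IA32_APERF }; /* counters the tool resets */

static bool in_list(const uint32_t *list, size_t n, uint32_t index) {
    for (size_t i = 0; i < n; i++) if (list[i] == index) return true;
    return false;
}

NTSTATUS hardened_ioctl_read_msr(const void *in, size_t in_len, uint64_t *out) {
    uint32_t index;
    if (in == NULL || out == NULL || in_len < sizeof index) return STATUS_BUFFER_TOO_SMALL;
    memcpy(&index, in, sizeof index);
    if (!in_list(readable_msrs, COUNT(readable_msrs), index)) return STATUS_ACCESS_DENIED;
    uint64_t *slot = sim_msr_slot(index);
    if (slot == NULL) return STATUS_INVALID_PARAMETER;
    *out = *slot;
    return STATUS_SUCCESS;
}

NTSTATUS hardened_ioctl_write_msr(const void *in, size_t in_len) {
    MSR_WRITE_REQUEST req;
    if (in == NULL || in_len < sizeof req) return STATUS_BUFFER_TOO_SMALL;
    memcpy(&req, in, sizeof req);
    if (!in_list(writable_msrs, COUNT(writable_msrs), req.msr_index)) return STATUS_ACCESS_DENIED;
    /* If a listed register mixes control bits with the ones the tool needs, mask req.value here too. */
    uint64_t *slot = sim_msr_slot(req.msr_index);
    if (slot == NULL) return STATUS_INVALID_PARAMETER;
    *slot = req.value;
    return STATUS_SUCCESS;
}

int main(void) {
    MSR_WRITE_REQUEST hijack = { MSR_IA32_LSTAR, 0x4141414141414141ull };
    NTSTATUS h = hardened_ioctl_write_msr(&hijack, sizeof hijack);
    printf("hardened write LSTAR   -> 0x%08X, LSTAR=0x%016llX\n", (unsigned)h,
           (unsigned long long)sim_msr_peek(MSR_IA32_LSTAR));
    NTSTATUS v = vulnerable_ioctl_write_msr(&hijack, sizeof hijack);
    printf("vulnerable write LSTAR -> 0x%08X, LSTAR=0x%016llX\n", (unsigned)v,
           (unsigned long long)sim_msr_peek(MSR_IA32_LSTAR));
    return 0;
}
```

The allowlist is the fix that matters: it turns "write any MSR" into "write these two counters". Restricting who can open the device (for example with `IoCreateDeviceSecure` and an SDDL string that limits access to administrators) is a worthwhile second layer, but it only narrows the set of callers; any caller left with access still gets the full primitive.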

The exploit primitive discussed in this talk was found in more than 15 separate device drivers from different vendors and software packages. The software often performs similar functions, and in many cases the code written to exploit one of these drivers exploits the others without any modification. This code similarity across packages suggests either that the industry does not understand the security impact of these privileged operations, or that a single piece of incorrect code has propagated throughout it.