Uninformed: Informative Information for the Uninformed

Vol 8» 2007.Sep


The classic separation of privileges between user-mode and kernel-mode has been a common feature included in most modern operating systems. This separation allows operating systems to make security guarantees relating to process isolation, kernel-user isolation, kernel-mode integrity, and so on. These security guarantees are needed in order to prevent a lesser privileged user-mode process from being able to take control of the system itself. A kernel-mode backdoor is one method of bypassing these security restrictions.

There are many different techniques that can be used to backdoor the kernel. For the purpose of this document, a backdoor will be considered to be something that provides access to resources that would otherwise normally be restricted by the kernel. These resources might include executing code with kernel-mode privileges, accessing kernel-mode data, disabling security checks, and so on. To help further limit the scope of this document, the authors will focus strictly on techniques that can be used to provide local backdoors into the kernel on Windows. In this context, a local backdoor is a backdoor that does not rely on or make use of a network connection to provide access to resources. Instead, local backdoors can be viewed as ways of weakening the kernel in an effort to provide access to resources from non-privileged entities, such as user-mode processes.

The majority of the backdoor techniques discussed in this paper have been written about at length and in great detail in many different publications[20,8,12,18,19,21,25,26]. The primary goal of this paper is to act as a point of reference for some of the common, as well as some of the not-so-common, local kernel-mode backdoor techniques. The authors have attempted to include objective measurements for each technique along with a description of how each technique works. As a part of defining these objective measurements, the authors have attempted to research the origins of some of the more well-known backdoor techniques. Since many of these techniques have been used for such a long time, the origins have proven somewhat challenging to uncover.

The structure of this paper is as follows. In §2, each of the individual techniques that can be used to provide a local kernel-mode backdoor are discussed in detail. §3 provides a brief discussion into general strategies that might be employed to prevent some of the techniques that are discussed. §4 attempts to refute some of the common arguments against preventing kernel-mode backdoors in and of themselves. Finally, §5 attempts to clarify why Microsoft's PatchGuard should not be considered a security solution with respect to kernel-mode backdoors.