Uninformed: Informative Information for the Uninformed

Vol 8» 2007.Sep

Prevention & Mitigation

The primary purpose of this paper is not to explicitly identify approaches that could be taken to prevent or mitigate the different types of attacks described herein. However, it is worth taking some time to describe the virtues of certain approaches that could be extremely beneficial if one were to attempt to do so. The subject of preventing backdoors from being installed and persisted is discussed in more detail in section 4 and therefore won't be considered in this section.

One of the more interesting ideas that could be applied to prevent a number of different types of backdoors would be immutable memory. Memory is immutable when no write to it is permitted once it has been initialized. There are a few key regions of memory used by the Windows kernel that would benefit greatly from immutable memory, such as executable code segments and regions that are effectively write-once, such as the SSDT. While immutable memory may work in principle, there is currently no x86 or x64 hardware (that the authors are aware of) that permits this level of control: the write-protection mechanisms that do exist, such as the page-table write bit and CR0.WP, are controlled by the kernel itself and can therefore be cleared by any code running in kernel mode, including a backdoor.

Even though there appears to be no hardware support for this, it is still possible to implement immutable memory in a virtualized environment. This is especially true in hardware-assisted virtualization implementations that make use of a hypervisor in some form. In this model, a hypervisor can easily expose a hypercall (similar to a system call, but one that traps into the hypervisor rather than the kernel) that would allow an enlightened guest to mark a set of pages as being immutable. From that point forward, the hypervisor would reject all writes to the pages associated with the immutable region. Because the hypervisor enforces this on the guest's physical pages through the mappings it controls (shadow page tables or nested paging), remapping the same page at a different virtual address in the guest does not bypass the restriction. For the same reason, the marking must be irreversible and must take place before any untrusted kernel-mode code can run; a hypercall that could undo it would simply be the first thing a backdoor invoked.

As mentioned previously, particularly good candidates for immutable memory are things like the SSDT, Windows' ALMOSTRO write-once segment, as well as other single-modification data elements that exist within the kernel. Enforcing immutable memory on these regions would effectively prevent backdoors from being able to establish certain types of hooks. The downside to it would be that the kernel would lose the ability to hot-patch itself [9]. Still, the security upside would seem to outweigh the potential downside. On x64, the use of immutable memory would improve the resilience of PatchGuard by allowing it to actively prevent hot-patching rather than relying on detecting it with the use of a polling cycle.
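The following is an added example, not code from the Uninformed paper or from any real hypervisor. It models the hypercall-based scheme described above and the SSDT-sealing use case in a few dozen lines of C: a toy guest-physical address space with one write-permission bit per frame, a hypercall that marks frames immutable with no inverse operation, and a write path that refuses stores into sealed frames. All names (hv_mark_immutable, hv_guest_write, HV_PAGE_SIZE, the toy SSDT and its contents) are invented for illustration; a real hypervisor would clear the write permission in its shadow or nested page tables and handle the resulting fault instead of calling a C function.

```c
/* Added example (not from the Uninformed paper): toy model of a hypervisor
 * enforcing immutable memory on guest-physical frames. All identifiers and
 * values below are constructed for illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HV_PAGE_SIZE   4096u
#define HV_GUEST_PAGES 16u      /* constructed: a 64 KiB toy guest */
#define HV_MAX_REGIONS 8u

/* Guest-physical memory as a flat array plus one "writable" bit per frame.
 * Protection is keyed on the physical frame, not a virtual address, so a
 * backdoor that maps the same frame at a second virtual alias still traps. */
static uint8_t guest_mem[HV_GUEST_PAGES * HV_PAGE_SIZE];
static bool    frame_writable[HV_GUEST_PAGES];

struct hv_region { uint64_t gpa; uint32_t npages; };
static struct hv_region regions[HV_MAX_REGIONS];
static unsigned nregions;

/* Reset the toy machine: all frames writable, no sealed regions. */
void hv_reset(void)
{
    memset(guest_mem, 0, sizeof guest_mem);
    for (unsigned i = 0; i < HV_GUEST_PAGES; i++) frame_writable[i] = true;
    nregions = 0;
}

/* Hypercall: the enlightened guest asks for npages frames starting at gpa to
 * become immutable. There is deliberately no inverse hypercall; an "unmark"
 * would be the first thing a backdoor called. Returns 0 on success, -1 on a
 * misaligned, empty or out-of-range request. */
int hv_mark_immutable(uint64_t gpa, uint32_t npages)
{
    if (gpa % HV_PAGE_SIZE != 0 || npages == 0) return -1;
    uint64_t first = gpa / HV_PAGE_SIZE;
    if (first + npages > HV_GUEST_PAGES || nregions == HV_MAX_REGIONS) return -1;
    for (uint32_t i = 0; i < npages; i++) frame_writable[first + i] = false;
    regions[nregions++] = (struct hv_region){ gpa, npages };
    return 0;
}

/* Models the guest executing a store of len bytes at guest-physical gpa.
 * In real hardware-assisted virtualization this is the page-table write
 * permission check; a store into a sealed frame causes a VM exit that the
 * hypervisor refuses to emulate. Returns true only if the store happened.
 * A store straddling into a sealed frame is rejected as a whole. */
bool hv_guest_write(uint64_t gpa, const void *src, size_t len)
{
    if (len == 0) return true;
    if (gpa + len < gpa || gpa + len > sizeof guest_mem) return false;
    for (uint64_t f = gpa / HV_PAGE_SIZE; f <= (gpa + len - 1) / HV_PAGE_SIZE; f++)
        if (!frame_writable[f]) return false;   /* denied: immutable frame */
    memcpy(&guest_mem[gpa], src, len);
    return true;
}

/* Worked scenario: a toy SSDT (array of handler addresses) lives in frame 3.
 * The kernel fills it once at boot, seals it, and then a backdoor tries to
 * hook entry 0. Returns the value of entry 0 after the attempt and reports
 * via *hook_succeeded whether the backdoor's store went through. */
#define TOY_SSDT_GPA     (3 * HV_PAGE_SIZE)
#define TOY_SSDT_ENTRIES 4
#define TOY_BOOT_ENTRY0  0xfffff80001000000ull   /* constructed address */

uint64_t toy_ssdt_scenario(bool *hook_succeeded)
{
    hv_reset();
    /* Boot: populate the table while its frame is still writable. */
    uint64_t boot_table[TOY_SSDT_ENTRIES] = {
        TOY_BOOT_ENTRY0, TOY_BOOT_ENTRY0 + 0x100, TOY_BOOT_ENTRY0 + 0x200,
        TOY_BOOT_ENTRY0 + 0x300 };
    hv_guest_write(TOY_SSDT_GPA, boot_table, sizeof boot_table);
    /* Seal it: the write-once region becomes immutable for the rest of uptime. */
    hv_mark_immutable(TOY_SSDT_GPA, 1);
    /* Backdoor: attempt to replace entry 0 with a hook address. */
    uint64_t hook = 0xdeadbeefdeadbeefull;
    *hook_succeeded = hv_guest_write(TOY_SSDT_GPA, &hook, sizeof hook);
    uint64_t entry0;
    memcpy(&entry0, &guest_mem[TOY_SSDT_GPA], sizeof entry0);
    return entry0;
}

int main(void)
{
    bool hooked;
    uint64_t entry0 = toy_ssdt_scenario(&hooked);
    printf("hook %s; entry0 = 0x%llx\n", hooked ? "succeeded" : "denied",
           (unsigned long long)entry0);
    return 0;
}
```

The design points a practitioner should carry over to a real implementation are the two that the toy makes explicit: sealing happens on guest-physical frames under hypervisor control, so the guest cannot alias or remap its way around it, and there is no hypercall that reverses the marking, so the guarantee holds even after kernel mode is compromised. Whether the sealing of the SSDT and similar write-once data happens early enough to precede a backdoor's load is a boot-ordering question the hypervisor cannot answer by itself.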