06-30, 10:00–11:00 (US/Eastern), Grand Salon
In this talk, we'll uncover a previously unnamed vulnerability class in Windows, showing how long-standing incorrect assumptions in the design of core Windows features can result in undefined behavior and security vulnerabilities. We will demonstrate how one such vulnerability in the Windows 11 kernel can be exploited to achieve arbitrary code execution with kernel privileges.
Digital code signatures provide a cryptographically verifiable, tamper-evident way to attest that code was produced by a particular entity. Starting with Windows Vista, Microsoft requires all kernel drivers to be digitally signed, a feature called Driver Signing Enforcement (DSE). DSE allows Microsoft to control which entities are allowed to execute code with kernel privileges, keeping rootkits and other malware from tampering with core OS components in memory and on disk.
After defining the vulnerability class and covering its brief history, we will demonstrate how the Windows 11 kernel can be exploited to bypass DSE and load arbitrary unsigned drivers without the use of any third-party code such as Bring-Your-Own-Vulnerable-Drivers. We will then describe a small kernel change that can fix this vulnerability, and show how defenders can detect this attack today.
Beyond Windows itself, this class of vulnerability can affect any user- or kernel-mode software that relies on documented Windows behavior. This talk will be accompanied by the release of a tool demonstrating the DSE exploit, alongside a mitigation that detects and stops it.
Gabriel Landau is a principal at Elastic Security. His research focuses on attack and defense of AV, EDR, and the Windows kernel. He has presented research at Black Hat USA, ShmooCon, and Black Hat Asia. His non-public work includes endpoint protections, exploit mitigation, and malware reversing. Though he mostly wears blue these days, his heart will always be red.