Recon 2024

Hypervisor-enforced Paging Translation - The end of non data-driven Kernel Exploits?
06-29, 13:00–14:00 (US/Eastern), Grand Salon

Would you like to know about the state of kernel exploit mitigations in Windows? Are you curious about HVPT, Hypervisor-enforced Paging Translation, the new technology designed to stop exploitation of one of the last weak points in the Windows kernel?

In this talk, we are going to introduce the latest state of the exploit mitigations in the Windows 11 operating system. A discussion follows that leads to the presentation of possible "weak points" for exploiting the OS kernel, explaining why protecting the page tables is important. The main topic of the talk is the new Hypervisor-enforced Paging Translation mitigation: what it is, how it is implemented, and why the Microsoft Kernel Team took so long to make it real... If you are into Windows kernel internals and hardware-provided security features, this talk is for you.

See also: Hypervisor-enforced Paging Translation - The end of non data-driven Kernel Exploits

Andrea Allievi is a system-level developer and security research engineer with more than 18 years of experience. He graduated from the University of Milano-Bicocca in 2010 with a bachelor’s degree in computer science. For his thesis, he developed a Master Boot Record (MBR) bootkit written entirely in 64-bit code, capable of defeating all the Windows 7 kernel protections (PatchGuard and Driver Signing Enforcement). Andrea is also a reverse engineer who specializes in operating system internals, from kernel-level code all the way to user-mode code. He was the original designer of the first UEFI bootkit (developed for research purposes and published in 2012), multiple PatchGuard bypasses, and many other research papers and articles. He is the author of multiple system tools and software used for removing malware and advanced persistent threats. In his career, he has worked at various computer security companies: the Italian TgSoft, Saferbytes (now Malwarebytes), and the Talos group of Cisco Systems Inc. He originally joined Microsoft in 2016 as a Security Research Engineer in the Microsoft Threat Intelligence Center (MSTIC) group. Since January 2018, Andrea has been a Principal Core OS Engineer in the Kernel Security Core team at Microsoft, where he mainly maintains and develops new features (such as Retpoline, speculation mitigations, Function Overrides, ARM64 Import Optimization, Trusted Apps and many more...) for the NT and Secure Kernel. He is one of the main authors of the Windows Internals book.

Andrea continues to be active in the security research community, authoring technical articles on new kernel features of Windows in the Microsoft Windows Internals blog, and speaking at multiple technical conferences, such as Recon and Microsoft BlueHat.

Satoshi (@standa_t) is a security researcher, software engineer, and trainer with over 15 years of experience. He works on virtualization and security for game consoles and previously worked at security software vendors as a developer, researcher, and reverse engineer. In his spare time, he enjoys studying system software security and has discovered vulnerabilities in hypervisors, drivers, and UEFI firmware.