Windows kernel exploits can kill all security, says Bromium

Windows kernel exploits can disable just about every security software product, claims Bromium Labs

Exploits of a Windows operating system kernel vulnerability can enable attackers to bypass just about every security software product, claims security firm Bromium Labs.

The firm's researchers found that small adjustments to the recent public exploit of EPATHOBJ Windows kernel vulnerability can be used to bypass a range of security controls.

These include application sandboxes, anti-virus, host-based intrusion prevention, rootkit detectors, Microsoft's Enhanced Mitigation Experience Toolkit (EMET) and Intel's Supervisor Mode Execution Protection (SMEP).

According to the researchers, attackers can exploit the vulnerability to gain system privileges to disable security technologies and run any malicious code or compromise other machines on the same network.

The discovery of the TDL4 rootkit for exploiting kernel code at the end of 2013 was largely ignored, but that was a substantial error in judgement, said Rahul Kashyap, head of research at Bromium.

"Such vulnerabilities can prove lethal to enterprise security and are likely to go unnoticed for lengthy periods," he said.

Multi-layer penetration

The researchers found that, by tweaking the exploit, they were able to bypass all the layers of security software that an enterprise might typically deploy.

Almost all endpoint technologies rely on the integrity of the kernel. If that becomes compromised, the attackers can disable them without detection, they warned.

In other technologies, such as application sandboxes, the kernel exploits can be designed to bypass the sandbox, the researchers said.

Unlike application sandboxes, any security technology that isolates threats needs to be able to protect the integrity of the operating system kernel, they said.

"Each kernel exploit can be converted into a 'Swiss army knife' attack that can be delivered through a spear phishing email or as a second-stage payload after exploiting a Java or browser vulnerability," said Kashyap.

"The Windows kernel has an attack surface of many millions of lines of code, with flaws being discovered all the time."

Holistic evaluation

As a result of the research findings, Bromium is encouraging all organisations not to rely only on anti-virus or similar technologies, and to evaluate the entire stack to identify any common weaknesses.

"Attackers will always try to exploit the Achilles heel in any system, such as the operating system kernel," said Kashyap.

"Organisations should design a layered architecture that covers all aspects and types of threat."

While a layered approach is still the only way to protect organisations, Kashyap said it is vital to be aware of fundamental technology limitations at each level and add layers to address those weaknesses.

Isolation measures

Bromium has tackled the problem by developing its vSentry endpoint security software that isolates and secures every untrusted network task in its own tiny virtual machine or microVM.

The firm claims it is possible to protect endpoints using highly granular virtualisation in combination with hardware-enforced isolation.

VSentry assumes all internet tasks are untrusted and automatically puts each task into its own microVM, which is destroyed when the task is completed.

If an attack occurs during any of these tasks, the malware remains contained and isolated inside the microVM, unable to escape and access any system or network resource.

Because vSentry is completely transparent to the user – even during a malware attack – there is no affect on user experience or performance, according to Bromium.

This approach, the security firm claims, de-couples protection for the first time and provides 100% protection against all malware attacks as it does not use any "detection" technologies.

To validate this claim, research organisation NSS Labs completed an independent security validation exercise on vSentry.

The results, published in February 2013, stated that vSentry protected endpoints from every attack, including 166 embedded exploits delivered through email and drive-by attacks.

VSentry also protected targets against 15 advance attacks using the Metasploit penetration testing toolset that incorporated advanced obfuscation and evasion techniques in an attempt to bypass protection.

Read more on endpoint security:

  • Managing BYOD endpoint security
  • A CIO's five-point plan for managing endpoint security
  • Tactical Success for Multiplatform Endpoint Security
  • Endpoint device management key to controlling corporate data
  • Antivirus alternatives: Evolving enterprise endpoint security strategy
  • McAfee Focus 2012: Endpoint security key to Security Connected strategy
  • Endpoint management FAQ for desktop admins

Read more on IT risk management