Windows Kernel-mode GS Cookies and 1 bit of entropy

I would like to present the results of research performed by Gynvael Coldwind and me during the last three or four weeks – an almost 40-page-long article, entitled “Exploiting the otherwise non-exploitable: Windows Kernel-mode GS cookies subverted” (yes, that’s an obvious reference to “Exploiting the otherwise non-exploitable on Windows” by Skywing and Skape, Uninformed 4). The paper aims to describe the current protection level of a specific stack protection found in a majority of Windows device drivers (both default and 3rd party) – the GS cookies – and to cover the cookie generation weaknesses found in the actual protection implementations on Windows XP, Windows Vista and Windows 7 (both 32-bit and 64-bit platforms).

As it turns out, all of the entropy sources used to form the final cookie value – preventing the attacker from hijacking the return address – are extremely weak, and therefore easy for a potential attacker to guess or calculate. A total of five cookie-prediction techniques can be found in the article, three of which are designed to estimate the system tick count (the only truly unknown factor of the cookie value) with the highest possible degree of accuracy. Apart from theoretical considerations, we have also performed a number of practical tests, proving the real effectiveness of the presented methods. By making use of the most precise measurement techniques we are currently aware of, we have managed to reach around 50% cookie prediction reliability (and thus, the same degree of stack-based vulnerability exploitability).
