FYI: Printable “Windows Kernel Address Protection” paper out

That’s just a short notification that I decided to release the Windows Security Hardening Through Kernel Address Protection article published in Hack in the Box Magazine #7 over a month ago (see HITB #7 on the wild, at last). The paper is now available in a nicely formatted, printer-friendly format. If you missed it then, here’s your chance to take a look :-)

Download: Windows Security Hardening Through Kernel Address Protection (382 kB, PDF)


As more defense-in-depth protection schemes like Windows Integrity Control or sandboxing technologies are deployed, threats affecting local system components become a relevant issue in terms of the overall operating system user’s security plan. In order to address continuous development of Elevation of Privileges exploitation techniques, Microsoft started to enhance the Windows kernel security, by hardening the most sensitive system components, such as Kernel Pools with the Safe Unlinking mechanism introduced in Windows 7. At the same time, the system supports numerous both official and undocumented services, providing valuable information regarding the current state of the kernel memory layout. In this paper, we discuss the potential threats and problems concerning unprivileged access to the system address space information. In particular, we also present how subtle information leakages can prove useful in practical attack scenarios. Further in the document, we conclusively provide some suggestions as to how problems related to kernel address information availability can be mitigated, or entirely eliminated.