Get off the Kernel if you can’t Drive

Conference:  Defcon 27



For software to communicate with hardware, it needs to talk to a kernel-mode driver that serves as a middle-man between the two, helping to make sure everything operates as it should. In Windows that is done using the Kernel-Mode Driver Framework (KMDF). These drivers are used to control everything in your computer, from small things like CPU fan speed, color of your motherboard LED lights, up to flashing a new BIOS. However, as the code in these drivers runs with the same privileges as the rest of the kernel, malicious drivers can be used to compromise the security of the platform. To that end, Microsoft relies on WHQL, code signing, and EV Signing to prevent drivers which have not been approved by Microsoft from being loaded into the kernel. Unfortunately, security vulnerabilities in signed drivers can be used to as a proxy to read and write hardware resources such as kernel memory, internal CPU configuration registers, PCI devices, and more. These helpful driver capabilities can even be misused to bypass and disable Windows protection mechanisms. Let us teach you how these drivers work, show you the unbelievable risk they pose, and enjoy our walk of shame as we parade all the silly and irresponsible things we discovered in our research.