Divide et Impera: MemoryRanger Runs Drivers in Isolated Kernel Spaces

Conference:  BlackHat EU 2018



The presentation discusses the importance of protecting kernel mode drivers and allocated memory in order to prevent data theft and privilege escalation attacks.
  • Memory Ranger protects memory according to the principle of least privilege, allowing only authorized drivers to access allocated data
  • Memory Ranger prevents drivers code from being dumped and prevents read and write access to allocated data
  • An anecdote is given to illustrate how unprotected drivers and allocated memory can be exploited by hackers to steal private data and escalate privileges
  • The presentation emphasizes the need for proper protection of kernel mode drivers and allocated memory to prevent data theft and privilege escalation attacks
The presenter uses an analogy of two houses with private art collections to illustrate how unprotected drivers and allocated memory can be exploited by hackers to steal private data. The attacker successfully dumps the code of both drivers and steals the private data stored in allocated memory. The attacker is even able to modify the data and escalate process privileges.


In Windows 10, Microsoft is introducing a new memory protection concept: Windows Defender Device Guard, which provides code integrity for all modules in the kernel-mode, while PatchGuard prevents patching the kernel. These features do not protect the kernel-mode memory completely. Malware can steal and modify allocated memory of third-party drivers without any BSOD. Also, elevating process privileges by patching EPROCESS.Token does not cause a BSOD. The reason for that is that kernel-mode drivers share the same memory space with the rest of the kernel. Security researchers are trying to fill this gap. For example "LKRG" provides only code integrity without any protection of allocated memory, while AllMemPro protects allocated memory but not the code. "LKM guard" does not restrict the OS kernel. "Hypernel" provides kernel integrity, but only for limited kernel objects. The goal is to move kernel-mode drivers into separate memory enclosures. This is possible by applying VT-x and EPT features. As a result, guest-physical addresses are translated by traversing a set of EPT paging structures. The EPT feature provides trapping memory access attempts, redirecting them, as well as allocating several EPT structures with various access configurations.This idea is implemented in MemoryRanger (MR) in the following way: Initially MR allocates the default EPT structure and puts all loaded drivers and kernel inside it. After a new driver is loaded, MR allocates and configures a new EPT structure so that only this new driver and OS kernel are executed here. Each time after this driver allocates memory MR updates all EPTs: the allocated memory is accessible only for this driver, while all other EPTs exclude this memory. MR skips the legal memory access attempts and prevents the illegal ones. MR isolates execution of drivers by switching between EPTs. The source code and demo of MemoryRanger are here – https://github.com/IgorKorkin/MemoryRanger, https://www.youtube.com/watch?v=IMePtijD3TY&vq=hd1080.