Abstract: This paper describes various techniques that can be used to reduce the effective entropy of GS cookies implemented in a certain group of Windows kernel-mode executable images by roughly 99%, or otherwise defeat it completely. This reduction is made possible due to the fact that GS uses a number of extremely weak entropy sources, which can be predicted by the attacker with varying (most often - very high) degree of accuracy. In addition to presenting theoretical considerations related to the problem, the paper also contains a great amount of experimental results, showing the actual success / failure rate of different cookie prediction techniques, as well as pieces of hardware-related information. Furthermore, some of the possible problem solutions are presented, together with a brief description of potential attack vectors against these enhancements. Finally, the authors show how the described material can be practically used to improve kernel exploits’ reliability - taking the CVE-2010-4398 kernel vulnerability as an interesting example.
Download: Windows_Kernel-mode_GS_Cookies_subverted.pdf