Windows Kernel Hijacking Is Not an Option: MemoryRanger Comes to the Rescue Again
Igor Korkin

TL;DR
This paper demonstrates that MemoryRanger effectively prevents new kernel data hijacking attacks in Windows, addressing security gaps despite recent OS protections.
Contribution
It introduces three new hijacking attacks on Windows kernel data and shows how MemoryRanger's hypervisor-based approach mitigates these vulnerabilities.
Findings
MemoryRanger blocks three new kernel hijacking attacks
It supports Windows 10 1903 x64
MemoryRanger enhances kernel data security
Abstract
The security of a computer system depends on OS kernel protection. It is crucial to reveal and inspect new attacks on kernel data, as attackers actively use them. The purpose of this paper is to continue research into attacks on dynamically allocated data in the Windows OS kernel and to demonstrate the capacity of MemoryRanger to prevent these attacks. This paper discusses three new hijacking attacks on kernel data, which are based on bypassing OS security mechanisms. The first two hijacking attacks result in illegal access to files opened with exclusive access. The third attack escalates process privileges without applying token swapping. Although Windows security experts have issued new protection features, access attempts to dynamically allocated data in the kernel are not fully controlled. The MemoryRanger hypervisor is designed to fill this security gap. The updated MemoryRanger prevents…
Taxonomy
Topics: Security and Verification in Computing · Advanced Malware Detection Techniques · Network Security and Intrusion Detection
