HitB2012Ams: WinRT: The Metropolitan Museum of SecurityFrank Breedijk
The researchers tried to find out what was new new in Windows 8 vs. Windows 7:
- New kernel function: NTCreateLowBoxToken
- New user interface: Metro interface
- WinRT is a net backbone for metra appes and has a new programming model
What are the key points of these new Metro applications:
- Distributed only via the Windows Store
- Executed in an “App Container”
- Secured through a sandvbox
- Severely limited resource access
- Need explicit permissions to access resources
- Restricted subset of Win32 and .NET API
Win32 is still at the core of WinRT.
Metro applications are different that usual applications:
- They are installed per users
- They are packaged in .appx format:
- Zipfile compression
- Signed using certificates
- Contains all needed files (no dependency hell, but all ddls needed by the app need to be provided by the packager)
- Can target multiple platforms (x86, x64, ARM)
- They contain an XML file that is imported into the registry (HKCU) at install time
The XML manifest defines the permissions of the applications in terms of network, filesystem and devices.
All applications are classes within .NET, and are e.g. run by implementing the lauch contract.
Renaud and Sebastian showed us how a Metro Application is programmed in C++ and how such and object is then created. They then disassambled a compiled object.
The Windows Store
Microsoft controls which applications can go into the Windows Store by controlling the singing certificate and key. In order to be allow to appear in the the store applications must be well behaved. They must not hang or crash, not call forbidden API’s, etc.
However the researcher were able to create a program that passed the certification criteria but still call CMD.EXE which is forbidden. This will be fixed by Microsoft soon.
WinRT implements sandboxes to isolate processes from the OS and each other.
The Windows sandbox mechanism has some limitations:
- Applications cannot be forbidden to make system calls (like seccomp)
- Some ojbects cannot be secured by design (e.g. fat filesystem)
WinRT has a new design and new API based on COM.
The AppContainer provides some level of isolation, it is transparent to users and developers and is implemented in the kernel.
Materials available from http://conference.hitb.org/hitbsecconf2012ams/materials/
ABOUT SEBASTIEN RENAUD
Sébastien Renaud is a senior security researcher at Quarkslab focusing on reverse engineering, vulnerability research and analysis with an emphasis on the Windows operating system. He enjoys programming tools and dissecting file formats and network protocols.
ABOUT KEVIN SZKUDLAPSKI
Kevin Szkudlapski is a junior security researcher working on reverse engineering and low level development. He enjoys studying new architectures and analyses how softwares communicate with hardware. He is the main developer of the medusa disassembler.