windows-kernel-driver-pipeline

This master thesis project continuously collects and analyses Microsoft Windows kernel drivers using static and dynamic methods to help security researcher in evaluating and uncovering vulnerabilities.

https://github.com/toroto006/windows-kernel-driver-pipeline

Science Score: 26.0%

This score indicates how likely this project is to be science-related based on various indicators:

  • CITATION.cff file
  • codemeta.json file
    Found codemeta.json file
  • .zenodo.json file
    Found .zenodo.json file
  • DOI references
  • Academic publication links
  • Academic email domains
  • Institutional organization owner
  • JOSS paper metadata
  • Scientific vocabulary similarity
    Low similarity (12.1%) to scientific vocabulary

Keywords

kernel-driver security windows
Last synced: 10 months ago · JSON representation

Repository

This master thesis project continuously collects and analyses Microsoft Windows kernel drivers using static and dynamic methods to help security researcher in evaluating and uncovering vulnerabilities.

Basic Info
  • Host: GitHub
  • Owner: Toroto006
  • License: gpl-3.0
  • Language: C
  • Default Branch: main
  • Homepage:
  • Size: 13.6 MB
Statistics
  • Stars: 11
  • Watchers: 1
  • Forks: 0
  • Open Issues: 0
  • Releases: 0
Topics
kernel-driver security windows
Created almost 2 years ago · Last pushed over 1 year ago
Metadata Files
Readme Contributing License Citation

README.md

Efficient Pipelining for Windows Driver Vulnerability Research

Overview

This repository contains the source code for the system developed to enhance Windows kernel driver security during my master thesis. The system is designed to continuously gather, analyze, and evaluate Windows device drivers for potential vulnerabilities and present these results to security researchers in an efficient way.

An export of my final presentation can be found at FinalPresentation and the thesis at MasterThesis.

Motivation

The Windows operating system's widespread use in business operations necessitates robust security measures, particularly concerning kernel drivers. These drivers operate with high-level privileges and are a prime target for attacks due to their critical role in interfacing applications with hardware components. Despite Microsoft's driver signing requirements and use of frameworks like Windows Driver Model, Windows Driver Framework, and Driver Module Framework, vulnerabilities in these drivers can still be exploited by threat actors.

Challenges

  1. Collection and Centralization: There is no centralized repository for all Windows drivers, and existing block lists are incomplete, complicating the identification of already known vulnerable drivers.
  2. Dynamic and Static Analysis: Executing drivers for dynamic analysis requires specific environments, while static analysis is hindered by driver complexity and lack of ARM architecture support.
  3. Optimization of Research Time: Avoiding false positives and negatives is crucial to efficiently allocate security researchers time and resources.

Solution

The solution implemented in this thesis involves a system that:

  1. Continuous Collection: Gathers drivers from multiple sources.
  2. Vulnerability Analysis: Checks drivers against known vulnerabilities and applies both static and dynamic analysis techniques, through IDA Pro scripting and automated fuzz testing with kAFL.
  3. Prioritization: Highlights the most likely vulnerable drivers for researchers to focus on.

The system has processed over 27,000 drivers during the time of the thesis. 140 were manually reviewed, resulting in the identification of 14 unique drivers with 28 vulnerabilities - four of which were already published, and ten were previously unknown.

Repository Contents

  • Pipeline: The implementation of the driver collection and analysis system.
  • EvaluationScripts: Implementation of statistic and result figure generation for the thesis.

Industry Collaboration

The project benefited from collaboration with industry experts, including access to a Security Operations Center (SOC) team and an operationally active Red Team, which provided invaluable resources and insights.

Contribution

Contributions are welcome. Please follow the guidelines outlined in CONTRIBUTING.md for submitting issues, feature requests, or pull requests.

License

This project is licensed under the GPLv3 License where applicable. For more details, refer to the LICENSE file. Additionally, some components are licensed under the MIT License due to their reliance on prior work that was released under MIT.

Owner

  • Name: Tobias Oberdoerfer
  • Login: Toroto006
  • Kind: user

GitHub Events

Total
  • Issues event: 2
  • Watch event: 11
  • Issue comment event: 1
  • Push event: 1
  • Fork event: 1
Last Year
  • Issues event: 2
  • Watch event: 11
  • Issue comment event: 1
  • Push event: 1
  • Fork event: 1