windows-kernel-driver-pipeline
This master thesis project continuously collects and analyses Microsoft Windows kernel drivers using static and dynamic methods to help security researcher in evaluating and uncovering vulnerabilities.
Science Score: 26.0%
This score indicates how likely this project is to be science-related based on various indicators:
-
○CITATION.cff file
-
✓codemeta.json file
Found codemeta.json file -
✓.zenodo.json file
Found .zenodo.json file -
○DOI references
-
○Academic publication links
-
○Academic email domains
-
○Institutional organization owner
-
○JOSS paper metadata
-
○Scientific vocabulary similarity
Low similarity (12.1%) to scientific vocabulary
Keywords
Repository
This master thesis project continuously collects and analyses Microsoft Windows kernel drivers using static and dynamic methods to help security researcher in evaluating and uncovering vulnerabilities.
Basic Info
Statistics
- Stars: 11
- Watchers: 1
- Forks: 0
- Open Issues: 0
- Releases: 0
Topics
Metadata Files
README.md
Efficient Pipelining for Windows Driver Vulnerability Research
Overview
This repository contains the source code for the system developed to enhance Windows kernel driver security during my master thesis. The system is designed to continuously gather, analyze, and evaluate Windows device drivers for potential vulnerabilities and present these results to security researchers in an efficient way.
An export of my final presentation can be found at FinalPresentation and the thesis at MasterThesis.
Motivation
The Windows operating system's widespread use in business operations necessitates robust security measures, particularly concerning kernel drivers. These drivers operate with high-level privileges and are a prime target for attacks due to their critical role in interfacing applications with hardware components. Despite Microsoft's driver signing requirements and use of frameworks like Windows Driver Model, Windows Driver Framework, and Driver Module Framework, vulnerabilities in these drivers can still be exploited by threat actors.
Challenges
- Collection and Centralization: There is no centralized repository for all Windows drivers, and existing block lists are incomplete, complicating the identification of already known vulnerable drivers.
- Dynamic and Static Analysis: Executing drivers for dynamic analysis requires specific environments, while static analysis is hindered by driver complexity and lack of ARM architecture support.
- Optimization of Research Time: Avoiding false positives and negatives is crucial to efficiently allocate security researchers time and resources.
Solution
The solution implemented in this thesis involves a system that:
- Continuous Collection: Gathers drivers from multiple sources.
- Vulnerability Analysis: Checks drivers against known vulnerabilities and applies both static and dynamic analysis techniques, through IDA Pro scripting and automated fuzz testing with kAFL.
- Prioritization: Highlights the most likely vulnerable drivers for researchers to focus on.
The system has processed over 27,000 drivers during the time of the thesis. 140 were manually reviewed, resulting in the identification of 14 unique drivers with 28 vulnerabilities - four of which were already published, and ten were previously unknown.
Repository Contents
- Pipeline: The implementation of the driver collection and analysis system.
- EvaluationScripts: Implementation of statistic and result figure generation for the thesis.
Industry Collaboration
The project benefited from collaboration with industry experts, including access to a Security Operations Center (SOC) team and an operationally active Red Team, which provided invaluable resources and insights.
Contribution
Contributions are welcome. Please follow the guidelines outlined in CONTRIBUTING.md for submitting issues, feature requests, or pull requests.
License
This project is licensed under the GPLv3 License where applicable. For more details, refer to the LICENSE file. Additionally, some components are licensed under the MIT License due to their reliance on prior work that was released under MIT.
Owner
- Name: Tobias Oberdoerfer
- Login: Toroto006
- Kind: user
- Website: https://tobias-oberdoerfer.matrx.me
- Twitter: toroto008
- Repositories: 2
- Profile: https://github.com/Toroto006
GitHub Events
Total
- Issues event: 2
- Watch event: 11
- Issue comment event: 1
- Push event: 1
- Fork event: 1
Last Year
- Issues event: 2
- Watch event: 11
- Issue comment event: 1
- Push event: 1
- Fork event: 1