1
00:00:02,270 --> 00:00:05,900
Security boundaries start with a physical computer.

2
00:00:06,030 --> 00:00:13,030
We've also covered the subsequent boundaries: an operating system boundary and a user session boundary.

3
00:00:13,130 --> 00:00:18,790
Let's try to discover if a process also sets another system security boundary.

4
00:00:18,880 --> 00:00:21,150
What's the meaning of a process, to begin with?

5
00:00:23,920 --> 00:00:26,840
The system Task Manager uses the term incorrectly.

6
00:00:28,480 --> 00:00:36,900
A process is binary code saved to a file, a part of the virtual memory address space in which code and metadata

7
00:00:37,020 --> 00:00:39,380
are allocated to executable code.

8
00:00:40,980 --> 00:00:46,240
The metadata includes mostly handles that enable the process to communicate with external processes.

9
00:00:48,170 --> 00:00:55,200
A process also involves a security context that describes it. These elements constitute a process as

10
00:00:55,200 --> 00:01:03,610
such. Returning to the Task Manager, the Processes tab shows elements that are not actual processes.

11
00:01:05,120 --> 00:01:09,070
What's more, some launched binary objects are contained here multiple times.

12
00:01:14,310 --> 00:01:17,060
Modern operating systems, including Windows,

13
00:01:17,280 --> 00:01:23,750
don't use a process to set a security boundary. A process defines a reliability boundary and is managed

14
00:01:23,750 --> 00:01:32,620
by an operating system that allocates CPU and RAM to processes.

15
00:01:32,630 --> 00:01:38,390
This means that a single process can read or modify the data other processes work with in a way that is

16
00:01:38,390 --> 00:01:47,880
uncontrolled by the system. This occurs within a user session when we run an untrusted program or an untrusted

17
00:01:47,880 --> 00:01:50,040
process in our session.

18
00:01:50,040 --> 00:01:55,290
This implies that we practically lose control over not only the results of the program's operation but

19
00:01:55,290 --> 00:01:56,860
over the entire session.

20
00:01:58,450 --> 00:02:05,170
This is important security-wise, and we'll bring this up more than once later.

21
00:02:05,330 --> 00:02:10,740
We need to trust that a launched program will work as described by its developer.

22
00:02:10,840 --> 00:02:14,750
Otherwise, we need to verify this on our own.

23
00:02:14,780 --> 00:02:19,700
We can conclude that we shouldn't normally use the Administrator account, because a process run with

24
00:02:19,700 --> 00:02:27,430
administrator privileges can also affect other processes run by other users. A process that is run in

25
00:02:27,430 --> 00:02:30,010
this way crosses the boundary of a user session.

26
00:02:34,600 --> 00:02:37,130
PatchGuard is another technology we'll talk about.

27
00:02:38,870 --> 00:02:43,430
This technology has been developed to prevent the installation of programs running in kernel mode.

28
00:02:45,150 --> 00:02:50,610
These programs operate at a low level and can directly access other system processes, which means that

29
00:02:50,610 --> 00:02:53,580
they are able to access computer resources indirectly.

30
00:02:59,250 --> 00:03:06,560
PatchGuard is a security solution deployed in 64-bit systems. The working principle behind this technology

31
00:03:06,560 --> 00:03:08,150
looks as follows.

32
00:03:08,600 --> 00:03:14,350
If PatchGuard detects a modification of the system processes that is unsupported by Microsoft,

33
00:03:14,350 --> 00:03:22,250
the system halts and a stop error is reported. All the most important system processes, ntoskrnl.exe,

34
00:03:22,280 --> 00:03:35,830
hal.dll, the IDT, the SSDT and the MSRs, are protected using PatchGuard.

35
00:03:35,850 --> 00:03:37,800
What's the purpose of this mechanism?

36
00:03:38,960 --> 00:03:46,140
We're developing programs that run in kernel mode. These programs include, above all, drivers and low-level

37
00:03:46,140 --> 00:03:56,830
services. Their creators are software manufacturers, or ISVs. Many software manufacturers develop programs

38
00:03:56,830 --> 00:04:00,600
that patch the kernel to make it compatible with their company's designs.

39
00:04:02,100 --> 00:04:09,540
This meant that the programs made use of undocumented functions and features of the kernel. What followed

40
00:04:09,540 --> 00:04:14,550
is that any modification of these undocumented functionalities entailed the shutdown of a number of

41
00:04:14,550 --> 00:04:16,440
programs used on the computer.

42
00:04:18,260 --> 00:04:25,410
This practice resulted in Microsoft having their hands tied: an amendment or change in the system's

43
00:04:25,410 --> 00:04:30,840
structure could bring about a failure of multiple programs and a round of disputes with ISVs about

44
00:04:30,840 --> 00:04:32,200
making them work again.

45
00:04:34,320 --> 00:04:38,980
To streamline this process, the PatchGuard technology has been implemented.

46
00:04:39,230 --> 00:04:46,530
The solution reports critical errors, which are signaled by the characteristic stop message. This provides

47
00:04:46,530 --> 00:04:52,430
a software developer with a clear sign that the program they are developing and testing uses an undocumented

48
00:04:52,440 --> 00:04:57,520
functionality and patches the kernel in a way that is not supported by the system manufacturer.

49
00:04:59,960 --> 00:05:03,370
These, in short, are the goals of PatchGuard.

50
00:05:03,430 --> 00:05:09,890
The goal was never to protect systems against malicious modifications of system processes.

51
00:05:09,910 --> 00:05:14,620
Remember that you shouldn't base your security policy on solutions that weren't created with security

52
00:05:14,620 --> 00:05:21,600
in mind. This issue is all the more vital because the misconception is quite common.

53
00:05:22,830 --> 00:05:25,870
This is why attacks occasionally target PatchGuard as well.

54
00:05:27,670 --> 00:05:31,210
Results of these attempts are later published and discussed at conferences.

55
00:05:32,650 --> 00:05:36,490
It's been repeatedly proved that the technology can be successfully bypassed.

56
00:05:39,500 --> 00:05:42,490
Microsoft doesn't seem to react to these claims in any way.

57
00:05:44,640 --> 00:05:50,460
The company doesn't treat bypassing PatchGuard, for example modifying a system process to your liking

58
00:05:50,730 --> 00:05:55,440
and not following Microsoft recommendations, as a security boundary violation.

59
00:05:56,390 --> 00:06:01,500
So the vulnerabilities won't be patched, nor will any steps be taken to mitigate the threat.

60
00:06:01,970 --> 00:06:04,460
The attacks are feasible and quite easy to run.

61
00:06:08,330 --> 00:06:13,140
PatchGuard operates as a kernel process, so it can't protect other processes that have a similar level

62
00:06:13,140 --> 00:06:17,210
of privileges.

63
00:06:17,230 --> 00:06:20,210
The program doesn't protect files stored on the disk either.

64
00:06:21,300 --> 00:06:24,750
The only objects that are protected are the processes loaded into memory.