Annual Computer Security Applications Conference (ACSAC) 2022

POPKORN: Popping Windows Kernel Drivers At Scale

External vendors develop a significant percentage of Windows kernel drivers, and Microsoft relies on these vendors to handle all aspects of driver security. Unfortunately, device vendors are not immune to software bugs, which in some cases can be exploited to gain elevated privileges. Testing the security of kernel drivers remains challenging: the lack of source code, the requirement of the presence of a physical device, and the need for a functional kernel execution environment are all factors that can prevent thorough security analysis. As a result, there are no binary analysis tools that can scale and accurately find bugs at the Windows kernel level.

To address these challenges, we introduce POPKORN, a lightweight framework that harnesses the power of taint analysis and targeted symbolic execution to automatically find security bugs in Windows kernel drivers at scale. Our system focuses on a class of bugs that affect security-critical Windows API functions used in privilege-escalation exploits. POPKORN analyzes drivers independently of both the kernel and the device, avoiding the complexity of performing a full-system analysis.
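The core data-flow question behind the approach described above is whether a value read from the user-controlled IOCTL input buffer can reach an argument of a security-critical kernel API without passing a check. The following is an added illustration of that question as a forward may-taint analysis over a small driver-like control-flow graph; it is not POPKORN's code, and the instruction set, block names and the two sink names (`HypotheticalMapPhysicalMemory`, `HypotheticalOpenProcessByPid`) are constructed placeholders, since the abstract does not list the APIs the tool targets. The symbolic-execution half of the paper's technique is not modelled; a `validate` instruction stands in for a path whose constraints sanitize a value.

```python
"""Toy forward may-taint analysis over a driver-like control-flow graph.

Added illustration of the data-flow question a tool like POPKORN asks: can data
from the user-controlled IOCTL input buffer reach an argument of a
security-critical kernel API without passing a check? Everything here (the
instruction set, block names and sink names) is constructed for this example.
"""
from collections import deque

# Hypothetical sink names standing in for security-critical kernel APIs.
# The abstract does not list the functions POPKORN targets, so these are placeholders.
SINKS = {"HypotheticalMapPhysicalMemory", "HypotheticalOpenProcessByPid"}


def transfer(instrs, state):
    """Run one basic block's instructions over a set of tainted variable names.

    Returns (state_out, hits), where hits lists sink calls in this block that
    received at least one tainted argument.
    """
    state = set(state)
    hits = []
    for ins in instrs:
        op = ins[0]
        if op == "input":            # value read from the IOCTL input buffer
            state.add(ins[1])
        elif op == "const":          # compile-time constant, never attacker-controlled
            state.discard(ins[1])
        elif op == "assign":         # dst := src, taint follows the copy
            _, dst, src = ins
            state.discard(dst)
            if src in state:
                state.add(dst)
        elif op == "binop":          # dst := a <op> b, tainted if either operand is
            _, dst, a, b = ins
            state.discard(dst)
            if a in state or b in state:
                state.add(dst)
        elif op == "validate":       # bounds/ownership check; var is sanitized afterwards
            state.discard(ins[1])
        elif op == "call":
            _, name, args = ins
            tainted_args = [a for a in args if a in state]
            if name in SINKS and tainted_args:
                hits.append((name, tuple(tainted_args)))
        else:
            raise ValueError(f"unknown instruction {op!r}")
    return state, hits


def taint_analysis(cfg, entry):
    """Worklist fixpoint over cfg = {block: (instrs, successors)}.

    May-analysis: tainted sets are unioned at merges, so a check that guards
    only one incoming path does not clear the taint where the paths rejoin.
    Returns sorted [(block, sink_name, tainted_args)].
    """
    tainted_in = {b: set() for b in cfg}
    work = deque([entry])
    while work:
        blk = work.popleft()
        out, _ = transfer(cfg[blk][0], tainted_in[blk])
        for succ in cfg[blk][1]:
            if not out <= tainted_in[succ]:      # re-queue only when the input set grows
                tainted_in[succ] |= out
                work.append(succ)
    findings = []
    for blk, (instrs, _) in cfg.items():
        _, hits = transfer(instrs, tainted_in[blk])
        findings.extend((blk, name, args) for name, args in hits)
    return sorted(findings)


# Constructed dispatch routine: fields are copied out of the user buffer, the PID
# is validated on only one branch, and both branches reach the sink calls.
UNCHECKED_ON_ONE_PATH = {
    "entry": ([("input", "pid"), ("input", "phys_addr"), ("input", "length"),
               ("const", "flags"), ("binop", "end", "phys_addr", "length")],
              ["validate_pid", "skip_validation"]),
    "validate_pid": ([("validate", "pid")], ["do_work"]),
    "skip_validation": ([], ["do_work"]),
    "do_work": ([("call", "HypotheticalOpenProcessByPid", ["pid", "flags"]),
                 ("call", "HypotheticalMapPhysicalMemory", ["phys_addr", "length"]),
                 ("call", "HypotheticalLogEvent", ["end"])],   # not a sink: no finding
                []),
}

# Same constructed routine with every user-controlled value checked before the sinks.
CHECKED_ON_ALL_PATHS = {
    "entry": ([("input", "pid"), ("input", "phys_addr"), ("input", "length"),
               ("const", "flags")], ["checks"]),
    "checks": ([("validate", "pid"), ("validate", "phys_addr"), ("validate", "length")],
               ["do_work"]),
    "do_work": ([("call", "HypotheticalOpenProcessByPid", ["pid", "flags"]),
                 ("call", "HypotheticalMapPhysicalMemory", ["phys_addr", "length"])],
                []),
}

if __name__ == "__main__":
    for label, cfg in (("unchecked on one path", UNCHECKED_ON_ONE_PATH),
                       ("checked on all paths", CHECKED_ON_ALL_PATHS)):
        print(label)
        for blk, sink, args in taint_analysis(cfg, "entry"):
            print(f"  {blk}: {sink}({', '.join(args)}) receives tainted arguments")
```

Running the block reports two findings for the first graph, one per sink, because the union at the `do_work` merge keeps `pid` tainted along the unvalidated path and nothing ever checks `phys_addr` or `length`; the constant `flags` argument and the non-sink logging call produce nothing. The second graph yields no findings. A real tool must additionally decide whether the unvalidated path is feasible, which is where the targeted symbolic execution the abstract mentions comes in.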

We evaluate our system on a diverse dataset of 212 unique signed Windows kernel drivers. When run against these drivers, POPKORN reported 38 high-impact bugs in 27 unique drivers, with manual verification revealing no false positives. Among the bugs we found, 31 were previously unknown vulnerabilities that potentially allow for Elevation of Privilege (EoP). During this research, we have received two CVEs and six acknowledgments from different driver vendors, and we continue to work with vendors to fix the issues that we identified.

Rajat Gupta
Georgia Institute of Technology

Lukas Dresel
University of California, Santa Barbara

Noah Spahn
University of California, Santa Barbara

Giovanni Vigna
University of California, Santa Barbara

Christopher Kruegel
University of California, Santa Barbara

Taesoo Kim
Georgia Institute of Technology

Paper (ACM DL)
