I this post
I will show how it's possible to disable Windows 10 Virtualization Based
Security (VBS), Credential and Device Guard, by corrupting in-memory structures
prior to operating system boot.
For this
attack to succeed the target computer must not be protected by a pre-boot
authentication password. Auto-booting Bitlocker with TPM and/or Network unlock
will work. The target computer is also required to have Direct Memory Access (DMA) capable ports and a
BIOS which will allow DMA before operating system boot.
- Intel NUC Skull Canyon with a Skylake i7 CPU. 32GB RAM. M.2 SSD.
- Windows 10 Enterprise version 1607.
The NUC
have two options for DMA. The obvious choice is the USB-C port at the back which is capable of Thunderbolt 3. Thunderbolt is however secure by
default on the NUC - which is unfortunate for us. The Thunderbolt to
PCI-Express adapters I use also doesn't seem to be working prior to OS boot
even in the less secure Thunderbolt Legacy Mode.
The second
option is to use one of the M.2 slots inside the NUC. M.2 is pretty much just
another from factor for PCI-Express. The M.2 slots are easily accessible;
just unscrew the bottom cover and open up the NUC. In this example I will
connect PCILeech to the available M.2 slot.
 |
| The M.2 to PCIe adapter and PCILeech mounted in one of the NUC M.2 slots. |
Windows 10
Enterprise version 1607 was installed and the computer joined to an AD. Group Policies enabling virtualization based security with UEFI lock and Bitlocker with with secure boot validation was deployed to the system.
 |
| The relevant GPO VBS and Bitlocker settings deployed to Windows on the NUC. |
The result is that Windows 10 enabled the virtualization based security features. It's not possible to disable them by altering the GPO since the UEFI lock was configured. The test system have a BIOS password configured so it shouldn't be possible to get into the BIOS to disable it. The system should be secure even though auto-booting Bitlocker is deployed.
If we check the task manager we see that the secure system is up and running as well as other secure processes such as LsaIso.
 |
| The Secure System including LsaIso is running on the NUC together with Bitlocker. |
Overwriting the DMAR ACPI table
The DMAR ACPI table is an in-memory reporting structure used to report the memory mapped location of the IOMMU to the operating system. DMAR is short for DMA Remapping. If the OS cannot read the configuration data from a valid DMAR table it cannot locate the IOMMU and cannot enable the virtualization features.
The DMAR table is not protected or signed. It loads at a predictable memory address on the NUC (also on other tested hardware). It is possible to overwrite the DMAR table on the NUC before the OS boots.
This attack was discussed on a theoretical level already back in 2009 in the paper Another Way to Circumvent Intel® Trusted Execution Technology by Rutkowska et al.
It's possible to search for the DMAR table in memory by using PCILeech since it's starting with the signature DMAR. It turns out that while entirely possible to do so it was a bit problematic on the tested hardware. When PCILeech encounters unreadable memory it needs to be power-cycled before able to read memory again. It was easier to boot into Ubuntu on an USB stick and check the location of the DMAR table with the dmesg command.
 |
| The DMAR ACPI table is located at address: 0x3A529CB0. |
Once knowledge of the memory address of the DMAR table has been gained it's possible to overwrite it. The address is usually completely static between reboots. It might change if extensive changes are made to the BIOS configuration - such as enabling/disabling secure boot though.
We'll overwrite the beginning of the DMAR table before Windows starts to boot. Just issue the command:
pcileech.exe write -min 0x3a529cb0 -in 000000000000000000000000000000000000000000000000
which will effectively overwrite the start of the DMAR table with 24 bytes of null data.
 |
| The obligatory before/after image. The original DMAR table to the left. The overwritten DMAR table to the right. |
The Result
Even though the beginning of the DMAR table is now overwritten Bitlocker will unlock the OS disk allowing Windows to boot. Windows don't find the DMAR table so it can't locate the IOMMU. Even though UEFI lock has been configured Windows will just disable virtualization based security features and continue to boot normally.
 |
| Windows with Bitlocker. Credential and Device Guard not started despite configuration. PCILeech kernel module loaded. |
Other
- It's possible to nuke the DMAR table on other hardware as well.
- Virtualization Based Security isn't designed to fully protect against physical and firmware based attacks.
- Issue mentioned to MSRC in July as part of pre-existing case. Case closed after DEF CON talk Direct Memory Attack the Kernel.
- BIOS version: KYSKLi70.86A.0037.2016.0603.1032.
- Did I miss something? Please let me know.
Conclusions
- Computers with active DMA ports and auto-booting full disk encryption might be at risk if physical access could be gained.
- Windows 10 Virtualization Based Security might not fully protect against physical DMA attacks with PCILeech on autobooting systems.
- It's possible to disable unused M.2 slots and set a BIOS password on the NUC if one wish to be extra secure.