Windows Downdate: Downgrade Attacks Using Windows Updates
Alon Leviev, Security Researcher, SafeBreach

About the speaker
- 22 years old, self-taught
- OS internals, reverse engineering and vulnerability research
- Former BJJ world and European champion
- Creator of the PoolParty process injection techniques

Agenda
- Research Background
- Downgrade Attacks Using Windows Updates
- Virtualization-Based Security Vulnerabilities
- Windows Update Restoration Vulnerability
- Closing Remarks

Research Background (WINDOWS DOWNDATE)

What are Downgrade Attacks?
An attacker downgrades immune software to vulnerable software: a component that is patched against a known vulnerability is replaced with an older version of itself that still contains the vulnerability.
[Diagram: Immune Software -> (Attacker downgrades) -> Vulnerable Software]

Downgrade Attacks In-The-Wild: BlackLotus UEFI Bootkit
- The BlackLotus UEFI bootkit employed a downgrade attack to bypass Secure Boot
- The Secure Boot bypass worked on fully updated Windows 11 machines
- Caused a massive panic in the cyber security industry

Secure Boot In a Nutshell
Boot chain: UEFI Firmware -> UEFI Boot Manager -> Windows Boot Manager -> Windows Boot Loader -> Windows Kernel
Each component in the boot chain must be digitally signed, and each stage verifies the signature of the next stage before handing control to it.

BlackLotus Secure Boot Bypass
BlackLotus downgraded the Windows Boot Manager to a signed but vulnerable version of it. Because the old boot manager still carries a valid signature, every verification step in the chain passes and the bootkit can exploit the old version's vulnerability.
[Diagram: UEFI Firmware -> UEFI Boot Manager -> Windows Boot Manager (downgraded) -> Windows Boot Loader -> Windows Kernel, all four Verify steps succeed]

Microsoft's Mitigation Against Secure Boot Downgrades
Microsoft's mitigation included adding the signed but vulnerable boot managers to revocation lists. Revoked boot managers are not allowed to run, even though their signatures are otherwise valid.
[Diagram: UEFI Firmware -> UEFI Boot Manager -> Windows Boot Manager -> Windows Boot Loader -> Windows Kernel, with the Revocation List consulted during verification]

Research Motivation
Are there any components affected by downgrade attacks other than Secure Boot?

Research Goals
- Evaluate the state of downgrade attacks on Windows
- Find out whether any other critical components have been overlooked

Downgrade Vision
Bring Your Own Vulnerab