It's difficult to describe something as complex as Windows in a few short paragraphs,
and we're not even going to try here. Instead, we're going to provide a somewhat
oversimplified description of the Windows security architecture, paying close attention
to points that have been attacked in the past.
Perhaps the most obvious initial observation to make about the Windows architecture
is that it is two-tiered. The most privileged tier of operating system code runs in so-called
kernel mode and has effectively unrestricted access to system resources. User mode
functionality has much more restricted access and must request services from the kernel
in many instances to complete certain tasks, such as accessing hardware resources,
authenticating users, and modifying the system.
Based on this simple separation, we can contemplate two basic attack methodologies:
attack the kernel, or attack user mode. These two basic approaches are illustrated in
Figure 2-1, which shows a malicious hacker accessing the kernel via a physical device/
media interface, and also attacking a user mode security context by compromising the
credentials of a valid system user. (Note that the attacker may then also compromise the
kernel if he or she hacks an administrative user context.) Let's explore both of these
approaches in more detail.
Attacking the Kernel
The kernel mode interface is an obviously attractive boundary that attackers have
historically sought to cross. If someone can insert code of their choosing into kernel
mode, the system is utterly compromised (as you will see in Chapters 6 and 8). As you
might imagine, Windows provides substantial barriers to running arbitrary code in
kernel mode, and it is generally quite difficult for low-privileged entities to do so.
Of course, there are always exceptions. Two primary classes of kernel mode
compromises can occur:

Physical attacks against kernel-resident device drivers that parse raw input,
such as from network connections or inserted media. The wireless networking
attacks published by Johnny Cache and others and the Sony CD-ROM rootkit
incident are examples of each of these, respectively (see References and
Further Reading).

Logical attacks against critical operating system structures that provide access to
kernel mode. These structures include certain protected kernel images (such as
ntoskrnl.exe, hal.dll, and ndis.sys), the Global Descriptor Table (GDT) and the
Interrupt Descriptor Table (IDT), the System Service Descriptor Table (SSDT),
certain critical processor model-specific registers (MSRs), and some internal
routines that are used for debugging purposes by the kernel.