Einschränken von Applikationen mittels verfügbarer Werkzeuge für Windows Systeme Confining applications by using available tools for Windows Systems Master Thesis Submitted in partial fulfillment of the requirements for the degree of Master of Science in Engineering to the University of Applied Sciences FH Campus Wien Master Degree Program: IT-Security - Master Author: Martin Vaclavik Student identification number: 1610537016 Supervisor: Priv.-Doz. Mag. DI. DI. Dr.techn. Karl Michael Göschka Reviewer: (optional) Date: May 11, 2018 Declaration of authorship: I declare that this Master Thesis has been written by myself. I have not used any other than the listed sources, nor have I received any unauthorized help. I hereby certify that I have not submitted this Master Thesis in any form (to a reviewer for assessment) either in Austria or abroad. Furthermore, I assure that the (printed and electronic) copies I have submitted are iden- tical. Date: May 11, 2018 Signature: Kurzfassung In dieser Arbeit geht es um Windows Filter Treiber und wie man mit diesen, Dateizugriffe Beschränken kann anhand von Prozess-ids. Mit dieser Technik soll der Schaden einer Infek- tion durch eine Ransomware Attacke verringert werden, indem unbekannten Prozessen nicht erlaubt wird auf bestimmte Dateien zu schreiben. Der Benutzer hat dabei die Möglichkeit mit der C# Applikation auszuwählen, welche Prozesse, Zugriff auf Dateien bekommen und welche nicht. Deswegen ist eine der Fragestellungen, wie eine Ransomware Attacke abläuft, ein Fokus dieser Arbeit. Dadurch, dass es immer mehr Ransomware Attacken gibt, steigt auch der IT-Security Fokus, bezüglich diesem Threat-Modell. Dies ist vor allem durch die große Anzahl an Sicherheitssystemen zu sehen, die sich um das Eliminieren von Ransomware kümmern sollen. Diese Ransomware Tools sind in den meisten Fällen "Blackboxes" und es ist nicht wirklich klar, wie diese Systeme tatsä chlich funktionieren. Dies ist die Motivation dieser Arbeit, um ein Open-Source System zu bauen, welches Nachvollziehbar arbeitet und mit dem der Schaden einer Ransomware Attacke verringert werden kann. Windows Filter Treiber bieten einem sehr viele Möglichkeiten an, um Ransomware Attacken zu erkennen und zu verhindern. Das Problem mit dem man bei Windows Filter Treibern am meisten zu kä mpfen hat, ist das ganze System dahinter zu verstehen, da es ein sehr komplexes System ist und es nicht viele Arbeiten zu diesem Thema gibt, außer der offiziellen Microsoft Doku- mentation. Deswegen ist auch ein sehr großer Fokus dieser Arbeit, zu verstehen wie Filter Treiber funktionieren und wie sie genutzt werden können, um den Zugriff auf Dateien zu beschränken. Filter Treiber haben bewiesen, dass sie für diesen Einsatzzweck gewappnet sind. Dateizugriffe konnten Anhand von Prozess-ids verhindert werden. Das einzige Problem mit dem man als Benutzer solch eines Systems zu kämpfen hat ist, dass der Computer in den "test mode" ge- bracht werden muss, damit ein Filter Treiber erfolgreich in das System eingebunden werden kann. i Abstract This thesis focuses on Windows Filter Drivers and how they can be programmed to restrict IO access for specific process-ids. With this in mind the restriction should help prevent access to files by unknown programs that are running on the system. Preventing access to files is used to mitigate the damage of a ransomware attack, this means if a machine gets infected, the user needs to give permission to this process via the C# configurator tool to allow access to the restricted files. That is why a big part of this thesis focuses on how a ransomware attack starts and how it works in detail. Since the ransomware attacks are rather popular nowadays there are already a lot of solutions available, however many of these tools are complete blackboxes and it is not really anywhere documented how a malicious intent is actually found and restricted. Therefore the motivation of this thesis is to create an open source tool to mitigate the damage done by ransomware attacks. Windows filter drivers are a very powerful toolset and offer functionality that can help identify and or restrict malicious intent. The main problem with filter drivers despite how powerful they are is, that the theory behind it is complex and there are not many papers available about the windows filter driver framework, except for the official Microsoft documentation. This is one of the reasons why the biggest part of this thesis focuses on understanding how filter drivers work and how they can be used to restrict access to files. Filter Drivers have proven to be very effective for this kind of approach and successful filtering by process-id was achieved, with the only downfall being, that the machine must be set into the "test mode" to allow attaching the self signed filter drivers onto Windows. ii Key Terms ACL - Access Control Lists CAPTCHA - Completely Automated Public Turing test to tell Computers and Humans Apart CRG - Challenge Response Generator C&C - Command & Control DRBG - Deterministic Random Bit Generator DNS - Domain Name System DLL - Dynamic-link library GUI - Graphical User Interface HSM - Hierarchical storage management HTTPS - Hypertext Transfer Protocol Secure I/O - Input/Output IOCTL - Input and Output Control OS - Operating System PED - Policy Enforcement Driver PSI - Policy Specification Interface SCSI - Small Computer System Interface SDK - Software Development Kit TCP - Transmission Control Protocol UEFI - Unified Extensible Firmware Interface USB - Universal Serial Bus WDK - Windows Driver Kit WDTF - Windows Driver Testing Framework WPF - Windows Presentation Foundation iii Contents 1. Introduction1 1.1. Security introduction . .1 1.2. Ransomware infection . .4 1.3. Goal . .5 2. Available information gathering tools and protection suites6 2.1. Investigating OS activity via Sysinternal tools . .6 2.2. Windows Defender Ransomware protection . 10 2.3. Disallow the execution of applications with policies . 10 2.4. Applocker . 11 3. Windows Filter Driver 14 3.1. Microsoft Filter Driver Definition from Microsoft . 14 3.2. Introduction to the windows driver model . 14 3.3. Windows Filter Driver features and requirements . 16 3.4. Getting started with the Windows Driver Kit . 19 3.5. Alternatives to Windows Filter Drivers . 23 4. Building the Program 25 4.1. Preparing the System . 25 4.2. Choosing the right project type . 25 4.3. Preparing a computer for remote deployment and debugging . 26 4.4. Removing remote deployment and debugging from the computer . 28 4.5. Configuring the Driver Project . 28 4.6. The final application . 29 4.7. typical file write operation . 32 4.8. Blocking mechanisms . 34 5. Project Overview 36 5.1. Tests . 36 5.2. Problems . 36 5.3. Filter drivers critical view . 36 5.4. Common errors . 37 5.5. Related work . 38 5.6. Future work . 41 5.7. Conclusion . 42 Bibliography 43 List of Figures 47 List of Tables 48 Listings 49 iv A. Appendix 49 v 1. Introduction Security is gaining more attention every day because of current threats and events in the computer universe. Many systems on which most devices rely on are using old technologies and mechanisms to protect itself from attackers. The best example are signature based pro- tection mechanisms in antivirus suites, which are not sufficient enough for advanced threads or specially tailored attacks. Signature based mechanisms are still used very often which is fine if it is used with different solutions simultaneously. For specially tailored ransomware not many protection mechanisms exists, due to its dynamic structure. Many security solutions are either using sand boxing or automated code-analysis. In this thesis an approach will be used that tries to restrict the operations an application can do to a specific subset of files and folders, through the usage of Windows Filter Drivers which will be explained in detail later on. The main direction of the paper, is to build a system for Windows to allow higher restric- tions against special threats. The idea is to let the user of a system gain more control of the operating system(OS) and allow better protection by being restrictive with every unknown application. This protection mechanism is used to prevent ransomware attacks by disallowing read and write operations by unknown processes. Filtering the file access with filter drivers does not prevent the infection of the device for which there are already many tools available, but it offers the user a way to restrict access to specific files by whitelisting process-ids. To whitelist the processes the user will be presented with a C# application. This thesis is split into multiple chapters which should help us to understand what the issue is, what the current available security standards are and how this approach tries to achieve similar behaviour with filter drivers. Chapter 1 - Introduction Offers a quick dive into the security issues that are arising with ransomware and some tips to mitigate the risk and the impact of a successful ran- somware attack. Chapter 2 - Available information gathering tools and protection suites Shows some avail- able information gathering sources and some already finished products that offer similar functionality that should be achieved in this paper. Chapter 3 - Windows Filter Driver Offers a good overview over the whole Windows filter system as well as all information to deploy a filter driver. Chapter 4 - Building the Program Focuses on how the project structure looks like and how calls are filtered. Chapter 5 - Project Overview shows the outcome of the system and a critical look on the filter drivers interception, as well as related and future work. 1.1. Security introduction The security industry is a very important field at the current age. With bot-nets and ransom- ware being constantly in the news, security experts are having difficulties protecting users against such a dynamic threat. Zero day exploits are also a big topic in the IT-Security field. 1 Chapter 1. Introduction The fact that our systems are growing to such a complexity where most parts cannot be checked for bugs so easily does not help this fact.