
DAY 1 - 1st July 08

START END TOPIC COMPANY
09:00 09:15 Opening and Welcome Address
Thomas Lim
CEO of COSEINC and Organiser of SyScan
09:15 10:15
Petr Matousek
COSEINC
10:15 10:45 Coffee and Tea Break  
10:45 11:45
    Trusted Virtualization: The Next Big Thing?

    With the increasing popularity of Trusted Platform Modules (TPMs) in present-day personal computers, new challenges confront the software security industry. The forecast is that TPM functionality will be coupled with virtualised environments in order to manage secure domains in which kernel layers and applications can scale in a trusted fashion. “Trust” does not necessarily imply “security”, but it can suggest it. Content providers will have considerably more control over their data on users’ desktops, which might bring a lot of controversy about end users’ authority over their own machines. Meanwhile, although all mainstream hardware and OS vendors have developed their own Trusted Computing (TC) models, none of those models has prevailed as the standard.

    This imminent paradigm shift would radically change the legacy methods by which security products have dealt with malicious activity. The introduction of those locked-down layers might mean that anti-malware scanners will have to deal differently with adversaries who can achieve higher privileges. For example, PatchGuard originally did not completely prevent patching of the kernel, yet it blocked security applications from accessing the kernel for legitimate reasons; malware could use those weaknesses, but anti-malware scanners could not.

    The purpose of this paper is to explain the implications of the next generation of hardware platforms for the software security industry. These changes will not only affect the PC architecture but will extend to mobile platforms. Will immune implementations of trusted computing models ever render anti-malware scanners useless? Or is TC, in fact, the next weapon in the anti-malware industry’s arsenal?


Gaith Taha
McAfee Avert Labs
11:45 12:00
    Generic Electric Grid Malware Design – Attacking SCADA System

    SCADA systems directly influence the lives and wellbeing of all civilians in almost any modernized country. The best site for an attacker to compromise in order to cause maximum damage is the control center. Much like in Aikido, an attacker can turn your strengths (centralized management of assets, multiple control applications) to his benefit.

    A common argument of engineering and operations personnel against the possibility of successfully launching an attack on the SCADA network of an electric grid utility is that the network is too complex for an outsider to operate. This assumption rests on the obscure communication protocols and addressing schemes in use in such networks, which do not allow easy identification of which device is using a given address or of how to properly control it.

    In the whitepaper we will describe a tool that puts the above assumption to the test. This malware is designed to cause havoc in an electric T&D control center and the grid under its command without any prior knowledge of the network, its nodes or the EMS (Energy Management System) application. In addition, the malware is autonomous and does not rely on remote operation by the attacker after its installation.

Eyal Udassin
C4 Security
12:00 12:45 Windows Vista User Interface Privilege Isolation
Edgar Barbosa
COSEINC
12:45 13:45 Lunch Break  
13:45 13:45
    Real World Kernel Pool Exploitation

    As user-level security gets more robust, hackers continue to find vulnerabilities in the kernel. Each of these vulnerabilities requires new techniques, and because any mistake can cause a blue screen, reliability is paramount. In this talk, Kostya Kortchinsky will detail the results of his work exploiting the MS08-001 IGMP kernel overflow vulnerability.

Kostya Kortchinsky
Immunity
13:45 14:45 Break  
15:00 16:00
    Defeating ASLR and DEP protections on Windows Vista

    Over the past several years, Microsoft has implemented a number of memory protection mechanisms with the goal of preventing the reliable exploitation of common software vulnerabilities on the Windows platform. Protection mechanisms such as GS, SafeSEH, DEP and ASLR complicate the exploitation of many memory corruption vulnerabilities and at first sight present an insurmountable obstacle to exploit developers.

    This talk presents exploitation methodologies against this increasingly complex target. I will demonstrate how the inherent design limitations of the protection mechanisms in Windows Vista make them ineffective at preventing the exploitation of memory corruption vulnerabilities in browsers and other client applications.

    Each of the aforementioned protections will be briefly introduced and its design limitations discussed. I will present a variety of techniques that can be used to bypass the protections and achieve reliable remote code execution in many different circumstances. Finally, I will discuss what Microsoft can do to increase the effectiveness of the memory protections, at the expense of annoying Vista users even more.

Alexander Sotirov
VMWare
16:00 17:00 Beer Break  
18:00   End of Day 1  

DAY 2 - 2nd July 08