Windows Vista: Network Attack Surface Analysis
I think that it goes without saying that Windows Vista is one of the most important technologies that we will see in the next year. With current versions of Windows appearing on well over 90% of desktop systems, Vista will undoubtedly become the dominant operating system within a few years. The appearance of Windows Vista gives Symantec an interesting opportunity both to perform new research and to publish the findings of that research. First of all, Vista is a beta operating system, meaning that it is changing at an extremely rapid pace: bugs are getting fixed, and in some cases new ones are introduced. Second, there is more freedom to discuss it because it is being made available explicitly for this purpose (to undergo testing and scrutiny).
With that said, I am very happy to present the Symantec Advanced Threat Research team’s first publicly available research paper: Windows Vista Network Attack Surface Analysis: A Broad Overview.
This paper discusses the Windows Vista network stack. The Windows Vista network stack has been rewritten from the ground up; according to Microsoft this was done in order to allow for easier maintenance, improved performance, and improved stability. Over the course of several months, Symantec’s Advanced Threat Research team performed a broad attack surface analysis of this new stack. First, we looked at historical issues by performing regression tests for well-known attacks that had been fixed in previous versions of Windows. We then looked at stack behavior and capabilities from a protocol standpoint. Finally, we spent some time using random fault injection in order to identify stability issues. We focused primarily on Vista builds 5231 and 5270, but have also updated a number of sections to reflect the recent changes in 5384 (Beta 2).
We broke our tests down into layers by looking at each of the link, network, transport, and session layers. Our results fall into three main categories:
1. Stability issues – situations where the stack crashes.
2. Undocumented or unexpected behavior – undocumented protocols or behavior.
3. New protocols – entirely new protocols (LLTD, IPv6, Teredo, SMB2) and encapsulation.
While our research has only scratched the surface, we hope that you will find our results thought-provoking. After all, it’s not often that you can perform this type of research on a “virgin” network stack. Also, it’s not often that you find someone who has the impetus (or is willing to endure the punishment) to write a new network stack from scratch! It is certainly not an easy undertaking.
You will also notice in this paper that a number of the issues we had identified in the earlier Vista builds have already been fixed in later ones. We fully expect that trend to continue up until Vista’s final release. On the other hand, network stacks can take several years of real-world scrutiny before they are battle hardened. It will be interesting to observe to what degree the Windows Vista network stack accomplishes this in such a compressed timeframe.