It is common to refer to the kernel as trusted, due to its inherently higher level of privilege and isolation from user-mode applications. Yet, countless third-party drivers are written each month—Microsoft has stated that a million unique driver hashes are seen through telemetry, monthly! Each of these can contain any number of vulnerabilities, not to mention purposefully malicious kernel-mode code. In such a reality, the idea that the kernel is a small, protected component, and that user-mode applications are “safe” from attack, is clearly an unrealized ideal. This state of affairs leads to an inability to fully trust the kernel, and leaves key user-mode applications, which may contain highly private user data, open to compromise from other malicious user-mode applications (which exploit buggy kernel-mode components) or malicious kernel-mode programs.
As discussed in Chapter 2, “System architecture,” Windows 10 and Server 2016 include a virtualization-based security (VBS) architecture that enables an additional orthogonal level of trust: the virtual trust level (VTL). In this section, you will see how Credential Guard and Device Guard leverage VTLs to protect user data and provide an additional hardware-trust-based layer of security for digital code-signing purposes. At the end of this chapter, you will also see how Kernel Patch Protection (KPP) is provided through the PatchGuard component and enhanced by the VBS-powered HyperGuard technology.
As a reminder, normal user-mode and kernel code runs in VTL 0 and is unaware of the existence of VTL 1. This means anything placed at VTL 1 is hidden and inaccessible to VTL 0 code. If malware is able to penetrate the normal kernel, it still cannot gain access to anything stored in VTL 1, including even user-mode code running in VTL 1 (which is called Isolated User Mode). Figure 7-2 shows the main VBS components we’ll be looking at in this section:
■ Hypervisor-Based Code Integrity (HVCI) and Kernel-Mode Code Integrity (KMCI), which power
Device Guard
■ LSA (Lsass.exe) and isolated LSA (LsaIso.exe), which power Credential Guard
Additionally, recall that the implementation of Trustlets, which run in IUM, was shown in Chapter 3, “Processes and jobs.”
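As an added example (not code from the book), the following PowerShell reports whether the VBS components named above are configured and running on the local machine. It relies on the documented Win32_DeviceGuard WMI class, whose status codes are taken from Microsoft's documentation for that class, and on the presence of the LsaIso.exe process that hosts the isolated LSA trustlet.

```powershell
# Added example (not from the book): report which of the VBS components
# discussed in this section (VBS itself, HVCI, Credential Guard) are
# configured and running. Run from an elevated PowerShell prompt on
# Windows 10 / Server 2016 or later.

$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard

# VirtualizationBasedSecurityStatus (documented values):
#   0 = VBS not enabled, 1 = enabled but not running, 2 = enabled and running
$vbsState = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Running' }
# The property is a UInt32; cast to [int] so the hashtable key lookup matches.
"VBS (VTL 1 present): {0}" -f $vbsState[[int]$dg.VirtualizationBasedSecurityStatus]

# SecurityServicesConfigured / SecurityServicesRunning (documented codes):
#   1 = Credential Guard, 2 = Hypervisor-based Code Integrity (HVCI)
$services = @{
    1 = 'Credential Guard (LsaIso.exe in IUM)'
    2 = 'HVCI (code integrity enforced from VTL 1)'
}
foreach ($id in $services.Keys) {
    $configured = $dg.SecurityServicesConfigured -contains $id
    $running    = $dg.SecurityServicesRunning    -contains $id
    "{0,-45} configured={1} running={2}" -f $services[$id], $configured, $running
}

# Kernel-mode code integrity policy state (documented values):
#   0 = Off, 1 = Audit mode, 2 = Enforced
$ciState = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }
"KMCI policy enforcement: {0}" -f $ciState[[int]$dg.CodeIntegrityPolicyEnforcementStatus]

# Cross-check Credential Guard: the isolated LSA trustlet appears in VTL 0's
# process list as LsaIso.exe, even though its memory is inaccessible from VTL 0.
$lsaIso = Get-Process -Name LsaIso -ErrorAction SilentlyContinue
if ($lsaIso) { "LsaIso.exe running (PID $($lsaIso.Id))" }
else         { "LsaIso.exe not running: Credential Guard is not active" }
```

A machine where VBS reports "Running" but Credential Guard or HVCI shows configured=True, running=False usually still needs a reboot, or lacks a hardware prerequisite such as IOMMU support, for that service to start.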