Blackhat session: Linux subsystem to present new attack surface in Windows 10

Reading time icon 2 min. read

Readers help support MSPoweruser. When you make a purchase using links on our site, we may earn an affiliate commission. Tooltip Icon

Read the affiliate disclosure page to find out how can you help MSPoweruser effortlessly and without spending any money. Read more


The new Linux subsystem in Windows 10 Redstone is great news for cross-platform developers and administrators but could turn out to have hidden dangers for the rest of the Windows 10-using population.

Security company CrowdStrike will be delivering a talk at hacker conference Blackhat in August where they will be discussing the new opportunities the subsystem will offer to those trying to crack Windows 10.

In their abstract they write:

Initially known as “Project Astoria” and delivered in beta builds of Windows 10 Threshold 2 for Mobile, Microsoft implemented a full blown Linux 3.4 kernel in the core of the Windows operating system, including full support for VFS, BSD Sockets, ptrace, and a bonafide ELF loader. After a short cancellation, it’s back and improved in Windows 10 “Redstone” for Desktop and Server, under the guise of docker/container interoperability. This new kernel and related components can run 100% native, unmodified Linux binaries, meaning that NT can now execute Linux system calls, schedule thread groups, fork processes, and access the VDSO!

As it’s implemented using a full-blown, built-in, loaded-by-default, Ring 0 driver with kernel privileges, this not a mere wrapper library or user-mode system call converter like the POSIX subsystem of yore. The very thought of an alternate virtual file system layer, networking stack, memory and process management logic, and complicated ELF parser and loader in the kernel should tantalize exploit writers – why choose from the attack surface of a single kernel, when there’s now two?

But it’s not just about the attack surface – what effects does this have on security software? Do these frankenLinux processes show up in Procmon or other security drivers? Do they have PEBs and TEBs? Is there even an EPROCESS? And can a Windows machine, and the kernel, now be attacked by Linux/Android malware? How are Linux system calls?

As usual, we’ll take a look at the internals of this entirely new paradigm shift in the Windows OS, and touch the boundaries of the undocumented and unsupported to discover interesting design flaws and abusable assumptions, which lead to a wealth of new problems for security Windows 10 “Redstone” machines.

It is very likely that the more APIs an OS supports the more difficult it is to secure, but I think in terms of staying relevant and successful being useful and open is much more important than being locked down and secure. Do our readers agree?

More about the topics: blackhat, security, windows 10