Application security

Windows Subsystem for Linux

Security Ninja
March 30, 2018 by
Security Ninja

Microsoft has started developing cross-platform integrations into Windows 10. The Windows Subsystem for Linux (WSL) is an example of one these integrations that has developers excited. With these new integrations comes new security concerns. This article will examine how WSL works and concerns found thus far.

What is WSL?

The WSL allows Windows users to run various Linux distributions as a native app without the overhead of using a Virtual Machine. WSL introduced a Linux compatible kernel interface which allows it to run distributions on top of it.

A limitation of WSL is that it is compatible with only 64-bit systems running Windows 10 V 1607 or later. The latest addition is Kali Linux. It can be installed on the Windows 10 WSL compatible version. It also eliminates the need to use a separate VM. The WSL feature can be enabled using PowerShell via this specific command line, followed by a reboot:

Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux.

A common question that gets asked at this point is: Will an updated Windows Defender allow for the installation of Kali Linux modules? The answer to this is no. Windows Defender will flag it and restrict some of the Kali Linux modules as pieces of malicious code. A workaround to this whitelist in Defender the modules that you are trying to install.

The WSL contains both user-mode and kernel mode components, such as the following:

  • Bash.exe, which marks the instantiation of WSL.
  • Lxssmanager.exe, which is a user mode session manager service. It launches up a new instance of WSL upon execution.
  • Lxss.sys and lxcore.sys, these emulate the Linux kernel

A Review of the PICO Processes

An understanding of the PICO processes is important, as it is the foundation layer of the WSL. A PICO process is defined as a minimalist process. This is when an empty user mode does not possess the structure of a normal NT process.

This means that the Lxss.sys and Lxcore.sys files translate the Linux system calls into NT APIs. As a result, for any event that is triggered by the PICO process, the NT kernel forwards these requests to the PICO driver.

The driver computes the corresponding Linux syscall by inspecting the rax register value. After this occurs, it comes back to the NT kernel, and from there, it then places the return value back into the rax register. Finally, the sysret is reset to a user mode state.

In summary, PICO processes are containers which allow for the LINUX ELF binaries to be executed.

What is the Bashware Technique?

This is a specific technique to run Windows malware using the WSL environment from a Linux based instance. This can be accomplished by following these steps:

  1. The WSL feature on the affected machine needs to be activated. This requires administrative level access. Windows has many EOP (Elevation of Privilege) security flaws. That means that a Cyber attacker can easily escalate these administrative privileges.
  2. After the privileges have been escalated by the Cyber attacker, he or she can then enable the Windows 10 development mode. This can be achieved by modifying certain registries in the OS.
  3. Once the WSL feature has been enabled, the Cyber attacker can then force the OS to reboot for the WSL to be activated.
  4. Since the end user does not know that the WSL has been enabled, the Linux install does not actually exist on the victim's computer. As a result, the Cyber attacker can then extract the Lxrun.exe file and covertly launch that.
  5. After these steps have been executed, the Cyber attacker can then interact with the underlying Windows 10 OS. They can also secretly install "Wine." This functionality allows for various Windows-based applications to be run on a Unix based OS. With "Wine," the Cyber attacker can also install Windows malware on a WSL based distribution.

It is important to note that AV's cannot detect the PICO processes. However, with updates, Microsoft released various PICO APIs which can be used to monitor them.

In summary, the WSL is an innovative feature introduced by Microsoft which allows it to run Linux OSs without the need for Virtual Machines.

Security Ninja
Security Ninja