James Forshaw

New and Improved UMCI, Same Old Bugs

Abstract

User Mode Code Integrity (UMCI) restricts which executables can run based on who signed them. UMCI was introduced with the ARM-based Windows RT in 2012, but ways of bypassing the signing restrictions were quickly discovered. In 2017 Microsoft introduced a new SKU of Windows 10, the Cloud Edition, better known as Windows 10S. This was the first x86 version of Windows to enable UMCI by default, in this case to restrict the OS to running only Microsoft- and Store-signed executables for security purposes. It turns out that many of the same problems Microsoft had in Windows RT also apply to Windows 10S, so it was possible to bypass UMCI and execute arbitrary code.
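A practical first step when assessing a machine such as a Windows 10S install is to confirm whether UMCI is actually being enforced, and to see which signer a given executable carries. The following PowerShell is an added example and is not code from the talk or its author; it relies on the documented Win32_DeviceGuard CIM class (enforcement status values 0 = Off, 1 = Audit, 2 = Enforced) and the built-in Get-AuthenticodeSignature cmdlet. The sample path passed to Get-ExecutableSigner is an assumption chosen for illustration.

```powershell
# Added example (not from the talk or its author). Requires Windows 10 / Server 2016 or later,
# where the Device Guard CIM class exists; run from an elevated or standard PowerShell session.

function Get-UmciStatus {
    # Query the Device Guard CIM class for the current code integrity enforcement state.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard' -ErrorAction SilentlyContinue
    if ($null -eq $dg) {
        Write-Warning 'Win32_DeviceGuard not available; this OS build does not expose code integrity state.'
        return $null
    }

    # Documented enforcement status values: 0 = Off, 1 = Audit mode, 2 = Enforced.
    $status = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }

    [pscustomobject]@{
        UserModeCodeIntegrity   = $status[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus]
        KernelModeCodeIntegrity = $status[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
    }
}

function Get-ExecutableSigner {
    param([Parameter(Mandatory)][string]$Path)

    # Authenticode signature check: UMCI decides based on the signer, so the subject of the
    # signing certificate (and whether the chain is valid) is what matters for a policy decision.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status            # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer     = $sig.SignerCertificate.Subject
        Thumbprint = $sig.SignerCertificate.Thumbprint
    }
}

Get-UmciStatus
# Assumed sample target: a Microsoft-signed system binary, present on any Windows install.
Get-ExecutableSigner -Path "$env:SystemRoot\System32\notepad.exe"
```

On a Windows 10S system Get-UmciStatus should report UserModeCodeIntegrity as Enforced; anything else means the signing restriction the abstract describes is not active, and a bypass would not be needed to run unsigned code.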

This presentation will describe how Windows 10S is configured, introduce some of the bypasses I’ve discovered, including ones which haven’t been fixed, and describe how you might go about finding new bypasses.

BIO

James is a security researcher in Google’s Project Zero. He has been involved with computer hardware and software security for over 10 years looking at a range of different platforms and applications. With a great interest in logical vulnerabilities he’s been listed as the #1 researcher for MSRC, as well as being a Pwn2Own and Microsoft Mitigation Bypass bounty winner. He has spoken at a number of security conferences including Black Hat USA, CanSecWest, Bluehat, HITB, and Infiltrate.