Windows Subsystem for Linux
Microsoft has started developing cross-platform integrations into Windows 10. The Windows Subsystem for Linux (WSL) is an example of one these integrations that has developers excited. With these new integrations comes new security concerns. This article will examine how WSL works and concerns found thus far.
What is WSL?
The WSL allows Windows users to run various Linux distributions as a native app without the overhead of using a Virtual Machine. WSL introduced a Linux compatible kernel interface which allows it to run distributions on top of it.
A limitation of WSL is that it is compatible with only 64-bit systems running Windows 10 V 1607 or later. The latest addition is Kali Linux. It can be installed on the Windows 10 WSL compatible version. It also eliminates the need to use a separate VM. The WSL feature can be enabled using PowerShell via this specific command line, followed by a reboot:
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux.
A common question that gets asked at this point is: Will an updated Windows Defender allow for the installation of Kali Linux modules? The answer to this is no. Windows Defender will flag it and restrict some of the Kali Linux modules as pieces of malicious code. A workaround to this whitelist in Defender the modules that you are trying to install.
The WSL contains both user-mode and kernel mode components, such as the following:
- Bash.exe, which marks the instantiation of WSL.
- Lxssmanager.exe, which is a user mode session manager service. It launches up a new instance of WSL upon execution.
- Lxss.sys and lxcore.sys, these emulate the Linux kernel
A Review of the PICO Processes
An understanding of the PICO processes is important, as it is the foundation layer of the WSL. A PICO process is defined as a minimalist process. This is when an empty user mode does not possess the structure of a normal NT process.
This means that the Lxss.sys and Lxcore.sys files translate the Linux system calls into NT APIs. As a result, for any event that is triggered by the PICO process, the NT kernel forwards these requests to the PICO driver.
The driver computes the corresponding Linux syscall by inspecting the rax register value. After this occurs, it comes back to the NT kernel, and from there, it then places the return value back into the rax register. Finally, the sysret is reset to a user mode state.
In summary, PICO processes are containers which allow for the LINUX ELF binaries to be executed.
What is the Bashware Technique?
This is a specific technique to run Windows malware using the WSL environment from a Linux based instance. This can be accomplished by following these steps:
- The WSL feature on the affected machine needs to be activated. This requires administrative level access. Windows has many EOP (Elevation of Privilege) security flaws. That means that a Cyber attacker can easily escalate these administrative privileges.
- After the privileges have been escalated by the Cyber attacker, he or she can then enable the Windows 10 development mode. This can be achieved by modifying certain registries in the OS.
- Once the WSL feature has been enabled, the Cyber attacker can then force the OS to reboot for the WSL to be activated.
- Since the end user does not know that the WSL has been enabled, the Linux install does not actually exist on the victim's computer. As a result, the Cyber attacker can then extract the Lxrun.exe file and covertly launch that.
- After these steps have been executed, the Cyber attacker can then interact with the underlying Windows 10 OS. They can also secretly install "Wine." This functionality allows for various Windows-based applications to be run on a Unix based OS. With "Wine," the Cyber attacker can also install Windows malware on a WSL based distribution.
It is important to note that AV's cannot detect the PICO processes. However, with updates, Microsoft released various PICO APIs which can be used to monitor them.
11 courses, 8+ hours of training
In summary, the WSL is an innovative feature introduced by Microsoft which allows it to run Linux OSs without the need for Virtual Machines.
In this Series
- Windows Subsystem for Linux
- DevSecOps: Moving from “shift left” to “born left”
- What’s new in the OWASP Top 10 for 2023?
- DevSecOps: Continuous Integration Continuous Delivery (CI-CD) tools
- Introduction to DevSecOps and its evolution and statistics
- MongoDB (part 3): How to secure data
- MongoDB (part 2): How to manage data using CRUD operations
- MongoDB (part 1): How to design a schemaless, NoSQL database
- Understanding the DevSecOps Pipeline
- API Security: How to take a layered approach to protect your data
- How to find the perfect security partner for your company
- Security gives your company a competitive advantage
- 3 major flaws of the black-box approach to security testing
- Can bug bounty programs replace dedicated security testing?
- The 7 steps of ethical hacking
- Laravel authorization best practices and tips
- Learn how to do application security right in your organization
- How to use authorization in Laravel: Gates, policies, roles and permissions
- Is your company testing security often enough?
- Authentication vs. authorization: Which one should you use, and when?
- Why your company should prioritize security vulnerabilities by severity
- There’s no such thing as “done” with application security
- Understanding hackers: The insider threat
- Understanding hackers: The 5 primary types of external attackers
- Want to improve the security of your application? Think like a hacker
- 5 problems with securing applications
- Why you should build security into your system, rather than bolt it on
- Why a skills shortage is one of the biggest security challenges for companies
- How should your company think about investing in security?
- How to carry out a watering hole attack: Examples and video walkthrough
- How cross-site scripting attacks work: Examples and video walkthrough
- How SQL injection attacks work: Examples and video walkthrough
- Securing the Kubernetes cluster
- How to run a software composition analysis tool
- How to run a SAST (static application security test): tips & tools
- How to run an interactive application security test (IAST): Tips & tools
- How to run a dynamic application security test (DAST): Tips & tools
- Introduction to Kubernetes security
- Key findings from ESG’s Modern Application Development Security report
- Microsoft’s Project OneFuzz Framework with Azure: Overview and concerns
- Software maturity models for AppSec initiatives
- Best free and open source SQL injection tools [updated 2021]
- Pysa 101: Overview of Facebook’s open-source Python code analysis tool
- Improving web application security with purple teams
- Open-source application security flaws: What you should know and how to spot them
- Android app security: Over 12,000 popular Android apps contain undocumented backdoors
- 13 common web app vulnerabilities not included in the OWASP Top 10
- Fuzzing, security testing and tips for a career in AppSec
- 14 best open-source web application vulnerability scanners [updated for 2020]
- 6 ways to address the OWASP top 10 vulnerabilities
- Ways to protect your mobile applications against hacking
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Application security
Application security
Application security
DevSecOps: Continuous Integration Continuous Delivery (CI-CD) tools
Application security