Recently, cybersecurity researchers at Deep Instinct have asserted that hackers can exploit the Windows container isolation framework to bypass the security defenses and mechanisms of organizations.
Containers revolutionize the way applications are packaged and isolated, empowering them with their complete runtime environment enclosed within.
This makes containers valuable for both resource efficiency and security. Microsoft introduced Windows Containers in Windows Server 2016, offering two distinct isolation modes:-
Process isolation mode
Hyper-V isolation mode
Hackers Abuse Windows Container Isolation
Since Windows Server 2003, job objects have grouped processes for unified management, controlling attributes such as:-
CPU
I/O
Memory
Network use
Nested jobs extend this model to multi-process applications.
Silos extend jobs with additional features, and containers use a ‘Server Silo’ for process grouping and resource redirection. The Windows kernel identifies processes assigned to a silo through the following APIs:-
PsIsCurrentThreadInServerSilo
PsIsProcessInSilo
Reparse points store user-defined data that file system mini-filter drivers parse, each identified by a unique tag. Containers use dynamic images to avoid copying OS files, linking to the originals through reparse points, the Deep Instinct report says.
Mini-filter drivers simplify I/O filtering, and Microsoft’s filter manager handles the following:-
Support for legacy filters
Managing filter insertion
Request handling
Cross-platform support
It also offers a dedicated API for common operations, the “Flt API.”
The wcifs mini-filter driver separates Windows containers from the host file system, handling the redirection of ghost files via reparse points.
The following main reparse tags are associated with this driver:-
IO_REPARSE_TAG_WCI_1
IO_REPARSE_TAG_WCI_LINK_1
Minifilters attach to file systems indirectly through the filter manager, which orders them by integer altitude values.
The altitude ranges in which the wcifs.sys driver and antivirus filters operate are:-
wcifs.sys driver: 180000-189999
Antivirus filters: 320000-329999
These altitude figures show that, because wcifs runs below the antivirus filters, an attacker could perform several file operations without triggering their callbacks.
To combat threats like this, security vendors deploy mini-filter drivers that monitor I/O and use detection algorithms to identify file system malware and prevent damage.
Mitigation
The mitigations offered by the security researchers are:-
Monitor DeviceIoControl calls using FSCTL_SET_REPARSE_POINT with the IO_REPARSE_TAG_WCI_1 tag. Check in the PRE_WRITE callback, and scan in PRE_CLEANUP even if the file is unchanged.
Validate wcifs’ communication port against non-system processes.
Validate the container by comparing source and destination volumes.
Check whether wcifs is attached by a user process rather than the system, or while the containers feature is off.
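As an added illustration of the first mitigation (this is example code, not Deep Instinct's or the article's), the Python routine below parses constructed DeviceIoControl event records, extracts the reparse tag from the REPARSE_DATA_BUFFER header and flags FSCTL_SET_REPARSE_POINT calls carrying a WCI tag from images outside an allow-list; the event format and the trusted-image list are assumptions.

```python
import struct
from dataclasses import dataclass

# Tag and IOCTL values as defined in the Windows SDK (ntifs.h / winioctl.h);
# verify them against your SDK headers before relying on them.
IO_REPARSE_TAG_WCI_1 = 0x90001018
IO_REPARSE_TAG_WCI_LINK_1 = 0xA0001027
FSCTL_SET_REPARSE_POINT = 0x000900A4
WCI_TAGS = {IO_REPARSE_TAG_WCI_1, IO_REPARSE_TAG_WCI_LINK_1}

# Hypothetical allow-list of images expected to set WCI reparse points on a
# host; tune it to what actually runs containers in your environment.
TRUSTED_IMAGES = {"system", "svchost.exe", "vmcompute.exe"}

@dataclass
class IoctlEvent:
    pid: int
    image: str
    ioctl: int
    in_buffer: bytes  # REPARSE_DATA_BUFFER passed to DeviceIoControl

def reparse_tag(buf: bytes):
    """Return ReparseTag from a REPARSE_DATA_BUFFER header, or None if short."""
    if len(buf) < 8:
        return None
    # Header layout: ULONG ReparseTag, USHORT ReparseDataLength, USHORT Reserved
    tag, _length, _reserved = struct.unpack_from("<IHH", buf, 0)
    return tag

def is_suspicious(ev: IoctlEvent) -> bool:
    """Flag FSCTL_SET_REPARSE_POINT with a WCI tag from a non-trusted image."""
    if ev.ioctl != FSCTL_SET_REPARSE_POINT:
        return False
    return reparse_tag(ev.in_buffer) in WCI_TAGS and ev.image.lower() not in TRUSTED_IMAGES

def make_buffer(tag: int, payload: bytes = b"") -> bytes:
    """Build a minimal REPARSE_DATA_BUFFER for a Microsoft-defined tag."""
    return struct.pack("<IHH", tag, len(payload), 0) + payload

# Constructed sample events (not real telemetry)
EVENTS = [
    IoctlEvent(4, "System", FSCTL_SET_REPARSE_POINT, make_buffer(IO_REPARSE_TAG_WCI_1)),
    IoctlEvent(5120, "dropper.exe", FSCTL_SET_REPARSE_POINT, make_buffer(IO_REPARSE_TAG_WCI_1, b"\x01" * 16)),
    IoctlEvent(5120, "dropper.exe", FSCTL_SET_REPARSE_POINT, make_buffer(0xA000000C)),  # symlink tag
    IoctlEvent(5120, "dropper.exe", 0x000900A8, make_buffer(IO_REPARSE_TAG_WCI_1)),  # FSCTL_GET_REPARSE_POINT
]

def flagged_pids(events):
    """Distinct PIDs that issued at least one suspicious reparse-point set."""
    return sorted({e.pid for e in events if is_suspicious(e)})

if __name__ == "__main__":
    for e in EVENTS:
        print(e.pid, e.image, hex(e.ioctl), "SUSPICIOUS" if is_suspicious(e) else "ok")
```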