A handle, a token, a SYSTEM shell
MiniPlasma is not a kernel defect. It is the externally visible behaviour of a trust model that confuses reference with verification.
A proof of concept for the MiniPlasma vulnerability was published this month. On an unpatched Windows host, a low-privileged process invoked a documented kernel interface, passed a structured object through a path the operating system has exposed for years, and received SYSTEM-level execution in return. No memory corruption was required in the classical sense. No exotic primitive was assembled. The call succeeded because the kernel accepted the request as well-formed and acted on it. The exploit did not break the system. It used the system.
The behaviour observed is consistent across reproductions. A handle is obtained through a sanctioned channel. A token operation is requested. The operation returns a result the caller is permitted to use. The privileged context is reached not by escaping a boundary but by walking through one. Telemetry on the affected hosts records the sequence as ordinary activity, because at every step the activity is ordinary. The artifacts are indistinguishable from work the operating system performs thousands of times per minute on a healthy machine.
This is the relevant fact, and the only one that matters at the outset. A documented surface, exposed for legitimate purposes, returned privileged outcomes to an unprivileged caller. The vulnerability is not a defect introduced by a single line of recent code. It is the externally visible behaviour of a system doing what it has been instructed to do for a long time. Whatever follows in patch notes and advisories begins from this observation: the kernel honoured the request.
Windows was built on a trust model that treats the local kernel as the final arbiter of authority. Inside that boundary, the operating system assumes that any caller able to reach a given interface has, by the act of reaching it, already satisfied the conditions required to use it. Access control is enforced at the entry. Once a caller is past the entry, the structures it presents are interpreted, not interrogated. The kernel does not ask why a handle exists. It asks only whether it is valid. Validity is a property of provenance, not of intent.
This assumption is older than most of the code that depends on it. It was made when the boundary between user and kernel was the dominant security boundary on a personal computer, when local code was overwhelmingly written by the same vendor that wrote the kernel, and when the surface area exposed to unprivileged callers was small enough to reason about by inspection. Under those conditions, treating the kernel as the authority and the entry point as the checkpoint was coherent. Trust was granted at one place, and the system behind that place could assume it had already been earned.
The model further assumed that privilege, once represented inside the kernel as a token or a handle, could be referenced by other kernel components without re-deriving how that representation came to exist. A token is a token. A handle is a handle. The structure is the receipt. The receipt is the right. Components were built to act on these structures because re-validating them at every interior call would have been prohibitively expensive and, under the original threat model, redundant. The interior of the kernel was a trusted region. Inside a trusted region, references are equivalent to verifications.
What changed is not the kernel and not the attacker. What changed is the population of callers the kernel exposes its interior to, and the conditions under which those callers can present structurally valid references. The number of code paths reachable from a low-integrity process has grown for two decades. Each addition extended the surface across which a caller can construct, obtain, or coerce a reference the kernel will treat as authoritative. The boundary did not move. The reachable interior expanded behind it.
The assumption that a valid reference inside the kernel implies a legitimate origin no longer holds. It holds in the cases the original designers had in mind, where the only producers of such references were components written under the same trust regime. It does not hold in a system where dozens of subsystems, drivers, compatibility shims, and inherited interfaces can produce, transform, or hand off references that downstream consumers cannot distinguish from those produced by the trusted core. The kernel still treats provenance as a property of structure. The structure no longer carries the property it once implied.
MiniPlasma is the externally observable consequence of this drift. The exploit does not defeat a check. It satisfies one. The system did not re-evaluate trust because it was never built to re-evaluate trust at that location. It inherited a decision made at the entry, propagated that decision through a chain of internal references, and arrived at a privileged outcome on the strength of a chain that, taken end to end, no longer means what each individual link was designed to mean. The control is intact. The condition it was meant to enforce has quietly ceased to be true.
The mechanism is not a bypass. Inside the kernel, privilege is represented as a structure. A token describes a security context. A handle describes a relationship to an object. When a component receives one of these structures, its work is to act on what the structure says, not to reconstruct how the structure came to exist. The structure is the receipt. The receipt is the right. The component does not call back to the producer to ask whether the producer intended this use. It does not re-derive the conditions that produced the contents of the field it is reading. It reads the field. It honours the field. The cost of doing otherwise, at every internal call site, would have collapsed the performance budget of the operating system. So the cost was not paid, and the design was made coherent by an assumption about who could produce such a structure in the first place.
Reference replaced validation by construction, not by accident. Each time a new subsystem was added that could obtain, transform, or pass a token or handle, the kernel acquired a new producer of authoritative references. The downstream consumers of those references did not learn the names of the new producers. They continued to read the structures as they always had. The identity of the source was absorbed into the structure of the artifact and then discarded. What remained was a field with a value. The value resolved. The resolution was the authority. This is the operating definition of trust inside the kernel: a structure that resolves is a structure that may be acted upon.
MiniPlasma is what this mechanism produces when an unprivileged caller becomes able to present a structure that resolves. The caller does not need to forge anything. It does not need to corrupt memory. It needs only to traverse a documented sequence of interfaces, each of which is willing to produce or transform a reference on its behalf, until the reference it holds is one a privileged consumer will read as authoritative. From the consumer’s perspective, nothing is wrong. The field has a value. The value is well-formed. The expected behaviour follows. The system has not been deceived in any sense it was built to detect. It has been used in the manner its interior contract describes. The exploit is the contract being executed against a caller the contract was never written to imagine.
The pattern is execution based on reference, not verification. A system that issues authoritative artifacts at one boundary, and then accepts those artifacts at interior boundaries as proof rather than as evidence, becomes a system in which the population of producers and the population of consumers are coupled by structure alone. Verification is performed once, at issuance. Every later use is a lookup against the artifact. The artifact carries no memory of its issuance conditions and no obligation to be reconciled with them. If the artifact resolves, the action proceeds. The trust boundary, in operational terms, is not the place where the policy is written. It is the place where the artifact is read.
This is the same pattern that governs dependency resolution in modern software supply chains. A package manifest names a version. A registry returns an artifact matching that name. A consuming system installs and executes the artifact because the reference resolved. The signature, where one exists, attests that the artifact was produced by the holder of a key. It does not attest that the contents of the artifact correspond to what any downstream user believed they were requesting. The reference is honoured. The receipt is the right. When a maintainer’s account is compromised, or when a name is transferred, or when a new version is published that bears no resemblance to the prior one, none of the consuming systems re-evaluate the trust they extended. They resolve the reference. They execute the contents. The supply chain is doing exactly what it was built to do.
In both cases the failure is not at the point of compromise. It is at the point of consumption. The consumer was built to trust the artifact because the artifact was produced inside a region the original designers considered trusted. The region has expanded. The producers have multiplied. The consumers have not been told. The structure of the artifact is identical to what it was when the assumption was sound, and so the artifact continues to be read as if the assumption were still sound. The mechanism does not distinguish between the original conditions and the present ones because it was never given the ability to distinguish. It was given the ability to resolve.
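The dependency-resolution version of the pattern, as an added example written for this page (not code from any package manager or from the author): a constructed toy registry in which the same name and version is republished with different contents. A consumer that installs because the reference resolved accepts the new artifact; a consumer that recorded the content digest at first issuance and reconciles against it refuses. The package name, versions and bytes are all constructed.

```python
import hashlib

# Constructed toy registry: package name -> version -> artifact bytes.
# It stands in for any registry; it is not a real package manager's data.
REGISTRY_V1 = {"leftpad": {"1.0.0": b"def pad(s, n):\n    return s.rjust(n)\n"}}
# Same name and version republished with different contents (for example
# after the publishing account changes hands). The reference still resolves.
REGISTRY_V2 = {"leftpad": {"1.0.0": b"def pad(s, n):\n    return s.ljust(n)\n"}}


def digest(artifact: bytes) -> str:
    return hashlib.sha256(artifact).hexdigest()


def resolve_by_reference(registry: dict, name: str, version: str) -> bytes:
    """The pattern the text describes: the artifact is accepted because the
    name/version reference resolved. Nothing about its content is checked."""
    return registry[name][version]


def pin(registry: dict, name: str, version: str) -> dict:
    """Record the issuance condition (content digest) at first resolution,
    as a lockfile entry would. This is the memory a bare reference lacks."""
    return {"name": name, "version": version,
            "sha256": digest(registry[name][version])}


def resolve_with_verification(registry: dict, lock: dict) -> bytes:
    """Resolve the reference, then reconcile the artifact with the recorded
    issuance condition before it is accepted."""
    artifact = registry[lock["name"]][lock["version"]]
    actual = digest(artifact)
    if actual != lock["sha256"]:
        raise ValueError(
            f"{lock['name']}=={lock['version']}: digest {actual[:12]} does not "
            f"match pinned {lock['sha256'][:12]}; refusing to install")
    return artifact


def outcomes() -> dict:
    """Run both consumers against the republished registry."""
    lock = pin(REGISTRY_V1, "leftpad", "1.0.0")
    by_reference = resolve_by_reference(REGISTRY_V2, "leftpad", "1.0.0")
    try:
        resolve_with_verification(REGISTRY_V2, lock)
        verified = "accepted"
    except ValueError:
        verified = "rejected"
    return {"reference_only_installed_changed_artifact":
            by_reference != REGISTRY_V1["leftpad"]["1.0.0"],
            "verified_consumer": verified}


if __name__ == "__main__":
    print(outcomes())
```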
The kernel resolves the reference once. It does not revalidate. The privileged outcome follows from the structure, not from the caller.
The trust boundary is no longer the place the policy describes. It is the place the artifact is read. Every interior consumer of an authoritative reference is now a de facto entry point, whether the design acknowledges it or not.
The control exists. The outcome it was meant to guarantee does not. MiniPlasma did not introduce this condition. It demonstrated it.