
Hacking techniques compromise Windows Vista heap

Robert Westervelt, News Director


LAS VEGAS -- A researcher says design problems in Microsoft Windows Vista's memory allocation system could enable malicious hackers to compromise the OS.

In his Black Hat presentation, Attacking the Vista heap, Ben Hawkes, a New Zealand-based independent security researcher, explained how to conduct attacks against the Vista heap allocator. He presented several scenarios in which a heap buffer overflow in an application could be turned against the allocator's own data structures and ultimately used to execute arbitrary code.

"The idea is to set up a structure to use in an attack," Hawkes said. "You can potentially overflow anything and everything."

The heap is the region of a process's memory from which the operating system's allocator hands out dynamically sized blocks to the program. Hawkes' technique starts from an ordinary heap overflow: a specially crafted payload written past the end of one block spills into whatever lies next to it, which can be the allocator's own metadata or the control structure of another heap, and a corrupted structure lets the attacker steer the next heap allocation into arbitrary code execution. Because the attacker cannot know in advance what sits beside the overflowed block, the process creates heap after heap until the address space is filled with newly created heaps, making it likely that the overflow lands on one of them.

"Eventually you'll hit one where you can control the heap handle," Hawkes said. "The idea is that you're trying to get control of the structure."

Hawkes' research targets the heap implementation itself rather than any particular application that uses it. He said his aim is to improve the security of the Vista heap, and he offered suggestions for making heap memory corruption harder for malicious hackers to exploit.


He said Microsoft should add guard pages and guarded mappings, moving all the allocator structures that an overflow could corrupt out of the heap so that a payload written past the end of a block cannot reach them. The Vista heap checksum should also be validated before any use of a chunk header, Hawkes said, so that an overwrite of the adjacent chunk's header is detected before the allocator acts on it. He said his suggestions are fairly simple to implement.

Said Hawkes, "There's no reason why they haven't been done already or they shouldn't be done in the future."

Microsoft has made improvements in heap security with the release of Windows Vista, including checksumming heap blocks and encoding heap block metadata elements. The base address of heaps is also randomized to make it more difficult to conduct a successful attack. Microsoft has said most applications within Vista are designed to terminate if heap corruption is detected.
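To make the mechanics concrete, here is a toy allocator added for this article. It is neither Hawkes' code nor Microsoft's allocator: the four-byte header layout, the fixed key TOY_KEY, the arena size and every function name are assumptions made for illustration. It models the two Vista hardening measures just described, checksummed and XOR-encoded chunk headers, together with the primitive Hawkes' attacks start from, an overflow that spills out of one chunk into the metadata of its neighbour. The toy_free routine plays the part of a coalescing free that reads the adjacent chunk's header, and overflow_then_free triggers the bug with attacker-supplied spill bytes so you can compare validating the checksum before use with skipping the check.

```c
/* toy_heap.c: a miniature bump allocator whose chunk headers are XOR-encoded with a
 * per-heap key and carry a one-byte checksum, modelled loosely on the Vista heap
 * hardening described above. Added example; not the Vista allocator itself. */
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

#define ARENA_SIZE 256
#define HDR_SIZE   4
#define TOY_KEY    0x5A3C9E10u          /* assumed fixed key; a real heap draws it at random */
#define TOY_HEAP_CORRUPT (-1)

typedef struct {
    uint8_t  arena[ARENA_SIZE];        /* chunks are laid out back to back in here */
    size_t   top;                      /* offset of the first unused byte */
    uint32_t key;                      /* metadata encoding key for this heap */
    bool     validate;                 /* verify the checksum before trusting a header? */
} toy_heap_t;

/* Toy header (4 bytes, little-endian host assumed): [size lo][size hi][flags][checksum].
 * The first three bytes are XORed with the heap key; the checksum is the XOR of those
 * three encoded bytes. */
uint32_t encode_hdr(uint32_t key, uint16_t size, uint8_t flags) {
    uint32_t enc = ((uint32_t)size | ((uint32_t)flags << 16)) ^ (key & 0x00FFFFFFu);
    uint8_t chk = (uint8_t)(enc ^ (enc >> 8) ^ (enc >> 16));
    return enc | ((uint32_t)chk << 24);
}

/* Decodes size and flags unconditionally; returns whether the checksum was consistent. */
bool decode_hdr(uint32_t key, uint32_t stored, uint16_t *size, uint8_t *flags) {
    uint8_t chk = (uint8_t)(stored ^ (stored >> 8) ^ (stored >> 16));
    uint32_t raw = (stored ^ key) & 0x00FFFFFFu;
    *size  = (uint16_t)raw;
    *flags = (uint8_t)(raw >> 16);
    return chk == (uint8_t)(stored >> 24);
}

void toy_heap_init(toy_heap_t *h, uint32_t key, bool validate) {
    memset(h, 0, sizeof *h);
    h->key = key;
    h->validate = validate;
}

/* Bump-allocates `size` bytes behind an encoded header, so chunk N's user data is
 * immediately followed by chunk N+1's header: the adjacency an overflow abuses. */
uint8_t *toy_alloc(toy_heap_t *h, uint16_t size) {
    if (h->top + HDR_SIZE + size > ARENA_SIZE) return NULL;
    uint32_t hdr = encode_hdr(h->key, size, 1 /* busy */);
    memcpy(h->arena + h->top, &hdr, HDR_SIZE);
    uint8_t *user = h->arena + h->top + HDR_SIZE;
    h->top += HDR_SIZE + size;
    return user;
}

/* Models the part of free() that walks to the neighbouring chunk to coalesce with it.
 * Returns the size the allocator would go on to trust for that neighbour, 0 if there is
 * no neighbour, or TOY_HEAP_CORRUPT when validation is on and a checksum fails. A real
 * allocator turns that trusted size into addresses and list pointers, which is where
 * control is lost. */
int toy_free(toy_heap_t *h, uint8_t *user) {
    uint16_t size; uint8_t flags; uint32_t stored;
    memcpy(&stored, user - HDR_SIZE, HDR_SIZE);
    bool ok = decode_hdr(h->key, stored, &size, &flags);
    if (h->validate && !ok) return TOY_HEAP_CORRUPT;
    uint8_t *next_hdr = user + size;                         /* header of the adjacent chunk */
    if (next_hdr + HDR_SIZE > h->arena + h->top) return 0;   /* last chunk: nothing to merge */
    memcpy(&stored, next_hdr, HDR_SIZE);
    ok = decode_hdr(h->key, stored, &size, &flags);
    (void)flags;
    if (h->validate && !ok) return TOY_HEAP_CORRUPT;
    return size;
}

/* The bug under study: 16 bytes of legitimate data go into a 16-byte chunk A, followed
 * by `spill_len` attacker-chosen bytes that land on neighbour B's header. */
int overflow_then_free(bool validate, const uint8_t *spill, size_t spill_len) {
    toy_heap_t h;
    toy_heap_init(&h, TOY_KEY, validate);
    uint8_t *a = toy_alloc(&h, 16);
    uint8_t *b = toy_alloc(&h, 16);
    if (!a || !b || spill_len > 16) return -2;
    uint8_t buf[32];
    memset(buf, 0x41, 16);
    if (spill_len) memcpy(buf + 16, spill, spill_len);
    memcpy(a, buf, 16 + spill_len);       /* writes past the end of A into B's header */
    return toy_free(&h, a);
}

/* An attacker who has leaked the heap key can encode a header that decodes to any size. */
int forged_overflow_then_free(bool validate, uint16_t wanted_size) {
    uint32_t forged = encode_hdr(TOY_KEY, wanted_size, 1);
    uint8_t bytes[HDR_SIZE];
    memcpy(bytes, &forged, HDR_SIZE);
    return overflow_then_free(validate, bytes, HDR_SIZE);
}

int main(void) {
    const uint8_t blind[4] = {0x41, 0x42, 0x43, 0x44}, uniform[4] = {0x41, 0x41, 0x41, 0x41};
    printf("no overflow, validated:       %d\n", overflow_then_free(true, NULL, 0));
    printf("blind overwrite, validated:   %d\n", overflow_then_free(true, blind, 4));
    printf("blind overwrite, unvalidated: %d\n", overflow_then_free(false, blind, 4));
    printf("uniform fill, validated:      %d\n", overflow_then_free(true, uniform, 4));
    printf("forged with leaked key:       %d\n", forged_overflow_then_free(true, 0xFFFF));
    return 0;
}
```

Three things a practitioner should take from the run: a blind overwrite with non-uniform bytes breaks the checksum and is caught only if the header is validated before it is used, otherwise the allocator carries on with a size it never allocated; a uniform fill such as four 0x41 bytes satisfies a three-byte XOR checksum, so the checksum alone is weak and it is the per-heap key that keeps the decoded size out of the attacker's hands; and an attacker who has leaked the key can encode a header that passes every check, which is why Hawkes' suggestion of moving the structures out of the overflow's reach matters independently of checksumming.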

Research presented at Black Hat on Thursday focused on Windows Vista, with Mark Dowd of IBM Internet Security Systems (ISS) and Alexander Sotirov of VMware Inc. introducing a way to use Java, ActiveX controls and .NET objects to essentially bypass all the key security safeguards in Windows Vista.

Dowd and Sotirov showed how an attacker could load attacker-chosen content, such as Java, ActiveX or .NET objects, into a Web browser's memory. The researchers demonstrated a way to get around Microsoft's Address Space Layout Randomization (ASLR), which is meant to keep attackers from predicting target memory addresses by randomly relocating regions such as a process's stack, heap and libraries.

Also at Black Hat Thursday, researcher Su Yong Kim said that Windows Vista could be vulnerable to a combination of low-integrity folders and buffer overflows or privilege elevation.

