In his Black Hat presentation, Attacking the Vista heap, Ben Hawkes, a New Zealand-based independent security researcher, explained how to conduct attacks against the Vista heap allocator. He presented several scenarios in which the Vista heap could be attacked to produce a buffer overflow and ultimately execute arbitrary code.
"The idea is to set up a structure to use in an attack," Hawkes said. "You can potentially overflow anything and everything."
The heap is the region of a process's memory that Windows Vista uses to satisfy dynamic allocations. Hawkes' technique involves overwriting data on the heap with a specially crafted payload and directing arbitrary code execution on the next heap allocation. The process of chaining together heap sprays is repeated until the entire address space is filled with newly created heaps.
"Eventually you'll hit one that you can control the heap handle," Hawkes said. "The idea is that you're trying to get control of the structure."
Hawkes has conducted extensive research on attacking the heap implementation itself rather than the application running on top of it. He said his research aims to improve the security of the Vista heap, and he offered suggestions on how to prevent malicious hackers from exploiting memory corruption.
He said Microsoft should add guard pages and guarded mappings, taking all the structures out of the heap that point to areas of potential corruption. The Vista heap checksum should always be validated before any use of the chunk headers, which would protect the adjacent chunk from being overwritten, Hawkes said. He said his suggestions are fairly simple to implement.
Said Hawkes, "There's no reason why they haven't been done already or they shouldn't be done in the future."
Microsoft has made improvements in heap security with the release of Windows Vista, including checksumming heap blocks and encoding heap block metadata. The base address of each heap is also randomized to make a successful attack more difficult. Microsoft has said most applications within Vista are designed to terminate if heap corruption is detected.
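The two defensive ideas above, a checksum over the chunk header and validating it before the header is used, can be shown in a small toy allocator. The code below is an added illustration, not Microsoft's code and not the Vista heap's real header layout; the `chunk_hdr` structure, the checksum function and the arena layout are all constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical 8-byte chunk header with a checksum byte. This is a
 * constructed layout for illustration, not the Windows Vista heap format. */
typedef struct {
    uint16_t size;       /* bytes of user data following this header */
    uint16_t prev_size;  /* user-data size of the preceding chunk */
    uint8_t  flags;      /* 1 = busy, 0 = free */
    uint8_t  unused;
    uint8_t  checksum;   /* covers the six bytes above */
    uint8_t  pad;
} chunk_hdr;

/* Multiplicative byte checksum. A plain XOR is a poor choice here: a run of
 * identical bytes landing on an even number of header bytes cancels out. */
static uint8_t hdr_checksum(const chunk_hdr *h) {
    const uint8_t *p = (const uint8_t *)h;
    uint8_t c = 0;
    for (size_t i = 0; i < offsetof(chunk_hdr, checksum); i++)
        c = (uint8_t)(c * 31 + p[i]);
    return c;
}

static void hdr_init(chunk_hdr *h, uint16_t size, uint16_t prev, uint8_t flags) {
    memset(h, 0, sizeof *h);
    h->size = size; h->prev_size = prev; h->flags = flags;
    h->checksum = hdr_checksum(h);
}

/* Validate before use: a header whose checksum no longer matches is never
 * trusted to tell us where the next chunk lives. */
static const chunk_hdr *next_chunk(const chunk_hdr *h) {
    if (hdr_checksum(h) != h->checksum) return NULL;   /* corrupted: stop here */
    return (const chunk_hdr *)((const uint8_t *)h + sizeof *h + h->size);
}

/* Constructed arena: chunk A with 16 bytes of data, immediately followed by
 * chunk B. Writes write_len bytes of 'A' into A's buffer with no bounds check
 * (the application bug); returns 1 if the walk A -> B -> next is refused
 * because B's header failed validation, 0 if B still validates. */
int overflow_detected(size_t write_len) {
    uint64_t words[8];                        /* 64 bytes, naturally aligned */
    uint8_t *arena = (uint8_t *)words;
    chunk_hdr *a = (chunk_hdr *)arena;
    chunk_hdr *b = (chunk_hdr *)(arena + sizeof *a + 16);
    hdr_init(a, 16, 0, 1);
    hdr_init(b, 16, 16, 1);
    memset(arena + sizeof *a, 'A', write_len); /* >16 spills into B's header */
    const chunk_hdr *next = next_chunk(a);
    if (next == NULL) return 1;
    return next_chunk(next) == NULL ? 1 : 0;
}
```

A write that fits in A's buffer (16 bytes) leaves B valid, while 20 or 24 bytes corrupt B's header and the walk stops instead of following attacker-chosen size fields.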
Research presented at Black Hat on Thursday focused on Windows Vista, with Mark Dowd of IBM Internet Security Systems (ISS) and Alexander Sotirov of VMware Inc. introducing a way to use Java, ActiveX controls and .NET objects to essentially bypass all the key security safeguards in Windows Vista.
Dowd and Sotirov showed how an attacker could load arbitrary content into Web browsers. The researchers demonstrated a way to get around Microsoft's Address Space Layout Randomization (ASLR), which is meant to stop attackers from predicting target memory addresses by randomizing the locations of a process's stack, heap and libraries.
Also at Black Hat Thursday, researcher Su Yong Kim said that Windows Vista could be vulnerable to attacks that combine low-integrity folders with buffer overflows or privilege elevation.