Major software makers such as Adobe and Microsoft have for a while been concentrating on driving up the cost of exploit writing for attackers, rather than driving down the number of vulnerabilities in their products. Having made the concession that perfect software is impossible, vendors are focusing on putting mitigations in place that make exploit writing time-consuming and less profitable for attackers.
Microsoft is taking a significant leap in this direction with updated Windows 8 security features. Enhanced memory protection features in the upcoming version of the operating system, due to be released in October, will go a long way toward stifling buffer overflow attacks that lead to privilege escalation attacks against applications or the kernel.
Researcher Chris Valasek, a senior security scientist with San Francisco, Calif.-based Coverity Inc., and Tarjei Mandt, a senior vulnerability researcher with Sydney, Austrilia-based Azimuth Security, have poked around in early, publicly available versions of Windows 8, from the developer preview to the current release preview, looking specifically at heap security features. They presented their research at Black Hat 2012.
"As someone who has written exploits, I'd rather write them for Windows 7 than Windows 8, in terms of heap corruption vulnerabilities," Valasek said. "[Microsoft] has come a long way and put a lot of thought into this."
Heap buffer overflows are more difficult to pull off than stack-based buffer overflows. Heap-based attacks overrun reserved memory space with a malicious executable and essentially trick the operating system into executing the command. Usually, a hacker can remotely attack a system and if the buffer overflow attack is successful, the attacker will assume the same system privileges as the application in question, or could gain root access to the kernel.
Windows 8 includes updated memory managers, the Windows Heap Manager and Windows Kernel Pool Allocator. The Heap Manager randomizes memory space allocations, making it difficult for attackers to predict where a buffer overflow attack should inject malicious code. In previous versions of Windows, memory space allocation was not randomized.
More from Black Hat 2012
See more of SearchSecurity.com's special coverage of Black Hat 2012
Windows 8 also includes AppContainers, which are security sandboxes that determine permissions for Windows applications. Windows 8 apps will be under tighter reins than Windows Vista or 7, which relied on Integrity Levels to control app functionality. Integrity Levels are much looser than the AppContainers, Valasek said.
These updates to Windows 8 aren’t Microsoft's first foray into protection built into the operating system. Microsoft's used Address Space Layout Randomization (ASLR) and Data Execution Protection (DEP) enhanced application security and kernel protections, starting in Windows Vista. ASLR and DEP were not enabled by default, unlike the memory protections here, Valasek said.
"These mitigations have been put in place to specifically address security," Valasek said. "They do make exploit techniques harder to achieve. Exploits, unfortunately, are not linear."