Over the weekend there was a lot of press about a talk given at Defcon titled “How to Impress Girls with Browser Memory Protection Bypasses”. While it is unknown whether the girls were impressed with the talk, the press sure was, and jumped on the story that Vista’s memory protection had been defeated. Sadly, all of the articles were FUD.
Researchers discuss how they bypassed memory protections in Windows. (IMG:J.Anderson)
The news coverage is sad because the press missed the whole point of the talk given by its authors, Alexander Sotirov and Mark Dowd. Their paper, now online, discusses the limitations of Microsoft’s DEP, SafeSEH, GS, and ASLR protections. Data Execution Prevention, or DEP, appeared with Windows XP SP2; it marks data pages such as the stack and heap non-executable, so an attacker who has written shellcode into a buffer can no longer simply jump to it. However, researchers and criminals quickly learned how to get around DEP, for example by returning into code that already exists in system DLLs (return-to-libc style) instead of executing their own, which prompted Microsoft to add further layers of protection to its operating systems.
ASLR, or Address Space Layout Randomization, is the main backstop for DEP. It randomizes where system DLLs (and the stack and heap) are loaded, so an attacker cannot reliably return into a known address in a system DLL, for example to call a routine that turns the page holding their payload executable, and thereby sidestep DEP. (ASLR appeared first in Vista and is also used in Server 2008.) Vista also includes layered checks, such as GS stack cookies and SafeSEH, that detect a stack buffer overflow or a tampered exception handler and terminate the application, which ends the overflow before it can be turned into code execution. (Some argue that crashing is a cop-out way to stop execution of a malicious payload; I argue that it is better to kill the application than to let the system do the attacker’s dirty work for them.)
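What DEP actually enforces, and why reusing existing code gets around it, as an added example (this is not code from the article or from the Sotirov/Dowd paper): a small machine-code stub is copied into a page mapped read/write only, and calling it faults. Re-protecting the page to read/execute, which is the same operation an attacker reaches by returning into an existing system routine such as VirtualProtect rather than injecting code, makes the call succeed. POSIX mmap/mprotect stand in here for the Windows VirtualAlloc/VirtualProtect calls; the stub bytes and the run_from_page helper are my own.

```c
/* Added example: DEP/NX on a data page, demonstrated with POSIX mmap/mprotect. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON
#endif

#if defined(__x86_64__) || defined(__i386__)
/* mov eax, 42 ; ret */
static const unsigned char stub[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00, 0xc3 };
#elif defined(__aarch64__)
/* mov w0, #42 ; ret */
static const unsigned char stub[] = { 0x40, 0x05, 0x80, 0x52, 0xc0, 0x03, 0x5f, 0xd6 };
#else
#error "stub only written for x86 and AArch64"
#endif

static sigjmp_buf recover;

static void on_fault(int sig)
{
    (void)sig;
    siglongjmp(recover, 1);          /* unwind out of the failed call */
}

/* Copy the stub into a fresh RW page and call it. If make_executable is
 * non-zero the page is first re-protected to RX (W^X: never RWX).
 * Returns the stub's return value (42), -1 if the CPU faulted on the
 * non-executable page, or -2 if the mapping itself failed. */
int run_from_page(int make_executable)
{
    long pagesz = sysconf(_SC_PAGESIZE);
    unsigned char *page = mmap(NULL, (size_t)pagesz, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -2;
    memcpy(page, stub, sizeof stub);
    __builtin___clear_cache((char *)page, (char *)page + sizeof stub);

    if (make_executable && mprotect(page, (size_t)pagesz, PROT_READ | PROT_EXEC) != 0) {
        munmap(page, (size_t)pagesz);
        return -2;
    }

    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    volatile int result;
    if (sigsetjmp(recover, 1) == 0) {
        int (*fn)(void) = (int (*)(void))(uintptr_t)page;
        result = fn();               /* data page: faults unless RX */
    } else {
        result = -1;                 /* DEP/NX stopped execution of data */
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    munmap(page, (size_t)pagesz);
    return result;
}

int main(void)
{
    printf("call into RW page : %d (-1 means the page was not executable)\n", run_from_page(0));
    printf("call into RX page : %d\n", run_from_page(1));
    return 0;
}
```

The first call is what DEP buys you: injected bytes in a data page are inert. The second call is why DEP on its own was not enough and why ASLR had to follow it: nothing stops code that already exists (here, mprotect; on Windows, VirtualProtect in a system DLL) from being called to flip the page's permissions, as long as the attacker knows where that code lives.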
The ability to attack a system and bypass its memory protections is a big deal. However, it is not the end of the world, and it is something many security experts are well aware of. Dowd and Sotirov produced quality work, and describe how to get around ASLR, DEP, and the other protections Windows offers by using Java, ActiveX controls and .NET objects to load arbitrary content into the browser. (Their research focuses on Internet Explorer, but as they show, other browsers are subject to the same attack vectors.)
Dino Dai Zovi was quoted the most in the press after the Bypass talk. "This stuff just takes a knife to a large part of the security mesh Microsoft built into Vista," Dai Zovi said to SearchSecurity. "If you think about the fact that .NET loads DLLs into the browser itself and then Microsoft assumes they're safe because they're .NET objects, you see that Microsoft didn't think about the idea that these could be used as stepping stones for other attacks. This is a real tour de force."
The problem is that Dai Zovi is correct, but at the same time Microsoft, by its own admission, is aware of some of the techniques used.
“What we've done is show that the exploitation prevention mechanisms implemented in Windows Vista (including DEP and ASLR) are ineffective at preventing the exploitation of browser memory corruption vulnerabilities,” Sotirov said, pointing out the three critical points addressed in the paper.
First, the amount of control an attacker has over the state of the browser process (through scripting and the content and plugins the attacker gets the page to load) can render the memory protections ineffective. Second, the plug-in architecture that admits third-party plugins (Java, Flash, Acrobat and the like) weakens the built-in protections: a plugin component that does not opt into DEP or ASLR gives the attacker a reliable way to turn a memory corruption bug into code execution. Finally, the browser architecture, which runs all code in the same process with no isolation between components, means that one weak component undermines the memory protections of the whole process.
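The check a practitioner wants after reading the second point is whether a given DLL opted into ASLR and DEP at all. The following is an added example, not code from the article or the paper: it reads the DllCharacteristics field of the PE optional header and reports the two opt-in flags (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040 and IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100, as defined in the PE/COFF specification). The two sample images are constructed inline, with only enough header to parse, and are not real plugin binaries; the function names are my own. A DLL that reports neither flag lands at its preferred base address, which hands an attacker exactly the fixed addresses that ASLR was supposed to take away.

```c
/* Added example (not the authors' code): report whether a PE image opted into
 * ASLR and DEP. Flag values and header offsets are from the PE/COFF spec;
 * the sample images are constructed here and are not real Windows binaries. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DLLCHAR_DYNAMIC_BASE 0x0040u  /* IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE: ASLR opt-in */
#define DLLCHAR_NX_COMPAT    0x0100u  /* IMAGE_DLLCHARACTERISTICS_NX_COMPAT:    DEP opt-in  */

#define PE_HAS_ASLR 1
#define PE_HAS_DEP  2

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns a PE_HAS_* bitmask, or -1 if buf does not hold a parsable PE header. */
int pe_mitigations(const uint8_t *buf, size_t len)
{
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z') return -1;
    uint32_t pe_off = rd32(buf + 0x3c);                  /* e_lfanew */
    /* need "PE\0\0", the 20-byte COFF header and 72 bytes of optional header */
    if (pe_off >= len || len - pe_off < 4 + 20 + 72) return -1;
    const uint8_t *pe = buf + pe_off;
    if (memcmp(pe, "PE\0\0", 4) != 0) return -1;
    const uint8_t *opt = pe + 4 + 20;
    uint16_t magic = rd16(opt);
    if (magic != 0x10b && magic != 0x20b) return -1;      /* PE32 or PE32+ */
    uint16_t dllchars = rd16(opt + 70);                  /* DllCharacteristics sits at +70 in both */
    int m = 0;
    if (dllchars & DLLCHAR_DYNAMIC_BASE) m |= PE_HAS_ASLR;
    if (dllchars & DLLCHAR_NX_COMPAT)    m |= PE_HAS_DEP;
    return m;
}

/* Build a minimal, non-loadable PE32+ DLL header with the given DllCharacteristics
 * (constructed sample input for the parser above). */
size_t make_sample_pe(uint16_t dllchars, uint8_t *out, size_t cap)
{
    const size_t total = 0x40 + 4 + 20 + 240;  /* DOS header, signature, COFF header, PE32+ optional header */
    if (cap < total) return 0;
    memset(out, 0, total);
    out[0] = 'M'; out[1] = 'Z';
    out[0x3c] = 0x40;                            /* e_lfanew */
    memcpy(out + 0x40, "PE\0\0", 4);
    uint8_t *coff = out + 0x44;
    coff[0] = 0x64; coff[1] = 0x86;              /* Machine = IMAGE_FILE_MACHINE_AMD64 */
    coff[16] = 240;                              /* SizeOfOptionalHeader */
    coff[18] = 0x02; coff[19] = 0x20;            /* Characteristics: EXECUTABLE_IMAGE | DLL */
    uint8_t *opt = coff + 20;
    opt[0] = 0x0b; opt[1] = 0x02;                /* Magic = PE32+ */
    opt[70] = (uint8_t)(dllchars & 0xff);
    opt[71] = (uint8_t)(dllchars >> 8);
    return total;
}

/* Build a sample with the given flags and classify it. */
int check_sample(uint16_t dllchars)
{
    uint8_t img[512];
    size_t n = make_sample_pe(dllchars, img, sizeof img);
    return n ? pe_mitigations(img, n) : -1;
}

static void report(const char *name, int m)
{
    if (m < 0) { printf("%-22s not a PE image\n", name); return; }
    printf("%-22s ASLR=%s DEP=%s\n", name,
           (m & PE_HAS_ASLR) ? "yes" : "NO ", (m & PE_HAS_DEP) ? "yes" : "NO ");
}

int main(void)
{
    report("hardened plugin.dll", check_sample(DLLCHAR_DYNAMIC_BASE | DLLCHAR_NX_COMPAT));
    report("legacy plugin.dll",   check_sample(0));
    report("random bytes",        pe_mitigations((const uint8_t *)"not a PE file", 13));
    return 0;
}
```

To run this against a real DLL, read the file into a buffer and pass it to pe_mitigations; the function only touches the headers, so reading the first few kilobytes is enough. Run it over every module a browser process loads and the "NO" entries are the stepping stones the paper talks about.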
Another point missed is that the paper centers on browsers. On Vista security in general, the authors themselves state that ASLR and DEP, together with the other layers of protection used in Vista, are “effective at preventing the exploitation of vulnerabilities in server processes, which is why I believe that Vista is still more secure than any previous version of Windows,” as Sotirov pointed out.
So what you have, if you read the paper, is a decent amount of browser security research, plus an explanation of what the layers of protection are and how they work. It is worth a read if you have some time. However, those who were expecting the world to end because of this research will be seriously disappointed.