Windows 8 enhanced memory protection will be able to withstand buffer overflow attacks

  
        

Recently, major software vendors (such as Adobe and Microsoft) have focused on raising the cost of writing exploit code, rather than trying to reduce the number of vulnerabilities in their products. Having realized that perfect software is not possible, vendors are beginning to focus on mitigating attacks, and they strive to make exploit development more time-consuming and less profitable. The security features of Windows 8 show that Microsoft has made a major leap in this area. In the new version of the operating system, which will be released in October, enhanced memory protection will be able to withstand buffer overflow attacks, which mainly lead to privilege escalation attacks against applications or the kernel.

Chris Valasek, senior security scientist and researcher at Coverity, and Tarjei Mandt, senior vulnerability researcher at Azimuth Security, studied early public releases of Windows 8 (from the Developer Preview to the latest Release Preview), especially the Windows 8 heap security features. The two researchers will present their findings at the Black Hat 2012 conference.

“From the perspective of heap corruption, if I am an attacker, I would rather write exploit code for Windows 7 instead of Windows 8,” Valasek said. “Microsoft has come a long way; they have invested a lot of thought.”

A heap buffer overflow is more difficult to carry out than a stack-based buffer overflow. In a heap-based attack, malicious code writes beyond the limits of its memory space and essentially "tricks" the operating system into executing the attacker's commands. Typically, an attacker can attack the system remotely, and if the buffer overflow attack succeeds, the attacker can gain the same system privileges as the attacked application or gain root-level access to the kernel. New features in Windows 8 include an updated memory manager, Windows Heap Manager, and the Windows Kernel Pool Allocator.
The heap manager randomly allocates memory space, which makes it difficult for an attacker to predict where a buffer overflow attack should inject malicious code. In previous versions of Windows, memory space allocation was not random.

Windows 8 also includes AppContainers, a security sandbox that determines permissions for Windows applications. Valasek said that Windows 8 applications are more tightly controlled than those on Windows Vista or Windows 7. Windows Vista and Windows 7 rely on integrity levels to control what applications can do, and integrity levels are more relaxed than AppContainers.

These updated Windows 8 security features are not the first that Microsoft has built into the operating system. Starting with Windows Vista, Microsoft has used Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) to enhance application security and kernel protection. ASLR and DEP are not enabled by default, which is different from the memory protection of Windows 8.

“These mitigations have been deployed to address security issues,” Valasek said. “They really make it harder to implement technology. However, exploits are ubiquitous.”
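The effect of randomized allocation described above can be seen in a toy model. This is an added example, not Microsoft's allocator code and not code from the researchers; the 32-slot bucket, the PRNG and all function names are assumptions made for illustration. It counts how often a second block lands directly behind the first, which is the layout an overflow would need in order to reach it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLOTS 32   /* fixed-size blocks in one toy heap bucket (assumed size) */

static uint32_t rng_state = 0x2545F491u;   /* fixed seed keeps the demo reproducible */

/* xorshift32: small deterministic PRNG, not suitable for a real allocator */
static uint32_t next_rand(void) {
    rng_state ^= rng_state << 13;
    rng_state ^= rng_state >> 17;
    rng_state ^= rng_state << 5;
    return rng_state;
}

/* Take a free slot: the lowest free index, or the first free one after a random start. */
static int take_slot(uint8_t used[SLOTS], int randomized) {
    int start = randomized ? (int)(next_rand() % SLOTS) : 0;
    for (int i = 0; i < SLOTS; i++) {
        int s = (start + i) % SLOTS;
        if (!used[s]) { used[s] = 1; return s; }
    }
    return -1;   /* bucket full */
}

/* Number of trials in which block B is placed directly after block A,
 * i.e. an overflow out of A would run into B. */
int adjacent_count(int randomized, int trials) {
    int hits = 0;
    for (int t = 0; t < trials; t++) {
        uint8_t used[SLOTS];
        memset(used, 0, sizeof used);
        int a = take_slot(used, randomized);
        int b = take_slot(used, randomized);
        if (b == a + 1) hits++;
    }
    return hits;
}

int main(void) {
    int trials = 10000;
    printf("sequential: B follows A in %d of %d trials\n", adjacent_count(0, trials), trials);
    printf("randomized: B follows A in %d of %d trials\n", adjacent_count(1, trials), trials);
    return 0;
}
```

With sequential placement the second block follows the first in every trial; with randomized placement it does so only in a small fraction of them.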
