RE: Defeating Microsoft Windows XP SP2 Heap protection
From: Erik Szewczyk [MVP] (erik_at_nospam.ahanw.org)
Date: 02/03/05
- Next message: Erik Szewczyk [MVP]: "RE: Russian company finds, patches hole in XP"
- Previous message: Kelly: "Re: Boot screen with SP2"
- In reply to: anonymous: "Defeating Microsoft Windows XP SP2 Heap protection"
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 2 Feb 2005 22:31:01 -0800
Replying to this thread as well, even if it is a repost:
This is not a vulnerability or a security hole in XP/DEP. It just means that
there is a possibility that if an application is written a certain way and
contains a vulnerability that XP's software DEP wouldn’t be able to stop a
buffer overflow from occurring were that vulnerability to be attacked.
Fact is XP SP2 is still far less likely to be vulnerable to buffer overflow
attacks than it's predecessors because DEP can stop a lot of types of buffer
overflows from occurring.
"anonymous" wrote:
> -------------------------------------------------------------------
> This posting is provided "AS IS" with no warranties, and confers no
> rights. You assume all risk for your use.
> -------------------------------------------------------------------
>
> Defeating Microsoft Windows XP SP2 Heap protection
> and DEP bypass
>
>
> Alexander Anisimov, Positive Technologies.
> ( anisimov[at]ptsecurity.com, http://www.ptsecurity.com )
>
> Overview
>
>
> Memory protection
>
> Buffer overrun attacks are among the most common mechanisms, or
> vectors, for intrusion into computers. In this type of exploit, the
> attacker sends a long string to an input stream or control – longer
> than the memory buffer allocated to hold it. The long string injects
> code into the system, which is executed, launching a virus or worm.
>
>
>
> Windows XP Service Pack 2 uses two general categories of protection
> measures to inhibit buffer-overrun attacks. On CPUs that support it,
> the operating system can turn on the execution protection bit for
> virtual memory pages that are supposed to hold only data. On all CPUs,
> the operating system is now more careful to reduce both stack and heap
> buffer overruns, using "sandboxing" techniques.
>
>
>
> Execution Protection (NX)
>
> On the 64-bit AMD K8 and Intel Itanium processor families, the CPU
> hardware can mark memory with an attribute that indicates that code
> should not be executed from that memory. This execution protection
> (NX) feature functions on a per-virtual memory page basis, most often
> changing a bit in the page table entry to mark the memory page.
>
>
>
> On these processors, Windows XP Service Pack 2 uses the execution
> protection feature to prevent the execution of code from data pages.
> When an attempt is made to run code from a marked data page, the
> processor hardware raises an exception immediately and prevents the
> code from executing. This prevents attackers from overrunning a data
> buffer with code and then executing the code; it would have stopped
> the Blaster worm dead in its tracks.
>
>
>
> Although the support for this feature is currently limited to 64-bit
> processors, Microsoft expects future 32-bit and 64-bit processors to
> provide execution protection.
>
>
> Sandboxing
>
> To help control this type of attack on existing 32-bit processors,
> Service Pack 2 adds software checks to the two types of memory storage
> used by native code: the stack, and the heap. The stack is used for
> temporary local variables with short lifetimes; stack space is
> automatically allocated when a function is called and released when
> the function exits. The heap is used by programs to dynamically
> allocate and free memory blocks that may have longer lifetimes.
>
> The protection added to these two kinds of memory structures is called
> sandboxing. To protect the stack, all binaries in the system have been
> recompiled using an option that enables stack buffer security checks.
> A few instructions added to the calling and return sequences for
> functions allow the runtime libraries to catch most stack buffer
> overruns. This is a case where a little paranoia goes a long way.
>
> In addition, "cookies" have been added to the heap. These are special
> markers at the beginning and ends of allocated buffers, which the
> runtime libraries check as memory blocks are allocated and freed. If
> the cookies are found to be missing or inconsistent, the runtime
> libraries know that a heap buffer overrun has occurred, and raise a
> software exception.
>
>
>
> - from Microsoft.com
>
> Heap Design
>
>
>
> Heap is a reserved address space region at least one page large from
> which the heap manager can dynamically allocate memory in smaller
> pieces. The heap manager is represented by a set of function for
> memory allocation/freeing which are localised in two places: ntdll.dll
> and ntoskrnl.exe.
>
>
>
> Every process at creation time is granted with a default heap, which
> is 1MB large (by default) and grows automatically as need arise. The
> default heap is used not only by the win32 apps, but also by many
> runtime library functions which need temporary memory blocks. A
> process may create and destroy additional private heaps by calling
> HeapCreate()/HeapDestroy(). Use of the private heaps` memories is
> established by calling HeapAlloc() and HeapFree().
>
>
>
> [*] More detailed information about the heap management functions is
> provided in the Win32 API documentation.
>
>
>
> Memory in heaps is allocated by chunks called 'allocation units' or
> 'indexes' which are 8-byte large. Therefore, allocation sizes have a
> natural 8-byte granularity. For example if an application needs a
> 24-byte block the number of allocation units it gets 3 allocation
> units. In order to manage memory for every block a special header is
> created, which also has a size divisible by 8 (fig. 1, 2). Therefore a
> true memory allocation size is a total of the requested memory size,
> rounded up towards a nearest value divisible by 8 and the size of the
> header.
>
- Next message: Erik Szewczyk [MVP]: "RE: Russian company finds, patches hole in XP"
- Previous message: Kelly: "Re: Boot screen with SP2"
- In reply to: anonymous: "Defeating Microsoft Windows XP SP2 Heap protection"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
|
