Buffer Protection

By Larry Seltzer  |  Posted 2006-05-29

Data Execution Prevention. One reason buffer overflows are getting harder to exploit is the increasing prevalence of systems that support DEP (Data Execution Prevention). DEP uses the processor's no-execute bit (NX on AMD, XD on Intel) to mark pages that hold data, such as the stack and the heap, as non-executable. When an overflow steers execution into code that an attacker has injected into one of those regions, the processor faults and the process is terminated instead of running the payload. Note the word "harder" rather than "impossible": DEP stops injected code from running, but it does nothing against an exploit that reuses code already present in the process, which is why it is most effective combined with randomizing where that code is loaded, something Vista also adds.

This has been in Windows since Windows XP SP2 and Server 2003 SP1, but Vista should bump this feature into more prominence, since new versions of Windows are always targeted at the next generation of hardware and aim to sell new computers. It's another thing that happens every time: You don't want to try to run Vista on a computer from five years ago. Incidentally, the Windows security paper also makes vague claims about protecting operating system components against heap tampering, although it doesn't say how.
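As an added illustration (this is example code, not from the original article and not Microsoft's), the following C program shows the DEP mechanism on Linux, where the same NX/XD bit is exposed through mmap and mprotect. It copies a tiny "return 42" stub into a fresh page, jumps to it while the page is still an ordinary read/write data page, catches the resulting fault, and then repeats the jump after marking the page read/execute. The payload bytes, the page handling and the signal trick are the example's own; on Windows the equivalent calls are VirtualAlloc and VirtualProtect with PAGE_EXECUTE_READ.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Machine code for a function that does nothing but "return 42".
 * It stands in for a payload that an overflow has left in a data buffer. */
#if defined(__x86_64__) || defined(__i386__)
static const unsigned char payload[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3 }; /* mov eax,42 ; ret */
#elif defined(__aarch64__)
static const unsigned char payload[] = { 0x40, 0x05, 0x80, 0x52,   /* mov w0,#42 */
                                         0xC0, 0x03, 0x5F, 0xD6 }; /* ret        */
#else
#error "add the 'return 42' stub for this architecture"
#endif

static sigjmp_buf fault_env;

/* The processor refused to fetch an instruction: unwind back into run_payload(). */
static void on_fault(int sig)
{
    (void)sig;
    siglongjmp(fault_env, 1);
}

/* Copy the payload into a freshly mapped page and jump to it.
 * executable == 0 leaves the page read/write only (a normal data page under DEP);
 * executable != 0 flips it to read/execute, the only state in which code may run.
 * Returns 42 if the payload ran, -1 if the CPU faulted, -2 on a mapping error. */
int run_payload(int executable)
{
    size_t page_size = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *page = mmap(NULL, page_size, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        return -2;
    memcpy(page, payload, sizeof payload);

    if (executable) {
        if (mprotect(page, page_size, PROT_READ | PROT_EXEC) != 0) {
            munmap(page, page_size);
            return -2;
        }
        /* Keep the instruction cache coherent with the bytes just written (matters on ARM). */
        __builtin___clear_cache((char *)page, (char *)page + sizeof payload);
    }

    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    volatile int result = -1;
    if (sigsetjmp(fault_env, 1) == 0) {
        int (*fn)(void) = (int (*)(void))page;   /* treat the data page as code */
        result = fn();
    }
    /* On the fault path siglongjmp lands here with result still -1. */

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    munmap(page, page_size);
    return result;
}

int main(void)
{
    printf("RW page: %d  (-1 means the CPU refused to execute data)\n", run_payload(0));
    printf("RX page: %d\n", run_payload(1));
    return 0;
}
```

The first call is what a classic stack- or heap-smashing exploit looks like to an NX-capable processor: the bytes are there, the jump happens, and the fetch faults. The second call succeeds only because the program itself asked for execute permission, which is exactly the step an injected payload never gets to take.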

64-Bit Security Enhancements: Kernel Patch Protection and Mandatory Driver Signing. I've written about this before: As of the 64-bit versions of Windows from Vista on, kernel-mode code will have to be signed, and not just with any old signature, but with a code-signing certificate issued by a recognized certificate authority. Even if a rootkit author were to go to the trouble and expense of obtaining such a certificate, it could be revoked for abuse. Kernel Patch Protection, the other half of this, periodically checks that kernel code and core data structures (the system service table, the interrupt descriptor table and the like) have not been modified and crashes the system if they have, which takes away the hooking techniques most kernel rootkits rely on. Sadly, both will be active only in the 64-bit versions.

User Account Control. This has received the most attention of the security features in Vista: The standard user account is now a restricted account that can't do dangerous things like install applications. When elevated privileges are required (yes, this is basically just like in Mac OS X) the user is prompted for the credentials of an account with sufficient privileges.

This is a good thing, but I'm suspicious of the extent to which it will stop malware. The key is social engineering. It seems to me that in most cases where malware gets installed, users know they are installing something and therefore will be willing to install what they're told; they'll need to have access to the administrator credentials, even if they don't use them regularly. And some users will just throw caution to the wind and run as administrator.

But even administrative accounts will be less privileged and run in "Admin Approval Mode": an administrator logs on with a filtered token that carries only standard-user rights, and the full administrator token is used only after the user approves a specific operation at the prompt. Extensive help has been available on MSDN for a while to help developers write applications that work well in a least-privileged environment.


New Log-on Architecture. The Windows log-on architecture has been completely ripped out and replaced with one (the credential provider model) that makes it easier to support stronger authentication systems, such as biometrics and smart cards. This is another one of those changes that will cause friction with the rest of the industry: companies with such log-on products had to write custom GINA (Graphical Identification and Authentication) DLLs to work with earlier versions of Windows, and now they'll have to write a new version and maintain two of them until everything prior to Vista is obsolete. Oh well, these things happen, and the new providers should be easier to write and maintain than a secure GINA, which had to replace the whole log-on user interface rather than plug into it.

The report describes other improvements, such as bundling Windows Defender, Microsoft's anti-spyware application, and tightening of the Windows Firewall. I've been wondering for a while whether the bundling of Windows Defender extends to free updates to the signatures it uses. I've asked Microsoft and have gotten no clear answer. The document is written almost too carefully in this regard:
    Users who choose a third-party solution can keep Windows Defender enabled along with their preferred third-party solution, to provide added protection in the event one anti-spyware solution does not identify some spyware but the other one does. Also, if the user's subscription to the third-party solution expires, the protection from Windows Defender will continue uninterrupted. Of course, users can turn off Windows Defender if they choose.
It goes on to say Windows Defender will be a free download for licensed users of Windows 2000, Windows XP and Windows Server 2003. But what of the updates? You'd get the impression from Microsoft's description that Defender doesn't have signature updates of its own. Either that, or Microsoft will provide them for free through the usual channels like Microsoft Update. Or the company won't, and the continuing functionality it refers to is the substantial IPS-like behavioral monitoring that Windows Defender does, which needs no signatures at all.

I need to hear more from Microsoft on this, but from this and other information on the Microsoft site it looks to me like the company will be updating it for free. This perpetuates the false dichotomy between what Microsoft calls "spyware and potentially unwanted software" on the one hand and "viruses and malicious software" on the other. I've always maintained that it's a phony distinction, but I guess it works for Microsoft. Perhaps it's just a matter of time before protection against all real malware comes with Windows.


Larry Seltzer has been writing software for and English about computers ever since, much to his own amazement, he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these products on Google.) His work at DeskTop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publications.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
