LAS VEGAS Microsoft’s Windows 8 is not yet generally availablethe operating system officially lands on store shelves Oct. 26but that’s not stopping security researchers from trying to find flaws in the OS. However, hackers who have had an easy time with Windows might find some new security features hard to beat.
For years, Windows has come under frequent attacks, thanks to hackers exploiting the operating systems heap memory manager. However, in a new report released at the Black Hat conference here, engineers at Microsoft have done an admirable job of defending memory, making it more difficult than ever before for attackers to exploit.
The report is called “Windows 8 Heap Internals.”
Chris Valasek, a senior security researcher at Coverity and co-author of the research, explained the memory heap is a critical component of Windows. The memory manager is what tells applications that memory is or isn’t available for use.
As a security researcher, you want to look into how the memory is managed and see if there is the potential for a buffer overflow or some kind of exploit that could alter what the heap memory manager is supposed to do, said Valasek.
Heap memory exploitation attacks have been around for over a decade, and Valasek wanted to see what had changed in Windows 8. As it turns out, Valasek and his research partner Tarjei Mandt were not able to find as many deficiencies in Windows 8 memory. The two researchers believe that Microsoft has made a giant leap forward in heap memory security with Windows 8.
“While they have really stopped all the present exploitation techniques out there, they did have to introduce new code and data structures,” said Valasek. “That new code, under certain conditions is susceptible to attack, as previous versions of Windows were.”
Those conditions assume that an attacker has access to a software vulnerability that leads to some kind of writing outside of the bounds of the piece of memory that application is supposed to use.
“The deficiencies aren’t quite corner cases, but they rely on a lengthy set of preconditions to occur,” said Valasek. “That being said, things like this aren’t impossible; it just so happens that you need to have a certain few things in place for your overflow for an attack to work.”
In Windows 8, Microsoft engineers added a number of new prerequisites to the heap memory manager, making it more difficult to exploit.
“In previous versions of Windows you could say, allocate a bunch of memory, get a buffer overflow and the basic attack technique would work,” said Valasek.
In contrast with Windows 8, Valasek said you would have to allocate some memory, but not too much, and then ensure that a few certain things don’t occur and then run the overflow.
“Windows 8 definitely raises the bar and makes things harder to exploit,” said Valasek. “At the same time, it’s not entirely impossible.”
In previous versions of Windows, Microsoft attempted to mitigate memory overflows with Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR). While those techniques are helpful, Windows 8 goes a step further.
“The nice thing about the Windows 8 heap mitigations is they don’t have to be enabled by the developer and they are on by default,” said Valasek. “With ASLR and DEP, you have to compile your code to make sure they are enabled for your application.”
Valasek and Mandt looked at preview versions of Windows 8 for their research. Valasek said it’s possible that additional mitigation could make Windows 8 heap memory even more secure.
“I’ve written a lot of heap exploits in my day and I wouldn’t want to be tasked with writing one for Windows 8 right now as there are a lot of hurdles you have to cross,” said Valasek. It will take people a lot of time with a lot of skill to exploit.”