0405119483 digby@dig-it.com.au

I mentioned in a previous blog , see Are MAC Computers more secure , some of the technologies used in the Windows Operating system to make it secure. I am going to talk about this as simply as I can as they will become a recurring them in discussing how secure a computer is.

In particular we mentioned the following and I am just going to add a description of what they do.

Data Execution Prevention (DEP)

Prevents code being run from areas in memory which should only have data eg the heap, stack or data sections of memory.
The stack is a data structure used to retain memory adresses and associated data which will be executed at a later time.
Manipulation of the stack is a common technique in breaking windows, mac and linux operating systems enabling executable code to be placed in the stack however the stack should only contain addreses and should never have executable code within it. DEP stops this by marking areas of memory as non excutable.
The heap is a memory area where dynamic variables (data) are located and is subject to similar exploitation techniques as mentioned above.

Address Space Layout Randomization (ASLR)

Before Windows Vista executable code ie programs were loaded into memory in a predictable manner which made it easier for attackers to write code which manipulated certain structures eg stack, head , programs and libraries.

If the code always loads to the same address it is far easier to manipulate ASLR randomises the location of these objects every time they are loaded into memory.

Structured Exception Handler Overwrite Protection (SEHOP)
Export Address Table Filtering (EAF)
In order to do something useful an exploit generally needs to call functions exposed by Windows. However, in order to call one of these functions, the exploit must first find where it is loaded. This mitigation blocks the most common approach used by exploits to look up the location of a function which involves scanning the export address table of loaded libraries.
Heap Spray Allocation (HSA)

Heap Spraying is a payload delivery technique which relies on a programs heap being located in a predictable memory location. If code can be injected into the heap before an exploit causes the program to fail. HSA preallocates these predictable memory adresses before a program eg Javascript can try to own them.

Null Page Allocation (NPA)
Bottom-Up Rand (BUR)
Kernel Patch Protection
The picture shows the structure of the Windows OS and Kernel mode are those functions which User programs eg Word rely on to execute.
We do not get to see code executing in kernel Mode.
;

 

KPP ensures the following Kernel structures cannot be manipulated.
Modifying system service tables
Modifying the interrupt descriptor table
Modifying the global descriptor table
Using kernel stacks not allocated by the kernel
Modifying or patching code contained within the kernel itself, or the HAL or NDIS kernel libraries

Share Button