Mar 8, 2011 13:35 GMT  ·  By

DEP/NX, ASLR, SafeSEH and Enhanced GS are some of the technologies that Microsoft is leveraging to harden Internet Explorer 9. I said just some of the technologies, because these acronyms refer specifically to IE9's memory protection mitigations, and they are nowhere near the whole of the effort that went into securing the next generation of IE.

Eric Lawrence, Senior Program Manager for Internet Explorer, offered insight into the work done to ensure that customers can browse safely even when faced with exploits written for memory-related vulnerabilities in the browser.

DEP/NX, or Data Execution Prevention / No eXecute, is not new to the browser: it was already in use in IE8 and is carried forward in IE9.

“DEP/NX works with your system’s processor to distinguish between code and data, helping to prevent execution of data placed into memory by an attacker.

“If the processor determines that it has been directed to execute a block of memory lacking the proper marking, it will securely terminate the process before executing the specified instructions,” Lawrence added.
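The mechanism Lawrence describes can be watched at the page level on any POSIX system. The following is an added example, not code from the article or from Microsoft: it drops a one-instruction stub (a bare `ret`, the "data placed into memory by an attacker") into a page mapped read/write, calls it, and catches the resulting fault; it then marks the same page executable and calls it again. The stub bytes for x86 and AArch64 and the use of a signal handler plus `siglongjmp` to survive the fault are this example's own choices.

```c
/* Added demo of DEP/NX: bytes in a read/write page will not run, the same
   bytes in a read/execute page will. Not part of the article or of IE. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Machine code for a function that just returns (no arguments, no result). */
#if defined(__x86_64__) || defined(__i386__)
static const unsigned char RET_STUB[] = { 0xC3 };                   /* ret */
#elif defined(__aarch64__)
static const unsigned char RET_STUB[] = { 0xC0, 0x03, 0x5F, 0xD6 }; /* ret */
#else
#error "unsupported architecture for this demo"
#endif

static sigjmp_buf fault_env;

/* The CPU refuses to fetch from a non-executable page; the kernel reports
   that as SIGSEGV (SIGBUS on some platforms). Jump back into try_execute(). */
static void on_fault(int sig) {
    (void)sig;
    siglongjmp(fault_env, 1);
}

/* Copy RET_STUB into a fresh page, set the requested protection, and call it.
   Returns 1 if execution was blocked by a fault, 0 if the stub ran, -1 on
   a setup failure. */
static int try_execute(int prot_when_called) {
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *page = mmap(NULL, len, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -1;
    memcpy(page, RET_STUB, sizeof RET_STUB);   /* "data" arrives in the page */
    if (mprotect(page, len, prot_when_called) != 0) { munmap(page, len); return -1; }
    __builtin___clear_cache((char *)page, (char *)page + len);

    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sa.sa_flags = SA_NODEFER;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    volatile int blocked = -1;
    if (sigsetjmp(fault_env, 1) == 0) {
        void (*fn)(void);
        memcpy(&fn, &page, sizeof fn);   /* object pointer -> function pointer */
        fn();
        blocked = 0;                      /* only reached if the fetch was allowed */
    } else {
        blocked = 1;                      /* landed here from on_fault() */
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    munmap(page, len);
    return blocked;
}

/* 1 when the NX bit stops a read/write page from executing. */
int data_page_is_blocked(void) { return try_execute(PROT_READ | PROT_WRITE) == 1; }
/* 1 when the identical bytes run once the page is marked executable. */
int code_page_runs(void)       { return try_execute(PROT_READ | PROT_EXEC) == 0; }

int main(void) {
    printf("RW page (data): %s\n", data_page_is_blocked() ? "execution blocked" : "ran");
    printf("RX page (code): %s\n", code_page_runs() ? "ran" : "execution blocked");
    return 0;
}
```

A real exploit has no handler waiting to catch the fault, which is why under DEP/NX a classic "jump to shellcode on the heap" simply terminates the process, and why attackers moved to return-oriented techniques that reuse existing executable code instead.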

Users who have been following Microsoft’s security work over the past few years already know that DEP goes hand in hand with ASLR.

Address Space Layout Randomization randomizes where a process’s code, stack and heap are placed in memory each time it starts. An exploit that wants to hand control to a particular browser function, or to any other known piece of code, must first know where that code lives, and under ASLR its location is not predictable.

A wrong guess at where code sits in memory usually crashes the process, so an exploit that depends on fixed addresses fails instead of running.

However, IE9 is only as safe as its weakest link. IE9’s own modules are built to take advantage of ASLR, but some browser add-ons are not, and a module that loads at a predictable address hands the attacker a fixed target again.

Users should steer clear of “enhancing” IE9 with extensions that lack these protections, since such add-ons become security liabilities for the whole browser.

“SafeSEH (Safe Structured Exception Handling) is a compiler option which helps prevent the injection of malicious structured exception handlers into an exception handling chain. All 64bit code and all of Internet Explorer’s code is compiled with the SafeSEH flag,” Lawrence explained.

SafeSEH has the same limitation as ASLR: an add-on that was not compiled with it is a security risk for the whole process.

Still, customers running IE9 on Windows 7 have less reason to worry, since in that scenario the browser also benefits from SEHOP (Structured Exception Handler Overwrite Protection), which checks the exception handler chain at the process level and therefore covers even add-ons that were not built with SafeSEH.
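To make the difference between the two checks concrete, here is an added example that is not the article's or Microsoft's code: a toy model in plain C of the 32-bit SEH chain and of the two validations the Windows exception dispatcher performs. SafeSEH asks whether the handler about to run is listed in its module's handler table; SEHOP walks the whole chain before dispatching and requires it to end at the known final handler. The module names, addresses, handler tables and the "pop/pop/ret" gadget address are all made up for the demo, and the chain lives in an ordinary array rather than on the real thread stack.

```c
/* Added toy model of SafeSEH and SEHOP chain validation. Addresses and
   modules are invented; nothing here is Windows code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One frame's registration record, as a function prologue pushes it. */
typedef struct seh_record {
    struct seh_record *next;     /* previous frame's record */
    uintptr_t          handler;  /* routine to call on an exception */
} seh_record;

/* The last record's next pointer is 0xFFFFFFFF in a real 32-bit chain. */
#define CHAIN_END ((seh_record *)(uintptr_t)0xFFFFFFFF)

/* A loaded image; handlers == NULL models a module built without /SAFESEH. */
typedef struct {
    const char      *name;
    uintptr_t        base, size;
    const uintptr_t *handlers;   /* registered handler table */
    size_t           n_handlers;
} module;

static const uintptr_t FINAL_HANDLER = 0x77A01000; /* stands in for ntdll's final handler */
static const uintptr_t IE_HANDLERS[] = { 0x6F101230, 0x6F10A4C0 };
static const module MODULES[] = {
    { "ntdll.dll",     0x77A00000, 0x00100000, &FINAL_HANDLER, 1 },
    { "mshtml.dll",    0x6F100000, 0x00600000, IE_HANDLERS,    2 },
    { "oldplugin.dll", 0x10000000, 0x00020000, NULL,           0 }, /* no table */
};

/* SafeSEH: the handler must point into a loaded image and, if that image
   carries a handler table, must appear in it. Images without a table are
   waved through: that is the add-on weak link the article describes. */
bool safeseh_allows(uintptr_t handler) {
    for (size_t i = 0; i < sizeof MODULES / sizeof MODULES[0]; i++) {
        const module *m = &MODULES[i];
        if (handler < m->base || handler >= m->base + m->size) continue;
        if (m->handlers == NULL) return true;
        for (size_t j = 0; j < m->n_handlers; j++)
            if (m->handlers[j] == handler) return true;
        return false;
    }
    return false;   /* stack, heap or unmapped: refuse */
}

/* SEHOP: walk the entire chain before dispatching anything. Every record
   must sit inside the thread's stack and be pointer-aligned, and the walk
   must end at the terminator record whose handler is the final handler. */
bool sehop_chain_ok(const seh_record *head, const void *stack_lo, const void *stack_hi) {
    const seh_record *r = head;
    for (int depth = 0; depth < 1024; depth++) {
        uintptr_t a = (uintptr_t)r;
        if (a < (uintptr_t)stack_lo || a + sizeof *r > (uintptr_t)stack_hi ||
            a % sizeof(void *) != 0)
            return false;                 /* record is off the stack: corrupted chain */
        if (r->next == CHAIN_END)
            return r->handler == FINAL_HANDLER;
        r = r->next;
    }
    return false;                         /* cycle or absurd depth */
}

/* Three frames on a fake stack. With overwritten set, the attacker's bytes
   land on stack[1], the record just past an overflowed buffer: next becomes
   filler and handler becomes a pop/pop/ret gadget in the legacy plug-in. */
static seh_record *build_chain(seh_record stack[3], bool overwritten) {
    stack[0].next = CHAIN_END;  stack[0].handler = FINAL_HANDLER;
    stack[1].next = &stack[0];  stack[1].handler = IE_HANDLERS[0];
    stack[2].next = &stack[1];  stack[2].handler = IE_HANDLERS[1];
    if (overwritten) {
        stack[1].next    = (seh_record *)(uintptr_t)0x41414141;
        stack[1].handler = 0x10001A2B;    /* inside oldplugin.dll, which has no table */
    }
    return &stack[2];
}

/* 1 if SafeSEH would let the dispatcher call the handlers it reaches. */
int safeseh_passes(int overwritten) {
    seh_record stack[3];
    build_chain(stack, overwritten != 0);
    return safeseh_allows(stack[2].handler) && safeseh_allows(stack[1].handler);
}

/* 1 if SEHOP accepts the chain as intact. */
int sehop_passes(int overwritten) {
    seh_record stack[3];
    seh_record *head = build_chain(stack, overwritten != 0);
    return sehop_chain_ok(head, stack, stack + 3);
}

int main(void) {
    printf("intact chain:      SafeSEH %d  SEHOP %d\n", safeseh_passes(0), sehop_passes(0));
    printf("overwritten chain: SafeSEH %d  SEHOP %d\n", safeseh_passes(1), sehop_passes(1));
    return 0;
}
```

On the overwritten chain SafeSEH still says yes, because the gadget lives in a module that never registered a handler table, while SEHOP says no, because the corrupted `next` pointer means the walk never reaches the final handler. That is exactly why SEHOP protects the process even when an add-on was built without SafeSEH.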

“Lastly, Internet Explorer 9 is compiled with the new C++ compiler provided with Visual Studio 2010. This compiler includes a feature known as Enhanced GS aka Stack Buffer Overrun Detection, which helps prevent stack buffer overruns by detecting stack corruption and avoiding execution if such corruption is encountered,” Lawrence added.

“In the latest compiler, the existing GS feature was enhanced to block a broader range of attacks, and it utilizes better heuristics to determine which functions need protection. This enhancement helps minimize the performance impact and maximize protection for Internet Explorer.”
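The GS check Lawrence refers to is inserted by the compiler, so it cannot be shown as source in the product; the following is an added example, not the article's or Microsoft's code, that hand-rolls the same idea. A byte array stands in for the stack frame (buffer, then cookie, then the saved return address), an unchecked copy overruns the buffer, and the epilogue compares the cookie before "returning". The frame layout, the fixed cookie value and the return address are assumptions of this demo; a real /GS build takes the cookie from a per-process random value and terminates the process when the comparison fails.

```c
/* Added demo of a /GS-style stack cookie. A byte array plays the frame so
   the overflow is well-defined C and the check can return a result. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { BUF_SIZE = 16 };
static const uintptr_t ORIGINAL_RETURN = 0x00401234;   /* made-up return address */

/* Simulated frame, lowest address first: buffer, cookie, saved return. */
typedef struct {
    unsigned char bytes[BUF_SIZE + 2 * sizeof(uintptr_t)];
} frame;

/* Per-process cookie, like __security_cookie. A real one is random and is
   set by the loader; this demo uses a fixed value (assumption). */
static uintptr_t security_cookie;
static void ensure_cookie(void) {
    if (security_cookie == 0) security_cookie = (uintptr_t)0xBB40E64E;
}

/* Prologue: park the cookie between the buffer and the return address. */
static void prologue(frame *f) {
    memcpy(f->bytes + BUF_SIZE, &security_cookie, sizeof security_cookie);
    memcpy(f->bytes + BUF_SIZE + sizeof(uintptr_t), &ORIGINAL_RETURN, sizeof ORIGINAL_RETURN);
}

/* The vulnerable copy: no length check, the bug /GS exists to catch. */
static void unsafe_copy(frame *f, const unsigned char *src, size_t len) {
    memcpy(f->bytes, src, len);   /* len > BUF_SIZE overruns into the cookie */
}

/* Epilogue (__security_check_cookie): 1 = intact, 0 = corruption detected. */
static int epilogue_check(const frame *f) {
    uintptr_t seen;
    memcpy(&seen, f->bytes + BUF_SIZE, sizeof seen);
    return seen == security_cookie;
}

/* Run one input through the frame. Returns 1 if the function would return
   normally, 0 if the cookie check would fire. ret_out receives whatever now
   sits in the return-address slot. Input longer than the fake frame is
   capped so the demo never touches the real stack. */
int process_input(const unsigned char *input, size_t len, uintptr_t *ret_out) {
    frame f;
    ensure_cookie();
    if (len > sizeof f.bytes) len = sizeof f.bytes;
    prologue(&f);
    unsafe_copy(&f, input, len);
    if (ret_out)
        memcpy(ret_out, f.bytes + BUF_SIZE + sizeof(uintptr_t), sizeof *ret_out);
    return epilogue_check(&f);
}

/* Constructed inputs: a short greeting and a classic run of 'A's. */
int benign_passes(void) {
    static const unsigned char greeting[] = "hello";
    return process_input(greeting, sizeof greeting, NULL);
}
int attack_detected(void) {
    unsigned char attack[40];
    memset(attack, 'A', sizeof attack);
    return process_input(attack, sizeof attack, NULL) == 0;
}
/* Shows what the check is protecting: without it, the function would
   "return" to an attacker-chosen address. */
int attack_rewrites_return_slot(void) {
    unsigned char attack[40];
    uintptr_t ret = 0;
    memset(attack, 'A', sizeof attack);
    process_input(attack, sizeof attack, &ret);
    return ret != ORIGINAL_RETURN;
}

int main(void) {
    printf("benign input returns normally: %d\n", benign_passes());
    printf("overflow caught by cookie:     %d\n", attack_detected());
    printf("return slot was overwritten:   %d\n", attack_rewrites_return_slot());
    return 0;
}
```

The cookie sits between the buffer and the return address precisely so that a linear overrun cannot reach the return address without also changing the cookie; that ordering, and the fact that the check happens before the return instruction, is the whole mechanism. What the VS2010 compiler changed, per the quote above, is which functions get this prologue and epilogue, not the check itself.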

I must underline that features like DEP and ASLR are not security barriers, but mitigations. They do not make IE9 immune to browser attacks; their purpose is to make a working exploit for any given vulnerability much harder to write and much less likely to succeed.

Mitigations can be bypassed, at least in theory, but the multiple layers of protection built into IE9 mean that a real attack has to be complex, expensive to build in time and money, and still unreliable once built, and that is what keeps users safe in practice.