ASLR and DEP

Feb 4, 2010 15:09 GMT

White-hat hackers have built reliable exploits that defeat two of the core security mitigations included in the most recent releases of Windows, Windows 7 and Windows Vista. Security researchers have put together attacks against these Windows security measures and managed to circumvent the added protection delivered by Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR). Both Vista and Windows 7 feature DEP and ASLR, and so far the two mitigations have held their own against attacks, making exploits targeting Vista and Windows 7 difficult enough to discourage attackers from even trying. Vista has a proven track record of delivering more protection to end users than Windows XP, being affected by far fewer vulnerabilities. Windows 7, released to the general public barely three months ago, has yet to prove itself.

According to The Register, both attacks that bypass DEP and ASLR use Adobe Flash as the vector of attack. Security researcher Dionysus Blazakis leveraged the just-in-time (JIT) compiler in Flash to fill large portions of the attacked machine's memory with identical copies of shellcode. Because the JIT compiler emits that code into memory that is legitimately marked executable, DEP does not block it, and because so many copies exist, the attacker no longer needs to know an exact address: the technique let the white-hat hacker render ASLR virtually useless by estimating, rather than knowing, the position of executable code. Such an estimate would be extremely difficult under normal conditions, since ASLR is designed to randomize the position of executable images (.EXE and .DLL files) in the computer's memory.

"With this JIT-spray, it works fairly reliably, so at least nine out of 10 times you'll guess the right position," Blazakis explained. "The compilers do this optimizing, so it wasn't just a given that this was possible." Blazakis managed to exploit Flash in order to launch the Windows calculator from within Internet Explorer 8.

The second attack also relies on a JIT-spraying technique and uses Flash as its vector. Nicolas Pouvesle, senior security researcher at Immunity, developed an exploit against IE8 running on top of Windows 7, which was integrated into the company's Canvas penetration testing tool.

"ASLR and DEP in IE 8 on Windows 7 provides a really good protection against these kinds of exploits. It took us quite some time to put everything together," Pouvesle stated. The attack uses a complex combination of techniques, including loading large Flash files into memory and converting Flash ActionScript code into machine code that doubles as shellcode.

Of course, users must understand two things. First, the weak link here is Adobe Flash, which serves as the vector of attack in both cases. Disabling the Flash plug-in would render these particular exploits useless, provided that attackers are unable to find another vector of attack to take advantage of.

And second, both DEP and ASLR are additional security mitigations, not barriers. What this means is that the two features are designed to make it as hard as possible for an attacker to exploit a vulnerability by executing arbitrary code on a vulnerable machine, even if the security hole is "wide open." Nowhere did Microsoft say that either DEP or ASLR was unbreakable. And sadly, as the two examples above show, a lax focus on security at Adobe can render Microsoft's hard work useless.

“Data Execution Prevention (DEP) can help protect your computer by monitoring your programs to ensure that they use system memory safely. If DEP detects a program on your computer using memory incorrectly, it closes the program and notifies you. The 32-bit versions of Windows Server 2008 and Windows Vista include a software implementation of DEP that can prevent memory that is not marked for execution from running. The 64-bit versions of Windows Server 2008 and Windows Vista work with the 64-bit processor's built-in DEP capabilities to enforce this security at the hardware layer, where it would be very difficult for an attacker to circumvent. DEP is enabled by default in both 32-bit and 64-bit versions of Windows Server 2008 and Windows Vista,” Microsoft stated.

“Address Space Layout Randomization (ASLR) is designed to restrict malicious code in exploiting a system function. When a computer running Windows Server 2008 and Windows Vista is started, ASLR randomly assigns executable images (which are the .dll and .exe files) included as part of the operating system to one of 256 possible locations in memory. This makes it more difficult for exploit code to locate and take advantage of functionality inside the executable images,” the company added.
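The Microsoft descriptions above make one practical point that is easy to miss: DEP and ASLR protect an executable image only if the image is marked to participate. On Vista and Windows 7, an .exe or .dll signals that by setting the IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (ASLR) and IMAGE_DLLCHARACTERISTICS_NX_COMPAT (DEP) bits in the DllCharacteristics field of its PE optional header, and the loader can only move an image that still carries relocation data. A module loaded into a browser process without those bits is a fixed landmark that the randomization of the operating system's own images does nothing to hide. The following script is an added example, not code from the article or from any of the researchers it quotes; it parses the PE header of a file and reports which mitigations the image opts into, so an administrator can audit the plug-ins and DLLs loaded into a browser. The flag values are the real ones from the PE/COFF specification; the build_sample_pe helper and the sample headers it produces are constructed here for offline testing and are not real binaries.

```python
import struct
import sys

# DllCharacteristics bits from the PE/COFF specification.
DYNAMIC_BASE = 0x0040   # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE: image opts in to ASLR
NX_COMPAT = 0x0100      # IMAGE_DLLCHARACTERISTICS_NX_COMPAT: image opts in to DEP
# COFF file-header Characteristics bit.
RELOCS_STRIPPED = 0x0001  # IMAGE_FILE_RELOCS_STRIPPED: no .reloc data, image cannot be moved

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
DLL_CHARACTERISTICS_OFFSET = 0x46  # same offset in the PE32 and PE32+ optional headers


def parse_mitigations(data: bytes) -> dict:
    """Return the ASLR/DEP opt-in status of a PE image given its raw bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, _, _, _, _, opt_size, coff_chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if opt_size < DLL_CHARACTERISTICS_OFFSET + 2:
        raise ValueError("optional header too short")
    dll_chars = struct.unpack_from("<H", data, opt + DLL_CHARACTERISTICS_OFFSET)[0]
    wants_aslr = bool(dll_chars & DYNAMIC_BASE)
    relocs_present = not (coff_chars & RELOCS_STRIPPED)
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "dynamic_base": wants_aslr,
        "relocs_present": relocs_present,
        # The loader can only randomize an image it is able to relocate.
        "aslr_effective": wants_aslr and relocs_present,
        "nx_compat": bool(dll_chars & NX_COMPAT),
    }


def summarize(name: str, info: dict) -> str:
    """One audit line per image: which mitigations actually apply."""
    aslr = "ASLR" if info["aslr_effective"] else "no-ASLR"
    if info["dynamic_base"] and not info["relocs_present"]:
        aslr += "(relocs stripped)"
    dep = "DEP" if info["nx_compat"] else "no-DEP"
    return "%s: %s %s %s" % (name, "PE32+" if info["pe32plus"] else "PE32", aslr, dep)


def build_sample_pe(dll_chars: int, coff_chars: int = 0, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE header (no sections) used only to exercise the parser."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 0xF0 if pe32plus else 0xE0
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, coff_chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, DLL_CHARACTERISTICS_OFFSET, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def audit_files(paths) -> list:
    """Audit real files on disk; returns one summary line per path."""
    lines = []
    for path in paths:
        with open(path, "rb") as fh:
            lines.append(summarize(path, parse_mitigations(fh.read())))
    return lines


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print("\n".join(audit_files(sys.argv[1:])))
    else:
        # Constructed samples: a fully opted-in image, one that asks for ASLR
        # but cannot be relocated, and one that opts into nothing.
        samples = {
            "good.dll": build_sample_pe(DYNAMIC_BASE | NX_COMPAT),
            "stripped.dll": build_sample_pe(DYNAMIC_BASE | NX_COMPAT, RELOCS_STRIPPED),
            "legacy.dll": build_sample_pe(0),
        }
        for name, blob in samples.items():
            print(summarize(name, parse_mitigations(blob)))
```

Run it with the paths of the modules loaded into the browser process (`python audit.py iexplore.exe plugin.dll`) to see which of them actually participate in ASLR and DEP; the "relocs stripped" case is the one people tend to overlook, because the image looks opted-in yet sits at its preferred base every time.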