Od: protection for Heap in Windows

Source: Internet
Author: User

Microsoft has also added several security checks to the heap, making heap overflow, which was never easy, considerably harder:

* PEB Random: Since Windows XP SP2, Microsoft no longer uses the fixed PEB base address 0x7ffdf000 but a somewhat randomized base address, which frustrates DWORD SHOOT attacks against function pointers stored in the PEB.

* Safe Unlink: Microsoft rewrote the code that manipulates the doubly linked list and is more careful when unlinking heap blocks from the free list. SP2 verifies the integrity of the heap block's links before the removal operation is performed, so that a DWORD SHOOT cannot happen during the delete:

    /* Free-list node: forward and backward links of the doubly linked list */
    typedef struct ListNode {
        struct ListNode *flink;
        struct ListNode *blink;
    } ListNode;

    int safe_remove(ListNode *node)
    {
        /* Both neighbours must point back at this node before any write happens */
        if ((node->blink->flink == node) && (node->flink->blink == node))
        {
            node->blink->flink = node->flink;
            node->flink->blink = node->blink;
            return 1;
        }
        else
        {
            // raise exception
            return 0;
        }
    }

* Heap Cookie: As with the stack, a cookie is introduced into the heap to detect heap overflows. The cookie is located in the header at the head of the heap block (the segment-table index field) and occupies 1 byte.

* Metadata Encryption: This measure was introduced in Windows Vista and later versions. Some of the important data in the block header is XORed (encrypted) with a random 4-byte value when it is stored and XORed again (decrypted) when it is used, so an overflow can no longer directly corrupt this data in a controlled way.

Heap researcher Matt Conover, in his CanSecWest 04 talk "Windows Heap Exploitation (Win2K SP0 through WinXP SP2)", pointed out that the PEB randomization only varies between 0x7ffdf000 ~ 0x7ffd4000; the random interval is small, and in a multi-threaded state it is easy to predict.

Although the Heap Cookie occupies only 1 byte, there is still a possibility of cracking it after studying the random algorithm that generates it.

For Safe Unlink, too, some ideas for bypassing it have been found.

But for these ideas to be successfully implemented and used after XP SP2, very demanding conditions are required; heap overflow has become very hard.

Overwriting data in the heap

However, heap protection protects the heap's own data structures, whereas the first idea for an attack is the key data stored in the heap that the overflow can reach: important variables, data, function pointers ...

Attacking the heap by resetting a chunk's size

Safe Unlink verifies the doubly linked list when a chunk is removed from freelist[n], but performs no validation when a chunk is inserted into freelist[n]! If a chunk can be forged and inserted into freelist[n], some kind of attack becomes possible. The insert operation occurs in the following two scenarios:

1. After the memory is freed, the chunk is no longer in use.
2. When the chunk is larger than the requested size, the remaining space is built into a new chunk and linked into the list.

The second scenario provides an opportunity for exploitation. Consider first the process of allocating a chunk; the process of obtaining space from freelist[] is as follows:

1. Compare the last chunk on freelist[0] with the requested size; if the chunk size ≥ the requested size, continue the allocation, otherwise expand the space (if the large heap list cannot satisfy the allocation, expand the heap).
2. Examine chunks sequentially, starting from the first chunk on freelist[0], until the first chunk that fits is found, then unlink it.
3. Allocate the space; if the chunk has space left over, build the remainder into a new chunk and insert it into the linked list.

In this process, the first step offers no opportunity, and the second is protected by Safe Unlink. But Safe Unlink has a problem: even when it detects that the chunk structure has been tampered with, it still allows the subsequent operations, such as resetting the chunk size, to proceed.
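The following is an added example, not code from the original article: a small C model of one freelist[n] that implements the Safe Unlink check shown above beside an unchecked insert path like the one this section describes, plus an assumed hardened insert (not Windows code) that applies the same neighbour test before linking. The `ListNode`, `decoy` and scenario names are constructed for the demonstration.

```c
#include <stddef.h>
typedef struct ListNode {
    struct ListNode *flink;   /* forward link */
    struct ListNode *blink;   /* backward link */
} ListNode;
/* Both neighbours must point back at the node for its links to be trusted. */
static int links_consistent(const ListNode *node) {
    return node->blink->flink == node && node->flink->blink == node;
}
/* XP SP2 Safe Unlink: verify before writing, so an overwritten flink/blink
   pair cannot turn the unlink into an arbitrary 4-byte write (DWORD SHOOT). */
int safe_remove(ListNode *node) {
    if (!links_consistent(node)) return 0;   /* the real heap raises an exception */
    node->blink->flink = node->flink;
    node->flink->blink = node->blink;
    return 1;
}
/* Tail insert with no validation, as the text describes the SP2 insert path. */
void unchecked_insert_tail(ListNode *head, ListNode *node) {
    node->flink = head;
    node->blink = head->blink;
    head->blink->flink = node;
    head->blink = node;
}
/* Hardened insert (assumed mitigation, not Windows code): check the list first. */
int checked_insert_tail(ListNode *head, ListNode *node) {
    if (!links_consistent(head)) return 0;
    unchecked_insert_tail(head, node);
    return 1;
}
/* Build the circular list head <-> a <-> b, standing in for one freelist[n]. */
static void build_list(ListNode *head, ListNode *a, ListNode *b) {
    head->flink = head->blink = head;
    unchecked_insert_tail(head, a);
    unchecked_insert_tail(head, b);
}

/* Returns 0 when every check behaves as expected, else the first failing step. */
int run_scenarios(void) {
    ListNode head, a, b, c, decoy = { NULL, NULL };
    build_list(&head, &a, &b);                /* step 1: intact list unlinks cleanly */
    if (!safe_remove(&a) || head.flink != &b || !links_consistent(&b)) return 1;
    build_list(&head, &a, &b);
    b.flink = &decoy;                         /* step 2: constructed corruption of b */
    if (safe_remove(&b) != 0 || decoy.blink != NULL) return 2;   /* refused, no write */
    if (checked_insert_tail(&head, &c) != 0) return 3;          /* list rejected too */
    return 0;
}
```

Step 2 shows the point of the check: with b's forward link corrupted, the unchecked unlink would have written into `decoy`, while `safe_remove` refuses and leaves it untouched.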
