SAN FRANCISCO–Despite years of efforts by software security teams at major vendors to harden the operating systems and browsers that are the most common targets of attackers, exploitation of new as well as older vulnerabilities is still simpler than many people might think.

Microsoft, Mozilla, Adobe and even Apple, to some degree, have put in place technologies in their newer products that are designed to make it more difficult for attackers to exploit vulnerabilities, including unknown flaws. However, these technologies, which include DEP, ASLR and SafeSEH, are mitigations, not absolute defenses against exploitation, said Dino Dai Zovi, a researcher and chief scientist at Endgame Systems, in a talk at the RSA Conference here. As effective as some of these technologies can be, they’re not meant to eliminate the possibility of a system being compromised.

“Attack mitigation takes the universe of exploit techniques and narrows it down,” he said.”But preventing the introduction of malicious code isn’t enough to prevent malicious computations.”

Microsoft has been steadily adding memory-protection technologies such as ASLR and DEP to its products over the last few years, and they are now enabled by default in the latest versions of Windows and Internet Explorer. Address Space Layout Randomization (ASLR) is designed to make it more difficult for attackers to overwrite a specific portion of memory by randomizing the location of key areas in a process’s memory. With things in unpredictable locations, it’s much more dfficult for attackers to get their data into the right place for an attack.

However, even with ASLR and Data Execution Prevention (DEP) enabled, it’s still possible to exploit vulnerabilities in the most recent versions of IE and Windows. In his talk, Dai Zovi showed a live demonstration in which he exploited the so-called Aurora IE vulnerability on Windows 7 running IE8. This configuration was thought to be immune to such attacks, but Dai Zovi was able to bypass the memory protections by using a combination of several attack techniques chained together.The presence of DEP and ASLR made the attack more difficult, but not impossible.

Dai Zovi said that while his attack worked in this instance, that’s no guarantee that a similar technique would work in another situation.

“Exploitation in the wild that bypasses DEP is pretty rare,” he said. DEP is specifically designed to prevent attackers from forcing application to execute data from portions of the memory that are designated as non-executable.

In fact, Microsoft has acknowledged the limitations of DEP from the beginning, and says that it is simply one of several tools that can help prevent memory corruption attacks.

“DEP presents a hurdle to attackers as they attempt to successfully
exploit security  vulnerabilities. In some cases, it is possible for an
attacker to evade DEP by using an exploitation technique such as return-to-libc. DEP by itself
is generally not a robust mitigation. DEP is a critical part of the
broader set of exploit mitigation technologies that have been developed
by Microsoft such as ASLR, SeHOP, SafeSEH, and /GS.
These mitigation technologies complement one another; for example DEP’s
weaknesses tend to be offset by ASLR and vice versa. DEP and ASLR used
together are very difficult to bypass. The known bypasses that exist
have been tied to specific application contexts (such as the IE7 and earlier bypass from Mark Dowd and Alex Sotirov),” Microsoft’s Robert Hensing wrote last year.

But, as Dai Zovi and others have shown, even with these technologies enabled, exploitation is still possible. Attackers have begun using third-party applications to bypass ASLR and DEP on Windows recently. A researcher named Dionysus Blazakis showed in February how he could use a technique called JIT-spraying to exploit a vulnerability in Adobe Flash and bypass both ASLR and DEP. This scenario is not something that Microsoft security engineers would have contemplated or been able to prevent on their end; it’s a result of the complex interactions among applications in production environments, not test labs.

“Systems fail more because of implementation than theory. The real world is complicated,” Dai Zovi said.

Categories: Vulnerabilities