VANCOUVER–Software makers, led by Microsoft, have spent the last few years steadily adding new memory-protection and exploit-mitigation technologies such as ASLR, DEP and SafeSEH to their products. But the state of the art in exploitation has advanced just as steadily and, as researchers showed at CanSecWest this week, bypassing these protections is challenging, but increasingly feasible.
The addition of ASLR (Address Space Layout Randomization), DEP (Data Execution Prevention) and other memory protections has made the process of exploiting many vulnerabilities much more difficult. These mechanisms are designed to prevent attackers from finding predictable places in memory to put their attack code and from abusing memory that shouldn’t be executable. And they’ve succeeded to a large degree, researchers say, making the process of writing reliable exploits far more arduous.
However, as several talks at the CanSecWest conference and the results of the related Pwn2Own hacking contest here have shown, difficult is not the same as impossible. The clearest example of this is the Pwn2Own victory by Peter Vreugdenhil, a Dutch researcher who was able to exploit a previously unknown vulnerability in Internet Explorer 8 on 64-bit Windows 7 after bypassing both ASLR and DEP.
“I started with a bypass for ASLR which gave me the base address for one of the modules loaded into IE. I used that knowledge to do the DEP bypass,” he said after the contest.
The details of the vulnerability and the techniques that Vreugdenhil used to evade the memory protections are being kept private as part of the rules of the Pwn2Own contest. But he’s not alone in finding innovative ways around these hurdles.
Much of this wave of research on bypassing exploit mitigations was kicked off by work done by Alex Sotirov and Mark Dowd in “Bypassing Browser Memory Protections in Windows Vista” in 2008. The pair showed techniques for getting around ASLR and DEP to exploit browser flaws and other vulnerabilities.
In a talk Thursday morning at CanSecWest, Suichiro Suzuki, a researcher at Fourteenforty Research Institute, described a technique for bypassing the Structured Exception Handler Overwrite Protection (SEHOP) mechanism in newer versions of Windows. SEHOP is designed to prevent attackers from performing SEH overwrites, which have become a common attack technique in recent years. Suzuki’s technique enabled him to exploit a vulnerability using an SEH overwrite with ASLR, DEP and other memory protections enabled on the machine.
“The attackers can recreate the SEH chain,” Suzuki said.
As mature as some of these exploit mitigations are, they’re also increasingly well-understood by the attacker and researcher communities, both of which have been studying them for several years now.