How does memory randomization increase application security?

I recently came across a Microsoft article that advertised the new "security enhancements" of Windows 7. In particular:

  • Address Space Layout Randomization (ASLR)
  • Heap randomization
  • Stack randomization

The article went on to say that "... some of these protections are in the main operating system, and the Microsoft Visual C++ compiler offers others," but did not explain how these strategies actually enhance security.

Does anyone know why memory randomization improves security, if at all? Do other platforms and compilers use similar strategies?

+6
c++ security memory windows-7
3 answers

This improves security by making it harder to predict where something will be in memory. Quite a few buffer overflow exploits work by pushing (for example) the address of a known routine on the stack, and then returning to it. This is much more difficult to do without knowing the address of the corresponding procedure.

As far as I know, OpenBSD was the first to do this, at least among fairly well-known PC operating systems.

+9

It makes attacks such as return-to-libc (or returning into a user-provided data buffer, in the case of the last two) a lot more complicated. And yes, it is available on Linux, BSD, and Mac OS. As you would expect, the details are OS dependent. See Wikipedia for an introduction.

+2

By randomizing the stack, you make vanilla buffer overflow attacks such as Aleph One's "Smashing the Stack for Fun and Profit" impossible. The reason is that the attack relies on placing a small amount of executable code, called shellcode, at a predictable place in memory. The function's stack frame is corrupted and its return address is overwritten with a value the attacker chooses. When the damaged function returns, execution jumps to the attacker's shellcode. Traditionally, this memory address is so predictable that it is identical on all machines running the same software version.

Although Windows 7 implements these extended memory protections, successful code execution is still possible. Recently, at CanSecWest, a machine running Windows 7 and IE 8 was hacked in seconds. Here's a technical description of a modern memory corruption attack using a dangling pointer combined with a heap overflow.

0
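The following is an added example, not code from the original question or any of the answers. It models the frame the first and third answers describe: a fixed-size stack buffer followed directly by the saved return address, an unchecked copy that overwrites that address, and the attacker's dependence on knowing where the shellcode will be. Assumptions: the 16-byte buffer sits immediately before the return slot (real frames add saved registers and padding), and every address and region base below is a constructed value, not one taken from any real binary. The `main` prints real addresses from the current process; run it twice on a system with ASLR to see the stack, heap and code addresses change while the low 12 bits of the code address stay the same.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a stack frame with an x86-style layout: a fixed-size
 * buffer followed directly by the saved return address. Real frames also hold
 * saved registers and padding, so the exact distance is an assumption here. */
#define BUF_SIZE 16

struct frame {
    char buf[BUF_SIZE];
    uintptr_t saved_ret;
};

/* The vulnerable copy: writes len bytes starting at buf with no check against
 * BUF_SIZE, which is what strcpy()-style code does. Input bytes past BUF_SIZE
 * land on saved_ret. (Copying through the struct pointer keeps the model
 * well-defined C; a real overflow also keeps going past the frame.) */
static void vulnerable_copy(struct frame *f, const unsigned char *input, size_t len)
{
    memcpy((unsigned char *)f, input, len);
}

/* The fixed copy: bounds the write to the buffer. Returns 0 and copies
 * nothing if the input would not fit, so saved_ret is never touched. */
static int bounded_copy(struct frame *f, const unsigned char *input, size_t len)
{
    if (len > BUF_SIZE)
        return 0;
    memcpy(f->buf, input, len);
    return 1;
}

/* Builds the classic Aleph One payload: filler up to the return slot, then the
 * address the attacker wants the function to "return" to. Returns payload size. */
static size_t build_payload(unsigned char *out, size_t cap, uintptr_t target)
{
    size_t need = offsetof(struct frame, saved_ret) + sizeof target;
    if (cap < need)
        return 0;
    memset(out, 0x90, offsetof(struct frame, saved_ret)); /* 0x90 is the x86 NOP opcode */
    memcpy(out + offsetof(struct frame, saved_ret), &target, sizeof target);
    return need;
}

/* Runs the overflow against a fresh frame and reports where control would go
 * when the function returns. 0x401000 stands in for the legitimate return. */
static uintptr_t return_after_overflow(uintptr_t target)
{
    struct frame f = { {0}, 0x401000 };
    unsigned char payload[sizeof f];
    size_t n = build_payload(payload, sizeof payload, target);
    vulnerable_copy(&f, payload, n);
    return f.saved_ret;
}

/* Same payload through the bounded copy: it is rejected as too long and the
 * saved return address survives. */
static uintptr_t return_after_bounded_copy(uintptr_t target)
{
    struct frame f = { {0}, 0x401000 };
    unsigned char payload[sizeof f];
    size_t n = build_payload(payload, sizeof payload, target);
    (void)bounded_copy(&f, payload, n);
    return f.saved_ret;
}

/* Why randomization matters: the attacker hardcodes the shellcode address seen
 * on their own machine (base + offset). On the victim, ASLR shifts the region
 * base by a page-aligned random amount, so the same offset is a different
 * address and the hijacked return lands somewhere else. */
static int exploit_lands(uintptr_t attacker_base, uintptr_t victim_base, uintptr_t offset)
{
    uintptr_t guessed = attacker_base + offset;
    uintptr_t actual  = victim_base + offset;
    return return_after_overflow(guessed) == actual;
}

/* ASLR moves whole pages, so the low 12 bits of an address are the same in
 * every run; only the page number changes. Partial (low-byte) overwrites
 * exploit exactly this. */
static uintptr_t page_offset(uintptr_t addr)
{
    return addr & 0xfff;
}

int main(void)
{
    char local;
    void *heap = malloc(1);
    printf("stack %p  heap %p  code 0x%lx (page offset 0x%lx)\n",
           (void *)&local, heap, (unsigned long)(uintptr_t)main,
           (unsigned long)page_offset((uintptr_t)main));
    printf("hijacked return: 0x%lx\n", (unsigned long)return_after_overflow(0xbffff5c0u));
    printf("same base lands: %d, shifted base lands: %d\n",
           exploit_lands(0xbffff000u, 0xbffff000u, 0x5c0u),
           exploit_lands(0xbffff000u, 0xbffb2000u, 0x5c0u));
    free(heap);
    return 0;
}
```

The model deliberately keeps the copy inside the struct so it stays defined behaviour; the point it demonstrates is the same one the answers make: the overwrite itself is easy, and what the attacker cannot do under randomization is know in advance which value to put in the return slot.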
