Microsoft has recently released the latest version of Windows dubbed Windows 8. The operating system features, among other things, a new user interface called Metro, which has been fairly controversial. On top of the user interface Microsoft has taken serious efforts to improve security – Windows 8 includes a far stronger implementation of ASLR.
ASLR (Address Space Randomization)
Address Space Randomization, or ASLR for short, is an exploit mitigation technique invented by the PaX team. The idea is that attackers generally need to know where code is in a processes address space in order to carry out attacks. ASLR, as the name, randomizes the address space and makes it more difficult for attackers to exploit programs.
More Areas Randomized
One of the issues with ASLR is that if any area of address space isn’t randomized it can mean a full bypass for an attacker. Windows 8 now randomizes many new areas of the address space. Most significantly, all bottom up allocations (VirtualAlloc() VirtualAllocEx()) are now randomized, which closes up holes like this one. All bottom up and top down memory allocations being random makes the implementation of ASLR far better than in Windows 7.
One bypass of EMET 3.5 relied on a universal ASLR bypass using predictable pages and an information leak. Those (specific ones) are now gone.
ASLR randomizes allocations but if those randomized areas of memory are predictable an attacker can bruteforce their way to a useful area. Windows 8 has added significantly greater entropy to top down allocations and also added an opt-in feature titled High Entropy ASLR, which increases entropy across the board for all areas of address space. On a 64bit system it becomes unlikely that an attacker will bypass ASLR through bruteforcing as the address space is much larger – though this large address space is not necessarily enough.
Another very significant feature of Windows 8 is native support for Force ASLR. As I stated above a single area of address space being predictable is often enough for an attacker to bypass ASLR entirely and Force ASLR is built to ensure that no areas can be predictable. Often times when we run a program we add plugins or third party extensions – a web browser binary extension for example, or a program that adds a context menu to explorer.exe – and these third parties may not have enabled ASLR on their software. On Windows 7 and previous this would have meant an attacker could predict that area of address space and bypassed ASLR but not on Windows 8. With Force ASLR enabled all non-ASLR modules injected into a process are forced to use ASLR as wellm thus ensuring the entire process is randomized.
The improvements don’t end there but those three have the largest impact (as well as no more USER_SHARED_DATA bypasses). It’s clear that Microsoft has put effort into making Windows 8 their most secure operating system yet. When mainstream programs begin to make use of these mitigation techniques attackers are going to be forced to start finding other avenues of attack.