Windows Vista Exploitation Countermeasures.ppt
Heap Exploitation
- The majority of currently exploited vulnerabilities in Microsoft products are overflows into heap memory.
- Heap exploitation relies on corrupting heap management data or attacking application data within the heap.

VTable Overwrites
- Class objects contain a list of function pointers, one for each virtual function in the class, called a vtable:

    class MyClass {
    public:
        MyClass();
        virtual ~MyClass();
        virtual void MemberFunction();
        int MemberVariable;
    };

- Overwriting virtual function pointers is the simplest method of heap exploitation.

HEAP_ENTRY Overflow
- Scenario: a heap-based buffer overflow allows writing into the adjacent free heap block.
- Attack: overwrite the FLINK and BLINK values and wait for HeapAlloc().
- This allows one or two 4-byte writes to controlled locations:

    mov dword ptr [ecx],eax
    mov dword ptr [eax+4],ecx

  EAX = Flink, EBX = Blink

- Layout of a free heap block:

    _HEAP_ENTRY
      +0x000 Size
      +0x002 PreviousSize
      +0x004 SmallTagIndex
      +0x005 Flags
      +0x006 UnusedBytes
      +0x007 SegmentIndex
    _LIST_ENTRY
      +0x000 Flink
      +0x004 Blink

HEAP_ENTRY Overflow Mitigations in XP SP2
- List integrity is checked during heap allocation.
- 8-bit cookie.
- Verified on allocation, after removal from the free list:
  LIST_ENTRY->Flink->Blink == LIST_ENTRY->Blink->Flink == LIST_ENTRY

HEAP_ENTRY Overflow Mitigations in XP SP2
- Defeated by attacking the lookaside list.
- The first heap overwrite takes control of the Flink value in a free chunk that has a lookaside list entry.
- Allocation of the corrupted chunk puts the corrupt Flink value into the lookaside list.
- The next HeapAlloc() of a chunk of the same size will return the corrupted pointer.

- Heap segment randomization
- HEAP_ENTRY integrity checks
- Block entry randomization
- Linked-list validation and substitution
- Function pointer hardening
- Terminate on Error

HEAP_ENTRY Checksum
- Checksum for Size and Flags.
- Size, Flags, Checksum, and PreviousSize are XOR'd against a random value.
- Adds extra resilience against overflows into the Flink and Blink values.

Memory corruption vulnerability exposure can be mitigat
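The two heap-header defences the slides describe, the XP SP2 safe-unlink check and the Vista XOR-encoded header with a checksum over Size and Flags, as an added illustration in C. This is not code from the presentation: the LIST_ENTRY and HEAP_ENTRY structs are toy models following the slide's field order (not ntdll's real layout), the per-heap key and the overflow bytes are constructed values, and the checksum placement in SmallTagIndex is a simplification chosen for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy 32-bit free-list link, mirroring the slide's _LIST_ENTRY {Flink, Blink}. */
typedef struct list_entry {
    struct list_entry *Flink;
    struct list_entry *Blink;
} LIST_ENTRY;

/* Toy 8-byte block header in the field order the slide gives for _HEAP_ENTRY.
 * A model for illustration only, not ntdll's real structure. */
typedef struct heap_entry {
    uint16_t Size;
    uint16_t PreviousSize;
    uint8_t  SmallTagIndex;   /* reused here to carry the checksum byte */
    uint8_t  Flags;
    uint8_t  UnusedBytes;
    uint8_t  SegmentIndex;
} HEAP_ENTRY;

/* Safe unlink (the XP SP2 check): the entry is only removed from the free list
 * when both neighbours still point back at it, so corrupted Flink/Blink values
 * never reach the two pointer writes. Returns 1 on success, 0 if corrupt. */
int safe_unlink(LIST_ENTRY *entry)
{
    LIST_ENTRY *f = entry->Flink;
    LIST_ENTRY *b = entry->Blink;
    if (f->Blink != entry || b->Flink != entry)
        return 0;              /* list corruption detected: refuse to write */
    b->Flink = f;              /* the slide's mov dword ptr [ecx],eax   */
    f->Blink = b;              /* the slide's mov dword ptr [eax+4],ecx */
    entry->Flink = entry->Blink = NULL;
    return 1;
}

/* Checksum covers Size and Flags, as the slide states. */
static uint8_t header_checksum(const HEAP_ENTRY *e)
{
    return (uint8_t)(e->Size & 0xff) ^ (uint8_t)(e->Size >> 8) ^ e->Flags;
}

/* Store the checksum, then XOR Size, PreviousSize, Flags and the checksum byte
 * against a per-heap random key (constructed for the example; a real heap
 * would pick it when the heap is created). */
void encode_header(HEAP_ENTRY *e, uint32_t key)
{
    e->SmallTagIndex = header_checksum(e);
    e->Size          ^= (uint16_t)(key & 0xffff);
    e->PreviousSize  ^= (uint16_t)(key >> 16);
    e->Flags         ^= (uint8_t)(key >> 8);
    e->SmallTagIndex ^= (uint8_t)key;
}

/* Decode into *out and verify. Returns 1 if the header is intact, 0 if it was
 * rewritten by something that did not know the key, i.e. an overflow. */
int decode_header(const HEAP_ENTRY *enc, uint32_t key, HEAP_ENTRY *out)
{
    *out = *enc;
    out->Size          ^= (uint16_t)(key & 0xffff);
    out->PreviousSize  ^= (uint16_t)(key >> 16);
    out->Flags         ^= (uint8_t)(key >> 8);
    out->SmallTagIndex ^= (uint8_t)key;
    return out->SmallTagIndex == header_checksum(out);
}

/* Demo 1: a healthy circular list unlinks; an entry whose Flink was redirected
 * to a block that does not point back is rejected. Returns 1 if both hold. */
int demo_safe_unlink(void)
{
    LIST_ENTRY head, a, stray;
    head.Flink = &a;  head.Blink = &a;
    a.Flink = &head;  a.Blink = &head;
    int ok_good = safe_unlink(&a) && head.Flink == &head && head.Blink == &head;

    /* Re-link a, then simulate an overflow that replaced a.Flink. */
    head.Flink = &a;  head.Blink = &a;
    a.Flink = &head;  a.Blink = &head;
    stray.Flink = stray.Blink = &stray;   /* does not point back at a */
    a.Flink = &stray;
    int rejected = !safe_unlink(&a) && head.Flink == &a;   /* no write happened */
    return ok_good && rejected;
}

/* Demo 2: an encoded header round-trips, but four 'A' bytes spilled over the
 * header (constructed overflow) fail the checksum. Returns 1 if both hold. */
int demo_header_checksum(void)
{
    const uint32_t key = 0xA5C3F00Du;          /* constructed per-heap random value */
    HEAP_ENTRY e = { 0x0010, 0x0008, 0, 0x01, 0, 0 }, enc, dec;
    enc = e;
    encode_header(&enc, key);
    int roundtrip = decode_header(&enc, key, &dec) && dec.Size == 0x10 && dec.Flags == 0x01;

    memset(&enc, 'A', 4);                      /* overflow clobbers Size and PreviousSize */
    int caught = !decode_header(&enc, key, &dec);
    return roundtrip && caught;
}

int main(void)
{
    printf("safe unlink rejects corrupted entry: %s\n", demo_safe_unlink() ? "yes" : "no");
    printf("header checksum catches overflow:    %s\n", demo_header_checksum() ? "yes" : "no");
    return 0;
}
```

The safe-unlink test is exactly the XP SP2 predicate from the slide (Flink->Blink and Blink->Flink must both equal the entry), and the demo shows why the lookaside bypass mattered: the check only guards this unlink path, so a mitigation that validates one list does not protect a pointer that is handed out through another. The checksum demo shows the Vista idea that an attacker who overflows into the header without knowing the per-heap key has roughly a 1-in-256 chance of producing a header that decodes with a consistent checksum, after which Terminate on Error ends the process rather than continuing with a corrupt heap.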