Windows 8 Security Garners Praise at Black Hat

By CIOinsight  |  Posted 07-27-2012

LAS VEGAS -- Microsoft's Windows 8 is not yet generally available -- the operating system officially lands on store shelves Oct. 26 -- but that's not stopping security researchers from trying to find flaws in the OS. However, hackers who have had an easy time with Windows might find some new security features hard to beat.

For years, Windows has come under frequent attacks, thanks to hackers exploiting the operating system s heap memory manager. However, in a new report released at the Black Hat conference here, engineers at Microsoft have done an admirable job of defending memory, making it more difficult than ever before for attackers to exploit.

The report is called "Windows 8 Heap Internals."

Chris Valasek, a senior security researcher at Coverity and co-author of the research, explained the memory heap is a critical component of Windows. The memory manager is what tells applications that memory is or isn't available for use.

"As a security researcher, you want to look into how the memory is managed and see if there is the potential for a buffer overflow or some kind of exploit that could alter what the heap memory manager is supposed to do," said Valasek.

Heap memory exploitation attacks have been around for over a decade, and Valasek wanted to see what had changed in Windows 8. As it turns out, Valasek and his research partner Tarjei Mandt were not able to find as many deficiencies in Windows 8 memory. The two researchers believe that Microsoft has made a giant leap forward in heap memory security with Windows 8.

"While they have really stopped all the present exploitation techniques out there, they did have to introduce new code and data structures," said Valasek. "That new code, under certain conditions is susceptible to attack, as previous versions of Windows were."

Those conditions assume that an attacker has access to a software vulnerability that leads to some kind of writing outside of the bounds of the piece of memory that application is supposed to use.

"The deficiencies aren't quite corner cases, but they rely on a lengthy set of preconditions to occur," said Valasek. "That being said, things like this aren't impossible; it just so happens that you need to have a certain few things in place for your overflow for an attack to work."

In Windows 8, Microsoft engineers added a number of new prerequisites to the heap memory manager, making it more difficult to exploit.

"In previous versions of Windows you could say, allocate a bunch of memory, get a buffer overflow and the basic attack technique would work," said Valasek.

In contrast with Windows 8, Valasek said you would have to allocate some memory, but not too much, and then ensure that a few certain things don't occur and then run the overflow.

"Windows 8 definitely raises the bar and makes things harder to exploit," said Valasek. "At the same time, it's not entirely impossible."

In previous versions of Windows, Microsoft attempted to mitigate memory overflows with Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR). While those techniques are helpful, Windows 8 goes a step further.


To read the original eWeek article, click here: Windows 8 Security Garners Praise at Black Hat