March 2008

Vista and Server 2008 Malware Protection Gems

Use DEP and ASLR to protect yourself against buffer overrun-based attacks

Executive Summary:

Two malware protection defenses in Vista and Server 2008 can help you protect against buffer-overrun–based attacks: Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR). Each takes a slightly different proactive approach to the same problem. ASLR makes it harder for malware to find the code and data it needs at predictable addresses; DEP makes it harder for malware to execute injected code once that code has been placed in memory. You can use both techniques at the same time, and both also work inside virtual machines such as Microsoft Virtual PC or VMware products.


Attacks based on buffer overruns (aka buffer overflows) have been a problem for a long time and are still considered one of the computer industry’s most important security problems. The first buffer-overrun–based attack distributed via the Internet, the Morris worm, did a lot of harm in 1988. The sad thing is that its creator didn’t write the worm to cause harm but rather as an experiment for measuring the size of the Internet. The Morris worm exploited weak passwords and known vulnerabilities in UNIX programs such as sendmail and finger (a buffer overrun in the fingerd daemon). Two more recent well-known attacks that exploited buffer overruns, the Code Red and SQL Slammer worms, exposed many Internet-connected systems to attackers’ control. In 2001, the Code Red worm exploited a buffer-overrun vulnerability in the Indexing Service ISAPI extension of Microsoft Internet Information Services (IIS) 5.0 (the IIS version bundled with Windows 2000), and in 2003, the SQL Slammer worm used a buffer-overrun vulnerability in the SQL Server 2000 Resolution Service, reachable with a single UDP packet, to compromise machines running Microsoft SQL Server 2000.

You can defend against buffer-overrun–based attacks by using defenses that Microsoft includes in Windows Vista and Windows Server 2008: Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR). (At the time of this writing, Microsoft was about to release Vista SP1 and had released Windows Server 2008 RC0.) I’ll explain why these defenses are important and how you can configure them and observe their behavior.

Understanding Buffer Overruns
Before going into more detail on the Vista and Server 2008 buffer-overrun defenses, it might be worthwhile to look at how a buffer overrun works and how it can harm your systems and data.

A buffer overrun occurs when a program (malicious, or simply badly engineered) writes data beyond the end of a fixed-length buffer in memory. The extra, overflowing data overwrites whatever is stored in the adjacent memory locations: other buffers, variables, and control data such as function pointers and the return addresses saved on the stack. At minimum, the corrupted process crashes or produces incorrect results. The bigger threat is that the injected data often contains executable code, and the overwritten control data is what lures the program into jumping to it. That code carries the real payload of a buffer-overrun–based attack: it is used to steal or delete data, cause Denial of Service (DoS) outages, elevate privileges, or spread malware to other systems.

Figure 1 gives a simple example of a buffer overrun. A program has defined two variables that are stored in adjacent memory locations. The first is an eight-byte-long string called X; the second, a two-byte integer called Y. Initially, X contains nothing but zero bytes, and Y contains the number 30. Imagine that a user (whether unintentionally or maliciously) inputs the character string OVERFLOW to this program. The program then attempts to store this string in X’s memory location, followed by a zero byte to mark the end of the string. Because the program logic doesn’t check the length of the input, the eight characters fill X completely and the terminating zero byte lands in the first byte of Y; a longer input would spill its own characters into Y as well. The result is that, although the programmer never intended input to X to touch Y, Y’s original value of 30 has been replaced by whatever bytes the overrun placed there.

Developers can prevent buffer overruns by including sufficient boundary checks in their program code and by leveraging compilers or runtime services that perform boundary checks. Boundary checks ensure that input data fits the buffer it is written to, terminator included. Although boundary checking and enforcement have become best practices for developers, plenty of legacy code doesn’t include boundary checks, and coding best practices are of little use when programmers don’t follow them.
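The following C program reproduces the Figure 1 scenario and places the bounds-checked version next to it. It is an added example, not code from the article: the struct, the copy routine and the function names are assumptions chosen so that X and Y are adjacent exactly as in the figure. With the input OVERFLOW the terminating zero byte lands in Y; on a little-endian machine Y therefore reads back as 0 instead of 30. The checked version refuses the same input before anything is written.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same layout as Figure 1: an eight-byte string X immediately followed in
 * memory by a two-byte integer Y. sizeof(struct record) is 10 on the usual
 * ABIs (uint16_t is 2-byte aligned, so there is no padding between them). */
struct record {
    char     x[8];
    uint16_t y;
};

/* The copy a "badly engineered" program performs: byte by byte until the
 * terminating zero, with no idea how large the destination is. Kept out of
 * line so the compiler cannot reason the overwrite of y away. */
__attribute__((noinline))
static void copy_unchecked(char *dst, const char *src)
{
    while ((*dst++ = *src++) != '\0') {
    }
}

/* Vulnerable version. Returns the value of Y after the input has been
 * stored so the corruption can be observed. Inputs of nine characters or
 * more would run past the struct itself; the demo stays inside it. */
uint16_t store_unchecked(const char *input)
{
    struct record r;
    memset(r.x, 0, sizeof r.x);
    r.y = 30;
    copy_unchecked(r.x, input);   /* deliberately missing bounds check */
    return r.y;
}

/* Hardened version: reject any input that does not fit, terminator
 * included. memchr bounds the scan, so even an unterminated input cannot
 * run away. Returns Y (still 30) on success or -1 if the input was rejected. */
int store_checked(const char *input)
{
    struct record r;
    memset(r.x, 0, sizeof r.x);
    r.y = 30;
    const char *nul = memchr(input, '\0', sizeof r.x);
    if (nul == NULL) {
        return -1;                /* no room for the string plus its terminator */
    }
    memcpy(r.x, input, (size_t)(nul - input) + 1);
    return r.y;
}

int main(void)
{
    printf("unchecked, \"SHORT\":    Y = %u\n", store_unchecked("SHORT"));
    printf("unchecked, \"OVERFLOW\": Y = %u\n", store_unchecked("OVERFLOW"));
    printf("checked,   \"OVERFLOW\": %d (rejected)\n", store_checked("OVERFLOW"));
    return 0;
}
```

The unchecked copy is the kind of code DEP and ASLR exist to contain; the checked copy is the fix the developer should have shipped. Note that the check is on the destination size, not on the input: a length limit derived from the input itself is the mistake that made the overrun possible in the first place.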

These reasons explain why many hardware, application, and OS software vendors, Microsoft included, have developed proactive defenses that attempt to stop buffer-overrun attacks against badly engineered code. Let’s look at Microsoft’s implementations of DEP and ASLR.

Data Execution Prevention
As I mentioned above, buffer-overrun–based attacks often write malicious code into another program’s memory buffers and then trick the program into executing that payload. DEP tackles the execution step. With DEP, Windows marks memory pages that should contain only data (the stacks, the default heap, and memory pools, for example) as non-executable (NX). When an application attempts to execute instructions from an NX-marked page, the attempt is blocked: the processor raises an access violation instead of running the instruction, and Windows delivers that exception to the application. Keep in mind what DEP does not do: an attack that never executes injected data, but instead redirects the program into code that is already executable (return-to-libc and return-oriented techniques), passes DEP untouched. That is why DEP is paired with ASLR, which makes such existing code hard to locate.

A negative side effect of DEP’s protection is that the blocked application typically halts: unless it handles the exception itself, Windows terminates the process with an access violation (exception code 0xC0000005, STATUS_ACCESS_VIOLATION). In other words, even though DEP stops malware from executing its payload, a failed attempt still takes the target down, which gives malware a new opportunity to launch DoS attacks. Legitimate applications that generate code at run time without marking it executable fail in exactly the same way, so expect such crashes in the Application event log when you enable DEP more widely.

Microsoft includes DEP support not only in Vista and Server 2008 but also in Windows XP SP2, Windows Server 2003 SP1, and Windows Server 2003 R2. Microsoft’s DEP implementation comes in two flavors: hardware-enforced DEP and software-enforced DEP.

Hardware-enforced DEP. Hardware-enforced DEP leverages a processor feature that AMD calls no-execute page protection (NX) and that Intel calls the Execute Disable Bit (XD). Both are the same mechanism: a bit in each page-table entry that tells the processor whether instructions may be fetched from that page, so the check is made by the processor on every instruction fetch at no run-time cost to Windows. At the time of writing, AMD supported NX only on its 64-bit processors, and Intel supported XD only on the Itanium and EM64T 64-bit processors and a small number of 32-bit Prescott processors. On 32-bit Windows the NX/XD bit exists only in the PAE page-table format, so hardware DEP requires the PAE kernel; Windows switches to it automatically on NX-capable systems. Microsoft is not the only OS vendor that leverages NX and XD to stop buffer overruns: NX- and XD-aware kernels are also available for other OSs such as Linux and the BSDs (see en.wikipedia.org/wiki/Nx-bit for more information).
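To see the NX/XD bit do what the two paragraphs above describe, the C program below copies a tiny payload (machine code that returns 42, standing in for an attacker’s injected code) into a freshly allocated data page and tries to run it, first while the page is read/write only, then after flipping it to read/execute. This is an added example, not code from the article, and it is written for Linux or another POSIX system on an NX-capable x86-64 or AArch64 processor, where the same hardware feature is used in place of Windows’ DEP; the function and constant names are assumptions. On the non-executable page the processor faults and the program recovers through a signal handler; on the executable page the payload runs.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Assumed payload: a function body, as raw machine code, that returns 42. */
#if defined(__x86_64__)
static const unsigned char k_payload[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00, /* mov eax, 42 */
                                           0xc3 };                        /* ret         */
#elif defined(__aarch64__)
static const unsigned char k_payload[] = { 0x40, 0x05, 0x80, 0x52,        /* mov w0, #42 */
                                           0xc0, 0x03, 0x5f, 0xd6 };      /* ret         */
#else
#error "k_payload needs an encoding for this architecture"
#endif

static sigjmp_buf g_recover;

/* Fetching instructions from a non-executable page raises SIGSEGV (SIGBUS on
 * some systems); jump back out of the handler instead of dying. */
static void on_fault(int sig)
{
    (void)sig;
    siglongjmp(g_recover, 1);
}

/* Copies the payload into a new data page and tries to run it.
 * make_executable == 0 leaves the page read/write (the DEP case);
 * make_executable != 0 changes it to read/execute first.
 * Returns 42 if the payload ran, -1 if the processor refused (NX/XD fault),
 * -2 if the page could not be set up at all. */
int run_from_page(int make_executable)
{
    long pagesz = sysconf(_SC_PAGESIZE);
    unsigned char *page = mmap(NULL, (size_t)pagesz, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) {
        return -2;
    }
    memcpy(page, k_payload, sizeof k_payload);   /* the "overrun" writes the code */

    if (make_executable) {
        if (mprotect(page, (size_t)pagesz, PROT_READ | PROT_EXEC) != 0) {
            munmap(page, (size_t)pagesz);
            return -2;
        }
        __builtin___clear_cache((char *)page, (char *)page + sizeof k_payload);
    }

    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    volatile int result;
    if (sigsetjmp(g_recover, 1) == 0) {
        int (*payload)(void);
        memcpy(&payload, &page, sizeof payload);  /* data pointer -> function pointer */
        result = payload();       /* faults here when the page is not executable */
    } else {
        result = -1;              /* arrived here from on_fault */
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    munmap(page, (size_t)pagesz);
    return result;
}

int main(void)
{
    printf("run from read/write page (DEP case): %d\n", run_from_page(0));
    printf("run from read/execute page:          %d\n", run_from_page(1));
    return 0;
}
```

The second call is the loophole every DEP deployment has to live with: code that can change page protections (here mprotect; VirtualProtect on Windows) can make its own data executable, which is why a payload that first reaches such an API through existing code is the usual way DEP is bypassed, and why the randomization ASLR adds matters.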

Software-enforced DEP. Software-enforced DEP lets Microsoft offer some DEP protection on 32-bit systems whose processor has no NX or XD bit, but it is a much narrower mechanism than its name suggests. It does not emulate the NX bit and cannot stop code from running in data pages. Instead, it is an additional check in the exception-dispatching code: before Windows runs a structured exception handler, it verifies that the handler is a legitimate one (for instance, one registered in the image’s SafeSEH table when the binary was linked with /SAFESEH). That blocks the common attack technique of overwriting an exception-handler pointer to redirect execution into injected code. Software-enforced DEP runs on any processor, and by default it protects only a limited set of Windows system binaries.

Continue on Page 2

Windows IT Pro is a Division of Penton Media Inc. Copyright © 2008 Penton Media, Inc., All rights reserved.