ISV adoption of mitigation technologies

Hi, Michael here,

Over the last few weeks, Matt Miller, Matt Thomlinson, John
Lambert and I worked on a paper that
describes the various buffer overrun defenses we offer in Windows Vista and
later and Windows Server 2008 and later.

I’d like to introduce a guest SDL blogger, Matt Miller, a
member of our Security Research and Defense team, who has written a great
article that describes the rationale behind the paper.

 

Over to Matt…

 

On our Security
Research and Defense blog
we have previously described the security
benefits of mitigation technologies like Data Execution Prevention (DEP) and
Address Space Layout Randomization (ASLR)[1,2].  These technologies and others like them
(SEHOP, GS, etc) are designed to make it more difficult for attackers to
reliably exploit software vulnerabilities. 
The growing prevalence of these technologies has contributed to increased
interest from the security research community on the subject of developing new
bypass techniques[3].
We value the research community’s findings in this area and are continuing to
work on improving the effectiveness of our mitigation technologies.  In the meantime, there are important steps
that Independent Software Vendors (ISVs) must take to ensure that these mitigations are as effective as
possible.

 

In practice, the effectiveness of mitigations like DEP and
ASLR is heavily dependent on how completely each mitigation technology has been
enabled by an application.  Failing to
completely enable a mitigation technology leaves low-hanging fruit that an
attacker can use to their advantage when developing an exploit.  In June, 2010, Secunia released a study which
measured the usage of DEP and ASLR in products developed by various ISVs[4].  This report showed that the majority of the
surveyed applications do not completely enable these mitigations and therefore
expose footholds that attackers can use to more easily exploit vulnerabilities. 


This point was most recently illustrated in the form of an
exploit that was written for Adobe Reader (CVE-2010-2883) where the attackers
took advantage of a DLL that had not opted-in to ASLR.  Adobe has done a commendable job of enabling mitigations
like ASLR for the majority of their components, but the fact that at least one
DLL existed that had not opted-in to ASLR was enough to give attackers a leg
up.  This same rule applies to other
applications as well; for example, BHOs and ActiveX controls that have not
opted-in to ASLR can allow attackers to bypass ASLR in conjunction with any
browser-based vulnerability.  These
examples show the importance of fully enabling mitigations.

 

How to verify an application’s ASLR settings

There are two general approaches that can be used to verify
the ASLR settings of an application.  The
first approach involves verifying that the EXE and DLLs that are currently loaded
by the application all have ASLR enabled. 
Sysinternals Process
Explorer
provides easy access to this information by setting the lower pane
to view DLLs for a process and adding the “ASLR enabled” column to the
view.  The screenshot below provides an
example of using Process Explorer to observe a non-ASLR DLL (jp2ssv.dll) that
has been loaded into the context of Internet Explorer (denoted by an empty
value for the ASLR column).

While Process Explorer is a very useful tool for verifying the
ASLR settings of DLLs that have been loaded in a running process, it is not
able to provide you with information about DLLs that are not actively loaded by
the application.  This information can be
obtained through the use of Microsoft’s BinScope Binary Analyzer.  BinScope inspects the on-disk settings
embedded in EXEs and DLLs and verifies that the required flags (DYNAMICBASE) have
been set in order for ASLR to occur.  The
screenshot below provides a simple example of a report produced by BinScope
where one DLL does not opt-in to ASLR (nodynamicbase.dll) and one DLL does
opt-in (dynamicbase.dll):

Guidance for ISVs                                                                                                                         

In an effort to help ISVs fully take advantage of the
security features provided by Windows we have published updated guidance which
shows how mitigation technologies like DEP, ASLR, and GS can be enabled.  This guidance can be found in the report
linked below:

 

http://msdn.microsoft.com/en-us/library/bb430720.aspx

 

We encourage ISVs to follow this guidance and, more
generally, the guidance provided through the Security Development Lifecycle
(SDL).  We also encourage ISVs who have
questions regarding the adoption of mitigation technologies to contact us at switech@microsoft.com.

 

Matt Miller, MSEC Security Science

 

 

About the Author
Michael Howard

Principal Security Program Manager

Michael Howard is a principal security program manager on the Trustworthy Computing (TwC) Security team at Microsoft, where he is responsible for managing secure design, programming, and testing techniques across the company. Michael is an architect of the Security Development Read more »