Recent Posts

Tags

News

  • A blog about Microsoft Windows development, focused on kernel-mode driver development, the Windows DDK, WDK, and related tools.

    To elaborate on the copyright notice at the bottom: all content produced by me on this site is copyright and licensed as follows:

    <!-- Creative Commons License --> Creative Commons License
    This work is licensed under a Creative Commons License. <!-- /Creative Commons License --> <!-- <rdf:RDF xmlns="http://web.resource.org/cc/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <Work rdf:about=""> <dc:type rdf:resource="http://purl.org/dc/dcmitype/Text" /> <license rdf:resource="http://creativecommons.org/licenses/by-nc/2.0/" /> </Work> <License rdf:about="http://creativecommons.org/licenses/by-nc/2.0/"> <permits rdf:resource="http://web.resource.org/cc/Reproduction" /> <permits rdf:resource="http://web.resource.org/cc/Distribution" /> <requires rdf:resource="http://web.resource.org/cc/Notice" /> <requires rdf:resource="http://web.resource.org/cc/Attribution" /> <prohibits rdf:resource="http://web.resource.org/cc/CommercialUse" /> <permits rdf:resource="http://web.resource.org/cc/DerivativeWorks" /> </License> </rdf:RDF> -->

    Although I work for Positive Networks, this work is my own and is not connected with my employer in any way.

    <!-- technorati again --> <script type="text/javascript" src="http://embed.technorati.com/embed/8xz8dihr.js"> </script>

Community

Email Notifications

Other Blogs

General

Technical Resources

About Me

Archives

Kernel Mustard

Reflections on Windows System Programming
Steve Dispensa, MVP - Windows DDK

Security: Bypassing Hardware-based Data Execution Prevention

Security is bafflingly hard. I am always impressed with how easy it is to bypass the bast-laid plans of software architects.

Matt Miller and Ken Johnson, two of my colleagues at Positive Networks, have just released a paper, available here, detailing a way to bypass Windows hardware-based data execution prevention (DEP). For those who don't know, hardware-based DEP makes use of features of the latest CPUs to mark memory pages as non-executable, thus preventing certain classes of attacks that make use of code injected into data buffers. It's a great idea in principle, and the implementation is a good one.

The fundamental problem is that, in the real world, any change as drastic as DEP will certainly cause application compatibility problems. As Raymond Chen has covered extensively (here, for instance), Microsoft can't just go around breaking old applications. So, they had to provide a way to disable DEP on a per-program basis. Actually, it's even worse than that: programs often load shared DLLs, and the presence of a known-incompatible DLL requires DEP to be disabled.

Matt and Ken sum it up nicely:

In closing, the authors would like to make a special point to indicate that Microsoft has done an excellent job in raising the bar with their security improvements in XP Serivce Pack 2. The technique outlined in this document should not be seen as a case of Microsoft failing to implement something securely, as the provisions are certainly there to deploy hardware-enforced DEP in a secure fashion, but instead might be better viewed as a concession that was made to ensure that application compatibility was retained for the general case. There is almost always a trade-off when it comes to providing new security features in the face of potential compatibility problems, and it can be said that perhaps no company other than Microsoft is more well known for retaining backward compatibility.

As is usual with these guys, the paper is well-written and easy to follow. I'd highly encourage reading it - it's an excellent object lesson in security design trade-offs. Matt will be presenting at the BlueHat Conference at Microsoft on October 13-14 on a slightly different topic; check him out if you get a chance.

Posted: Oct 05 2005, 09:45 PM by Steve Dispensa | with 1 comment(s)
Filed under:

Comments

TrackBack said:

# November 12, 2005 8:48 PM
Leave a Comment

(required) 

(required) 

(optional)

(required)