In association with heise online

31 October 2011, 14:32

Worth Reading: ROP protection in Windows 8 bypassed

Windows 8 offers a range of new protection mechanisms that are designed to hamper the efforts of exploit authors. However, shortly after the release of the Windows 8 Developer Preview, a way to circumvent one of these new obstacles has already been found.

The standard technique to bypass the ever more widely used Data Execution Prevention (DEP) feature is to piece together small fragments of existing code which then call memory management functions such as VirtualProtect to disable memory protection. Each of these fragments ends in a return instruction that jumps to the address stored on the stack (hence, Return-Oriented Programming, or ROP). Consequently, the exploit authors need a specially crafted stack. As it tends to be difficult to manipulate the stack itself, it is necessary to place the required byte sequence in the heap and redirect the ESP stack pointer to the heap.

This is where Windows 8 steps in: when calling memory management functions, it will check whether the stack pointer is still pointing to the area described by the Thread Environment Block (TEB). If it isn't, the process will be terminated. The exploit writers' new trick is simple: they give Windows what it wants and reset ESP temporarily when the critical functions are called.
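As an added illustration of the check described above (not code from the article or from Windows), the following portable C models the TEB stack bounds and a guard that only lets a VirtualProtect-style call proceed when the stack pointer lies inside them. The structure and addresses are constructed stand-ins; on a real Windows thread the bounds come from the StackBase and StackLimit fields of the TEB's NT_TIB.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the stack fields of the TEB's NT_TIB. On Windows they are
 * read from NtCurrentTeb()->NtTib; here they are filled in by hand so the
 * check can be exercised on any platform (constructed values). */
struct tib_stack {
    uintptr_t stack_base;   /* highest address of the thread's stack (exclusive) */
    uintptr_t stack_limit;  /* lowest committed address of the stack (inclusive) */
};

/* The mitigation described in the article: the stack pointer observed at
 * the time of a memory-management call must lie inside the stack region
 * recorded in the TEB. Returns true when sp is inside that region. */
bool sp_within_teb_stack(const struct tib_stack *tib, uintptr_t sp)
{
    return sp >= tib->stack_limit && sp < tib->stack_base;
}

/* Guarded wrapper around a simulated VirtualProtect-style call.
 * Returns 1 if the call is honoured, 0 if the guard rejects it
 * (Windows 8 terminates the process at this point). */
int guarded_protect_call(const struct tib_stack *tib, uintptr_t sp)
{
    if (!sp_within_teb_stack(tib, sp))
        return 0;
    /* ... the real protection change would happen here ... */
    return 1;
}

int main(void)
{
    /* Constructed layout: a 1 MiB thread stack and a heap buffer elsewhere. */
    struct tib_stack tib = { .stack_base = 0x00200000u, .stack_limit = 0x00100000u };
    uintptr_t sp_legit   = 0x001ff000u;  /* ESP still inside the TEB stack range */
    uintptr_t sp_pivoted = 0x00400000u;  /* ESP redirected into the heap */

    printf("call with stack ESP:   %s\n", guarded_protect_call(&tib, sp_legit)   ? "allowed" : "blocked");
    printf("call with pivoted ESP: %s\n", guarded_protect_call(&tib, sp_pivoted) ? "allowed" : "blocked");

    /* Limitation the article points out: the guard only sees ESP at the
     * moment of the call, so a caller that restores ESP into range just
     * for the call passes the check like a legitimate caller would. */
    return 0;
}
```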

