Defeating ASLR and DEP Protections on Windows Vista, presented at SyScan 2008

by Alexander Sotirov

Tags: Security Exploitation

Summary: Over the past several years, Microsoft has implemented a number of memory
protection mechanisms with the goal of preventing the reliable exploitation
of common software vulnerabilities on the Windows platform. Protection mechanisms
such as GS, SafeSEH, DEP and ASLR complicate the exploitation of many memory
corruption vulnerabilities and at first sight present an insurmountable obstacle
for exploit developers.

This talk aims to present exploitation methodologies against this increasingly
complex target. I will demonstrate how the inherent design limitations of the
protection mechanisms in Windows Vista make them ineffective for preventing the
exploitation of memory corruption vulnerabilities in browsers and other client
applications.

Each of the aforementioned protections will be briefly introduced and its design
limitations will be discussed. I will present a variety of techniques that can be
used to bypass the protections and achieve reliable remote code execution in many
different circumstances. Finally, I will discuss what Microsoft can do to increase
the effectiveness of the memory protections at the expense of annoying Vista users even more.