In-Depth

Black Hat: Will Windows 8 Be a Hacking Killjoy?

During a presentation at this week's Black Hat security conference, security pros presented an argument on why Windows 8 may be the most secure OS Microsoft has ever released.

• By Stephen Swoyer
• 07/26/2012

Windows is about to get a lot less fun to hack.

That's one upshot of a talk given by security professionals Chris Valasek and Tarjei Mandt at this week's Black Hat USA Briefings in Las Vegas.

Valasek and Mandt are white-hat hackers -- security professionals who probe for vulnerabilities in Windows components, such as the Windows kernel or the Windows heap.

According to Valasek, a senior security researcher with Coverity, a firm that specializes in software development testing and hardening, his job is about to get a lot harder.

That's because Microsoft made several changes in its upcoming Windows 8 operating system that will effectively defang several known attack methods. "If you have heap exploits that work in Windows 7, most likely they are not going to work in Windows 8," Valasek told attendees.

Over the last few years, white-hat hackers developed a handful of new techniques for compromising either the Windows kernel or the Windows heap.

The latter, for the record, refers to the scheme by which Windows dynamically allocates memory. It's a favorite target of unscrupulous hackers -- or "crackers" -- who attempt to exploit heap vulnerabilities to trigger buffer overflow conditions that could result in either denial of service or (worst of all) execution of arbitrary code.

One upshot of this is that known or suspected vulnerabilities in either the kernel or the heap could notionally be targeted by malware deliverables. Back in 2008, for example, security researcher and white-hat hacker Ben Hawkes famously identified a scheme for exploiting the Windows Vista heap. Hawkes' created a proof-of-concept test application that was able to corrupt the Vista heap, exposing it (i.e., the heap) to an arbitrary code execution exploit.

At the time, Hawkes noted that common heap exploits were becoming increasingly hard to pull off, but that "complex" attacks -- which target the way in which the Windows heap is implemented -- still showed promise. His test application was a demonstration in kind.

Hawkes' hack worked in Windows 7, too. But with Windows 8, Valasek said, Microsoft is effectively slamming shut the door on the Hawkes exploit. "If you try this in Windows 8, it's not going to work. There may be a corner case" in which it could conceivably still succeed, he allowed, but -- for the most part -- "that's probably not going to happen."

Nor is that all. Valasek showed a slide comparing the potential exploitability of the heap in both Windows Vista and Windows 7 with that of Windows 8; suffice it to say, he identified a lot more "red Xs" -- i.e., potential vulnerabilities -- in Microsoft's legacy operating systems.

For one thing, Microsoft fundamentally changed the way in which Windows 8 dynamically allocates memory; instead of the using Windows 7's RtlAllocateHeap() back-end, Microsoft switched to a scheme that uses "dedicated bitmaps and counters ... [and] they've added ways for programmers to immediately terminate a process," among other mitigations, said Valasek.

Other improvements include using a random offset whenever memory is dynamically allocated -- making it much harder (if not completely impossible) for an attacker to anticipate where memory is to be written -- and also inserting buffer spaces between areas of memory once it's allocated. This last technique could mitigate the effects of buffer overflow exploits, which try to trick Windows into allocating less memory to a heap chunk or block than is actually needed.

The upshot, Valasek continued, is that "Microsoft has really made an effort to go through and look at what has been published and react in a different way by fixing it."

Windows 8 won't be impervious to hacking attempts, Valasek allowed.

"While not as plentiful as in years past, they still kind of exist," he said, outlining several hypothetical exploits -- at least one of which he's confirmed to work.

Valasek's colleague, Tarjei Mandt, a senior vulnerability researcher with information security consultancy Azimuth Security and a respected white-hat kernel cracker, spoke about hacking the Windows 8 kernel. Unlike Microsoft's approach with the Windows 8 heap, the new kernel is more of an evolutionary than a revolutionary design, said Mandt, who discovered at least one kernel exploit that affects both Windows Vista and Windows 7.

"The Windows 8 kernel is not fundamentally changing any of the algorithms" used in Windows 7, he said. "It's more of a hardened version of Windows 7 … [in that] you don't have any significant structur[al] changes, but you have a lot more checks."

Improvements in the Windows 8 kernel include the use of cookies to protect kernel pointers as well as support for a Non-executable (NX) NonPaged Pool. Interestingly, Cesar Cerrudo, CTO with security researcher IOActive Labs, presented a separate session on Windows kernel hacking techniques. Kernel improvements in Windows 8 should make it much harder -- and in most cases impossible -- to perpetrate the exploits discussed by Cerrudo.