Black Hat: Will Windows 8 Be a Hacking Killjoy?

During a presentation at this week's Black Hat security conference, security pros presented an argument on why Windows 8 may be the most secure OS Microsoft has ever released.

Windows is about to get a lot less fun to hack.

That's one upshot of a talk given by security professionals Chris Valasek and Tarjei Mandt at this week's Black Hat USA Briefings in Las Vegas.

Valasek and Mandt are white-hat hackers -- security professionals who probe for vulnerabilities in Windows components, such as the Windows kernel or the Windows heap.

According to Valasek, a senior security researcher with Coverity, a firm that specializes in software development testing and hardening, his job is about to get a lot harder.

That's because Microsoft made several changes in its upcoming Windows 8 operating system that will effectively defang several known attack methods. "If you have heap exploits that work in Windows 7, most likely they are not going to work in Windows 8," Valasek told attendees.

Over the last few years, white-hat hackers developed a handful of new techniques for compromising either the Windows kernel or the Windows heap.

The latter, for the record, refers to the scheme by which Windows dynamically allocates memory. It's a favorite target of unscrupulous hackers -- or "crackers" -- who attempt to exploit heap vulnerabilities to trigger buffer overflow conditions that could result in either denial of service or (worst of all) execution of arbitrary code.

One upshot of this is that known or suspected vulnerabilities in either the kernel or the heap could notionally be targeted by malware. Back in 2008, for example, security researcher and white-hat hacker Ben Hawkes famously identified a scheme for exploiting the Windows Vista heap. Hawkes created a proof-of-concept application that corrupted the Vista heap, opening it up to an arbitrary code execution exploit.

At the time, Hawkes noted that common heap exploits were becoming increasingly hard to pull off, but that "complex" attacks -- which target the way in which the Windows heap is implemented -- still showed promise. His test application was a demonstration in kind.

Hawkes' hack worked in Windows 7, too. But with Windows 8, Valasek said, Microsoft is effectively slamming shut the door on the Hawkes exploit. "If you try this in Windows 8, it's not going to work. There may be a corner case" in which it could conceivably still succeed, he allowed, but -- for the most part -- "that's probably not going to happen."

Nor is that all. Valasek showed a slide comparing the potential exploitability of the heap in both Windows Vista and Windows 7 with that of Windows 8; suffice it to say, he identified a lot more "red Xs" -- i.e., potential vulnerabilities -- in Microsoft's legacy operating systems.

For one thing, Microsoft fundamentally changed the way in which Windows 8 dynamically allocates memory: instead of using Windows 7's RtlAllocateHeap() back-end, Microsoft switched to a scheme that uses "dedicated bitmaps and counters ... [and] they've added ways for programmers to immediately terminate a process," among other mitigations, said Valasek.

Other improvements include using a random offset whenever memory is dynamically allocated -- making it much harder (if not impossible) for an attacker to predict where memory will be written -- and inserting buffer spaces between allocated areas of memory. This last technique could mitigate the effects of buffer overflow exploits, which try to trick Windows into allocating less memory to a heap chunk or block than is actually needed.
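As an added illustration (not code from the talk, from Valasek, or from Microsoft), the toy Python model below compares a classic back-to-back heap layout with one that applies the two mitigations just described: a random start offset before each allocation and a guard page after the allocated region. Chunk size, offset range and page size are constructed assumptions; the point is to see how often a fixed-length overflow still lands on a neighbouring chunk under each layout.

```python
import random

CHUNK = 64    # constructed: every allocation in the model is 64 bytes
SLIDE = 256   # constructed: random gap drawn from [0, SLIDE) in 16-byte steps
GUARD = 4096  # constructed: one guard page after the region's last chunk

def layout(n_chunks, rng=None):
    """Place n_chunks chunks in a region and return (chunks, guard).

    rng=None models the classic back-to-back layout; with an rng each chunk
    is preceded by a random gap, i.e. the "random offset" mitigation."""
    chunks, cursor = [], 0
    for _ in range(n_chunks):
        if rng is not None:
            cursor += rng.randrange(0, SLIDE, 16)
        chunks.append((cursor, cursor + CHUNK))
        cursor += CHUNK
    return chunks, (cursor, cursor + GUARD)

def overflow_outcome(chunks, guard, src, n_bytes):
    """Classify a linear write of n_bytes past the end of chunk `src`."""
    end = chunks[src][1]
    write = (end, end + n_bytes)
    def overlaps(r):
        return r[0] < write[1] and write[0] < r[1]
    if overlaps(guard):
        return "guard"      # faults on the guard page: process dies, no usable corruption
    if any(overlaps(c) for i, c in enumerate(chunks) if i != src):
        return "neighbour"  # silently corrupts another live chunk
    return "miss"           # lands in slack the allocator inserted

def outcome_rates(trials, src, n_bytes, randomised, seed=1):
    """Fraction of each outcome over `trials` independently laid-out heaps."""
    rng = random.Random(seed) if randomised else None
    counts = {"guard": 0, "neighbour": 0, "miss": 0}
    for _ in range(trials):
        chunks, guard = layout(4, rng)
        counts[overflow_outcome(chunks, guard, src, n_bytes)] += 1
    return {k: v / trials for k, v in counts.items()}

if __name__ == "__main__":
    print("classic   :", outcome_rates(1000, src=1, n_bytes=8, randomised=False))
    print("randomised:", outcome_rates(1000, src=1, n_bytes=8, randomised=True))
    print("last chunk:", outcome_rates(1000, src=3, n_bytes=8, randomised=True))
```

In the classic layout an 8-byte overflow from a middle chunk corrupts its neighbour every time; with the random gap it does so only when the gap happens to be zero, and an overflow from the last chunk always runs into the guard page.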

The upshot, Valasek continued, is that "Microsoft has really made an effort to go through and look at what has been published and react in a different way by fixing it."

Windows 8 won't be impervious to hacking attempts, Valasek allowed.

"While not as plentiful as in years past, they still kind of exist," he said, outlining several hypothetical exploits -- at least one of which he's confirmed to work.

Valasek's colleague, Tarjei Mandt, a senior vulnerability researcher with information security consultancy Azimuth Security and a respected white-hat kernel cracker, spoke about hacking the Windows 8 kernel. Unlike Microsoft's approach with the Windows 8 heap, the new kernel is more of an evolutionary than a revolutionary design, said Mandt, who discovered at least one kernel exploit that affects both Windows Vista and Windows 7.

"The Windows 8 kernel is not fundamentally changing any of the algorithms" used in Windows 7, he said. "It's more of a hardened version of Windows 7 … [in that] you don't have any significant structur[al] changes, but you have a lot more checks."

Improvements in the Windows 8 kernel include the use of cookies to protect kernel pointers as well as support for a non-executable (NX) NonPaged Pool. Separately, Cesar Cerrudo, CTO of security research firm IOActive Labs, presented a session on Windows kernel hacking techniques. The kernel improvements in Windows 8 should make it much harder -- and in most cases impossible -- to carry out the exploits discussed by Cerrudo.

About the Author

Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.


Reader Comments:

Fri, Nov 2, 2012 Pirate

Kernel exploits aren't very common anymore if you look at modern-day attacks and exploits. Hackers are now, more than ever, relying on the Windows users ("people using the OS on their computers") to leave holes in their security, and really it is getting worse. While kernel builds are being hardened, there are limited safeguards that prevent attackers from penetrating a system that isn't being scrutinized and monitored by someone who knows what they're doing and what to watch out for. The only thing that has been standing between hackers and potential victims ("the public") is the anti-virus solutions that have been deployed by those users. And most of the time people are more than content to go with cheap, outdated software than to see the importance of investing in a more updated product that gets regular updates. While Microsoft has been doing better with their security updates, they are still for the most part unpredictable and don't come fast enough or on an as-needed basis. Overall, I would say Microsoft has come a long way over the years but still has years ahead of them before they can call Windows "Secure". -ThePirate

Tue, Oct 23, 2012 Anonymous

Well, not so true. Microsoft Windows 8 is easier; it is a hacker's dream paradise. Windows 8 is not for your typical user. Microsoft should never have invented Windows 8 like this one; they made a huge mistake and it will be costly. Too much malware and spyware built into Windows 8. Many security blocks by Microsoft, however, are easily taken out. Windows 8 does not function properly; I have been testing it for 1 year, and believe me, Windows 8 will not last 2 years in the market if Microsoft does not change many things. Yes, the boot-up is faster than ever before; however, copying and pasting documents is much slower. Firewall and Security Center apps are too weak. Visit us on Facebook for more information on Windows 8.

Tue, Jul 31, 2012 Clay

I think that's the most times I've ever seen the word "upshot" used in an article.
