Memory exploit mitigation techniques

MEM uses multiple types of mitigation techniques to handle the exploit, depending on which technique is most appropriate for the type of application. For example, both the StackPvt and RopHeap techniques block the exploits that attack Internet Explorer.

MEM uses the following types of mitigation techniques:

Force Data Execution Prevention (DEP)

DEP is a security feature that can help prevent damage to your computer from viruses and other security threats. Harmful programs can try to attack Windows by attempting to run code from the system memory locations that are reserved for Windows and other authorized programs. To mitigate, Windows OS (since XPSP2) introduced DEP, a system-level protection that marks these memory locations as non-executable.

Force Address Space Layout Randomization (ASLR)

ASLR is a memory-protection process for the operating systems that guards against buffer-overflow attacks by randomizing the location where system executables are loaded into memory.

Structured Exception Handling Overwrite Protection (SEHOP)

SEHOP is a protection feature which guards against the most common technique for exploiting stack overflows on Windows for applications such as the RealPlayer media player. An exploit attack can control the execution flow of software toward the attacker’s shellcode by using an overwrite exception handler function. The exception handler function address is stored in stack memory and can easily be overwritten when a stack buffer overflow exists. Windows operating systems include SEHOP, but some Windows Vista operating systems disable SEHOP by default. Memory Exploit Mitigation provides protection even if SEHOP in Windows is turned off. SEHOP attacks occur on 32-bit clients only.

Heap Spray

A heap spray attack occurs when the attacker tries to place its attack code to a predetermined memory location. Memory Exploit Mitigation reserves the commonly used memory locations to prevent an attacker from using them. Heap spray attacks are a type of buffer attack that is seen in older web browsers and applications.

Enhance Address Space Layout Randomization (ASLR)

ASLR is a computer security technique which involves randomly positioning the base address of an executable and the position of libraries, heap, and stack, in a process’s address space. The random mixing of memory addresses that are performed by ASLR means that an attack no longer knows at what address the required code (such as functions or ROP gadgets) is located. That way, rather than removing vulnerabilities from the system, ASLR attempts to make it more challenging to exploit existing vulnerabilities.

Null Page Protection

NULL (0x00000000) is a valid memory address that an exploit may potentially take advantage as well. The goal is to pre-allocate this memory location to avoid its potential use.

DllLoad

The goal of this technique is to prevent the process to load DLL over SMB/shared folder. Some exploits uses this vector to execute DLL directly from their malicious server, for example: “\malicious.com\malware.dll”. Note that remote loading of DLLs over local networks such as local host, link local, and private IP addresses are not prevented. One known issue with the current implementation is that between the time of checking the load path and the actual loading, the result of querying the DNS server for a remote path with a host name might be different.

Return-Oriented-Programming (ROP)

ROP is a technique used by exploits to be able to execute code already available in memory (such as code from loaded DLLs) for performing operations it requires. This technique was designed to circumvent DEP by using existing code that is in memory and marked as executable ROP uses the stack to control the execution of combination of codes (so called gadgets) from different DLLs. Typically each gadget ends with the RET instruction, which further transfers the execution to the next gadget or the payload itself. For example, attacker wants to execute URLDownloadToFile API and there is a certain DLL that has a code that calls this API, the attacker can use that code instead to perform the call. The API will invoke RET instruction when it ends, so from stack, the attacker can chain the execution to the next gadget (example, CreateProcess API). The goal is to detect execution of system critical APIs by this technique. This feature employs the following methods to detect such execution:

• StackNX: Prevents call to memory protection APIs (e.g. VirtualProtect) to mark memory address belonging to Stack as executable.
• StackPivot: Detects if the stack address was changed. Exploit usually modifies ESP register to point to its fake or the crafted stack memory that contains its ROP chains.
• RopCall: Ensures that system critical APIs are called from CALL instructions and not JMP or RET.
• RopFlow: Performs simulation of execution of return addresses in the stack when a system critical API is called. It checks if RET address points to another critical API or if it points to a memory not properly marked as executable. If either of the case is true, then it is ROP attack. It simulates to a maximum allowed number of instructions to avoid performance effect.
• RopHeap: Denies call to memory protection APIs to heap that is executed afterwards using ROP invocation (RET).