There are a number of ways by which an attacker can execute arbitrary code on a target machine, such as a personal computer, in order to gain control of that machine. Whatever the attack vector, however, it must give the attacker the ability to directly or indirectly alter the execution path of a software program or process in a controllable and predictable fashion, so that the process can be made to run code supplied by the attacker and the attacker thereby gains control of the target machine.
As such, the attacker must have some knowledge of the address space layout of the process being attacked. Knowledge of the address space layout of a particular process allows an attacker to redirect execution to a location in memory that the attacker controls, thereby allowing the attacker to execute arbitrary code on a Windows operating system and gain control of the target machine.
An address space layout may include multiple segments such as stacks, heaps, memory mapped files, arbitrary memory allocations, executable image mapping, DLL image mappings, TEB(s) and a PEB. Stacks, heaps, memory mapped files, arbitrary memory allocations and executable image mappings are found in most common operating systems, while the PEB (“Process Environment Block”) and the TEB (“Thread Environment Block”) are memory region types unique to the Windows operating system.
To date, there have been a number of implementations that have tried to either partially or universally stop exploitation of software vulnerabilities, such as Address Space Layout Randomization (“ASLR”). ASLR is a term that is used to describe the action of making the address space layout for a particular process' virtual address space unpredictable, either wholly or in part. Although the means of implementing ASLR varies greatly depending on the particular platform, it usually involves randomizing certain types of memory allocations across the span of a process' execution.
The major benefit of ASLR over other approaches is that the impact on performance of the process incurred by randomization of the address space is negligible. ASLR also has the benefit of not breaking legacy applications that rely on writable memory regions remaining executable. In addition, ASLR is the only method that, when done in whole, can prevent every known method of exploitation that relies on knowing something about the address space of a target process.
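The following is an added illustration, not part of the original text: a small POSIX C probe (the Windows PEB/TEB are not modelled) that samples one address from each region type listed above and, when handed the previous run's snapshot, reports which regions the operating system actually relocated between runs. The region names and the `moved_regions` helper are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <inttypes.h>

/* Constructed POSIX illustration (not the Windows PEB/TEB layout): sample one
 * address from each region type the text lists, from the running process. */
typedef struct { uintptr_t stack, heap, image, library; } layout_t;
enum { R_STACK = 1, R_HEAP = 2, R_IMAGE = 4, R_LIBRARY = 8 };
layout_t sample_layout(void) {
    layout_t l;
    int probe = 0;                         /* a local: lives on this thread's stack */
    void *blk = malloc(64);                /* a heap allocation                     */
    l.stack   = (uintptr_t)&probe;
    l.heap    = (uintptr_t)blk;
    l.image   = (uintptr_t)sample_layout;  /* code inside the executable image      */
    l.library = (uintptr_t)stdout;         /* libc's FILE object: in the C library's mapping */
    free(blk);
    return l;
}
/* Bitmask of regions whose address changed between two runs. A region that
 * comes back at the same address is one an exploit could simply hard-code. */
unsigned moved_regions(layout_t a, layout_t b) {
    unsigned m = 0;
    if (a.stack   != b.stack)   m |= R_STACK;
    if (a.heap    != b.heap)    m |= R_HEAP;
    if (a.image   != b.image)   m |= R_IMAGE;    /* fixed unless built as PIE */
    if (a.library != b.library) m |= R_LIBRARY;
    return m;
}
/* Text form so one run's snapshot can be handed to the next run via argv[1]. */
int format_layout(layout_t l, char *out, size_t n) {
    return snprintf(out, n, "%" PRIxPTR " %" PRIxPTR " %" PRIxPTR " %" PRIxPTR,
                    l.stack, l.heap, l.image, l.library);
}
int parse_layout(const char *s, layout_t *l) {
    return sscanf(s, "%" SCNxPTR " %" SCNxPTR " %" SCNxPTR " %" SCNxPTR,
                  &l->stack, &l->heap, &l->image, &l->library) == 4;
}
int main(int argc, char **argv) {
    layout_t now = sample_layout(), prev; char line[128];
    format_layout(now, line, sizeof line);
    if (argc < 2) { puts(line); return 0; }  /* first run: print the snapshot */
    if (!parse_layout(argv[1], &prev)) return 2;
    unsigned m = moved_regions(prev, now);
    printf("randomized: stack=%d heap=%d image=%d library=%d\n", !!(m & R_STACK),
           !!(m & R_HEAP), !!(m & R_IMAGE), !!(m & R_LIBRARY));
    return 0;
}
```

Run it once to get a snapshot, then again with that snapshot quoted as the single argument (for example `./probe "$(./probe)"`); an `image=0` result on a non-PIE build shows the executable mapping is exactly the kind of fixed, predictable region the text describes.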
However, there is a need in the art for an ASLR system for a Windows operating system in order to protect such an operating system from attack as well as to mitigate a large class of vulnerabilities inherent in the Windows operating system. In addition, there is a need for SEH overwrite protection for a Windows operating system.