Linked by Amjith Ramanujam on Fri 8th Aug 2008 13:14 UTC
Windows This week at the Black Hat Security Conference two security researchers will discuss their findings which could completely bring Windows Vista to its knees. According to Dino Dai Zovi, a popular security researcher, "the genius of this is that it's completely reusable. They have attacks that let them load chosen content to a chosen location with chosen permissions. That's completely game over."
RE[4]: Summary of "exploit"
by vaette on Mon 11th Aug 2008 15:46 UTC in reply to "RE[3]: Summary of "exploit""

This aspect of it does appear to be a bug. Sure, VMs will need to write to pages and then execute for the sake of JIT code generation. However, what they should do, and .NET normally does, is at the very least have heap pages non-executable (that is, any page which is not a target of the JIT). Additionally the JIT should not leave its pages writable once done with a round of compilation (which would only mean that there exists readable/executable pages during the instants when the JIT is actively running, and only for touched pages at that time).

It is the first case that .NET can be fooled into failing on (and Java always fails on), getting non-code pages with executable permissions. I am not sure whether it handles the latter case well or not, which is an interesting question in itself, but not something that is exploited in this paper either way.

Overall this seems to be rather neglected by VMs, which is kind of frightening as the whole point of most VMs is to be a core part of sandboxing and other such security measures.

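The page-permission discipline the comment above describes (heap pages never executable, JIT output made non-writable once a compilation round is done) is easy to show in a few lines of C. The following is an added example written for this page; it is not code from the thread, from .NET or from any JVM. It assumes a POSIX system with `mmap`/`mprotect` (Linux or macOS) on x86-64 or AArch64, a page-sized code buffer, and a constructed six- or eight-byte function body that simply returns 42. A small SIGSEGV/SIGBUS probe is used to confirm that the sealed page really does reject writes, which is the property the comment says a JIT should guarantee between compilation rounds.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* One page for the JIT buffer (assumption for this demo; real JITs use arenas). */
static size_t page_size(void) {
    long p = sysconf(_SC_PAGESIZE);
    return p > 0 ? (size_t)p : 4096;
}

/* Step 1: allocate the code buffer WRITABLE but NOT executable (RW, never RWX). */
uint8_t *jit_alloc(size_t len) {
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return p == MAP_FAILED ? NULL : (uint8_t *)p;
}

/* Step 2: "compile" into the RW buffer. The bytes are a constructed stand-in for
   JIT output: a function that returns 42. Returns bytes written, 0 if the
   architecture is not one of the two handled here. */
size_t jit_emit_return42(uint8_t *buf) {
#if defined(__x86_64__)
    static const uint8_t code[] = {0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3}; /* mov eax,42 ; ret */
#elif defined(__aarch64__)
    static const uint8_t code[] = {0x40, 0x05, 0x80, 0x52,              /* mov w0,#42 */
                                   0xC0, 0x03, 0x5F, 0xD6};             /* ret        */
#else
    (void)buf;
    return 0;
#endif
    memcpy(buf, code, sizeof code);
    return sizeof code;
}

/* Step 3: seal the buffer once the compilation round is done: drop W, add X.
   The page is RW before this call and RX after it; at no point is it RWX. */
int jit_seal(uint8_t *buf, size_t len) {
    __builtin___clear_cache((char *)buf, (char *)buf + len); /* needed on AArch64 */
    return mprotect(buf, len, PROT_READ | PROT_EXEC);
}

/* Probe: returns 1 if a one-byte write to addr faults (page not writable), else 0.
   Linux raises SIGSEGV for this, macOS SIGBUS, so both are caught. */
static sigjmp_buf probe_env;
static void probe_handler(int sig) { (void)sig; siglongjmp(probe_env, 1); }

int write_faults(volatile uint8_t *addr) {
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = probe_handler;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);
    int faulted;
    if (sigsetjmp(probe_env, 1) == 0) {
        *addr = *addr;          /* attempt the write; faults if the page is RX */
        faulted = 0;
    } else {
        faulted = 1;
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return faulted;
}

/* Full sequence: RW alloc -> emit -> seal to RX -> call. Returns the JIT'd
   function's result (42) or -1 on failure. *sealed_rejects_write is set to the
   probe result on the sealed page (expected 1). */
int jit_demo(int *sealed_rejects_write) {
    size_t len = page_size();
    uint8_t *buf = jit_alloc(len);
    if (!buf) return -1;
    if (jit_emit_return42(buf) == 0 || jit_seal(buf, len) != 0) {
        munmap(buf, len);
        return -1;
    }
    if (sealed_rejects_write) *sealed_rejects_write = write_faults(buf);
    int (*fn)(void);
    memcpy(&fn, &buf, sizeof fn);   /* object->function pointer without a pedantic cast */
    int r = fn();
    munmap(buf, len);
    return r;
}

int main(void) {
    int rejects = -1;
    int r = jit_demo(&rejects);
    printf("jit result=%d, sealed page rejects writes=%d\n", r, rejects);
    return r == 42 && rejects == 1 ? 0 : 1;
}
```

The point of the probe is that it checks the invariant the comment asks for rather than trusting the `mprotect` call: after `jit_seal`, a write to the code page must fault. The same probe applied before sealing succeeds, which is the window the comment describes as "only for touched pages at that time". A JIT that skipped the seal step, or mapped its heap with `PROT_EXEC` from the start, would fail this check on every page.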