Web browser security is a notorious problem, as the recent Pwn2Own contest has once again demonstrated. Windows Vista and Windows 7 have much stronger systematic protections against the exploitation of security flaws than Windows XP does. Address Space Layout Randomization (ASLR) makes existing flaws harder to exploit by making the layout of a process's memory unpredictable, so that an exploit cannot rely on code or data sitting at a known address. This protection is not perfect (a single information leak that reveals one address can undo it, and other circumvention techniques are known), but every obstacle makes the would-be attacker's job harder. ASLR is also considerably more effective on a 64-bit operating system, where there are far more address bits available to randomize, and this is another area where XP falls behind: 64-bit XP is a bastard hybrid of Windows XP and Windows Server 2003, with the result that much 64-bit software that works properly on Vista and 7 works badly or not at all on XP x64.
More substantial protection is provided by Mandatory Integrity Control (MIC), a feature of the two modern operating systems. Every process token and every securable object (files, registry keys, and so on) carries an integrity label, and the kernel refuses to let a process write to any object whose label is higher than the process's own. Almost all of the file system and registry carries the default Medium label, so a process marked "Low Integrity" (which is how Internet Explorer's Protected Mode runs the browser on Vista and 7) can write only to the few locations that are explicitly labelled Low, such as the user's AppData\LocalLow folder and the Low subfolder of the temporary directory. The result is that even if the Web browser is compromised, the attacker is greatly restricted. He can still read most data (by default MIC blocks only writes to higher-labelled objects, although a no-read-up policy can be placed on individual objects), but he cannot install rootkits, trojans, spyware, or anything else that needs to persist, because he cannot write to the parts of the file system and registry that such software depends on: Program Files, the Startup folder, the Run keys in the registry, and so on.
Importantly, this protection is of a different kind from the others. Features like ASLR (and DEP, which XP also has from Service Pack 2 onwards) are mitigations: they make the attacker's job harder but erect no hard, kernel-enforced barrier, which is why, with skill, they can be bypassed. MIC is an access check that the kernel performs whenever a process opens an object, and skill alone does not get around it; to escape it an attacker has to find and use a second exploit, one that lets the process elevate its privileges and shed the "Low Integrity" label. If he cannot do this, he remains trapped in the Low Integrity sandbox, unable to install his malicious software.
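To see exactly where that barrier sits, the following PowerShell script is an added example (written for this page, not code from the original post or from Microsoft). It starts a Low-integrity shell and has it try to write to the user's profile, to HKCU, and to the Low-labelled AppData\LocalLow folder. It assumes Windows Vista or later, a normal non-elevated user session, and the default labels on the profile; the mic-demo directory, file and key names are chosen for the demonstration.

```powershell
# Added example for this post (not code from the original): launch a Low-integrity
# shell and watch MIC's no-write-up rule block writes to Medium-labelled locations.
# Assumptions: Windows Vista or later, an ordinary (non-elevated) user session, and
# the default labels on the user profile. The "mic-demo" paths are invented here.

$work = Join-Path $env:TEMP 'mic-demo'
New-Item -ItemType Directory -Force -Path $work | Out-Null

# A process runs at the lower of its parent's integrity level and the label on its
# executable file, so a private copy of cmd.exe labelled Low starts a Low shell
# without any special API. icacls may set the label because we own the copy.
$lowCmd = Join-Path $work 'lowcmd.exe'
Copy-Item "$env:SystemRoot\System32\cmd.exe" -Destination $lowCmd -Force
icacls $lowCmd /setintegritylevel Low | Out-Null
icacls $lowCmd | Select-String 'Mandatory Label'   # shows ...\Low Mandatory Level:(NW)

# Write targets: the profile root and HKCU carry the default Medium label;
# AppData\LocalLow is the explicitly Low-labelled area that Protected Mode IE uses.
$mediumFile = Join-Path $env:USERPROFILE 'mic-demo-medium.txt'
$lowFile    = Join-Path $env:USERPROFILE 'AppData\LocalLow\mic-demo-low.txt'
$mediumKey  = 'HKCU:\Software\mic-demo'

# The probe runs inside the Low process. It is handed over as -EncodedCommand so no
# quoting has to survive the cmd.exe hop; backticks keep `$t and `$_ unexpanded here.
$probe = @"
whoami /groups | Select-String 'Mandatory Label' | ForEach-Object { `$_.Line.Trim() }
foreach (`$t in @('$mediumFile', '$lowFile')) {
    try {
        Set-Content -Path `$t -Value 'written from a Low integrity process' -ErrorAction Stop
        "WROTE   `$t"
    } catch {
        "DENIED  `$t  (`$(`$_.Exception.GetType().Name))"
    }
}
try {
    New-Item -Path '$mediumKey' -Force -ErrorAction Stop | Out-Null
    "WROTE   $mediumKey"
} catch {
    "DENIED  $mediumKey  (`$(`$_.Exception.GetType().Name))"
}
"@
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($probe))

# The Low cmd.exe starts powershell.exe; the child stays Low because that is the
# minimum of the parent's level and the Medium default label on powershell.exe.
& $lowCmd /c powershell.exe -NoProfile -NonInteractive -EncodedCommand $encoded

# Remove the one file the Low process was permitted to create, plus the work dir.
Remove-Item $lowFile, $work -Recurse -Force -ErrorAction SilentlyContinue
```

The first line of output is the token's "Mandatory Label\Low Mandatory Level" group; the profile file and the HKCU key should come back DENIED (an UnauthorizedAccessException and a SecurityException respectively), and only the LocalLow file should report WROTE. Running the same `$encoded` probe directly from the Medium-level session (`powershell.exe -NoProfile -EncodedCommand $encoded`) writes all three, which is the whole difference the label makes; delete the extra file and key by hand afterwards if you do that.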
Privilege escalation vulnerabilities, flaws in the kernel or in a privileged service that give a process more rights than it should have, do exist, so even MIC is no panacea. But they are substantially rarer than ordinary browser flaws, and because a single one undermines the sandbox for every program that relies on it, they tend to be fixed more quickly. Most important of all, they can be fixed, because each one is a bug in a specific piece of code. DEP and ASLR cannot be fixed in the same sense; the techniques used to get around them are, to an extent, inherent in the way those mitigations work.