




Windows Vista Heap Management Enhancements
Adrian Marinescu
Development Lead
adrmarin

Agenda
- Windows NT Heap Management basics and evolution
- Windows Vista heap major milestone
- Development principles and guidelines
- Security features
- Performance features
- Q & A

Introduction
- Security: industry-wide concern
  - TwC driving multiple security initiatives
- The NT Heap
  - Strategic point in defense
  - Improved to respond to industry trends in usage

Part I Basics

Block Entry in prior Windows NT Versions
[Figure: block entry header diagram with fields labeled segment, Size, unused bytes, flags, tag, F-Link and B-Link; debugger excerpt "0:018> dc 04392f80" showing 000200010442da60]

Early Heap Mitigations
- Safe List Removal
  - Entry->FwdLink->BkLink = Entry->BkLink->FwdLink = Entry
- 8-bit cookie tested on free
- LFH block entry encoding
  - F (random number, Block address, heap)

Change in Landscape
- New exploiting methods surfaced
- Change in usage outlook
  - Memory usage
  - Increase availability of SMP
  - Increase relevance of 64 bit computing
- Code quality: higher demand in industry

Windows Vista Heap Manager: Key Development Directions
- Performance and reliability
- Security
- Code quality

Windows NT Heap Requirements
- Security
  - Correctness like:
    - Guarantees requested sizes
    - Lifetime of allocations
    - Clearing content when requested etc.
  - Defense line in heap based exploits:
    - Attempts to mitigate the effect of an attack
    - Makes difficult hiding heap-based exploits
- Performance
  - Scale from small devices to large servers
  - Optimized for varied usage patterns
  - Follow the industry trend
    - Memory usage
    - Increase in SMP availability
    - H/W architecture advances
- Compatibility
  - Applications may rely on things like:
    - Realloc returning same pointer
    - Read/write after releasing a block
    - Double free
    - Overruns over unused structures etc.
  - Heap changes may have unintended effects, such as:
    - Crashes, leaks or broken functionality in poorly written applications
    - Severe performance regressions

Part II - Windows Vista Heap

Windows Vista Heap Security Features
- Block metadata randomization
- Integrity check on block entry
- Algorithm variation in response to usage pattern
- Random rebasing
- Function pointer randomization
- Abrupt application termination on error

Block Metadata Randomization
- A part of the header is XOR'd with a random value
  - Low performance impact
  - Should make guessing the right value impractical
- Flexible and contained algorithm and implementation
  - Agile in updates

Entry Integrity Check
- Previous 8-bit cookie has been repurposed to validate a larger part of the header
- Value may be randomized along with the other fields
- Validated during internal operations too

Demo: Heap Header Layout

Runtime Algorithm Variation
- Automatic tuning
- Shift to LFH allocations at arbitrary points on runtime
- Triggers on various patterns
- Involves also de-commit / commit policies

More Heap Randomizations
- Heap base randomization, things to consider:
  - Fragmentation of the application address space affecting large server applications
  - Possible performance issues if higher randomization is used
- Heap function pointer randomization
  - Takes away a known place to facilitate the code execution along with rebasing

Demo

Abrupt Termination on Error
- Any data inconsistency or invalid heap function usage detected may trigger it
- The scope is process-wide (any heap in the process has the same behavior)
- The process is terminated via Windows Error Reporting
  - Detailed info is available in the dump file
- No function provided to disable it
- On by default for 64 bit platforms & apps

Termination on Errors (cont.)
- Programmatic opt-in method (new HeapEnableTerminationOnCorruption class defined)
  - BOOL HeapSetInformation(HANDLE, HEAP_INFORMATION_CLASS, PVOID, SIZE_T);
- Large number of components with Windows Vista are opted in
- The information is available in a debugger extension

Demo

NT Heap Manager Improves Code Quality
- Benefits to app developers
  - Early error detection
  - Improved debugging aid to reduce cost of investigating corruptions
- Reduced tolerance to misusage
  - Windows Vista apps will be more resilient to future heap changes

Known Attack Vectors & Windows Vista
- Removed lookaside list and array of lists targeted by previous exploits
- Integrity check on block metadata: significant obstacle to brute force attacks
- Most Windows processes terminate on memory errors
- Dynamic (runtime) change in heap algorithms: obstacle to consistent exploits
- Heap structures and memory mgmt changes limit portability of exploits
- Security enhancements are a journey
  - Mitigations are not substitute for good development practices
  - Windows Vista is just a milestone in continual heap improvements

Windows Vista Heap Perf & Reliability
- Improved scenarios by default for:
  - SMP scalability
  - External fragmentation
  - Large heaps
- Improved reference locality on 64 bit platforms
- Reduced Virtual Address exhaustion
- Increased resilience to patterns involving long-term allocations

Key Performance Enhancements
- Automatic tuning
- Lower granularity of control policies to switch to the Low Fragmentation Heap
- Use of lazy initialization
- Redesigned segment management
- Improved internal lookup algorithms
- Addressed fragmentation in problematic scenarios
- Lower overhead on 64 bit

Summary
- Attacks get more sophisticated
- But so does the heap management, and not only for security
- We laid the foundation for increased agility in heap improvements with reduced compatibility risks
- Improved scenarios for SMP and large memory usage
- Designed to enhance the code quality for applications
- We are not yet done
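
The "Safe List Removal" check listed under Early Heap Mitigations, written out as an added C example (not code from the deck or from Windows). The list helpers and the demo scenario are assumptions; only the FwdLink/BkLink names and the checked condition come from the slide.

```c
#include <stddef.h>

/* Doubly linked free-list entry, using the field names from the slide. */
typedef struct list_entry {
    struct list_entry *FwdLink;
    struct list_entry *BkLink;
} list_entry;

static void list_init(list_entry *head) {
    head->FwdLink = head->BkLink = head;
}

static void insert_tail(list_entry *head, list_entry *e) {
    e->FwdLink = head;
    e->BkLink = head->BkLink;
    head->BkLink->FwdLink = e;
    head->BkLink = e;
}

/* Unlink e only if both neighbours still point back at it.
   Returns 1 on success, 0 if the links are inconsistent; a heap would
   treat 0 as corruption instead of performing the two pointer writes. */
int safe_unlink(list_entry *e) {
    list_entry *f = e->FwdLink, *b = e->BkLink;
    if (f->BkLink != e || b->FwdLink != e)
        return 0;
    b->FwdLink = f;
    f->BkLink = b;
    e->FwdLink = e->BkLink = e;
    return 1;
}

/* Constructed scenario: an intact entry unlinks normally, then entry b has
   its links overwritten to point at unrelated memory (decoy). Returns 1 if
   the second unlink is refused and decoy is left untouched. */
int demo_corrupt_links_rejected(void) {
    list_entry head, a, b, c, decoy = { NULL, NULL };
    list_init(&head);
    insert_tail(&head, &a);
    insert_tail(&head, &b);
    insert_tail(&head, &c);
    int unlinked = safe_unlink(&a) && head.FwdLink == &b;
    b.FwdLink = &decoy;            /* simulated overflow into b's links */
    b.BkLink = &decoy;
    int refused = !safe_unlink(&b);
    return unlinked && refused && decoy.FwdLink == NULL && decoy.BkLink == NULL;
}
```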
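
A small model of the Block Metadata Randomization and Entry Integrity Check slides, added here as an illustration and not taken from the deck or from the Windows heap. The header layout, the XOR-based check formula, the key value and all function names are assumptions.

```c
#include <stdint.h>
#include <string.h>

/* Simplified 8-byte block header; this layout is an assumption. */
typedef struct {
    uint16_t size;        /* block size in allocation units */
    uint8_t  flags;       /* busy/free bits */
    uint8_t  check;       /* 8-bit integrity value over size and flags */
    uint16_t prev_size;
    uint8_t  segment, unused;
} block_hdr;
typedef struct { uint32_t key; } heap_t;   /* per-heap random value */

static uint8_t hdr_check(const block_hdr *h) {
    return (uint8_t)((h->size & 0xff) ^ (h->size >> 8) ^ h->flags);
}

/* XOR the first four header bytes (size, flags, check) with the key. */
static void hdr_xor(const heap_t *heap, block_hdr *h) {
    uint32_t w;
    memcpy(&w, h, sizeof w);
    w ^= heap->key;
    memcpy(h, &w, sizeof w);
}

/* On block creation: stamp the check byte, then encode. */
void hdr_encode(const heap_t *heap, block_hdr *h) {
    h->check = hdr_check(h);
    hdr_xor(heap, h);
}

/* On free: decode a copy; return 1 and fill *out if the check byte matches. */
int hdr_validate(const heap_t *heap, const block_hdr *stored, block_hdr *out) {
    block_hdr h = *stored;
    hdr_xor(heap, &h);
    if (h.check != hdr_check(&h)) return 0;
    *out = h;
    return 1;
}

/* Constructed scenario: an overflow replaces the encoded header with
   bytes that would be self-consistent if the header were not encoded. */
int demo_overflow_detected(void) {
    heap_t heap = { 0x5F3A91C4u };   /* fixed here; random per heap in practice */
    block_hdr hdr = { 0x0020, 0x01, 0, 0x0010, 0, 0 }, out;
    block_hdr forged = { 0x0100, 0x01, 0x00, 0x0010, 0, 0 };  /* check fits unencoded */
    hdr_encode(&heap, &hdr);
    int ok_before = hdr_validate(&heap, &hdr, &out) && out.size == 0x0020;
    hdr = forged;                    /* simulated overwrite */
    return ok_before && !hdr_validate(&heap, &hdr, &out);
}
```

In this model a blind overwrite still passes with probability 1/256 for a uniformly random key, which is why the check matters most when the first failure terminates the process, as the Abrupt Termination on Error slide describes.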