Vulnerabilities that corrupt memory typically result in the execution of arbitrary code by redirecting the program flow to a writable memory area containing instructions defined by an attacker.
DEP (Data Execution Prevention) is a generic defensive measure that prevents the execution of writable memory, first added to Windows in XP Service Pack 2 in August 2004. In a default configuration, Windows applications have to inform the operating system that they want DEP enabled in their context. The most popular method of enabling DEP on pre-Vista systems is a call to the "SetProcessDEPPolicy()" function. On Windows Vista and newer systems, an executable can communicate its DEP choice by simply setting the NX_COMPAT (0x100) flag in the "DllCharacteristics" field of a PE (Portable Executable).
While DEP renders the exploit development process more complex and time consuming, code execution can still be achieved by constructing a chain of function calls to fixed executable addresses inside the address space of the target process (technique known as "return-into-libc"). In order to encumber such techniques, ASLR (Address Space Layout Randomization) was introduced with the release of Windows Vista in early 2007. If a PE file has the DYNAMIC_BASE (0x40) flag set in its "DllCharacteristics" field, the address at which the PE is loaded is randomized on each system boot. This significantly lowers the chances for a return-into-libc attack to succeed. However, note that a single module for which ASLR is not applied can at times be enough for code execution to succeed. If both DEP and ASLR are correctly deployed, the ease of exploit development decreases significantly, code execution being sometimes impossible to achieve in one attempt.
This paper intends to depict the evolution and current state of DEP and ASLR support in popular third-party Windows applications.
Windows XP SP3 and Windows 7, both running on a 32-bit platform, were used as testing environments. Sixteen of the most popular* third-party Windows applications were tested. Only applications, which had at least one memory corruption vulnerability publicly disclosed within the last two years, were chosen.
While performing ASLR compatibility tests, if DEP was found to be disabled in a tested application, code execution was considered achievable regardless of ASLR support. ASLR is, therefore, irrelevant in such cases and was not tested in detail.