Buffer Underruns and Stack Protection
Starting with Windows 2003 Server, Microsoft introduced a number of Exploitation Prevention Mechanisms (XPMs) into its software. Over time these XPMs were refined as weaknesses were discovered [1][2], and further XPMs were introduced. Today the XPMs have been added to Windows XP Service Pack 2 and Windows 2003 Service Pack 1 and include protection of the saved base pointer and saved return address by means of a security cookie (canary) on the stack, variable re-ordering, parameter saving, NX/DEP, software DEP and Safe SEH. XPMs are realized through a combination of architectural changes to the OS, hardware capabilities and modifications to the Microsoft compilers, which insert protective prologues and epilogues into potentially dangerous functions; the latter is commonly known as “GS”, after the compiler flag used to turn on “stack protection”. Whilst there are recognized improvements that could be made to the heap-related XPMs, in most cases where code still contains a stack-based overflow the current incarnations of the stack-related XPMs make it extremely difficult, if not impossible, to exploit. This is true of buffer overrun vulnerabilities; however, it is not true of buffer underrun vulnerabilities.
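To make the last point concrete, the following C program is an added example (not code from the paper) that models a GS-protected frame as a plain struct rather than as real stack memory, so it runs deterministically. The layout follows what GS variable re-ordering produces: the character buffer sits above the other locals, and the cookie sits between the buffer and the saved frame pointer and return address. The cookie value, the frame contents and the write sizes are constructed for the illustration. A write that runs past the end of the buffer hits the cookie before it can reach the return address, so the epilogue check fires; a write that starts before the buffer moves away from the cookie, corrupts the lower-addressed locals, and is never noticed by the cookie check.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a GS-protected frame. Indices grow with addresses,
 * as on x86: other locals sit below the buffer, the cookie sits between the
 * buffer and the saved EBP / return address (the GS re-ordered layout). */
#define LOCALS_LEN 16
#define BUF_LEN    32
#define COOKIE     0xA5B6C7D8u   /* constructed stand-in for the GS cookie */
#define RET_ADDR   0x00401000u   /* constructed sample return address */

struct frame {
    uint8_t  locals[LOCALS_LEN];  /* lowest addresses: pointers, integers, ... */
    uint8_t  buf[BUF_LEN];        /* the character buffer a function writes into */
    uint32_t cookie;              /* copy of the cookie, checked in the epilogue */
    uint32_t saved_ebp;
    uint32_t ret_addr;            /* highest addresses */
};

struct outcome {
    bool cookie_check_failed;  /* what the GS epilogue check would report */
    bool locals_clobbered;     /* locals below the buffer were overwritten */
    bool ret_addr_clobbered;   /* saved return address was overwritten */
};

/* Fill the frame with recognisable values. */
static void init_frame(struct frame *f) {
    memset(f->locals, 0x11, sizeof f->locals);
    memset(f->buf, 0x00, sizeof f->buf);
    f->cookie = COOKIE;
    f->saved_ebp = 0x0012FF80u;
    f->ret_addr = RET_ADDR;
}

/* Write len bytes of 0x41 starting at buf[offset]. A negative offset models
 * an underrun; len > BUF_LEN models an overrun. The write is clipped to the
 * frame struct so the model never touches memory outside it. */
struct outcome model_write(long offset, size_t len) {
    struct frame f;
    init_frame(&f);

    uint8_t *base = (uint8_t *)&f;
    long start = (long)offsetof(struct frame, buf) + offset;
    long end = start + (long)len;
    if (start < 0) start = 0;
    if (end > (long)sizeof f) end = (long)sizeof f;
    if (end > start) memset(base + start, 0x41, (size_t)(end - start));

    uint8_t pristine[LOCALS_LEN];
    memset(pristine, 0x11, sizeof pristine);

    struct outcome o;
    o.cookie_check_failed = (f.cookie != COOKIE);
    o.locals_clobbered = (memcmp(f.locals, pristine, sizeof pristine) != 0);
    o.ret_addr_clobbered = (f.ret_addr != RET_ADDR);
    return o;
}

int main(void) {
    struct { const char *name; long off; size_t len; } cases[] = {
        {"in-bounds write",                 0,  BUF_LEN},
        {"overrun by 4 bytes",              0,  BUF_LEN + 4},
        {"overrun reaching return address", 0,  BUF_LEN + 12},
        {"underrun by 8 bytes",            -8,  8},
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        struct outcome o = model_write(cases[i].off, cases[i].len);
        printf("%-32s cookie check failed=%d  locals clobbered=%d  ret clobbered=%d\n",
               cases[i].name, o.cookie_check_failed, o.locals_clobbered,
               o.ret_addr_clobbered);
    }
    return 0;
}
```

The in-bounds and overrun rows show the cookie doing its job: the 4-byte overrun is caught even though the return address is untouched, and the larger one is caught as well. The underrun row is the case the paragraph above is about: the cookie check passes while the locals below the buffer have been overwritten, which is why a negative index or a miscomputed length that moves a write backwards is outside what the stack cookie can detect and must be caught by bounds checking, by the other XPMs such as NX/DEP, or by code review.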
Author: David Litchfield