Learning Curve » Can't Take a Punch
Microsoft's Remedies: SEH
Protecting that glass jaw.
To understand what SafeSEH ('safe structured exception handling') is one must first understand what structured exception handling (SEH) is.
Structured exception handling is, very simply, the ability to deal with the unforeseen: 'exceptional' behaviour. Blocks of code can effectively be wrapped in so-called exception handlers so that if something does go south the exception handler code can kick in. Nontrivial processes can have a number of nested exception handlers waiting to take over if anything should go wrong.
But exception handler information will also be written on the process stack. And so if the hackers can overwrite the stack by feeding the process bad data they can in effect install their own exception handler.
SafeSEH is a code enhancement Microsoft are using to attempt to prevent this. The introductory 'header' information in a program using SafeSEH will contain a table of all valid exception handlers. Should an exception be raised, the system will first check the table to see whether the handler is in fact valid.
As intimated above, programs have nested exception handlers: these are in effect linked together. This is also a weakness hackers can exploit. Microsoft have now come upon a method of detecting whether the list itself has been corrupted.
The attack vector is easier to understand if one first understands that exception handlers can opt to return an exception back to the system in what is commonly called a 'stack unwind': the handler effectively tells the system 'I don't want to handle this - so why don't you see if someone else does?' It's this type of behaviour hackers can take advantage of.
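The two checks described above (the SafeSEH table lookup of a handler address, and the detection of a corrupted handler chain) can be modelled in a few lines. The following is an added example written for this page, not Windows' own code: the stack region, module range, handler table and the address of the system's final handler are all constructed values, and the chain-walk rules are a simplified model of what the dispatcher does, not a description of its real implementation.

```python
"""Simplified model of SafeSEH handler validation plus chain-integrity checking.

Each EXCEPTION_REGISTRATION record on the stack is two 32-bit words: a pointer
to the next record (0xFFFFFFFF at the end of the chain) and the handler address.
All addresses below are constructed for the example.
"""
import struct

END_OF_CHAIN = 0xFFFFFFFF
STACK_BASE = 0x0012F000            # constructed stack region
STACK_SIZE = 0x1000
MODULE_BASE = 0x00400000           # constructed image range of the program
MODULE_SIZE = 0x00010000
SAFE_HANDLER_TABLE = {0x00401000, 0x00401200}   # handlers listed in the image's header table
FINAL_HANDLER = 0x77E01000         # constructed address of the system's terminating handler
MAX_RECORDS = 32
HEAD = STACK_BASE + 0x100          # address of the innermost registration record


def build_stack(records):
    """Lay out (next, handler) records at the given stack offsets in a bytes image."""
    buf = bytearray(STACK_SIZE)
    for offset, (nxt, handler) in records.items():
        struct.pack_into('<II', buf, offset, nxt, handler)
    return bytes(buf)


def read_record(stack, addr):
    """Return (next, handler) at addr, or None if addr is not a valid stack slot."""
    off = addr - STACK_BASE
    if off < 0 or off + 8 > STACK_SIZE or off % 4:
        return None
    return struct.unpack_from('<II', stack, off)


def in_module(addr):
    return MODULE_BASE <= addr < MODULE_BASE + MODULE_SIZE


def in_stack(addr):
    return STACK_BASE <= addr < STACK_BASE + STACK_SIZE


def validate_chain(stack, head):
    """Walk the chain from head; return (ok, reason)."""
    addr, seen = head, 0
    while addr != END_OF_CHAIN:
        rec = read_record(stack, addr)
        if rec is None:
            return False, f'record at {addr:#010x} lies outside the stack'
        nxt, handler = rec
        # a handler must never live in writable stack memory
        if in_stack(handler):
            return False, f'handler {handler:#010x} points into the stack'
        # SafeSEH: a handler inside the image must appear in the registered table
        if in_module(handler) and handler not in SAFE_HANDLER_TABLE:
            return False, f'handler {handler:#010x} not in SafeSEH table'
        # records are pushed by nested frames, so each 'next' must move up the stack
        if nxt != END_OF_CHAIN and nxt <= addr:
            return False, f'next pointer {nxt:#010x} does not move up the stack'
        seen += 1
        if seen > MAX_RECORDS:
            return False, 'chain too long'
        # chain-integrity check: the list must end at the system's own final handler
        if nxt == END_OF_CHAIN:
            if handler != FINAL_HANDLER:
                return False, 'chain does not end at the system final handler'
            return True, f'{seen} records validated'
        addr = nxt
    return False, 'empty chain'


def example_cases():
    """Constructed stacks: one intact chain and four corrupted variants."""
    good = {0x100: (STACK_BASE + 0x200, 0x00401000),
            0x200: (STACK_BASE + 0x300, 0x00401200),
            0x300: (END_OF_CHAIN, FINAL_HANDLER)}
    cases = {'intact': good}
    c = dict(good); c[0x100] = (STACK_BASE + 0x200, STACK_BASE + 0x120)
    cases['handler_on_stack'] = c          # handler field now points back into the stack
    c = dict(good); c[0x100] = (STACK_BASE + 0x200, 0x00401500)
    cases['unregistered_handler'] = c      # in the image, but not in the table
    c = dict(good); c[0x100] = (0x41414141, 0x00401000)
    cases['next_off_stack'] = c            # next pointer clobbered with filler
    c = dict(good); c[0x100] = (END_OF_CHAIN, 0x00401000)
    cases['truncated_chain'] = c           # list no longer reaches the final handler
    return {name: build_stack(recs) for name, recs in cases.items()}


if __name__ == '__main__':
    for name, stack in example_cases().items():
        print(f'{name:22s}', validate_chain(stack, HEAD))
```

Only the intact chain passes; each corrupted variant is rejected with a reason that names which of the two checks caught it, which is the distinction the text draws between validating a single handler and validating the list as a whole.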
So is that enough? This is safe now? And how about heap protection?