Windows 7 Kernel Feature Improves Security – Safe Unlinking

The Windows 7 kernel has a new feature called “Safe Unlinking”, to help increase security and prevent vulnerabilities known as pool overrun attacks. This will make the experience of using Windows 7 faster, more reliable and above all, safer by making it harder for people to launch these attacks.

It sits in the memory allocation section of the kernel and performs a series of checks to detect memory corruption, and potential pool overrun attacks. This is the latest in a succession of new security features that MS have been adding over the last few years including:

  • Stack protection (/GS)
  • Data Execution Prevention (DEP)
  • Heap Protection
  • Address Space Layout Randomization (ASLR)
  • Structured Exception Handler Overwrite Protection (SEHOP)

Peter Beck, from Microsoft’s Security Research & Defense team says:

“This simple check blocks the most common exploit technique for pool overruns. It doesn’t mean pool overruns are impossible to exploit, but it significantly increases the work for an attacker”.

What is an overrun attack?

Wikipedia explains it as:

“Memory (on the heap) is dynamically allocated by the application at run-time and typically contains program data. Exploitation is performed by corrupting this data in specific ways to cause the application to overwrite internal structures such as linked list pointers.”

Safe Unlinking will also help improve the reliability of Windows 7 by performing a Bug Check as soon as an overrun is detected, which will prevent further memory corruption, crashes and errors.

More detailed technical information can be found on the MS Security Research & Defense blog here.

5 Replies to “Windows 7 Kernel Feature Improves Security – Safe Unlinking”

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: