Having explored the application, identity, and password security features of Windows 11 in the first part of our journey, we now venture into the realm of hardware and memory protections. Core Isolation, a key player in this space, enhances our defense against malware and attacks by isolating computer processes from the underlying operating system and device. Similarly, Memory Integrity, a component of Core Isolation, serves as a safeguard for critical system processes, leveraging Virtualization Based Security (VBS) to maintain a secure environment. As we delve deeper, we'll uncover how Windows 11 employs exploit protection mechanisms to fortify code, applications, and memory, mitigating the risk of exploitation and ensuring a safer computing experience for users.
Core Isolation
Core Isolation, a hardware-based security feature, bolsters defenses against malware and attacks by isolating computer processes from the underlying operating system and device, leveraging hardware virtualization.
Memory Integrity, which is a component of Core Isolation, safeguards critical system processes by separating them from the rest of the operating system, preventing unauthorized access. This prevents malware from reaching those system processes during an attack.
Memory Integrity leverages Virtualization Based Security (VBS), which uses the Windows hypervisor to create an isolated virtual environment that becomes the root of trust of the operating system, on the assumption that the kernel itself can be compromised. Memory Integrity analyses kernel-mode code integrity within that isolated environment and determines whether the code is safe or not. If it is safe, the code is returned to Windows to run. It also restricts kernel memory allocations that could be used to compromise the system.
Memory Integrity can also be managed via GPO or MEM, giving IT administrators multiple administration options. Please note that some programs and drivers might not be compatible with Memory Integrity, which can cause blue screens.
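To check the state described above on a host, an administrator can query the Win32_DeviceGuard WMI class and the registry value behind the Memory Integrity toggle. The following is an added example, not code from the original post; the helper names are my own, and the class, property and registry names are the documented Windows ones.

```powershell
# Added example (not from the original post): report whether VBS is running and
# whether Memory Integrity (HVCI) is active, then show the registry value that
# the Windows Security toggle, GPO and MEM all write. Run in an elevated session.

function Get-MemoryIntegrityState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard

    # VirtualizationBasedSecurityStatus: 0 = disabled, 1 = enabled but not running,
    # 2 = running. SecurityServicesRunning contains 1 for Credential Guard and
    # 2 for HVCI (Memory Integrity).
    [pscustomobject]@{
        VbsStatus              = $dg.VirtualizationBasedSecurityStatus
        HvciRunning            = [bool]($dg.SecurityServicesRunning -contains 2)
        CredentialGuardRunning = [bool]($dg.SecurityServicesRunning -contains 1)
        AvailableProperties    = $dg.AvailableSecurityProperties
    }
}

# Registry key behind the "Memory integrity" switch. Enabled = 1 turns HVCI on
# after a reboot; incompatible drivers surface as the blue screens mentioned above,
# so test on a pilot group before enforcing it fleet-wide.
$hvciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'

function Get-MemoryIntegrityRegistrySetting {
    if (Test-Path $hvciKey) {
        (Get-ItemProperty -Path $hvciKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
    } else {
        $null   # key absent: toggle never set on this machine
    }
}

function Enable-MemoryIntegrity {
    # Creates the key if needed and sets Enabled = 1; takes effect after reboot.
    New-Item -Path $hvciKey -Force | Out-Null
    New-ItemProperty -Path $hvciKey -Name Enabled -PropertyType DWord -Value 1 -Force | Out-Null
}

Get-MemoryIntegrityState
"Registry Enabled value: $(Get-MemoryIntegrityRegistrySetting)"
# Enable-MemoryIntegrity   # uncomment once driver compatibility has been verified
```

The WMI query reflects what is actually running, while the registry value reflects what is configured; the two differ until the next reboot, which is a common source of confusion when validating a GPO rollout.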
Exploit Protection
Windows 11 offers a suite of features to fortify code, applications, and memory at the execution level, mitigating the risk of exploitation.
Control Flow Guard
When an application is loaded into memory, it is assigned a region of memory whose size depends on multiple factors such as the size of its code, the memory it requests, etc. The assigned memory is not necessarily contiguous but can consist of different memory chunks at different addresses. When the application starts to execute code, it calls code located at these different memory addresses.
In the past, threat actors could exploit this behavior by altering the targets of those calls so that they pointed to a different destination of the attacker's choosing.
This possibility is mitigated in Windows 11 for applications that are compiled with CFG. When such an application makes an indirect call, CFG verifies that the target code location is trusted for execution. If the location is not trusted, the application is terminated.
Because the application must be built with CFG support, administrators cannot enable CFG for an existing binary; application developers must compile their applications with CFG enabled. Support for CFG is especially important for applications that are high-risk targets, such as internet browsers.
Data Execution Prevention
Data Execution Prevention (DEP) is a system-level memory protection feature that allows the operating system to mark one or more pages of memory as non-executable, which means that code cannot run from those areas.
This helps prevent malware execution, as malware usually depends on its ability to insert a malicious payload into memory in the hope that it will be executed later. If that payload is inserted into a no-execute part of memory, it cannot be executed; DEP stops and terminates the application. By default, DEP protects essential Windows programs and services only.
Some applications might have issues with DEP. If that is the case, individual applications can be excluded from DEP protection either locally on the computer under System -> Advanced System Settings -> Advanced (Performance) -> Data Execution Prevention, or system administrators can leverage GPO for DEP exclusions. The exclusions can be made under the Administrative Templates\System\Mitigation Options\Process Mitigation Options setting.
More on GPO exclusions can be read in the following Microsoft article - https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/override-mitigation-options-for-app-related-security-policies
Address Space Layout Randomization
ASLR hinders the exploitation of memory-corruption vulnerabilities by randomizing the base address of a program each time the program is executed, which prevents one exploit from being effective on all machines. The weakness of ASLR is that the entire program is moved as one unit. An example of ASLR can be seen in the picture below.
[Figure: Picture shows how ASLR functions]
Force randomization for images
This is a subsection of ASLR where Windows forces a rebase of all DLLs within the process, and of all DLLs and EXEs when mapping an image into the process. This rebasing has no entropy, so the resulting locations could be predicted.
Force randomization can have an impact on older applications that were built using compilers that made assumptions about the base address of a binary file or have stripped out base relocation information. This can lead to unpredictable errors.
Randomize memory allocations
Randomize memory allocations (Bottom-up ASLR) adds entropy to relocations, so their location is randomized and therefore less predictable. This mitigation requires Mandatory ASLR to take effect.
High-entropy ASLR
High-entropy ASLR adds 24 bits of entropy into the bottom-up allocation for 64-bit applications, making address prediction even harder.
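CFG, DEP and the ASLR variants above are all declared by the linker in the DllCharacteristics field of the PE optional header, which is why an administrator can verify a binary's support but cannot add CFG afterwards. The function below reads that field directly; it is an added example, not code from the original post, and the function name is my own. The header offsets and flag values are those documented in the PE/COFF specification.

```powershell
# Added example (not from the original post): read the PE DllCharacteristics
# flags to see which mitigations a binary opted into at build time.

function Get-PeMitigationFlags {
    param([Parameter(Mandatory)][string]$Path)

    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) {
        throw "$Path is not a PE file (missing MZ header)"
    }

    # e_lfanew at 0x3C points to the "PE\0\0" signature.
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)
    if ([BitConverter]::ToUInt32($bytes, $peOffset) -ne 0x00004550) {
        throw "$Path has an invalid PE signature"
    }

    # 4-byte signature + 20-byte COFF header, then the optional header.
    $optHeader = $peOffset + 24
    $magic     = [BitConverter]::ToUInt16($bytes, $optHeader)
    $arch = switch ($magic) { 0x10B { 'PE32' } 0x20B { 'PE32+' } default { 'unknown' } }

    # DllCharacteristics is at offset 70 of the optional header for both PE32 and PE32+.
    $dllChars = [BitConverter]::ToUInt16($bytes, $optHeader + 70)

    [pscustomobject]@{
        File          = Split-Path $Path -Leaf
        Arch          = $arch
        HighEntropyVA = [bool]($dllChars -band 0x0020)   # IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
        DynamicBase   = [bool]($dllChars -band 0x0040)   # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (ASLR)
        NxCompat      = [bool]($dllChars -band 0x0100)   # IMAGE_DLLCHARACTERISTICS_NX_COMPAT (DEP)
        NoSeh         = [bool]($dllChars -band 0x0400)   # IMAGE_DLLCHARACTERISTICS_NO_SEH
        GuardCF       = [bool]($dllChars -band 0x4000)   # IMAGE_DLLCHARACTERISTICS_GUARD_CF (CFG)
    }
}

# Usage: list executables in System32 that lack CFG or did not opt into ASLR.
Get-ChildItem "$env:SystemRoot\System32\*.exe" -ErrorAction SilentlyContinue |
    ForEach-Object { try { Get-PeMitigationFlags $_.FullName } catch { } } |
    Where-Object { -not $_.GuardCF -or -not $_.DynamicBase } |
    Format-Table -AutoSize
```

A binary without DynamicBase is exactly the case "Force randomization for images" exists for: Windows can still rebase it, but without the entropy the compiler-provided opt-in would have given it. Pointing the scan at a browser or at third-party line-of-business software shows quickly which high-risk applications were built with CFG and which were not.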
Structured Exception Handling Overwrite Protection
An exception is an event in a program that interrupts its normal flow, requiring code execution outside the standard path. There are two types: hardware exceptions, initiated by the CPU due to issues like division by zero or invalid memory access, and software exceptions, triggered by applications or the operating system, often due to invalid parameters. Structured exception handling is a method to manage both types of exceptions. It allows uniform handling of hardware and software exceptions, offering full control over exception management, supports debugging, and is compatible across various programming languages and machines.
Structured Exception Handling Overwrite Protection (SEHOP) helps prevent attackers from being able to use malicious code to exploit the Structured Exception Handling (SEH), which is integral to the system and allows (non-malicious) apps to handle exceptions appropriately.
If applications have issues with SEHOP, exclusions can be configured in GPO under Administrative Templates\System\Mitigation Options\Process Mitigation Options setting.
Validate Heap Integrity
The heap is a location in memory that Windows uses to store dynamic application data.
The validate heap integrity mitigation increases the protection level of heap mitigations in Windows, by causing the application to terminate if a heap corruption is detected.
The mitigations include:
Preventing a HEAP handle from being freed
Performing another validation on extended block headers for heap allocations
Verifying that heap allocations aren't already flagged as in-use
Adding guard pages to large allocations, heap segments, and subsegments above a minimum size.
Heap Integrity Validation has already been applied by default to 64-bit and 32-bit applications since Windows Vista, so not many compatibility issues are expected. Compatibility issues can only arise with applications written for Windows XP or earlier.
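The DEP and SEHOP exclusions, the ASLR options and heap validation discussed above can all be audited and set from PowerShell with the ProcessMitigations cmdlets that ship with Windows 10 and 11. The following is an added example, not code from the original post; legacyapp.exe is a placeholder name, and the property and mitigation names are those exposed by Get-ProcessMitigation and Set-ProcessMitigation.

```powershell
# Added example (not from the original post): audit system-wide exploit protection,
# apply a per-application exception for one broken binary, and export the policy.
# Run in an elevated session.

function Get-SystemMitigationSummary {
    $sys = Get-ProcessMitigation -System
    [pscustomobject]@{
        DEP                  = $sys.Dep.Enable
        SEHOP                = $sys.SEHOP.Enable
        ForceRelocateImages  = $sys.ASLR.ForceRelocateImages   # "Force randomization for images"
        BottomUp             = $sys.ASLR.BottomUp              # "Randomize memory allocations"
        HighEntropy          = $sys.ASLR.HighEntropy           # "High-entropy ASLR"
        CFG                  = $sys.CFG.Enable
        HeapTerminateOnError = $sys.Heap.TerminateOnError      # "Validate heap integrity"
    }
}

# 1. Current system defaults (values are ON, OFF or NOTSET).
Get-SystemMitigationSummary

# 2. Per-application exception: the scripted equivalent of the DEP/SEHOP
#    exclusions described above. Disable only the mitigations that break the
#    application and keep the rest explicitly on for that process.
$app = 'legacyapp.exe'   # placeholder, not a real application
Set-ProcessMitigation -Name $app -Disable DEP,SEHOP -Enable BottomUp,HighEntropy,TerminateOnError

# 3. Verify what was recorded for that application.
$appSettings = Get-ProcessMitigation -Name $app
$appSettings.Dep
$appSettings.SEHOP
$appSettings.Heap

# 4. Export the whole policy to XML for review or for deployment to other machines
#    (Set-ProcessMitigation -PolicyFilePath imports the same file).
Get-ProcessMitigation -RegistryConfigFilePath "$env:TEMP\ExploitProtection.xml"

# 5. Remove the exception again once the application has been fixed.
# Set-ProcessMitigation -Name $app -Remove
```

Keeping exceptions narrow matters: disabling DEP or SEHOP for one executable is recoverable, whereas turning the mitigation off system-wide to work around a single application removes the protection from every process, including the browsers and document handlers that attackers target first.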
In wrapping up our exploration of Windows 11's security features, we've delved into two crucial aspects: application, identity, and password security, as well as hardware and memory protections. The first part of our journey provided insights into how Windows 11 safeguards against cyber threats at the software level, ensuring robust protection for users' digital identities and sensitive information. Transitioning to the second part, we've uncovered the hardware-based security measures embedded within Windows 11, such as Core Isolation and exploit protection mechanisms, which fortify our defense against malware and attacks by isolating processes and strengthening code execution security. Together, these comprehensive security features create a robust defense posture for Windows 11, safeguarding users' digital experiences across all fronts. As we navigate the digital landscape, it's reassuring to know that Windows 11 prioritizes both software and hardware security to ensure a safer computing environment for all users.