Windows 8 also includes improvements to Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP). ASLR randomizes where a process's images, stacks and heaps are placed, so an attacker cannot predict the address of code or data to jump to; DEP marks data pages non-executable, so an injected payload cannot simply be run in place. In Windows 8 these improvements are combined with the new AppContainer application sandbox, which limits what a compromised application can reach even after a successful exploit. Together they mean attackers face an uphill battle to deliver exploits for Windows 8 that work reliably.
It is also worth noting that Windows 8 adds kernel-mode mitigations that go well beyond the ASLR and DEP improvements: new integrity checks on kernel pool allocations, and randomization of kernel-mode addresses using the same approach taken for user mode.
One of the issues with ASLR and DEP, of course, is that historically they were opt-in: an image only gets relocated if the programmer linked it with /DYNAMICBASE, and 32-bit processes only get DEP if they opt in with /NXCOMPAT. Windows 8 closes part of this gap with ForceASLR, which relocates images that never opted in (provided they still carry relocation data) when the process requests it. On the hardware side, nothing is optional any more: Windows 8 requires a CPU that supports the NX (no-execute) bit, so DEP is always hardware-enforced. The trade-off is that Windows 8 will not install on older processors that lack NX.
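Since ASLR and DEP depend on link-time opt-in flags, the practical check is to read them out of the PE optional header. The following is an added example, not code from the original slideshow or from Lumension: a small parser for the `DllCharacteristics` field that reports whether an image was built with /DYNAMICBASE (ASLR), /HIGHENTROPYVA (the 64-bit high-entropy ASLR that Windows 8 introduced) and /NXCOMPAT (DEP). The PE images it inspects are constructed inline with the minimal headers needed, so it runs offline; on a real system you would pass in the bytes of any .exe or .dll.

```python
import struct

# DllCharacteristics flags from winnt.h (all three are Windows-defined constants).
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020  # /HIGHENTROPYVA, 64-bit only (Windows 8+)
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040     # /DYNAMICBASE: image may be relocated (ASLR)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100        # /NXCOMPAT: image is DEP-compatible

PE32_MAGIC = 0x10B       # 32-bit optional header
PE32PLUS_MAGIC = 0x20B   # 64-bit optional header


def parse_mitigation_flags(data: bytes) -> dict:
    """Return the ASLR/DEP opt-in state recorded in a PE image's optional header.

    Raises ValueError for anything that is not a well-formed PE header.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)     # offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    #              NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, _nsec, _ts, _psym, _nsym, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, coff)
    opt = coff + 20
    if opt_size < 72 or len(data) < opt + opt_size:
        raise ValueError("optional header truncated")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both the PE32 and PE32+ optional header.
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    is_64 = magic == PE32PLUS_MAGIC
    return {
        "pe32plus": is_64,
        "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        # High-entropy ASLR only means anything for a 64-bit address space.
        "high_entropy_aslr": is_64 and bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def missing_mitigations(flags: dict) -> list:
    """List the link-time mitigations an image did not opt in to."""
    missing = []
    if not flags["aslr"]:
        missing.append("ASLR (/DYNAMICBASE)")
    if flags["pe32plus"] and not flags["high_entropy_aslr"]:
        missing.append("high-entropy ASLR (/HIGHENTROPYVA)")
    if not flags["dep"]:
        missing.append("DEP (/NXCOMPAT)")
    return missing


def build_test_image(magic: int, dll_chars: int) -> bytes:
    """Construct a minimal, non-runnable PE header (sample input for this example only)."""
    opt_size = 240 if magic == PE32PLUS_MAGIC else 224
    machine = 0x8664 if magic == PE32PLUS_MAGIC else 0x014C
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew -> 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos + coff + bytes(opt)


if __name__ == "__main__":
    samples = {
        "hardened x64": build_test_image(PE32PLUS_MAGIC, 0x0020 | 0x0040 | 0x0100),
        "x86, no DEP": build_test_image(PE32_MAGIC, 0x0040),
        "x64, nothing": build_test_image(PE32PLUS_MAGIC, 0),
    }
    for name, image in samples.items():
        flags = parse_mitigation_flags(image)
        print("%-14s missing: %s" % (name, missing_mitigations(flags) or "none"))
```

Note that a clean report here only says the image asked for the mitigations; an image without /DYNAMICBASE may still be relocated by ForceASLR on Windows 8 if it kept its relocation section, and a 64-bit process always runs with DEP regardless of /NXCOMPAT.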
Another interesting new security feature built into Windows 8 is support for Supervisor Mode Execution Protection (SMEP), introduced with Intel's Ivy Bridge CPUs. With SMEP enabled, the processor faults if kernel-mode (supervisor) code attempts to execute instructions from a page marked as 'user' rather than 'kernel'. That matters because a common kernel exploit technique is to place the payload in user-mode memory the attacker already controls and redirect a kernel code path to it; on an Ivy Bridge CPU running Windows 8, SMEP stops that outright. This is another security feature that will likely complicate the development of reliable and repeatable malware.
While not an all-encompassing review of the security features available in Windows 8, in this slideshow, Paul Henry, security and forensic analyst at Lumension, takes a quick look at some of the more noteworthy capabilities in this latest iteration from Microsoft.