A small company named Wehnus, run by Matt Miller, has put together a comprehensive Windows host-based intrusion prevention system (HIPS) called WehnTrust (http://www.wehnus.com) that uses Address Space Layout Randomization (ASLR) among other techniques (see below) to provide added security to Windows. If you’re familiar with grsecurity/PaX on Linux, then WehnTrust will feel familiar.
ASLR is probably the coolest feature of WehnTrust, but falling not too far behind is detection and prevention of SEH overwrites, format string bugs, and stack-based buffer overflows. One of my colleagues has been running it for about a year now and has not had any major issues. It’s cool technology!
ASLR complements NX-style protection by helping defend against ret2libc-style attacks. Windows XP SP2 with hardware-enforced DEP (for example on an AMD 64FX) + WehnTrust is a pretty solid defensive solution in my book.
- Detailed balloon notification tooltips rise from the taskbar when an exploit has been prevented (see screenshots below)
- Randomized image file loading (DLLs and EXEs with relocations)
- Randomized memory allocations (stack, heap, etc.)
- Randomized PEB/TEB
- Application and Image File Randomization Exemptions
- SEH overwrite protection (commercial version only)
- Native Windows Event Logging
WehnTrust supports Windows 2000, Windows XP and Windows Server 2003; it’s free for personal use.
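Image randomization only works for images that still carry base relocations, which is why the feature list above says "EXEs with relocations" and why the exemption list matters: an image that cannot be rebased stays at a fixed address. The following Python, added here as an example and not code from WehnTrust or the original post, parses just enough of a PE header to report whether an image could be rebased; the sample images are constructed inline (headers only) and are not real binaries.

```python
import struct

IMAGE_FILE_RELOCS_STRIPPED = 0x0001        # COFF Characteristics bit
IMAGE_DIRECTORY_ENTRY_BASERELOC = 5        # index into the data directory

def relocation_info(data: bytes) -> dict:
    """Parse just enough of a PE image to tell whether a loader-side
    randomizer could rebase it: relocations must not be stripped and a
    base-relocation directory must be present."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, _, _, _, _, _, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                          # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                       # PE32: ImageBase is 4 bytes at offset 28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
        dirs_off = opt + 96
    elif magic == 0x20B:                     # PE32+: ImageBase is 8 bytes at offset 24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
        dirs_off = opt + 112
    else:
        raise ValueError("unknown optional header magic")
    num_dirs = struct.unpack_from("<I", data, dirs_off - 4)[0]   # NumberOfRvaAndSizes
    reloc_size = 0
    if num_dirs > IMAGE_DIRECTORY_ENTRY_BASERELOC:
        _, reloc_size = struct.unpack_from("<II", data, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC)
    stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "image_base": image_base,
        "relocs_stripped": stripped,
        "has_reloc_dir": reloc_size > 0,
        "randomizable": not stripped and reloc_size > 0,
    }

def build_pe32(characteristics: int, reloc_size: int) -> bytes:
    """Construct a minimal PE32 header (headers only, not loadable) so the
    check above can run offline; this is sample data, not a real binary."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, characteristics)
    opt = struct.pack("<H", 0x10B) + b"\0" * 26 + struct.pack("<I", 0x00400000)
    opt += b"\0" * (92 - len(opt)) + struct.pack("<I", 16)      # NumberOfRvaAndSizes = 16
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_BASERELOC] = (0x3000, reloc_size)
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    return dos + b"PE\0\0" + coff + opt
```

Running `relocation_info` over real DLLs and EXEs on a host gives a quick inventory of which modules a randomizer can move and which will need to sit at their fixed ImageBase.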
- http://www.hick.org/~mmiller/wehnus/format.png (format string detection)
- http://www.hick.org/~mmiller/wehnus/sehprot.png (SEH overflow detection)
- http://www.hick.org/~mmiller/wehnus/stack.png (stack overflow detection)
- http://www.hick.org/~mmiller/wehnus/tooltip.png (taskbar tooltip notification)
- http://www.wehnus.com/images/WehnTrust.jpg (status dialog; click on the taskbar icon)
Also, make sure you read http://www.wehnus.com/technology.pl#expla; it’s a list of things the tool does NOT protect against.
Anyway, over the next few days I will write some vulnerable code and exploits to see how WehnTrust fares, but it looks very promising.