Microsoft: Here's how we're killing a class of memory security bugs in Windows 10

Microsoft details a new Windows 10 security feature that crashed PCs running games that use anti-cheat software.


Microsoft has detailed how it has changed Windows 10 to wipe out a class of memory bugs called uninitialized memory vulnerabilities, using a new security feature that has also plagued users of games that employ anti-cheat software.

Microsoft has been experimenting with Rust for certain Windows components written in C and C++ to weed out memory-related bugs, which make up about 70% of all patches Microsoft has shipped over the past decade.

One type of memory bug is the uninitialized memory vulnerability, which, according to Microsoft, has been trending upwards in recent years and made up about 5% to 10% of all the Windows flaws it fixed between 2017 and 2018.

The Heartbleed vulnerability in the OpenSSL software library for HTTPS web servers was one example of this type of bug, which caused private encryption keys to be stored in uninitialized memory and therefore made it possible for an attacker to retrieve them. 

To address uninitialized memory vulnerabilities in Windows, Microsoft has kicked off a project called InitAll, which is now enabled for all kernel-mode code, Hyper-V code, and networking related user-mode services. InitAll first shipped with Windows 10 version 1903 from Spring 2019. 

This type of memory bug poses a challenge for products with large code bases, in part because of the design of C and C++.

Joe Bialek, a security engineer in the Microsoft Security Response Center (MSRC), noted in a recent talk that it is "extremely difficult" to rule out that an uninitialized memory bug has a security impact.

This type of memory bug can be found using commonly used processes. However, Bialek argues that static analysis can't find everything, fuzzing can't identify all bugs of this type, and manual code review doesn't scale and is prone to error.

Microsoft's InitAll automatically initializes stack variables to zero, closing the gap that the design of C and C++ leaves open.

As Bialek explains in a new blogpost, the design of C and C++ doesn't prevent developers from incorrectly using uninitialized variables, which can introduce uninitialized memory disclosure vulnerabilities and uninitialized memory use.

"The C and C++ programming languages were designed with performance and developer control top of mind. As part of this, the language has no enforcement around variable initialization. Using uninitialized variables is undefined behavior. Developers must initialize variables before they are used and it's up to them to get this right," he explains.
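The following C program is an added example, not code from the article or from Microsoft, showing the stack-disclosure pattern InitAll targets and what its automatic zeroing amounts to when written by hand. The `struct reply` layout, the field values and the `0xAA` stack poison are all constructed for illustration; the compiler inserts three bytes of padding between the one-byte `kind` and the four-byte `value`, and those padding bytes are never touched by field-by-field assignment.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout: 1-byte 'kind', then 3 bytes of compiler padding so that
 * the 4-byte 'value' is naturally aligned. sizeof(struct reply) is 8. */
struct reply {
    uint8_t  kind;
    uint32_t value;
};

/* Bytes of the object that no field assignment can ever write. */
size_t reply_padding_bytes(void) {
    return sizeof(struct reply) - (sizeof(uint8_t) + sizeof(uint32_t));
}

/* BEFORE: the pattern InitAll exists for. The local is declared without an
 * initializer, only the named fields are written, and the whole object is then
 * copied out (in a kernel, typically to a user-mode buffer). The padding bytes
 * carry whatever the stack held before the call. */
void build_reply_uninitialized(uint8_t kind, uint32_t value,
                               uint8_t out[sizeof(struct reply)]) {
    struct reply r;            /* indeterminate contents */
    r.kind = kind;
    r.value = value;
    memcpy(out, &r, sizeof r); /* copies the 3 indeterminate padding bytes too */
}

/* AFTER: what InitAll does for you on function entry, written explicitly.
 * memset covers padding; "= {0}" zeroes the named fields but the C standard
 * does not guarantee that padding is zeroed, so memset is the portable form. */
void build_reply_zeroed(uint8_t kind, uint32_t value,
                        uint8_t out[sizeof(struct reply)]) {
    struct reply r;
    memset(&r, 0, sizeof r);
    r.kind = kind;
    r.value = value;
    memcpy(out, &r, sizeof r);
}

/* Counts non-zero bytes in the padding region of a copied-out object; any such
 * byte is stack content that escaped the function. */
size_t leaked_padding_bytes(const uint8_t *out) {
    size_t leaked = 0;
    for (size_t i = offsetof(struct reply, kind) + sizeof(uint8_t);
         i < offsetof(struct reply, value); i++) {
        if (out[i] != 0) leaked++;
    }
    return leaked;
}

/* Deterministic check of the hardened path: fields intact, padding all zero. */
int zeroed_reply_is_clean(void) {
    uint8_t out[sizeof(struct reply)];
    uint32_t v;
    build_reply_zeroed(7, 0x11223344u, out);
    memcpy(&v, out + offsetof(struct reply, value), sizeof v);
    return out[0] == 7 && v == 0x11223344u && leaked_padding_bytes(out) == 0;
}

/* Writes a recognisable pattern over a stack region so that a later callee's
 * uninitialized locals are likely, though not guaranteed, to land on it. */
static void dirty_stack(void) {
    volatile uint8_t scratch[256];
    for (size_t i = 0; i < sizeof scratch; i++) scratch[i] = 0xAA;
}

int main(void) {
    uint8_t out[sizeof(struct reply)];

    printf("padding bytes in struct reply: %zu\n", reply_padding_bytes());

    /* The unhardened path: the result depends on compiler, optimization level
     * and what ran before, which is exactly why these bugs evade testing. */
    dirty_stack();
    build_reply_uninitialized(7, 0x11223344u, out);
    printf("uninitialized build leaked %zu non-zero padding byte(s) (varies)\n",
           leaked_padding_bytes(out));

    printf("zeroed build is clean: %s\n", zeroed_reply_is_clean() ? "yes" : "no");
    return 0;
}
```

The unhardened function is not asserted on anywhere because its output is unspecified by the language, which is the point of the article's "undefined behavior" remark: a test that passes on one build tells you nothing about the next. InitAll inserts the equivalent of the `memset` line into every function whose locals the compiler cannot prove are fully written before use.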

Microsoft targeted InitAll at kernel-mode first because of the large number of uninitialized kernel memory vulnerabilities affecting it, while Hyper-V code was prioritized due to recent stack information disclosure bugs.

It hasn't rolled the feature out to all Windows code yet, due to the risk of causing performance issues in Windows 10, but it is starting to apply it more broadly now.

"The reason we did not immediately roll InitAll out for all code was to ensure we could succeed in doing something rather than fail at trying to do everything," he noted. 

"Now that we've successfully rolled the technology out to the highest priority targets, we can shift our focus to the rest of our code."

Interestingly, the long-running issues that the latest versions of Windows 10 have had with anti-cheat software stem from InitAll.

"Shortly after enabling InitAll in Windows, we received complaints that certain anti-cheat software was causing kernel crashes," says Bialek. 

"Investigations revealed that these anti-cheat solutions included kernel-mode drivers. These drivers were scanning the NT kernel image in memory and looking for byte patterns to locate undocumented functions. The way these pattern matchers work is by searching for specific byte patterns indicating the beginning of the function.

"When InitAll was enabled, some extra initializations (that could not be proven away) were added to the beginning of these functions which effectively changed their signature. We reached out to these anti-cheat companies and they updated their drivers to stop causing kernel crashes."
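The following C program is an added example, not code from the article or from any anti-cheat vendor, illustrating why a byte-pattern matcher of the kind Bialek describes breaks when a compiler inserts an extra instruction at the top of a function, and why such a lookup must fail closed. The two "images" are constructed byte arrays: filler bytes around a short x64-style prologue, and the same prologue with an inserted `xor eax, eax` standing in for an initialization the compiler could not prove away. The instruction encodings are illustrative and are not taken from any real kernel binary.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed "image" 1: filler, then a function whose first nine bytes are
 * the prologue a scanner recorded as its signature. */
static const uint8_t IMAGE_ORIGINAL[] = {
    0xCC, 0xCC, 0xCC, 0xCC,            /* filler */
    0x48, 0x89, 0x5C, 0x24, 0x08,      /* mov [rsp+8], rbx */
    0x48, 0x83, 0xEC, 0x20,            /* sub rsp, 0x20 */
    0xC3,                              /* ret (body elided) */
    0xCC
};

/* Constructed "image" 2: the same function after the compiler inserted a
 * zeroing instruction between the two prologue instructions. */
static const uint8_t IMAGE_INITALL[] = {
    0xCC, 0xCC, 0xCC, 0xCC,
    0x48, 0x89, 0x5C, 0x24, 0x08,      /* mov [rsp+8], rbx */
    0x33, 0xC0,                        /* xor eax, eax  <- inserted initialization */
    0x48, 0x83, 0xEC, 0x20,            /* sub rsp, 0x20 */
    0xC3,
    0xCC
};

/* The signature: the original function's first nine bytes, assumed to be
 * unique within the image. */
static const uint8_t SIGNATURE[] = {
    0x48, 0x89, 0x5C, 0x24, 0x08, 0x48, 0x83, 0xEC, 0x20
};

/* Generic contiguous byte-pattern search. Returns the offset of the first
 * match, or -1 when the pattern does not occur. */
ptrdiff_t find_signature(const uint8_t *image, size_t image_len,
                         const uint8_t *sig, size_t sig_len) {
    if (sig_len == 0 || image_len < sig_len) return -1;
    for (size_t i = 0; i + sig_len <= image_len; i++) {
        if (memcmp(image + i, sig, sig_len) == 0) return (ptrdiff_t)i;
    }
    return -1;
}

/* Fail-closed resolution: a miss yields NULL and the caller must treat the
 * feature as unavailable. Treating -1 as an offset, or dereferencing a stale
 * cached address, is how a changed prologue turns into a kernel crash. */
const uint8_t *resolve_function(const uint8_t *image, size_t image_len) {
    ptrdiff_t off = find_signature(image, image_len, SIGNATURE, sizeof SIGNATURE);
    return off < 0 ? NULL : image + off;
}

ptrdiff_t scan_original(void) {
    return find_signature(IMAGE_ORIGINAL, sizeof IMAGE_ORIGINAL,
                          SIGNATURE, sizeof SIGNATURE);
}

ptrdiff_t scan_initall(void) {
    return find_signature(IMAGE_INITALL, sizeof IMAGE_INITALL,
                          SIGNATURE, sizeof SIGNATURE);
}

int main(void) {
    printf("original image: signature at offset %td\n", scan_original());
    printf("InitAll image:  signature at offset %td (miss)\n", scan_initall());
    printf("resolver on InitAll image returns %s\n",
           resolve_function(IMAGE_INITALL, sizeof IMAGE_INITALL) ? "address" : "NULL");
    return 0;
}
```

The two-byte insertion is enough to defeat a contiguous signature even though every original instruction is still present; the robust response is not a looser pattern but a resolver that reports the miss and disables the dependent feature, which is the behaviour the updated drivers needed.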