Application Hardening
Definition
Application Hardening makes an executable application more resilient to a class of exploits which either introduce new code or execute unwanted existing code. These techniques may be applied at compile-time or on an application binary.
Synonyms: Process Hardening
Technique Overview
Exploits may, for example, rely on knowledge of addresses in a process's memory, alter memory contents, or cause a program to use instructions in ways that were not intended. Hardening counters this by, for example, including code that dynamically changes the memory address of data or code on each run, introducing logic that validates memory contents before certain potentially dangerous flows are executed, or monitoring a program for unusual sequences of instructions. Each of these makes it harder for an attacker to craft a working exploit.
Technique Subclasses
There are 8 techniques in this category, Application Hardening.
Name | ID | Definition | Synonyms |
---|---|---|---|
Application Hardening | D3-AH | Application Hardening makes an executable application more resilient to a class of exploits which either introduce new code or execute unwanted existing code. These techniques may be applied at compile-time or on an application binary. | Process Hardening |
- Application Configuration Hardening | D3-ACH | Modifying an application's configuration to reduce its attack surface. | |
- Dead Code Elimination | D3-DCE | Removing unreachable or "dead code" from compiled source code. | |
- Exception Handler Pointer Validation | D3-EHPV | Validates that a referenced exception handler pointer is a valid exception handler. | Exception Handler Validation |
- Pointer Authentication | D3-PAN | Comparing the cryptographic hash or derivative of a pointer's value to an expected value. | |
- Process Segment Execution Prevention | D3-PSEP | Preventing execution of any address in a memory region other than the code segment. | Execute Disable, and No Execute |
- Segment Address Offset Randomization | D3-SAOR | Randomizing the base (start) address of one or more segments of memory during the initialization of a process. | Address Space Layout Randomization, and ASLR |
- Stack Frame Canary Validation | D3-SFCV | Comparing a value stored in a stack frame with a known good value in order to prevent or detect a memory segment overwrite. | |
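
Two of the subclasses above leave marks in an ELF file's headers that a defender can audit: Process Segment Execution Prevention appears as a PT_GNU_STACK program header without the execute flag, and Segment Address Offset Randomization can relocate the main image only if it was built position-independent (e_type ET_DYN). The Python check below is an added example, not part of the original page. The names audit_elf64 and make_sample are hypothetical, the sample images are constructed, and only little-endian ELF64 is handled.

```python
import struct

ET_DYN = 3                  # e_type of PIE executables (and shared objects)
PT_GNU_STACK = 0x6474E551   # program header carrying the stack permissions
PF_X = 0x1                  # "executable" bit in p_flags

def audit_elf64(data: bytes) -> dict:
    """Report two hardening properties of a little-endian ELF64 image."""
    if len(data) < 64 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    (e_type,) = struct.unpack_from("<H", data, 16)
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    nx_stack = False  # assumption: a missing PT_GNU_STACK is reported as not hardened
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 8 > len(data):
            raise ValueError("program header table runs past end of file")
        p_type, p_flags = struct.unpack_from("<II", data, off)
        if p_type == PT_GNU_STACK:
            nx_stack = not (p_flags & PF_X)
    # ET_DYN images can be loaded at a randomized base; ET_EXEC images cannot.
    return {"position_independent": e_type == ET_DYN, "nx_stack": nx_stack}

def make_sample(e_type: int, stack_flags) -> bytes:
    """Constructed input: ELF64 header plus at most one PT_GNU_STACK entry."""
    phdrs = b""
    if stack_flags is not None:
        phdrs = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    header = struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0,
                         64, 56, len(phdrs) // 56, 0, 0, 0)
    return ident + header + phdrs

if __name__ == "__main__":
    for label, image in [("PIE, stack RW", make_sample(3, 0x6)),
                         ("non-PIE, stack RWE", make_sample(2, 0x7)),
                         ("non-PIE, no PT_GNU_STACK", make_sample(2, None))]:
        print(label, audit_elf64(image))
```

To audit a file on disk, pass its bytes to audit_elf64. Stack Frame Canary Validation is not covered here because detecting it requires reading the symbol table rather than the headers.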