Exception Handler Pointer Validation
Validates that a referenced exception handler pointer is a valid exception handler.Synonyms: Exception Handler Validation .
How It Works
When a process encounters an exception, it calls an exception handler to deal with the exception. The method by which this exception handler is determined varies by the operating system. The exception handler is called, even if it is the default exception handler to terminate the program and display a message that the program stopped working. In the case that no valid exception handler is found, the program would fail to proceed as normal and could be programmed to terminate.
In Windows, the address of the exception registration record is stored at the very start of the the Thread Information Block; the GS register points to this structure.
The exception registration record contains two pointers: a pointer to the next exception registration record should this handler fail to handle the exception, and a pointer to the handler.
A buffer overflow can overwrite the saved return pointer with an invalid location to execute memory; this often triggers the exception handler chain, which could also be corrupted by the buffer overflow. Although Process Exception Handler Validation does not make sure that the exception handler pointer or the code at the exception handler was unaltered, or that the exception handler code is secure, this technique does ensure that the pointer is at least an exception handler that could be called by the program.
With Process Exception Handler Validation, before the handler is called, it checks the exception handler against a source of valid exception handlers. If the requested handler is not in this list, other techniques such as those in Process Eviction might be invoked, such as Process Termination to end the current process, or Executable Blacklisting to blacklist the potentially vulnerable or malfunctioning executable.
Runtime valid exception handler source generation
The source of valid exception handlers could be generated at runtime, with the risk of the information that is used to determine the validity of exception handlers being compromised.
The source of valid exception handlers could also be generated at compile time or as a binary patch. Given the source code, it would be rather straightforward to find the exceptions, as they are pointed in the catch statement of a try-catch clause and the compiler must already generate the code to call exceptions from this.
If the program file can be altered by the attacker, then the security could be bypassed by replacing it with any desired program, without even bypassing SEH.
If the attacker was already able to overwrite the code for a valid exception handler via other functionality in the program, this defense would not prevent arbitrary code execution. If an exception handler recognized as valid is vulnerable, it would be executed anyway.
SafeSEH might be applied only to some executable files or modules, allowing an attacker to call any piece of code as an exception handler in the unprotected modules.
The following references were used to develop the Exception Handler Pointer Validation knowledge-base article.
(Note: the consideration of references does not imply specific functionality exists in an offering.)