Comments

# Think Security - Jeff Jones Security Blog said on May 26, 2006 4:55 PM:

UPDATE:  Mike Howard has posted to his blog, confirming David and providing details on the Vista...

# Lionel Fourquaux said on May 26, 2006 6:46 PM:

In the part, system DLLs were carefully based to avoid relocations and bound to speed up loading. What happens to these optimizations now that address space layout randomization exists?

# The Insider said on May 26, 2006 6:58 PM:

Mike Howard talks about a new piece of technology coming with Windows Vista designed to help fight malware...

# Neal said on May 26, 2006 7:17 PM:

So, when the OS detects an attempt to execute data and shuts the app down does it clearly say so and log it?  Too many times on WinXP apps just disappear, or disappear and Windows gives some (too) nondescript error.  I don't expect windows to analyze every app crash, or be able to give me messages that my grammy can understand, but I've been a developer for 15 years and frequently I have nothing to go on.

# Ricus said on May 27, 2006 5:42 AM:

So you have pretty much taken a very BSD like approach to memory access for programs.

As BSD has supported memory randomization for the increase of Security for quite awhile.

And just to note BSD hasn't Really suffered major speed reductions due to it.

# Josh's Windows Weblog said on May 27, 2006 9:09 AM:

Windows Vista Beta 2 Includes a new feature called Address Space Layout Randomization or ASLR. ...

# Anonymous said on May 27, 2006 9:58 AM:

It's nice to see Microsoft implementing security technologies that have been available in other operating systems, like OpenBSD, for a few years now...

# PaX Team said on May 27, 2006 12:36 PM:

the origins of ASLR are here: http://pax.grsecurity.net/docs/aslr.txt

for Lionel: i think Vista randomizes the DLL base addresses once per boot, not per process like PaX and others do, therefore it's quite likely that the imports are rebound at the same time, so there's no net loss of performance later (except for some delay at boot). question is how they will evolve it before release, there's certainly room for improvement (stack/heap/exe randomization for one).

# JC said on May 27, 2006 2:34 PM:

MS is inventing the wheel again.  Adress randomization existed before vista was in the drawing boards.  Linux had it implemented in kernel 2.6. The name of this technology is PAX. RISE is another technology in the world of open source.  

# Myria said on May 27, 2006 4:08 PM:

How about fixing the bugs rather than simply mitigating the risk?

Also, address space randomization doesn't help with local privilege escalation, or when the exploit is in a .exe file (almost all of which can't be relocated).

NX does little good when it's trivial to return-to-libc to ntdll.dll's NtSetInformationProcess to disable NX.

Melissa

# johnny knoxville said on May 27, 2006 4:45 PM:

Wow! didn't Red Hat Enterprise Linux add this feature about a year and a half ago??????

# Tales from a Trading Desk » Blog Archive » Vista Build 5384, Office Beta 2 said on May 27, 2006 5:12 PM:

PingBack from http://mdavey.wordpress.com/2006/05/27/vista-build-5384-office-beta-2/

# michael_HOWARD said on May 27, 2006 5:57 PM:

Myria,

As I note, ASLR is a *DEFENSE* it does not fix insecure code. Also, if you read the article, you would also see it applies to DLLs and EXEs, I will write a follow-up article about this in more depth this coming week.

# Jerry said on May 27, 2006 6:02 PM:

Very nice. Could mean the end of many types of remote exploits. To the folks complaining about the feature and saying "fix the bugs instead" or some such foolishness: So now MS is supposed to fix the remote exploits in Symantec and other's products too? This change can help to be sure that when someone finds a remote vulnerability in an MS OR 3rd party product that actually using it will be difficult if not impossible (except as a random denial of service). To the others saying, *nix had this before: guess what? There was one car that had seat belts before the rest. Nobody complained when other manufacturers added them BECAUSE IT WAS A GOOD IDEA.

# Wampiryczny blog said on May 27, 2006 7:16 PM:

No i w końcu stało się. Windows Vista będzie posiadał magiczną technologię określaną jako ASLR. W końcu. Tak na prawdę, to ja nie wiem, czy Windows Vista w końcu taką funkcję posiadać będzie, czy też nie. Ale według informacji zawartych

# Matthew Murphy said on May 27, 2006 7:48 PM:

Mike,

A few questions I have after reading this post:

1. Does Vista's ASLR rebase modules at different addresses in each process or at a single base address for each system boot?

2. Is ASLR limited to DLL base addresses or does it also randomize memory mappings done anonymously?

3. Does ASLR in Vista randomize all DLL bases or just those of certain DLLs?  If the latter, which ones?

# carbonBased said on May 27, 2006 7:58 PM:

What good is address randomization if the author of this column was able to determine the location of various dll's anyway (as show below, taken from the above article)?

Surely malicious code could do the same!?

For example, earlier today my laptop reported the following:
  wsock32.dll  (0x73ad0000)
  winhttp.dll  (0x74020000)
  user32.dll   (0x779b0000)
  kernel32.dll (0x77c10000)
  gdi32.dll    (0x77a50000)
I then rebooted the machine, and my laptop reported the following:
  wsock32.dll  (0x73200000)
  winhttp.dll  (0x73760000)
  user32.dll   (0x770f0000)
  kernel32.dll (0x77350000)
  gdi32.dll    (0x77190000)

# dispensa said on May 27, 2006 8:50 PM:

What ever happeed to this: http://blogs.msdn.com/michael_howard/archive/2005/09/30/475763.aspx

# Justin Blanton | Address space layout randomization in Windows Vista said on May 27, 2006 9:04 PM:

PingBack from http://justinblanton.com/2006/05/address-space-layout-randomization-in-windows-vista

# Escamillo said on May 27, 2006 9:11 PM:

To the Microsoft bashers:

Are you guys saying that because Red Hat added this 1.5 years ago and Open BSD had it before that, then Microsoft is wrong to add it to Vista?

If they don't add it, you'd bash them, and yet when the do add it, you still bash them.  Grow up.

(Assuming that you guys are correct in the first place that Vista is doing nothing that Red Hat and Open BSD aren't doing.  I put little faith in your "analyses".  I know from reading slashdot that many of your ilk haven't the first clue to what Microsoft's products are really doing, even outright refusing to learn, and merely assume that Microsoft is doing nothing that others haven't done before.)

# none said on May 28, 2006 5:37 AM:

>MS is inventing the wheel again.  Adress randomization existed before vista was in the drawing boards.

WTF?! they implemented it, not invented it! DOH!

# SomeoneElse said on May 28, 2006 6:42 AM:

We've had address space randomization in Linux for quite a while. Good for you that you are finally catching up.

# Erik Wikström said on May 28, 2006 8:46 AM:

To Myria:
"How about fixing the bugs rather than simply mitigating the risk?"

Kind of hard when the bugs are not in your own code. Security in OSes consists of two things, first is to secure the OS itself, the other thing is to mitigate or prevetn security-breaches in applications running on the OS.

# Random Reader said on May 28, 2006 10:05 AM:

Despite the various people above who miss the point, I am quite happy to see this.  Please keep going with these defenses!

# Mike Hearn said on May 28, 2006 1:39 PM:

Awesome!

To those who are saying well Linux/BSD had this earlier -> yes, yes they did. But so what? This is wonderful news and along with the other improvements could help turn the tide.

It's also worth bearing in mind that ASLR on Windows is a lot harder to do than on Linux, partly because of PE/ELF differences but mostly because Linux vendors such as Red Hat have a rather cavalier approach to backwards compatibility (a LOT of apps break in the face of ASLR).

I'd be interested to hear more about the compatibility issues surrounding this. I work on the Wine project and a few years ago we got bit hard by execshield being rolled out on Fedora. The problems were partly that it was randomizing DLL loads into regions we needed protecting (eg for loading the exe file into) and partly because apps which rely on particular VM layouts are unfortunately quite common.

World of Warcraft in particular springs to mind (just discussing this one on IRC now actually).

# Anuncie Aqui! said on May 29, 2006 10:31 AM:

# Passion is like genius; a miracle. » Address Space Layout Randomization in Windows Vista said on May 29, 2006 11:53 PM:

PingBack from http://mkseo.pe.kr/blog/?p=1470

# Toma Bussarov said on May 30, 2006 9:59 AM:

Good job for all of you, Michael!

All of this is result of SDL. You have thought about security from so many different angles and considered many situations to make Vista more secure and reliable.

Gongratulations!

# Christopher Feyrer said on May 30, 2006 10:02 AM:

OK. According to bink.nu this reduces odds of finding the appropriate memory address to 1/256. If I was a malware coder, I'd then code the malware to check 256 times, in all locations.  Tell me why this wouldn't work. :)

CF

# HD said on May 30, 2006 3:53 PM:

A free (for personal use) software package called Wehntrust provides this functionality on current Windows operating systems:
http://www.wehnus.com/

# jasonhnz said on May 30, 2006 7:36 PM:

Is there any way to disable this. The reason I ask is since the 5XXX builds of Vista (including Beta 2) My computer crashses on the boot screen. If I have one 512 module in it works fine. If I place another 512 module ( And i have tried different slots and different modules) it will boot but some where randomly during the booto screen process the screen will freeze and sometimes pixalate as well.

Windows XP on the same machine boots with both RAM modules with no problems. Could this technology be causing this problem? Is there a way to disable this so I can see if this is the problem?

# VM said on May 31, 2006 7:32 AM:

ASLR is *not* present in any free linux distributions.

# michael_HOWARD said on May 31, 2006 12:43 PM:

To Christopher Feyrer

>>I was a malware coder, I'd then code the >>malware to check 256 times, in all >>locations.  Tell me why this wouldn't work. :)

When you get it wrong you'll crash the app, after a few crashes any admin worth his salt would realize there is an attack going on.

# InfoSec Blog » Blog Archive » Windows Vista Beta 2 gets ASLR said on May 31, 2006 1:26 PM:

PingBack from http://www.infosecblog.net/?p=97

# Zorba the Geek said on May 31, 2006 1:46 PM:

<quote>
Surely malicious code could do the same!?
</quote>

CarbonBased, there are two parts to making a buffer overflow (and its cousins) exploitable.
a)  Loading malicious executable code into a process space.  This doesn't necessarily have to be within the overflowed buffer itself, but can be into any buffer or object in that processes memory.

b) Getting the processor to jump to an instruction in the malicious code.

The point of ASLR is to make (b) difficult.  It is really a backup for the /GS flag that protects the return pointer on the stack from being overwritten.  A known way of bypassing the need to overwrite the return pointer is to jump into DLL functions loaded into the process in known places.  ASLR makes the location of these functions a little less known, and therefore makes it more difficult to write shellcode that works on every machine running the same version of Windows.

It isn't undefeatable.  Look up apache-scalp.c to see an exploit that used a bug in OpenBSD's memory protection scheme.

# captain BS said on May 31, 2006 3:40 PM:

bullshit

# Kevin Lam's Blog said on June 1, 2006 3:53 PM:

Michael Howard's blog entry on randomization of address space layout:&amp;nbsp; http://blogs.msdn.com/michael_howard/archive/2006/05/26/608315.aspx...

# UNX said on June 1, 2006 4:49 PM:

"ASLR is *not* present in any free linux distributions."

http://www.adamantix.org/
http://www.gentoo.org/proj/en/hardened/

# Guillermo Izarn??tegui Lay : » Windows Vista implementar?? ASLR (Address Space Layout Randomization) activado de serie said on June 1, 2006 4:58 PM:

PingBack from http://izarnotegui.com/gmo/2006/06/01/windows-vista-implementara-aslr-address-space-layout-randomization-activado-de-serie/

# Windows Vista Weblog » Vista vs Hackers said on June 1, 2006 6:14 PM:

PingBack from http://www.windowsvistaweblog.com/2006/06/01/vista-vs-hackers/

# Rosyna said on June 2, 2006 12:37 AM:

AFAIK, when the NX/XD bit is on and a buffer overflow is triggered, the processor throws an exception. Windows can catch this exception which allows it to determine why the process crashed.

Also, am I correct in assuming that ASLR only affects the entry points of DLLs and not the offsets of the functions?  In which case if a "sensitive" function exists within the same DLL as the function being exploited, ASLR wouldn't prevent this? Granted, Michael explicitly says that ASLR isn't a pancea.


(Why it would affect the offsets, I'm not sure, it would be some evil kind of hack though... a fun kind of evil).

Personally, I love the idea of piling on security features while writing secure code in the first place. As a "just in case" someone else hasn't taken the same care in writing secure code.

# inc said on June 3, 2006 2:15 AM:

These are features that have been apart of OpenBSD and even Fedora for quite some time. Why has it taken so long for Microsoft to implament these obvous secuirty features?  Do you think Microsoft will be ripping off more memory protection features form these secure operating systems?   When will microsoft add a new security technologies to the arena instaed of just taking from everyone else?

# checksum.org blog » Blog Archive » Windows Vista Beta 2 defends buffer overflow attacks said on June 3, 2006 6:09 AM:

PingBack from http://blog.checksum.org/2006/06/03/windows-vista-beta-2-defends-buffer-overflow-attacks/

# illusia said on June 3, 2006 6:07 PM:

That`s good,but when you start contribute to BSD Operating Systems?Never?Why?
You took to windows a lot of things.
It`s not fair and after this i can`t LOVE microsoft.

# rotty said on June 4, 2006 1:34 AM:

As carbonBased said, that you could just retrieve the memory points inwhich these files are loaded.  If this is not possible, jeese 1 in 256, i like those odds, you could easily write a brute-force style program, that trys all the address and authenticates the information retrieved by the information that is wanted.  This is an extremely short sited and incredibly silly idea.

Assuming that the code needed can't be verified by some sort of "Matching" with the code needed, simply retrieve every 256 entries, run under a VM, and test the output.  I may, be hard at first, yes may take someone 2 months to write the first exploit, but considering we will be using Vista for 3 to 7 years, they have plenty of time.

The platform and style of attacks may change in this case, but attackers, will not rest.

cheers, rotty

# 洒水车 said on June 4, 2006 9:34 PM:

肯定会有新的技术来对抗这种技术的，呵呵

# Nicolas Pouvesle said on June 5, 2006 4:55 AM:

ASLR + NX is a great step in Vista to protect against remote exploit.
However the current implementation does not offer protection if :

- the process is some kind of CGI
- the overflow only affects a thread (and does not crash the main process)
- the process is automatically restarted (service for example)

In those cases the process address space will always be the same and in the worst case you just have to try 256 addresses to find the good one.
The bruteforcer can take more steps if you need to use addresses in different dlls or if some patch change the address of the dll.

I hope we will see a randomization of the process address space each time a process is started (maybe in SP1 ;-) but at the same time I understand that there is an impact on the performance in opposite to the current approach.

# Weblog de Mauricio (W.O.L.F.) R. Arreola González said on June 5, 2006 12:19 PM:

1.- Revelaci&#243;n de informaci&#243;n en Mozilla Firefox2.- Actualizaciones para vulnerabilidad de Symantec3.-...

# ringtones free said on June 6, 2006 6:05 PM:

Hi! http://www.ringtones-dir.com/get/ ringtones site. ringtones site, Free nokia ringtones here, Download ringtones FREE. From website .

# Stewed Prunes... said on June 7, 2006 11:41 AM:

&amp;hellip;..well&amp;hellip;sort of.
Go check out Michael Howard&amp;rsquo;s post about Address Space Layout...

# Andrew said on June 7, 2006 12:17 PM:

Hi Michael, I remember having this argument for the inclusion of this 2 1/2 years ago...it's great that you have FINALLY come around to include it.  

Another advantage of this technology is detecting malicious code. With ASLR it will allow better signature detection / behavioural checking of malicious code from doing all the combinations to find the correct entry point, which given current rootkits not using the Win32Api, makes this more important.

Well done!

# Jeff Hotchkiss said on June 8, 2006 4:07 AM:

"simply retrieve every 256 entries, run under a VM, and test the output.":rotty

You appear to have missed the point. Programs like a Trojan cannot be defended against at all by this kind of security, because a Trojan is a program and programs have to run. That's what sandboxing and privileges are for.

Of course a program already running can spot what the current addresses are!

What ASLR does defend against is remote code execution which is modification of existing code in memory. You can't just try in an VM 256 times and hope. Typically you'll have crashed the app on the first try.

Remember, the exploits being defended against are the type where you DON'T have any malicious program running yet. If you can download a program to find out the DLL addresses onto a remote target, you have already gained sufficient access that you don't care about them.

# tuxedo-es.org » Microsoft Windows Vista: Measuring the security enhancements. said on June 11, 2006 9:25 AM:

PingBack from http://www.tuxedo-es.org/blog/2006/06/11/microsoft-windows-vista-measuring-the-security-enhancements-so-to-speak/

# Michael Howard's Web Log said on June 12, 2006 10:44 AM:

A couple of people have asked about the relationship between /GS, SAL and ASLR in Windows Vista. Here’s...

# Hasain Alshakarti [Net/Sec/Pen/Pki] said on June 14, 2006 4:50 PM:

ASLR&amp;nbsp;g&#246;r att adresser och pekare blir dynamiska i Vista, systemet slumpar nya Stack och Heap Adresser...

# criação said on June 19, 2006 6:27 PM:

nice blog, congratulations from brazil

# Matasano Chargen » Matasano Interviews IE Lead PM Christopher Vaughan said on June 20, 2006 12:17 PM:

PingBack from http://www.matasano.com/log/332/matasano-interviews-ie-lead-pm-christopher-vaughan/

# Cl??rigo » Blog Archive » (In)Seguridad en Vista said on July 12, 2006 12:27 PM:

PingBack from http://clerigo.alucardx.net/index.php/2006/07/12/inseguridad-en-vista/

# Windows Vista Security said on July 24, 2006 2:22 PM:

Thousands of people from around the world have been hard at work to ensure that Windows Vista is the...

# Windows Vista Team Blog said on July 24, 2006 10:54 PM:

One of Windows Vista's central tenets is to enhance Windows&amp;nbsp;security to such a degree that both...

# Robert McLaws: FunWithCoding.NET - Windows Vista Edition said on July 25, 2006 4:13 AM:

Symantec is so pissed at Microsoft for competing against it with OneCare, and for reducing the need for...

# Robert McLaws: FunWithCoding.NET - Windows Vista Edition said on July 25, 2006 9:16 PM:

Two articles got me thinking about this today. One was the ASLR article by Michael Howard that I linked...

# Windows Vista Download - » Blog Archive » Symantec: Crying Wolf on Windows Vista said on August 3, 2006 8:35 AM:

PingBack from http://www.windowsvistadownload.co.uk/?p=38

# Blog su Windows Vista » Archivio del Blog » Articoli tecnici su nuovi sistemi di autodifesa di Vista said on August 22, 2006 12:07 PM:

PingBack from http://puntodivista.wordpress.com/2006/08/22/articoli-tecnici-su-nuovi-sistemi-di-autodifesa-di-vista/

# Michael Howard's Web Log said on September 26, 2006 7:39 PM:

Today the Visual Studio 2005 team released Service Pack 1 Beta. Included in the beta is the new linker...

# Michael Howard's Web Log said on November 17, 2006 4:15 PM:

Today the Visual Studio 2005 team released Service Pack 1 Beta . Included in the beta is the new linker

# Michael Howard's Web Log said on December 6, 2006 1:20 AM:

As I mentioned in a previous series of posts , we recently had all the major OEMs on campus to discuss

# BB0.de said on March 15, 2007 6:08 PM:

Viele PCs werden für aufgerüstet oder durch neuere Modelle ersetzt, heute erworbene Prozessoren sind in der Regel 64-bit fähig, doch lohnt sich der Einsatz der 64-bit-Editionen von Windows Vista?Argumente für den Einsatz der 64-bit-Editionen von Window

# Michael Howard's Web Log said on April 4, 2007 6:49 PM:

From the Helping to Secure the Ecosystem Dept. Here’s some good news for people using CodeGear’s Delphi

# des r�gles poker said on January 30, 2008 4:31 AM:

Over credit card debt management uk jouer � la roulette online

# All Your Base Are Belong To Us said on March 16, 2008 5:01 PM:

Did you ever get a chance to blankly stare at a screen similar to the above, trying to recollect what

# IEBlog said on April 8, 2008 2:00 PM:

Hi, I’m Eric Lawrence from the Internet Explorer Security Team. With the RSA security conference kicking

New Comments to this post are disabled