
Michael Howard's Web Log

A Simple Software Security Guy at Microsoft!
Windows Vista Address Space Layout Randomization – What is Randomized?

A couple of people asked what “on by default” means with regards to ASLR in Windows Vista. The ‘default’ for ASLR in Windows Vista is:

• Stacks and heaps are randomized (stack randomization is on post-Beta 2)

• EXEs and DLLs shipping as part of the operating system are randomized

• All other EXEs and DLLs will need to explicitly opt in via a new PE header flag; by default they will not be randomized. Note that DLLs marked for randomization, such as system DLLs, will be randomized in every process (regardless of whether other binaries in that process have opted in or not).

I’ll outline the last point in more detail in the next few days.
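As an added illustration (this is not code from the original post), here is a small checker that reads the PE headers of a binary and reports whether it has opted in to ASLR. The post does not name the flag; the example assumes the opt-in bit is IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (0x0040) in the optional header's DllCharacteristics field, as documented in the PE/COFF specification. It also checks the COFF IMAGE_FILE_RELOCS_STRIPPED bit, because an image whose relocations were stripped cannot be rebased even when the opt-in bit is set. The build_test_image helper constructs a header-only PE32 image purely for testing; it is not a real binary.

```python
import struct

# Constants from the PE/COFF specification (values as in winnt.h).
IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # COFF Characteristics bit
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # Optional header DllCharacteristics bit
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def aslr_status(image: bytes) -> dict:
    """Inspect a PE image's headers and report whether it opted in to ASLR.

    An image is only relocatable at load time if DYNAMIC_BASE is set AND
    its relocation data was not stripped by the linker.
    """
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")

    # COFF file header (20 bytes) follows the 4-byte signature;
    # SizeOfOptionalHeader and Characteristics are its last two fields.
    coff = e_lfanew + 4
    size_of_optional, characteristics = struct.unpack_from("<HH", image, coff + 16)
    if size_of_optional < 72:
        raise ValueError("optional header too small to carry DllCharacteristics")

    opt = coff + 20
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unexpected optional header magic 0x{magic:x}")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers.
    (dll_chars,) = struct.unpack_from("<H", image, opt + 70)

    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "magic": magic,
        "dynamic_base": dynamic_base,
        "relocs_stripped": relocs_stripped,
        "aslr_eligible": dynamic_base and not relocs_stripped,
    }


def aslr_status_of_file(path: str) -> dict:
    """Convenience wrapper: run the check over a file on disk."""
    with open(path, "rb") as f:
        return aslr_status(f.read())


def build_test_image(dynamic_base: bool, relocs_stripped: bool = False) -> bytes:
    """Construct a minimal, header-only PE32 image for testing (constructed data, not a real binary)."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)

    characteristics = 0x0102  # IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE
    if relocs_stripped:
        characteristics |= IMAGE_FILE_RELOCS_STRIPPED
    size_of_optional = 224  # standard PE32 optional header size
    # Machine (i386), NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, size_of_optional, characteristics)

    optional = bytearray(size_of_optional)
    struct.pack_into("<H", optional, 0, PE32_MAGIC)
    dll_chars = IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE if dynamic_base else 0
    struct.pack_into("<H", optional, 70, dll_chars)

    return bytes(dos) + b"PE\0\0" + coff + bytes(optional)


if __name__ == "__main__":
    for flags in ((True, False), (False, False), (True, True)):
        print(flags, aslr_status(build_test_image(*flags)))
```

Pointing aslr_status_of_file at your own EXEs and DLLs is a quick way to confirm that a build actually carries the opt-in bit, rather than assuming it from the linker settings.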

Posted: Tuesday, June 06, 2006 9:30 AM by michael_HOWARD

Comments

Gabe said:

Are you saying that every DLL has to take the rebase perf hit?
# June 6, 2006 12:48 PM

The Insider said:

Michael Howard outlines just what exactly Windows Vista's Address Space Layout Randomization actually...
# June 6, 2006 2:39 PM

Hugo said:

I'm confused.

There's been a big hype about Vista's all-new "superfetch", which, as far as I understand, is able to cache/preload entire images of executables and DLLs.

However, how does this work with ASLR? I mean, if the DLL base is always different, the fixups (all over the code sections) are always different, and the image *cannot* be superfetched, can it?

Any thoughts?

Thanks :-)
Hugo
# June 7, 2006 11:26 AM

AC said:

I hope "randomized in every process" doesn't mean that it's different for each process, since then memory wouldn't be shareable?
# June 7, 2006 11:54 AM

michael_HOWARD said:

DLLs are relocated on reboot, so a DLL will be at a random location, and that location is fixed for all processes unless the machine is rebooted.
# June 12, 2006 1:00 PM