Alleged Bugs in Windows Vista’s ASLR Implementation

re: Alleged Bugs in Windows Vista’s ASLR Implementation

Dean Harding — Thu, 05 Oct 2006 03:18:09 GMT

> if you navigate to a Website and your browser crashes, will you go back to that site > another 255 times Actually, I was going to reply back saying that while *I* wouldn't go, you'd only have to convince another 255 people to go there instead. But then I did some calculations... Botnets today of 10,000 computers are not uncommon (even 100,000 computers). With only a 1:256 chance of infecting a computer, that reduces my botnet to only 40 (or 400) computers. And given that most botnets grow using the infected computers as a launching point, with only 40 computers in my botnet, growing it to just 400 will be quite difficult. So yeah, I agree that 1:256 is probably enough - at least in the initial version! I imagine there plenty more up your sleeves for version 2.0 :)

re: Alleged Bugs in Windows Vista’s ASLR Implementation

michael_HOWARD — Thu, 05 Oct 2006 07:54:38 GMT

Dean, don't forget that ASLR is just *one* defense in Windows Vista. There are a ton of other defenses in IE7 and the OS as a whole, and they are all enabled by default :)

re: Alleged Bugs in Windows Vista’s ASLR Implementation

Ali Rahbar — Thu, 05 Oct 2006 18:59:03 GMT

Hi, I am the author of the paper on Vista's ASLR. I just want everyone to know that after further analysis with the help of Microsoft's security engineers I have find out why the entropy of the stack (EBP) was so low on my machine. There is two phase of randomization on Vista. In my analysis I was using the stack range (from the TEB) to measure the entropy. The second phase is done after that the stack range is initialized(EBP is randomized). So my analysis doesn’t reflect the second phase of randomization which is quite important. So dont worry Vista's stack randomization is OK.

re: Alleged Bugs in Windows Vista’s ASLR Implementation

Deonna — Fri, 06 Oct 2006 13:07:54 GMT

Michael, are you the same old friend who wrote the book on the head of a pin? just curious if you're the same michael howard. I'm enjoying your blog :) Hugs, Deonna dpogo@aol.com

re: Alleged Bugs in Windows Vista’s ASLR Implementation

Darren — Wed, 11 Oct 2006 18:42:40 GMT

Michael, is there a way to disable ASLR? The randomization makes it difficult to track down certain types of bugs when developing native applications.

re: Alleged Bugs in Windows Vista’s ASLR Implementation

mn19522 — Sun, 15 Oct 2006 18:13:34 GMT

I wrote to experts-exchange about this paper and they referred me to your blog, which I joined. I am glad that the research was incomplete and that Microsoft had not ignored, but actually improved upon what the reseacher reported.

I realize that the following is only tangentially related to security, but your blog gives me the opening. Perhaps you can redirect me to the correct person to answer this innane question regarding naming conventions, if there are any relating to this particular file.

I have a question about how Microsoft comes up with names. In this case there is no indication that the MountPoint name is a Microsoft product. This name caused my security scanning software and me unnecessary problems. I spent the last three days and nights researching a potential problem that was flagged by the AVG Anti-Malware 7.5 software. It is a folder known as: C:\System Information Folder\MountPointManagerRemoteDatabase. AVG provided a warning flag, but no capability to remove or quarantine it. I used Google to try to find out what this was and most identified it as a Root Kit. Worrisome to say the least because this is the first time that anything got through my defenses. In desperation, I finally called Microsoft security. They told me that this folder and MountPoint were part of the operating system relating to disk management. A big sigh and a refreshing sleep.

I immediatly wrote to AVG and asked them to remove this from their potential bad things file. False positives can cause agony!

Can you 'splain to me how this name was selected and are there any other names which one would never think to be part of a that one should be concerned about triggering a response from one of my many scanners? Kidding about the other names curious on how these non Microsoft names are created. Sincerely, Michael

re: Alleged Bugs in Windows Vista’s ASLR Implementation

Julien — Tue, 17 Oct 2006 18:44:45 GMT

You can also use slipfest to detect ASLR in Vista. Slipfest will launch several processes and threads for you, record some addresses (stack, TEB, PEB...) and run a basic statistical analysis.

Feel free to add better statistical analysis though :)

re: Alleged Bugs in Windows Vista’s ASLR Implementation

michael_HOWARD — Thu, 19 Oct 2006 06:57:54 GMT

Names: based on my experience, there is no one person or group in charge of names like directory names. That being said, which OS are you using?

re: Alleged Bugs in Windows Vista’s ASLR Implementation

Steve — Wed, 01 Nov 2006 17:13:36 GMT

void main? The guys in comp.lang.c go nuts about this. Per ANSI/ISO, main must return int.

re: Alleged Bugs in Windows Vista’s ASLR Implementation (exception misdirection)

Arron Alexander — Fri, 03 Nov 2006 21:36:37 GMT

When I first heard of this particular implimentation, I was strucken with a few ways to potentially overcome this security implimentation. One way around this could simply be as easy as subtle misdirection of exception handling (ELF for example).

Consider your 1/256 chance (1 byte of Rand()), combine it with random string mechanisms that are checked against stack return events (why not just use crc md5/sha1 checks [proc time maybe?]), and we find there to be many similar potential points of "failure" for any possable outcome anyway.

All it takes is one way, and it's only a matter of time and talent.

A step in the right direction.

re: Alleged Bugs in Windows Vista’s ASLR Implementation

Maxim Masiutin — Fri, 29 Dec 2006 21:09:35 GMT

I use Delphi compiler and cannot run Microsoft’s link.exe to set a new flag in the PE header. Is therer any application that patches the PE header of the compiled EXE file to set the new flag to my application?

re: Alleged Bugs in Windows Vista’s ASLR Implementation

michael_HOWARD — Sat, 30 Dec 2006 00:38:27 GMT

Maxim - lemme see what we can do :)

fwiw, you *can* use the MS linker with Delphi, at least that's what I'm told!

Editing Delphi executables

Maxim Masiutin — Mon, 01 Jan 2007 05:36:21 GMT

Do you mean editing the compiled Delphi executables by MS linker using link /edit /dynamicbase (or editbin /dynamicbase )?