Windows Vista  includes a new defense against buffer overrun exploits called address space layout randomization. ASLR. is just a way to hide insecure code, and make harder automated attacks on millions of machine except if....but I will come on that later

Address space layout randomization (ASLR) is a computer security technique which involves arranging the positions of key data areas, usually including the base of the executable and position of libraries, heap, and stack, randomly in a process' address space.[WIKIPEDIA]

In Vista, a DLL or EXE could be loaded into any of 256 locations, which means an attacker has a 1/256 chance of getting the address right. In short, this reduce the number of successful exploits. Vitsa address-space layouts are randomized only at boot time. Ae You safer with Vista? YES! and NO!

On a 32 bits machine, this protection is not working, simply because some smart people, have already worked on a way to circumvent ASLR, so a Linux PC  will be more or less 216 seconds longer safe!
Google when typing ASLR give a second link (sic) this handy white paper: On the Effectiveness of AddressSpace Randomization
we demonstrate a derandomization attack that will convert any standard buffer-overow exploit into an exploit that works against systems protected by address-space randomization. The resulting exploit is as effective as the original exploit, although it takes a little longer to compromise a target machine: on average 216 seconds to compromise Apache running on a Linux PaX ASLR system.
http://www.stanford.edu/~blp/papers/asrandom.pdf

Why it take so much time? because they have decide to translate the buffer overflow issue in the translated address space.. and brute forcing till success. In Apache, the famous opensource webserver,  that mean 2^16 = 65; 536 probes at worst and 32,768 probes on the average....Vista has only 256 slots for a dll or exe...so how much time would it take?  For all reader which like to play with pointer, the white paper is worth reading...

Vista has also long pointer obfuscation, long living address being encrypted and decrypted at runtime when needed...this long pointer values will have particularities like a high  entropy values so easily reperable in memory even if they move then periodically or randomly from place to place (Like PGP caching keys in memory).

Implementation which randomizes the base address of the stack, heap, and code segments and adds random padding to stack frame and malloc() function calls. Since for sure the obfuscation algorithm is secret, it will break quite fast, as security by obscurity has always be known to failed.

What would I like to say? first that this technology is nothing special, it is one technique among others, and will be broken quite fast depending on how informations the Operating system leak or how it was implemented Moreover, it is existing since a long time.
  • In OpenBSD since year (BSD 4.0),
  • In Linux since Kernel 2.6.12  (17 Jun 2005) or as an addon http://pax.grsecurity.net
  • Third party company are selling addons for windows here are some: BufferShield (since 1998 for XP, 2000, 2003, NT4),  WehnTrust (XP, 2000, 2003), StackGuard (compiler Canary and ASLR)
Canaries are not implemented in Vista but are also worth mentionning:

StackGuard is a modified compiler which places canaries (the term canary can be used interchangeable with our use of the term cookie) around the return pointer in function. A buffer overflow will modify the canary on its way to overwriting the adjacent return pointer. If the function epilog detects a dirty canary, it rightly infers that an exploit has occurred, it logs the exploit and it aborts the program.

Nothing will replace a well written code, that mean architecturally reviewed,  with an open code, open to see, open to critics. Open Source IS the future. 
comments powered by Disqus

You might like also

Thief acting on forums
  I was contacted 2 days ago by a thief. This technique is quite old (at least 3 years) but always worth mentioning. Your bank will credit the amount in a few days but. . . the certified check is a stolen one that will take 3 to 4 week to be rejected by your bank. Enough time for robber to get the item and some money from you (they will pick up the item and ask for the shipping …
3352 Days ago
Joomla 1.5.13 Security Release Available
The Joomla Project announces the immediate availability of Joomla 1.5.13 [Wojmamni ama baji]. This is a security release and users are strongly encouraged to upgrade immediately. This release contains 26 bug fixes, two moderate-level security fixes and one low-level security fix. It has been 3 weeks since Joomla 1.5.12 was released on July 1, 2009. The Development Working Group's goal is to continue to provide regular, frequent updates to the Joomla community. Statistics Statistics for the 1.5.13 release period: Joomla …
3468 Days ago
Acunetix free edition now available
I will use it on my host very soon, if you have your own root server, this tool must be part of your administrator toolbox. Joomla! team use it to test the core framework, so we should be on the safe side, unfortunately we are are all using too many plug-ins that may be unsecure.. Here is how a report generated using Acunetix WVS look like (PDF - 1.5MB). Acunetix Web Vulnerability Scanner automatically scans your web applications / website …
3537 Days ago
Secure, Safe, Fast Linux Hosting v1.4.0
This list is an ongoing work and since the version 1.0 (01 March 2008), a lot of nodes/ideas and now links have been added. The tree is also now a  lot more structured... Secure, Safe, Fast Linux Hosting sound silly as nothing can be fast and secure at the same time, but I've compiled a list of things that are worth doing if you are maintaining your own server. This list is clearly targeted for people running an open source …
3734 Days ago
No Thumbnail was found
This list is an ongoing work and since the version 1.0 (01 March 2008), a lot of nodes/ideas have been added. Secure, Safe, Fast Linux Hosting sound silly as nothing can be fast and secure at the same time, but I've compiled a list of things that are worth doing if you are maintaining your own server. This list is clearly targeted for people running an open source stack made of Apache, MySQL, PHP and Linux. By clicking read more, …
3782 Days ago
No Thumbnail was found
First let's refresh some definitions...set user ID (SUID) The SUID permission causes a script to run as the user who is the owner of the script, rather than the user who started it. It is normally considered extremely bad practice to run a program in this way as it can pose many security problems. set group ID (SGID) The SGID permission causes a script to run with its group set to the group of the script, rather than the group …
3790 Days ago
No Thumbnail was found
IBM Alphaworks have release a library for supporting the IETF SSH-2 protocol aka SSH (WikiPedia)IBM Secure Shell Library for Java is a lightweight implementation of the IETF SSH-2 protocol. The library currently implements only the basic SSH features such as password log-in and command execution. Advanced features such as tunning and X-forwarding are currently not supported. …
4750 Days ago
No Thumbnail was found
The National Security Agency (NSA)NSA/ Central Security Service (NSA/CSS) is a United States government agency responsible for both the collection and analysis of message communications, and for the security of government communications against similar agencies elsewhere. It is a part of the Department of Defense. ... ) [WikiPedia]has developed and distributed configuration guidance for Microsoft Windows NT and Windows 2000 in the form of configuration guides. These guides are currently being used throughout the government and by numerous entities as …
4833 Days ago
No Thumbnail was found
Some examples of what is going on in online eBanking applications securities...Lloyds TSB is going from a 2 stage login system to a securid (2 stage login definition at WikiPedia)in order to reduce online fraud...First, users must enter a username and password. Then, on a second screen, they are asked to use drop-down menus to choose three letters from a self-chosen memorable piece of information. The aim of using menus rather than the keyboard has been to defeat so-called "keyloggers", …
4837 Days ago
No Thumbnail was found
After Microsoft Warns of New Security Threat System monitoring programs, called rootkits, may pose a serious danger to your PC. it is time to see what offering is available to protect our PCs...A root kit is a set of tools used by an intruder after cracking a computer system. These tools can help the attacker maintain his or her access to the system and use it for malicious purposes. Root kits exist for a variety of operating systems such as …
4837 Days ago