Windows Vista includes a new defense against buffer overrun exploits called address space layout randomization. ASLR. is just a way to hide insecure code, and make harder automated attacks on millions of machine except if....but I will come on that later
|Address space layout randomization (ASLR) is a computer security technique which involves arranging the positions of key data areas, usually including the base of the executable and position of libraries, heap, and stack, randomly in a process' address space.[WIKIPEDIA]|
In Vista, a DLL or EXE could be loaded into any of 256 locations, which means an attacker has a 1/256 chance of getting the address right. In short, this reduce the number of successful exploits. Vitsa address-space layouts are randomized only at boot time. Ae You safer with Vista? YES! and NO!
On a 32 bits machine, this protection is not working, simply because some smart people, have already worked on a way to circumvent ASLR, so a Linux PC will be more or less 216 seconds longer safe!
Google when typing ASLR give a second link (sic) this handy white paper: On the Effectiveness of AddressSpace Randomization
|we demonstrate a derandomization attack that will convert any standard buffer-overow exploit into an exploit that works against systems protected by address-space randomization. The resulting exploit is as effective as the original exploit, although it takes a little longer to compromise a target machine: on average 216 seconds to compromise Apache running on a Linux PaX ASLR system.|
Why it take so much time? because they have decide to translate the buffer overflow issue in the translated address space.. and brute forcing till success. In Apache, the famous opensource webserver, that mean 2^16 = 65; 536 probes at worst and 32,768 probes on the average....Vista has only 256 slots for a dll or exe...so how much time would it take? For all reader which like to play with pointer, the white paper is worth reading...
Vista has also long pointer obfuscation, long living address being encrypted and decrypted at runtime when needed...this long pointer values will have particularities like a high entropy values so easily reperable in memory even if they move then periodically or randomly from place to place (Like PGP caching keys in memory).
Implementation which randomizes the base address of the stack, heap, and code segments and adds random padding to stack frame and malloc() function calls. Since for sure the obfuscation algorithm is secret, it will break quite fast, as security by obscurity
has always be known to failed.
What would I like to say? first that this technology is nothing special, it is one technique among others, and will be broken quite fast depending on how informations the Operating system leak or how it was implemented Moreover, it is existing since a long time.
- In OpenBSD since year (BSD 4.0),
- In Linux since Kernel 2.6.12 (17 Jun 2005) or as an addon http://pax.grsecurity.net
- Third party company are selling addons for windows here are some: BufferShield (since 1998 for XP, 2000, 2003, NT4), WehnTrust (XP, 2000, 2003), StackGuard (compiler Canary and ASLR)
Canaries are not implemented in Vista but are also worth mentionning:
| StackGuard is a modified compiler which places canaries (the term canary can be used interchangeable with our use of the term cookie) around the return pointer in function. A buffer overflow will modify the canary on its way to overwriting the adjacent return pointer. If the function epilog detects a dirty canary, it rightly infers that an exploit has occurred, it logs the exploit and it aborts the program.|
Nothing will replace a well written code, that mean architecturally reviewed, with an open code, open to see, open to critics. Open Source IS the future.
You might like also
I was contacted 2 days ago by a thief. This technique is quite old (at least 3 years) but always worth mentioning. Your bank will credit the amount in a few days but. . . the certified check is a stolen one that will take 3 to 4 week to be rejected by your bank. Enough time for robber to get the item and some money from you (they will pick up the item and ask for the shipping …
3713 Days ago
The #Joomla Project announces the immediate availability of #Joomla 1.5.13 [Wojmamni ama baji]. This is a security release and users are strongly encouraged to upgrade immediately. This release contains 26 bug fixes, two moderate-level security fixes and one low-level security fix. It has been 3 weeks since Joomla 1.5.12 was released on July 1, 2009. The Development Working Group's goal is to continue to provide regular, frequent updates to the #Joomla community. Statistics Statistics for the 1.5.13 release period: Joomla …
3829 Days ago
I will use it on my host very soon, if you have your own root server, this tool must be part of your administrator toolbox. #Joomla! team use it to test the core framework, so we should be on the safe side, unfortunately we are are all using too many plug-ins that may be unsecure.. Here is how a report generated using Acunetix WVS look like (PDF - 1.5MB). Acunetix Web Vulnerability Scanner automatically scans your web applications / website …
3898 Days ago
This list is an ongoing work and since the version 1.0 (01 March 2008), a lot of nodes/ideas and now links have been added. The tree is also now a lot more structured... Secure, Safe, Fast #Linux Hosting sound silly as nothing can be fast and secure at the same time, but I've compiled a list of things that are worth doing if you are maintaining your own server. This list is clearly targeted for people running an open source …
4095 Days ago
This list is an ongoing work and since the version 1.0 (01 March 2008), a lot of nodes/ideas have been added. Secure, Safe, Fast #Linux Hosting sound silly as nothing can be fast and secure at the same time, but I've compiled a list of things that are worth doing if you are maintaining your own server. This list is clearly targeted for people running an open source stack made of Apache, MySQL, PHP and #Linux. By clicking read more, …
4143 Days ago
First let's refresh some definitions...set user ID (SUID) The SUID permission causes a script to run as the user who is the owner of the script, rather than the user who started it. It is normally considered extremely bad practice to run a program in this way as it can pose many security problems. set group ID (SGID) The SGID permission causes a script to run with its group set to the group of the script, rather than the group …
4151 Days ago
IBM Alphaworks have release a library for supporting the IETF SSH-2 protocol aka SSH (WikiPedia)IBM Secure Shell Library for #Java is a lightweight implementation of the IETF SSH-2 protocol. The library currently implements only the basic SSH features such as password log-in and command execution. Advanced features such as tunning and X-forwarding are currently not supported. …
5111 Days ago
The National Security Agency (NSA)NSA/ Central Security Service (NSA/CSS) is a United States government agency responsible for both the collection and analysis of message communications, and for the security of government communications against similar agencies elsewhere. It is a part of the Department of Defense. ... ) [WikiPedia]has developed and distributed configuration guidance for Microsoft Windows NT and Windows 2000 in the form of configuration guides. These guides are currently being used throughout the government and by numerous entities as …
5194 Days ago
Some examples of what is going on in online eBanking applications securities...Lloyds TSB is going from a 2 stage login system to a securid (2 stage login definition at WikiPedia)in order to reduce online fraud...First, users must enter a username and password. Then, on a second screen, they are asked to use drop-down menus to choose three letters from a self-chosen memorable piece of information. The aim of using menus rather than the keyboard has been to defeat so-called "keyloggers", …
5198 Days ago
After Microsoft Warns of New Security Threat System monitoring programs, called rootkits, may pose a serious danger to your PC. it is time to see what offering is available to protect our PCs...A root kit is a set of tools used by an intruder after cracking a computer system. These tools can help the attacker maintain his or her access to the system and use it for malicious purposes. Root kits exist for a variety of operating systems such as …
5198 Days ago