Unixronin

Friday, June 2nd, 2006 05:27 pm

Microsoft has added a feature called Address Space Layout Randomization, or ASLR, to Windows Vista beta 2.  They tout this as an important security feature.

Certain attacks attempt to call Windows system functions, such as the "socket()" function in "wsock32.dll," to open a network socket.  The new security feature moves these system files around so they're in unpredictable locations.  In Windows Vista Beta 2, a DLL or EXE file could be loaded into any of 256 locations, [Michael Howard, a senior security program manager at Microsoft] wrote.

"An attacker has a 1/256 chance of getting the address right," Howard wrote.

The article also mentions,

ASLR is not a Microsoft invention.  Several open-source security systems use it already, including OpenBSD, and the PaX and Exec Shield patches for Linux.

Now, maybe I'm missing something here, but... OK, so you randomize where things are loaded in your address space.  But your code and applications still have to be able to make library calls to a lot of that code.  So what do you do?  Does the OS handle "de-virtualizing" the calls automatically?  Do you have a public table where programs can look up the location of whatever they need to call?

The precise mechanism doesn't really matter.  The point is this:  If there is a mechanism to allow authorized code to still be able to call code in your load-address-randomized libraries, what's to stop malicious code from utilizing that exact mechanism?

Somebody using the alias "c0ntex" wrote in a reply to [David Litchfield, a researcher at Next Generation Security Software] that ASLR has been "trivially circumvented in Linux for years now."

Unless there's more to this than meets the eye, I don't see what's to stop it from being trivially circumvented on any OS.  ASLR seems to me to be something akin to trying to stop telemarketers from calling my phone by moving the phone somewhere else in the house and not telling them where I moved it.  Doing so may comfort me, but it doesn't matter to the telemarketers -- if they dial my number, my phone still rings.
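To make the mechanism asked about above concrete, here is an added example (not code from the original post, and not Microsoft's implementation): a small Linux/Python program that resolves the `socket` function the article mentions, finds the library's base from `/proc/self/maps`, and repeats the lookup in fresh processes to show that the function's offset inside the library is fixed by the library file while the base the loader picks is what moves. It assumes Linux with `/proc` and a dynamically linked Python; the `success_within` helper is added here only to express the article's 1/256 figure in terms of repeated guesses.

```python
import ctypes
import subprocess
import sys


def locate(symbol="socket"):
    """Resolve a libc function in this process; return (addr, base, offset).
    addr: where the loader put it this time (dlsym lookup, reached via ctypes);
    base: lowest mapping of the library file containing addr;
    offset: addr - base, fixed by the library file and unaffected by ASLR."""
    libc = ctypes.CDLL(None)  # handle to the libc already loaded in this process
    addr = ctypes.cast(getattr(libc, symbol), ctypes.c_void_p).value
    maps = []
    with open("/proc/self/maps") as fh:  # assumption: Linux with /proc mounted
        for line in fh:
            fields = line.split()
            start, end = (int(x, 16) for x in fields[0].split("-"))
            maps.append((start, end, fields[5] if len(fields) > 5 else ""))
    path = next(p for s, e, p in maps if s <= addr < e)
    base = min(s for s, _, p in maps if p == path)
    return addr, base, addr - base


def locate_in_fresh_process(symbol="socket"):
    """Repeat the lookup in a new interpreter so the loader picks a new base."""
    out = subprocess.run([sys.executable, __file__, symbol],
                         capture_output=True, text=True, check=True).stdout
    return tuple(int(x) for x in out.split())


def compare_runs(symbol="socket", runs=3):
    """Report which part of the address is fixed and which part moves."""
    results = [locate(symbol)] + [locate_in_fresh_process(symbol) for _ in range(runs)]
    return {
        "offset_is_fixed": len({r[2] for r in results}) == 1,
        "base_varies": len({r[1] for r in results}) > 1,  # False if ASLR is disabled
        "bases": [hex(r[1]) for r in results],
    }


def success_within(slots, guesses):
    """Chance that blind guessing among `slots` possible bases hits within `guesses`."""
    return 1 - (1 - 1 / slots) ** guesses


if __name__ == "__main__":
    if len(sys.argv) > 1:  # child mode: print "addr base offset" for the parent
        print(*locate(sys.argv[1]))
    else:
        print(compare_runs())
        print(f"256 possible bases: p(hit) within 178 guesses = {success_within(256, 178):.3f}")
```

Run it without arguments to see the same offset reported for every process while the bases differ (on a kernel with ASLR enabled); the lookup itself only works from inside the process that the loader relocated.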
