Microsoft has added a feature called Address Space Layout Randomization, or ASLR, to Windows Vista beta 2. They tout this as an important security feature.
Certain attacks attempt to call Windows system functions, such as the "socket()" function in "wsock32.dll," to open a network socket. The new security feature moves these system files around so they're in unpredictable locations. In Windows Vista Beta 2, a DLL or EXE file could be loaded into any of 256 locations, [Michael Howard, a senior security program manager at Microsoft] wrote.
"An attacker has a 1/256 chance of getting the address right," Howard wrote.
The article also mentions,
ASLR is not a Microsoft invention. Several open-source security systems use it already, including OpenBSD, and the PaX and Exec Shield patches for Linux.
Now, maybe I'm missing something here, but... OK, so you randomize where things are loaded in your address space. But your code and applications still have to be able to make library calls to a lot of that code. So what do you do? Does the OS handle "de-virtualizing" the calls automatically? Do you have a public table where programs can look up the location of whatever they need to call?
The precise mechanism doesn't really matter. The point is this: If there is a mechanism to allow authorized code to still be able to call code in your load-address-randomized libraries, what's to stop malicious code from utilizing that exact mechanism?
Somebody using the alias "c0ntex" wrote in a reply to [David Litchfield, a researcher at Next Generation Security Software] that ASLR has been "trivially circumvented in Linux for years now."
Unless there's more to this than meets the eye, I don't see what's to stop it from being trivially circumvented on any OS. ASLR seems to me to be something akin to trying to stop telemarketers from calling my phone by moving the phone somewhere else in the house and not telling them where I moved it. Doing so may comfort me, but it doesn't matter to the telemarketers -- if they dial my number, my phone still rings.
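The question in the post (how does authorized code still reach a randomized library, and why can't a payload use the same path) has a concrete answer, and a toy model makes it easy to see. This is an added example written for this page; it is not code from Microsoft, PaX, OpenBSD or the article. The "public table" does exist: it is the program's own import table (the IAT on Windows, the GOT on ELF), and the loader writes the resolved addresses into it at load time, in the program's memory. A payload injected later is just bytes the loader never saw, so nothing relocates the address baked into it. The base addresses, slot spacing, socket() offset and the 256-slot count are assumed constants (256 is the figure quoted above); the process address space is reduced to a single "does this address hold socket()?" check.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy model of load-address randomization with 256 candidate bases, the
 * figure quoted for the Vista beta. Added example; not Microsoft's, PaX's or
 * OpenBSD's code. All addresses and offsets below are invented constants. */

#define SLOTS           256
#define SLOT_SIZE       0x10000u     /* assumed spacing between candidate bases */
#define LIB_LOWEST_BASE 0x7c800000u  /* assumed lowest base the "library" can get */
#define SOCKET_OFFSET   0x1234u      /* assumed offset of socket() inside the library */
#define FAKE_FD         3            /* what our stand-in socket() returns */

/* The library's one export. */
static int fake_socket(void) { return FAKE_FD; }

/* Where the loader put the library in this process; set once per "load". */
static uint32_t lib_base;

/* One import-table entry (IAT on Windows, GOT on ELF). The loader writes the
 * resolved address here, inside the program's own memory. */
struct program { uint32_t iat_socket; };

/* Simulated loader: pick a slot, map the library there, patch the import. */
static void load(struct program *p, uint8_t slot) {
    lib_base = LIB_LOWEST_BASE + (uint32_t)slot * SLOT_SIZE;
    p->iat_socket = lib_base + SOCKET_OFFSET;
}

/* A call through an absolute address. Only the address that really holds
 * socket() works; anything else is a wild jump that would crash a real process. */
static int call_absolute(uint32_t addr) {
    return addr == lib_base + SOCKET_OFFSET ? fake_socket() : -1;
}

/* Legitimate code never knows the address itself: it calls through the
 * import entry the loader filled in. */
static int program_calls_socket(const struct program *p) {
    return call_absolute(p->iat_socket);
}

/* Injected payload: bytes written into the process after the loader ran.
 * Nothing relocates them, so the address inside is whatever the attacker
 * observed on some other run or machine. That is its entire "lookup table". */
struct payload { uint32_t hardcoded_socket; };

static int payload_calls_socket(const struct payload *sc) {
    return call_absolute(sc->hardcoded_socket);
}

/* Try every layout and count how many let each caller reach socket(). */
struct outcome { int program_ok; int payload_ok; };

struct outcome run_all_layouts(uint8_t attacker_observed_slot) {
    struct outcome o = {0, 0};
    struct payload sc = {
        LIB_LOWEST_BASE + (uint32_t)attacker_observed_slot * SLOT_SIZE + SOCKET_OFFSET
    };
    for (int slot = 0; slot < SLOTS; slot++) {
        struct program p;
        load(&p, (uint8_t)slot);
        if (program_calls_socket(&p) == FAKE_FD) o.program_ok++;
        if (payload_calls_socket(&sc) == FAKE_FD) o.payload_ok++;
    }
    return o;
}

int main(void) {
    struct outcome o = run_all_layouts(17);   /* attacker saw slot 17 on their own box */
    printf("layouts in which the program reaches socket(): %d of %d\n", o.program_ok, SLOTS);
    printf("layouts in which the payload reaches socket(): %d of %d\n", o.payload_ok, SLOTS);
    return 0;
}
```

The program succeeds in all 256 layouts and the payload in exactly one, which is the 1/256 figure from the quote. The caveat a practitioner would add: the import table is only useful to the attacker if they know where the table itself is, so the protection holds only if every module in the process, the main executable included, is randomized too; one module loaded at a fixed address gives the attacker a fixed table and fixed code to jump into. That, plus information leaks that reveal the chosen base, rather than any "de-virtualizing" mechanism, is where ASLR bypasses come from.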
no subject
Heh. Damn straight.
-Ogre
Though, again, trivial to get around. Oooh! I have to search 256 rooms of your house to find which one has the phone... on a 2 GHz machine... yeah, that 256-item search is going to take SO long. And if I find a copy in all 256 locations and just don't know which one is real, then, hey, how long would it take me to infect all 256 copies?
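The cost of that 256-room search depends on one thing the comment does not mention: whether the target picks a new layout between guesses. This added example (written for this page, not code from any commenter or from a real ASLR implementation) models both cases. A wrong guess at a code address crashes the process, so the attacker only gets to search if the service comes back. If it comes back with the same layout (a child of a forking server inherits the parent's layout; only a fresh exec re-randomizes), the attacker walks the 256 candidates in order and is guaranteed to finish within 256 tries. If each crash re-executes the service with a fresh draw, every try is an independent 1-in-256 event: the expected number is 256 but there is no upper bound. The xorshift32 generator stands in for the kernel's randomness and is an assumption, as is the per-run seed mixing.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy model of guessing one of 256 load addresses, the Vista beta figure.
 * Added example, not from the article or the commenters. */

#define SLOTS 256

/* Case 1: the layout is fixed across attempts (long-lived process, or the
 * children of a forking server, which inherit the parent's layout). A failed
 * guess only kills a child, so the attacker walks the candidates in order.
 * Returns the number of tries needed; never more than SLOTS. */
int attempts_fixed_layout(uint8_t true_slot) {
    int attempts = 0;
    for (int guess = 0; guess < SLOTS; guess++) {
        attempts++;
        if (guess == true_slot) return attempts;
    }
    return -1; /* unreachable: every slot is tried */
}

/* xorshift32 stands in for the kernel's random draw (assumed; not any real
 * ASLR implementation). State must be non-zero. */
static uint32_t xorshift32(uint32_t *state) {
    uint32_t x = *state;
    x ^= x << 13;
    x ^= x >> 17;
    x ^= x << 5;
    return *state = x;
}

/* Case 2: the target is re-executed after every crash and draws a fresh slot
 * each time. Each attempt succeeds with probability 1/256 independently, so
 * the expected count is 256 and there is no maximum; `cap` just stops the
 * simulation. Returns attempts used, or -1 if the cap was reached. */
int attempts_rerandomized(uint32_t seed, int cap) {
    uint32_t rng = seed ? seed : 1;
    uint8_t guess = 0;              /* a fixed guess does as well as any other */
    for (int attempts = 1; attempts <= cap; attempts++) {
        uint8_t slot = (uint8_t)(xorshift32(&rng) >> 24);
        if (slot == guess) return attempts;
    }
    return -1;
}

/* Average the re-randomized case over many independent runs to check the
 * 256 estimate empirically. */
double mean_attempts_rerandomized(uint32_t seed, int runs, int cap) {
    long total = 0;
    for (int i = 0; i < runs; i++) {
        /* assumed per-run seed mixing, good enough for a toy */
        uint32_t sub = (seed + (uint32_t)i) * 2654435761u;
        int a = attempts_rerandomized(sub ? sub : 1, cap);
        total += a < 0 ? cap : a;
    }
    return (double)total / runs;
}

int main(void) {
    printf("fixed layout, true slot 200: %d tries (worst case %d)\n",
           attempts_fixed_layout(200), SLOTS);
    printf("re-randomized, one run: %d tries\n", attempts_rerandomized(42, 1 << 20));
    printf("re-randomized, mean over 4000 runs: %.1f tries\n",
           mean_attempts_rerandomized(7, 4000, 1 << 20));
    return 0;
}
```

Either way, eight bits is a small search on a 2 GHz machine, which is the comment's point; the practical difference is that the fixed-layout case is also quiet, since a single exploit attempt that happens to be right produces no crash log, while the re-randomized case leaves a trail of crashed processes behind the roughly 256 attempts it needs. Later implementations widened the search space by randomizing more bits, particularly on 64-bit, which is the only real fix for the brute-force case.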
no subject
actually, it's not a bad idea...
http://blogs.msdn.com/michael_howard/archive/2006/05/26/608315.aspx
Then again, Linux has had it for some time. Here's an interesting set of commentary on it:
http://www.stanford.edu/~blp/papers/asrandom.pdf
It ends up being another method to help fortify a system against certain classes of security attacks with a very small penalty imposed at runtime.