Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

ALSR in Vista Gets OEM Push

Posted by Zonk on Fri Dec 15, 2006 01:35 PM
from the at-leas-they're-trying dept.
Security Microsoft Operating Systems Software Windows Hardware
gr00ve writes "Eweek is reporting that all the major OEMs will enable DEP/NX in their BIOSes by default to allow Address Space Layout Randomization (ASLR), a new security feature in Windows Vista, to work as advertised. ASLR, which is used to randomly arrange the positions of key data areas to block hackers from predicting target addresses, is meant to make Windows Vista more resilient to virus and worm attacks." From the article: "Because most CPUs that ship today support DEP/NX, Howard explained that Vista users on older hardware can use the control panel to manually verify that PCs have DEP enabled. With full support from OEMs, Microsoft is effectively using ASLR to create software diversity within a single operating system, a move that is widely seen as Redmond's attempt to address the monoculture risk. The memory-space randomization technique will block the majority of buffer overflow tricks used in about two-thirds of all worm and virus attacks."
+ -
story
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

ALSR in Vista Gets OEM Push 50 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • grsec (Score:2, Interesting)

    by Jon Howard (247978)
    Didn't grsec implement something like this ages ago?

    • Re:grsec (Score:5, Informative)

      by oojah (113006) on Friday December 15 2006, @01:52PM (#17259102) Homepage
      It's PaX actually, but yes. You can randomise the kernel stack base, the user stack base and the mmap() base.

      Security Options->PaX->Address Space Layout Randomisation in your kernel config, assuming you have the appropriate patches installed.

      Cheers,

      Roger

      • Re:grsec (Score:5, Insightful)

        by defile (1059) on Friday December 15 2006, @02:51PM (#17260056) Homepage Journal

        This probably isn't such a big deal for open source.

        With Windows, whole swaths of the user community are running nearly identical binaries so malware authors have a large attractive market for their worms.

        With Linux, you have virtually thousands of possible binary configurations due to the high prevalence of custom compiled from source and the sheer number of competing distributions with frequent releases. Reduces the attraction.

        DISCLAIMER: Yes, I know, there are players who target niches, this rationale isn't bullet proof.

        DISCLAIMER2: Yes, address space virtualization can't stop all buffer overflow exploits either.

        • Re: (Score:3, Insightful)

          by oojah (113006)
          Randomizing the stack sounds like a great idea, to cure the symptom; Not the problem.

          Right, but that doesn't mean we shouldn't do it.

          Cheers,

          Roger

  • I feel dumb. (Score:5, Funny)

    by bigdavex (155746) on Friday December 15 2006, @01:40PM (#17258896)
    ALSR?

    34/en/m/c

  • Linux virtual address randomization (Score:2, Interesting)

    by Anonymous Coward
    Isn't this the same as Linux virtual address randomization [techtarget.com] that works without BIOS?

    • Re:Linux virtual address randomization (Score:5, Informative)

      by Rosyna (80334) on Friday December 15 2006, @01:50PM (#17259086) Homepage
      Isn't this the same as Linux virtual address randomization that works without BIOS?

      Yes, but the NX bit enforcement is part of a larger security push. It just happens that most articles confuse ASLR with NX (or are fuzzy on the details of each) when talking about them both. Part of the confusion is the fact in order for ASLR to be effective, then the NX bit should be enforced [msdn.com]. AFAICT, ASLR doesn't actually require NX at all and it's a mistake these "technical journalists" are making.

      Basically, Vista adds a bunch of walls to increase security. the NX bit and ASLR are just two separate instances of those walls.

      The big news is that even though some OEMs have previously disabled the NX bit in the BIOS (due to software compatibility issues), they've said they'll enable it by default in the future.

  • Nice to see them taking steps like this.

    Alas, it's going to cause me some personal heartache. Presently, I know by heart the memory address ranges of the various core Windows components.

    • I know by heart the memory address ranges of the various core Windows components

      You win. You are officially the biggest geek here -- and that's saying something!

      Seriously, if you have this kind of shit memorized, you really need to get laid.
      • Someone here has a sig which seems massively relevant just now:

        Three kinds of knowledge:
        1. Need to know
        2. Nice to know
        3. Get a life
        Someone is definitely in category 3.

      • Re:Mixed news (Score:4, Funny)

        by gsn (989808) on Friday December 15 2006, @01:59PM (#17259204)
        You must be new here. this is Slashdot. Hes never gotten a PEEK at anything before let alone got to POKE it.

        Even the nerd chicks don't think memorizing memory address ranges is cool.
        • ...but the power-on self-test for the Commodore PET 3032 was at location 65520, as I recall. What always seemed odd to me was that a machine that had an OS entirely in ROM and a software reboot would actually crash more than a third of the time when running the reboot.

  • This is good news (Score:5, Funny)

    by ENOENT (25325) on Friday December 15 2006, @01:48PM (#17259046) Homepage Journal
    Now if only Microsoft could develop a system for delivering electric shocks to users who run untrusted executables they receive in email, that would be something.
  • On the flipside, this "diversity" will increase the incidence of intermittent bugs. But hey, with Windows, who'll notice the difference anyway?

  • NX (Score:5, Funny)

    by ThurstonMoore (605470) on Friday December 15 2006, @01:52PM (#17259110)
    I have noticed if DEP is turned on in XP when I look at the folder with all my porn and thumbnails are turned on it causes Explorer to crash. I hope they fix this.
  • What exactly can the BIOS do with the hardware that the OS or boot loader can't? Err , nothing as far as I'm aware so whats the deal here?

    • Re: (Score:3, Informative)

      by julesh (229690)
      What exactly can the BIOS do with the hardware that the OS or boot loader can't? Err , nothing as far as I'm aware so whats the deal here?

      As I understand it, there's a method that can be used to disable NX protection on some processors. Some BIOSs/motherboards do this. Once it is done, there's no way for the OS to undo it.

      What all this has to do with ASLR is beyond me.
  • "Windows Vista also introduces ..., kernel patch protection, mandatory driver signing..."

    So they make it more difficult for new hardware to be developed, and more difficult for hardware hacking in general. Unless you just click "allow this driver to run". That's going to make lots of people who develop non-mass marketed hardware very unhappy.

    The kernel patch protection sounds like a good security feature. Unless the server they serve patches from gets compromised, or unless someone finds a way to disable/

    • There is no "allow this driver to run". Under normal operation on Vista x64, drivers must be signed by a "trusted" authority (making your own root cert doesn't work), or they won't load. Period. The only way to get past it is to hit F8 when the computer boots, which only turns off mandatory signing for that session.

    • "Windows Vista also introduces ..., kernel patch protection, mandatory driver signing..."

      So they make it more difficult for new hardware to be developed, and more difficult for hardware hacking in general. Unless you just click "allow this driver to run". That's going to make lots of people who develop non-mass marketed hardware very unhappy.
       ... or make them port thier non-mass market stuff to Linux.

  • so how will this affect installing Linux? (Score:4, Interesting)

    by advocate_one (662832) on Friday December 15 2006, @02:09PM (#17259374)
    if this thing is done in the BIOS? will it make it extra hard to do duel boot?

  • band-aid (Score:3, Insightful)

    by bcrowell (177657) on Friday December 15 2006, @02:09PM (#17259382) Homepage

    If there are buffer overflows, isn't the solution to fix the buffer overflows?

    I keep hearing about stuff people do on Windows to avoid viruses, and it all seems predicated on the assumption that every Windows machine is going to get infected, so then you have to mitigate the damage. For instance, I've heard people say that even if you have a Windows box sitting on your desk at home, you should make a habit of logging off when you're not using it, because that way if yout box gets owned and starts sending out penis enlargement spam, the amount of spam being sent out will be reduced.

    Shouldn't the idea be to keep your machine from having hostile code run on it at all?? All this kind of stuff seems like telling people to go ahead having unsafe sex, but then take vitamin C afterward to help boost their immune system and reduce the harm done by the HIV virus.

    Heck, if I found out my Linux box had been owned, my reaction would probably be to wipe the hard disk, reinstall Ubuntu, and restore all my user files from backup. I don't have the expertise that would be needed to do forensics on the machine once it's been compromised.

    Antivirus software seems like the same kind of deal. Why do I want a resource-hogging process running all the time on my machine to scan the disk and memory for viruses? By then it's too late. At my school, I have some web stuff I want my students to be able to use, but it requires modern CSS support, so I requested that the Windows machines in the student labs be upgraded to IE7. The response that came back was that they weren't ready to support IE7 yet, because it didn't work with their AV software. WTF?? IE7 is a high-priority security update that is supposed to happen by default. Where is the logic of refusing to do security updates that would keep your machine from being infected, so that you can run the software that would detect the infection?

    • If there are buffer overflows, isn't the solution to fix the buffer overflows?
      Well, sure, but defense in depth is a good thing.

    • Re:band-aid (Score:5, Insightful)

      by Aadain2001 (684036) on Friday December 15 2006, @02:42PM (#17259912) Journal
      If there are buffer overflows, isn't the solution to fix the buffer overflows?

      Well sure it is! But MS doesn't control all the source code of the software the OS runs (but they're working on that ;)). Even if the OS is free of buffer overruns (which is should be after 5+ years of development), if a poorly implemented yet popular program (such as an IM client) still has buffer overruns, there is only so much that the OS can do/not do.

    • Re: (Score:3, Insightful)

      by pkulak (815640)
      What you're saying is correct, but it's often a good idea to do both at the same time. You could say the same thing about firewalls. I'm nearly 100% sure that I've got my Linux box locked up tight, but I still appreciate knowing that it's behind a router with only 2 ports open.

      Of course, my router doesn't slow down my machine, introduce its own bugs, annoy me for updates, waste space and resources, etc...
  • ...what then?

    Oh, wait, I forgot, this is the new millennium. There is no such thing as property. We own almost nothing. We rent almost everything as a service.

    The very few things we own are only there for the purpose of supporting things we rent (playing music we've rented, watching videos we've rented, running an OS we're rented) and are only expected to last a couple of years.

  • What a pathetic approach to security (Score:3, Insightful)

    by Animats (122034) on Friday December 15 2006, @02:25PM (#17259654) Homepage

    This is pathetic. The OS vendor is so inept that they can't keep hostile code from changing kernel data space, and their answer to this is to randomly move kernel code around? This will make many kernel bugs nonrepeatable, and improve Microsoft's defect deniability. That's its main advantage to Microsoft.

    Meanwhile, hostile code can just take over the interrupt locations, which can't move. Attacks will have to do more of the operating systems's work, like that attack which installs a virtual machine under the operating system. There are other approaches, such as simply taking over the whole machine and running something else, like a mini-OS equipped with a spam engine. Eventually someone may notice and power cycle the machine, but night attacks could get whole zombie farms going. While the attacker has control of the machine, they can make changes to the disk, too, so that after the reboot some of their stuff remains for next time. There's also a potential attack on the network controller which could leave the machine wide open for future takeover.

    Note the effect. This doesn't make attacks harder. It makes attacks which leave Windows running harder.

    Earth to Microsoft: if an attack can get into kernel mode, it's succeeded.

    • Re:What a pathetic approach to security (Score:4, Informative)

      by salimma (115327) on Friday December 15 2006, @02:52PM (#17260064) Homepage Journal
      This is pathetic. The OS vendor is so inept that they can't keep hostile code from changing kernel data space, and their answer to this is to randomly move kernel code around?

      No - this targets userspace security. If everytime a DLL is loaded it starts at a different base address, then you cannot write a worm that has the addresses hardcoded, so buffer overflow attacks will be much less effective. OpenBSD started doing this several years ago, and Linux has also had it for some time.

      Microsoft is also introducing "kernel patch protection" that, I'd guess, would probably block unsigned kernel modules from being loaded. Even in the Unix world, if you're a superuser you can load kernel modules at runtime. The security risk in Windows currently is that everyone is an Administrator by default.

  • Are DLLs no longer shared in memory? (Score:3, Informative)

    by Myria (562655) on Friday December 15 2006, @11:56PM (#17265690)
    In previous versions of NT, if a DLL doesn't have to be relocated, the kernel will make the read-only portions of the mapped file shared among all processes using that DLL. With address randomization, it's as if *every* DLL is relocated. Won't this eat a lot of memory having a bunch of copies of the same DLL taking up RAM?

    Melissa

    • Re: (Score:3, Informative)

      by interiot (50685)
      This article [softpedia.com] seems to imply that ASLR (or ALSR or whatever it is) can either be disabled by the user system-wide, or that certain systems won't have the features required to enable ASLR. So it probably won't stop determined users.

    • Not quite! (Score:5, Insightful)

      by Anonymous Coward on Friday December 15 2006, @01:47PM (#17259042)
      This is a legitimate technique already used by some other high-security OSes (e.g. Open BSD). So it's a legitimately good security measure.

      That said, I don't doubt that wanting to better secure their DRM is high on their list of reasons to improve security. That is, they probably want more to secure the machine *from* you than *for* you... While I've certainly had users that the system needed protection from, I still don't like what they're doing with DRM.

      Soon, at this rate, you'll either have an unencumbered OS, or what you have won't be fit to call a computer. It'll probably look something more like a high definition TV with popup ads.

    • Re: (Score:2, Insightful)

      by Anonymous Coward
      Theory:

      Maybe they (Gasp, shock, swoon) have two different motivations at the same time, or there are at least two people working on it that both have either one or the other motivation

      Shocking and mind-exploding, I know

    • BS on your BS (Score:5, Informative)

      by Mr 44 (180750) on Friday December 15 2006, @02:10PM (#17259386)
      In what way does this prevent FairUse4WM?

      This is a good thing to prevent viruses, without affecting anything else. Buffer overflow attacks need to rely on a known location in memory to jump to, typically kernel32!LoadLibrary/GetProcAddress, which will allow them to dynamically access the rest of the functions they need. Read more here: http://www.windowsecurity.com/articles/Analysis_of _Buffer_Overflow_Attacks.html [windowsecurity.com]

      This is 100% completely unrelated to DRM bypass programs, which can actually link to the correct functions. Anyone who mods the parent up has no idea about how windows security or programming works.

      It sounds like the parent might (just trying to be generous here) be confusing FairUse4WM with the Apple Fairplay hack tool, which does rely on known offsets within the fairplay module's memory layout. However, even that wouldn't be affacted by this, since an actual properly linked program can still determine the base address it needs.
      • I'm no programmer, but I had figured that FairUse4WM worked by cracking the blackbox file into plaintext by finding the encryption key securing it in memory when Media Player was running. I was going on the discussions I read over at Doom9 when MS released their lightning-quick response patch which merely changed the address used. It sounded like the FairUse author countered this by just adjusting to the new address.

        • Re:BS on your BS (Score:4, Informative)

          by Mr 44 (180750) on Friday December 15 2006, @02:43PM (#17259930)
          as far as I know, FairUse4WM doesn't rely on known offsets as a key aspect of how it works. Even so, what you are referring to would be a combination of the module's base address and an offset. ASLR would just mean the module base address changes every boot. A program running on the machine would still be able to call kernel32!GetModuleHandle to determine the current base address, and obviously ASLR wouldn't have anything to do with the offset from that base.

          However, it still prevents buffer overflows, since any shellcode wouldn't have gotten "fixed up" by the loader, and so wouldn't even be able to access any kernel32 functions, since the buffer overflow data would need to hard-code an absolute address.
    • It's pretty obvious what it's talking about. It talks about security countermeasures in you inbox. That's obviously viruses and trojans. Thus the squatting Sume Wrestler is taking a crap directly into your inbox if you use MS. The imagery is a little over the top, but it presents the facts quite well.

    • Re:can it be disabled during development? (Score:4, Informative)

      by Anonymous Coward on Friday December 15 2006, @01:50PM (#17259074)
      The technique is simply a scrambling of address of DLLs and eventually of procedures of those DLLs. The symbols will be remapped accordingly and you should be able to use your debugger as always. It just makes more difficult to make "jump to libc" attacks which defy DEP [mastropaolo.com] [mastropaolo.com] entirely.
    • You can't just loop through it like that. Every failure crashes the app. It will be obvious that something is wrong.
    • Everything the previous replies said, plus you missed 2 of the random spots ;)

      Randomly jamming things into memory locations is almost sure to crash the app. It wouldn't be too much harder to simply locate the thing you want, instead of doing it like you did, I'm sure. I believe the hardware bit is designed to stop you from locating the address as well, though...

      I haven't bothered to research the tech because I think it will probably be mostly useless, take up additional processor/memory speed, be disabled
      • See, you always probe a default position first, and the last one is what remains and must be true because all of the rest of the smacks didn't work.

        Yet there are any number of ways to compromise things. But I'm super-paranoid and only a bit of a hack, with origins in 8086/i386 machine code. Nothing is fool proof, because fools are so ingenious.

    • Surely it's at least partially useful... Wikipedia mentions [wikipedia.org] that it's enabled by default on OpenBSD, and that there are a number of add-ons available for Linux that lets you enable it there.

    • Re:Ok, class: let's determine the effectivity of t (Score:4, Informative)

      by PsychicX (866028) on Friday December 15 2006, @05:03PM (#17262098)
      Nope, not so easy.

      The problem lies in the subtlety of "not successful()" in your psuedo-code. It can't be implemented, to be exact. What you're generally trying to do in a buffer overflow attack is to replace the return address for the current function with the address for the code you actually want to run. If you get your addresses wrong, you crash and you're done. And when you're playing games with this sort of thing, exceptions are pretty much out the window. You can't rely on using SEH (structured exception handling, look it up if you're not familiar) to save your ass, because guess what -- you destroyed the application stack to get here! If you take an exception, you're completely gone.

      So basically there's no reliable way to actually execute the desired code. All of the solutions you'd normally apply, thinking from an apps programmer's point of view, no longer work. Remember, the virus is a parasite which will destroy the process beyond repair. The goal is to jump ship and set up somewhere core to the system. And none of the usual mechanisms are functional because you've gone and mucked them up. You need to talk (in)directly to the operating system, and ASLR makes that impossible to do reliably.

      That's the theory, anyway. Hackers have proven to be rather clever and innovative.

    • Re:Ok, class: let's determine the effectivity of t (Score:4, Informative)

      by bluefoxlucid (723572) on Friday December 15 2006, @06:11PM (#17262936) Journal

      Works well when you can try this over and over; but sometimes you'll need to break a lot. On vanilla Linux you have 524288 states of memory (stack and mmap() base) relevant to your attack (you probably only care about {stack OR heap} and {mmap() OR program base}); in PaX you have 2^(24+16). Now if Internet Explorer crashes on the first newbie you try to exploit, you have to wait until he surfs to your site AGAIN to attack; if you have high-end randomization (2^48 is doable on x86, since the stack/heap/mmap()/program bases are all independently randomized; about double is possible on x86_64), it could be eternity before you actually break something (2^32 is 4 billion, earth's population is 6 billion).

      A miss from ASLR attack will change the instruction pointer and crash the program on failure, almost guaranteed. You'll either hit data; misalign with the instruction stream; align with the instruction stream in some way that makes no sense (in the middle of a function with another function's call stack); or hit unmapped memory. Any of these will get you program termination. You think someone won't notice if his Web server decides to crash and restart 300,000 times a minute? A simple host IDS can figure out that's wrong.

      • are an oxymoron.

        Sorry, it's kind of a troll remark, but remember that modules are checked at load time; corrupt them in memory and make them do things is both an onerous and non-casual corruption. I won't say which modules are the leakiest, but look to the ones with lots of calls to hardware (hint) to do the job. It's not funny how easily this can be done-- especially if you then change a few key registry signature (next hint).

    • Re: (Score:3, Interesting)

      by DrSkwid (118965)
      You do know that the people in Microsoft work in parallel not serial.

      They don't work on one thing at a time, so quit yer bitching.

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.