
ASLR in Vista Gets OEM Push

gr00ve writes "Eweek is reporting that all the major OEMs will enable DEP/NX in their BIOSes by default to allow Address Space Layout Randomization (ASLR), a new security feature in Windows Vista, to work as advertised. ASLR, which is used to randomly arrange the positions of key data areas to block hackers from predicting target addresses, is meant to make Windows Vista more resilient to virus and worm attacks." From the article: "Because most CPUs that ship today support DEP/NX, Howard explained that Vista users on older hardware can use the control panel to manually verify that PCs have DEP enabled. With full support from OEMs, Microsoft is effectively using ASLR to create software diversity within a single operating system, a move that is widely seen as Redmond's attempt to address the monoculture risk. The memory-space randomization technique will block the majority of buffer overflow tricks used in about two-thirds of all worm and virus attacks."
  • by postbigbang ( 761081 ) on Friday December 15, 2006 @02:44PM (#17258968)
    There are supposedly 256 possible randomizations.

    Old code:

    poke (scriptylittlecode) to this address (usual kernel location, but we might check other modules with probes)

    New code:

    while not successful()
          for i=1 to 254
                spank (module old code with randomized address prediction)
          next i; /* next spank */

    This is goofy at best, and tragically hilarious and useless at worst.

  • Not quite! (Score:5, Insightful)

    by Anonymous Coward on Friday December 15, 2006 @02:47PM (#17259042)
    This is a legitimate technique already used by some other high-security OSes (e.g. OpenBSD). So it's a legitimately good security measure.

    That said, I don't doubt that wanting to better secure their DRM is high on their list of reasons to improve security. That is, they probably want more to secure the machine *from* you than *for* you... While I've certainly had users that the system needed protection from, I still don't like what they're doing with DRM.

    Soon, at this rate, you'll either have an unencumbered OS, or what you have won't be fit to call a computer. It'll probably look something more like a high definition TV with popup ads.
  • by lseltzer ( 311306 ) on Friday December 15, 2006 @02:50PM (#17259088)
    You can't just loop through it like that. Every failure crashes the app. It will be obvious that something is wrong.
  • Re:I call BS (Score:2, Insightful)

    by Anonymous Coward on Friday December 15, 2006 @02:57PM (#17259184)
    Theory:

    Maybe they (Gasp, shock, swoon) have two different motivations at the same time, or there are at least two people working on it that both have either one or the other motivation

    Shocking and mind-exploding, I know
  • by Aladrin ( 926209 ) on Friday December 15, 2006 @03:02PM (#17259254)
    Everything the previous replies said, plus you missed 2 of the random spots ;)

    Randomly jamming things into memory locations is almost sure to crash the app. It wouldn't be too much harder to simply locate the thing you want, instead of doing it like you did, I'm sure. I believe the hardware bit is designed to stop you from locating the address as well, though...

    I haven't bothered to research the tech because I think it will probably be mostly useless, take up additional processor/memory speed, be disabled on all old systems, and users will likely disable it on new systems because it causes errors with some game they play.
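    As an added illustration (not part of the thread and not anyone's posted code), the following Python models the guessing loop postbigbang sketched above against the two objections raised in reply: lseltzer's point that every wrong guess crashes the application, and Aladrin's point that the restarted process is unlikely to land where the previous one did. The 256-layout figure is the one quoted in the thread; the crash log lines and the process name im_client.exe are constructed placeholders. The defender-side takeaway is the last function: a run of crashes of the same executable is the observable side effect the thread is describing.

```python
import random
from fractions import Fraction

# Number of distinct layouts quoted in the thread for Vista's randomization.
LAYOUTS = 256


def expected_guesses_fixed_layout(n):
    """Mean guesses when the layout stays fixed across attempts and no guess
    is repeated: the target is uniform over n positions, so (n + 1) / 2."""
    return Fraction(n + 1, 2)


def expected_guesses_rerandomized(n):
    """Mean guesses when each failed guess crashes the process and the
    restart draws a fresh layout: every attempt succeeds with probability
    1/n independently (geometric distribution), so the mean is n."""
    return Fraction(n, 1)


def success_probability_within(n, k, rerandomized):
    """Probability of hitting the right layout within k attempts."""
    if rerandomized:
        return 1 - Fraction(n - 1, n) ** k
    return Fraction(min(k, n), n)


def simulate_crashes_before_success(n, rerandomized, trials, seed=1):
    """Monte Carlo estimate of how many crashes precede the first success.
    Each failed guess is one crash event a defender could observe."""
    rng = random.Random(seed)
    total_crashes = 0
    for _ in range(trials):
        secret = rng.randrange(n)
        untried = list(range(n))
        rng.shuffle(untried)
        crashes = 0
        while True:
            if rerandomized:
                # Restart picks a new layout; guesser cannot exclude old ones.
                secret = rng.randrange(n)
                guess = rng.randrange(n)
            else:
                guess = untried.pop()
            if guess == secret:
                break
            crashes += 1
        total_crashes += crashes
    return total_crashes / trials


# Constructed sample crash records, one per line: "<timestamp> <process>".
SAMPLE_CRASH_LOG = """\
2006-12-15T14:44:01 im_client.exe
2006-12-15T14:44:03 im_client.exe
2006-12-15T14:44:06 im_client.exe
2006-12-15T14:44:09 im_client.exe
2006-12-15T14:44:12 im_client.exe
2006-12-15T14:50:30 editor.exe
"""


def crash_bursts(log_text, threshold):
    """Return processes that crashed at least `threshold` times in the log.
    Under randomization, repeated crashes of one binary are the signal
    that something is probing it rather than a single bad input."""
    counts = {}
    for line in log_text.splitlines():
        _timestamp, process = line.split()
        counts[process] = counts.get(process, 0) + 1
    return {p: c for p, c in counts.items() if c >= threshold}


if __name__ == "__main__":
    print("fixed layout, mean guesses:", float(expected_guesses_fixed_layout(LAYOUTS)))
    print("re-randomized, mean guesses:", float(expected_guesses_rerandomized(LAYOUTS)))
    print("re-randomized, P(success within 256):",
          float(success_probability_within(LAYOUTS, 256, True)))
    print("simulated crashes (fixed):", simulate_crashes_before_success(LAYOUTS, False, 2000))
    print("simulated crashes (re-randomized):", simulate_crashes_before_success(LAYOUTS, True, 2000))
    print("crash bursts:", crash_bursts(SAMPLE_CRASH_LOG, 3))
```

    The two expectations differ by a factor of two (128.5 versus 256 guesses), and in the re-randomized case 256 attempts still leave roughly a 37% chance of never hitting the right layout; either way, with the thread's own 256 figure, the process has to crash on the order of a hundred or more times first, which is what makes the crash burst worth alerting on.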
  • band-aid (Score:3, Insightful)

    by bcrowell ( 177657 ) on Friday December 15, 2006 @03:09PM (#17259382) Homepage

    If there are buffer overflows, isn't the solution to fix the buffer overflows?

    I keep hearing about stuff people do on Windows to avoid viruses, and it all seems predicated on the assumption that every Windows machine is going to get infected, so then you have to mitigate the damage. For instance, I've heard people say that even if you have a Windows box sitting on your desk at home, you should make a habit of logging off when you're not using it, because that way if your box gets owned and starts sending out penis enlargement spam, the amount of spam being sent out will be reduced.

    Shouldn't the idea be to keep your machine from having hostile code run on it at all?? All this kind of stuff seems like telling people to go ahead having unsafe sex, but then take vitamin C afterward to help boost their immune system and reduce the harm done by the HIV virus.

    Heck, if I found out my Linux box had been owned, my reaction would probably be to wipe the hard disk, reinstall Ubuntu, and restore all my user files from backup. I don't have the expertise that would be needed to do forensics on the machine once it's been compromised.

    Antivirus software seems like the same kind of deal. Why do I want a resource-hogging process running all the time on my machine to scan the disk and memory for viruses? By then it's too late. At my school, I have some web stuff I want my students to be able to use, but it requires modern CSS support, so I requested that the Windows machines in the student labs be upgraded to IE7. The response that came back was that they weren't ready to support IE7 yet, because it didn't work with their AV software. WTF?? IE7 is a high-priority security update that is supposed to happen by default. Where is the logic of refusing to do security updates that would keep your machine from being infected, so that you can run the software that would detect the infection?

  • by Animats ( 122034 ) on Friday December 15, 2006 @03:25PM (#17259654) Homepage

    This is pathetic. The OS vendor is so inept that they can't keep hostile code from changing kernel data space, and their answer to this is to randomly move kernel code around? This will make many kernel bugs nonrepeatable, and improve Microsoft's defect deniability. That's its main advantage to Microsoft.

    Meanwhile, hostile code can just take over the interrupt locations, which can't move. Attacks will have to do more of the operating system's work, like that attack which installs a virtual machine under the operating system. There are other approaches, such as simply taking over the whole machine and running something else, like a mini-OS equipped with a spam engine. Eventually someone may notice and power cycle the machine, but night attacks could get whole zombie farms going. While the attacker has control of the machine, they can make changes to the disk, too, so that after the reboot some of their stuff remains for next time. There's also a potential attack on the network controller which could leave the machine wide open for future takeover.

    Note the effect. This doesn't make attacks harder. It makes attacks which leave Windows running harder.

    Earth to Microsoft: if an attack can get into kernel mode, it's succeeded.

  • Re:band-aid (Score:5, Insightful)

    by Aadain2001 ( 684036 ) on Friday December 15, 2006 @03:42PM (#17259912) Journal
    If there are buffer overflows, isn't the solution to fix the buffer overflows?

    Well sure it is! But MS doesn't control all the source code of the software the OS runs (but they're working on that ;)). Even if the OS is free of buffer overruns (which it should be after 5+ years of development), if a poorly implemented yet popular program (such as an IM client) still has buffer overruns, there is only so much that the OS can do/not do.

  • Re:grsec (Score:5, Insightful)

    by defile ( 1059 ) on Friday December 15, 2006 @03:51PM (#17260056) Homepage Journal

    This probably isn't such a big deal for open source.

    With Windows, whole swaths of the user community are running nearly identical binaries so malware authors have a large attractive market for their worms.

    With Linux, you have virtually thousands of possible binary configurations due to the high prevalence of custom compilation from source and the sheer number of competing distributions with frequent releases. Reduces the attraction.

    DISCLAIMER: Yes, I know, there are players who target niches, this rationale isn't bullet proof.

    DISCLAIMER2: Yes, address space virtualization can't stop all buffer overflow exploits either.

  • Re:band-aid (Score:3, Insightful)

    by pkulak ( 815640 ) on Friday December 15, 2006 @04:01PM (#17260208)
    What you're saying is correct, but it's often a good idea to do both at the same time. You could say the same thing about firewalls. I'm nearly 100% sure that I've got my Linux box locked up tight, but I still appreciate knowing that it's behind a router with only 2 ports open.

    Of course, my router doesn't slow down my machine, introduce its own bugs, annoy me for updates, waste space and resources, etc...
  • Re:grsec (Score:3, Insightful)

    by oojah ( 113006 ) on Friday December 15, 2006 @09:19PM (#17264138) Homepage
    Randomizing the stack sounds like a great idea, to cure the symptom; not the problem.

    Right, but that doesn't mean we shouldn't do it.

    Cheers,

    Roger
