On 26/05/06, David Litchfield <davidl (at) ngssoftware (dot) com [email concealed]> wrote:
> Address Space Layout Randomization is now part of Vista as of beta 2 [1] . I
> wrote about ASLR on the Windows platform back in September last year [2] and
> noted that unless you rebase the image exe then little (not none!) is added.
> ASLR in Vista solves this so remote exploitation of overflows has just got a
> lot harder. I've not done a thorough analysis yet but, all going well, this
> is a fantastic way for Microsoft to go and builds on the work done with
> NX/DEP and stack cookies/canaries.
Since ASLR has been in and has been trivially circumvented in Linux
for years now (see my papers on return-to-libc & return-to-got) I
don't see it being a particularly hard issue to defeat :-) Maybe
though, if they also randomise some other key areas like heap
locations and do some fancy relocation to non writable/executable
pages plus the drop-in of some ascii armour, we might then be on par
with a hardened Linux or *BSD..
> Address Space Layout Randomization is now part of Vista as of beta 2 [1] . I
> wrote about ASLR on the Windows platform back in September last year [2] and
> noted that unless you rebase the image exe then little (not none!) is added.
> ASLR in Vista solves this so remote exploitation of overflows has just got a
> lot harder. I've not done a thorough analysis yet but, all going well, this
> is a fantastic way for Microsoft to go and builds on the work done with
> NX/DEP and stack cookies/canaries.
Since ASLR has been in and has been trivially circumvented in Linux
for years now (see my papers on return-to-libc & return-to-got) I
don't see it being a particularly hard issue to defeat :-) Maybe
though, if they also randomise some other key areas like heap
locations and do some fancy relocation to non writable/executable
pages plus the drop-in of some ascii armour, we might then be on par
with a hardened Linux or *BSD..
Granted, I haven't looked at Vista yet :)
--
regards
c0ntex
[ reply ]