Sunday, June 11, 2006

Microsoft Windows Vista: Measuring the security enhancements.

A few days ago, Michael Howard, a member of the Microsoft Security Engineering group, made available a short description of what's supposed to be Address Space Layout Randomization (ASLR) in Vista.

• Stacks and Heap are randomized (stack-randomization is on post-Beta 2)

• EXEs and DLLs shipping as part of the operating system are randomized

• All other EXEs and DLLs will need to explicitly opt-in via a new PE header flag; by default they will not be randomized. 'Note that DLLs marked for randomization, such as system DLLs, will be randomized in every process (regardless of whether other binaries in that process have opted-in or not.

As an experiment, the enhancements were tested by using a modified version of the paxtest tool, originally developed by Peter Buser and used for testing the capabilities of PaX and other projects, as a regression test suite capable of guessing how many bits are currently being randomized in a concrete section of memory, for example one allocated in the heap; among other tests (ie. return-to-function, etc). While the tests are pretty simple, they provide unbiased proof of the strength or weakness of the implementation being examinated. The information disclosed by Michael, days before the above quoted article, commented on the "probability" of guessing the right address on exploitation time:

In the case of Windows Vista Beta 2, a DLL or EXE could be loaded into any of 256 locations, which means an attacker has a 1/256 chance of getting the address right. In short, this makes it harder for exploits to work correctly.

It's worth noting that no snake-oil is present. He points out that, actually, ASLR makes successful exploitation of memory corruption-related issues harder. And that's completely true. Although, we are missing something here. The point is how difficult exploitation will be. And definitely, the current approach implemented for Vista is, with no offense meant to anyone (and again, no bias here), useless.

For an application that suddenly dies as of an attack or repeated attempts of exploitation, ASLR is a good option. Although, if we look over applications that actually re-spawn child processes and the like, the lower the randomization is, the higher the probability of successful exploitation in less time. What applications behave in such a suicide way? Apache is a good example :)

A GUI, user-friendly regression test suite is in development, which will also properly test the "Security Enhancements in the CRT " introduced in Visual Studio 2005. It could be, to make an analogy, the IBM Stack Smashing Protector (aka ProPolice) for Windows-based systems.

Some references for further information:

  1. Security Enhancements in the CRT
  2. Saying Goodbye to an Old Friend
  3. Security-Enhanced Versions of CRT Functions
  4. Michael Howard's Web Log
  5. Address Space Layout Randomization
  6. Windows Vista Address Space Layout Randomization – What is Randomized?
  7. Address Space Layout Randomization in Windows Vista

No comments: