[Dailydave] The sky's downward trajectory
Jonathan Wilkins
jwilkins at gmail.com
Mon Feb 19 19:57:45 EST 2007
Ok, I dug a little more and here's what I found:
http://blogs.msdn.com/michael_howard/archive/2006/05/26/address-space-layout-randomization-in-windows-vista.aspx
"This helps defeat a well-understood attack called "return-to-libc",
where exploit code attempts to call a system function [...] In the
case of Windows Vista Beta 2, a DLL or EXE could be loaded into any of
256 locations, which means an attacker has a 1/256 chance of getting
the address right.
Confirmed by skape here:
http://blog.metasploit.com/2006/06/few-quick-updates.html
"Microsoft's implementation is limited to 8 bits of entropy in the 3rd octet"
Those posts are both pre-final Vista, as was ToorCon, so I'm not
certain how things might
have changed.
On 2/19/07, jf <jf at danglingpointers.net> wrote:
> As I understood it, they are only randomized once at boot time with 4 bits
> of entropy, and it's currently opt-in for most applications (including
> IE), but opt-out for system DLLs. I tend to agree that only randomizing
> once may be an issue, but no one seems to agree with me.
>
> On Mon, 19 Feb 2007, endrazine wrote:
>
> > Date: Mon, 19 Feb 2007 19:27:33 +0100
> > From: endrazine <endrazine at gmail.com>
> > To: Rhys Kidd <rhyskidd at gmail.com>
> > Cc: dailydave at lists.immunitysec.com
> > Subject: Re: [Dailydave] The sky's downward trajectory
> >
> > Hi dear readers,
> >
> > Rhys Kidd a écrit :
> > >
> > > So what does Microsoft provide to make this more secure?
> > >
> > > Firstly the push by Michael Howard et al to get ASLR implemented in
> > > Vista beta 2 and above means the addresses within ntdll.dll are going
> > > to be somewhat random, thereby making reliable use of this technique
> > > difficult. NX bit based defenses really should be implemented
> > > hand-in-hand with some form of memory randomisation, as was documented
> > > by the PaX project.
> > >
> > Put me in my place if I'm wrong, but adresses are only randomized once
> > at boot up, making the Vista randomization far less effective than a run
> > time randomization a la PaX. Well, at least, thats what I understood
> > from the Microsoft TechDays in Paris 2 weeks ago.
> > > Secondly, as Dave mentioned setting "AlwaysOn" in boot.ini should
> > > prevent DEP from being disabled on a per-process basis.
> > >
> > > HTH.
> > > Rhys
> > >
> >
> > Regards,
> >
> > endrazine-
> > _______________________________________________
> > Dailydave mailing list
> > Dailydave at lists.immunitysec.com
> > http://lists.immunitysec.com/mailman/listinfo/dailydave
> >
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
>
More information about the Dailydave
mailing list