[Dailydave] The sky's downward trajectory

jf jf at danglingpointers.net
Tue Feb 20 04:00:00 EST 2007


Excuse me, I meant 8 bits of entropy, not 4; I'm slow and stupid today. I'm
not sure if rjohnson dug into it in his slides or not, but he described in
the toorcon presentation why they only used 8 bits, and basically it broke down to
'that's what we have left to play with'. There was also a fairly
long-winded conversation later on about why the DLLs are only randomized once
per boot, and to make a long post short it came down to
performance/mapping across executables.

On Mon, 19 Feb 2007, Jonathan Wilkins wrote:

> Date: Mon, 19 Feb 2007 16:57:45 -0800
> From: Jonathan Wilkins <jwilkins at gmail.com>
> To: jf <jf at danglingpointers.net>
> Cc: endrazine <endrazine at gmail.com>, dailydave at lists.immunitysec.com
> Subject: Re: [Dailydave] The sky's downward trajectory
>
> Ok, I dug a little more and here's what I found:
> http://blogs.msdn.com/michael_howard/archive/2006/05/26/address-space-layout-randomization-in-windows-vista.aspx
> "This helps defeat a well-understood attack called "return-to-libc",
> where exploit code attempts to call a system function [...] In the
> case of Windows Vista Beta 2, a DLL or EXE could be loaded into any of
> 256 locations, which means an attacker has a 1/256 chance of getting
> the address right."
>
> Confirmed by skape here:
> http://blog.metasploit.com/2006/06/few-quick-updates.html
> "Microsoft's implementation is limited to 8 bits of entropy in the 3rd octet"
>
> Those posts are both pre-final Vista, as was ToorCon, so I'm not
> certain how things might have changed.
>
> On 2/19/07, jf <jf at danglingpointers.net> wrote:
> > As I understood it, they are only randomized once at boot time with 4 bits
> > of entropy, and it's currently opt-in for most applications (including
> > IE), but opt-out for system DLLs. I tend to agree that only randomizing
> > once may be an issue, but no one seems to agree with me.
> >
> > On Mon, 19 Feb 2007, endrazine wrote:
> >
> > > Date: Mon, 19 Feb 2007 19:27:33 +0100
> > > From: endrazine <endrazine at gmail.com>
> > > To: Rhys Kidd <rhyskidd at gmail.com>
> > > Cc: dailydave at lists.immunitysec.com
> > > Subject: Re: [Dailydave] The sky's downward trajectory
> > >
> > > Hi dear readers,
> > >
> > > Rhys Kidd wrote:
> > > >
> > > > So what does Microsoft provide to make this more secure?
> > > >
> > > > Firstly the push by Michael Howard et al to get ASLR implemented in
> > > > Vista beta 2 and above means the addresses within ntdll.dll are going
> > > > to be somewhat random, thereby making reliable use of this technique
> > > > difficult. NX bit based defenses really should be implemented
> > > > hand-in-hand with some form of memory randomisation, as was documented
> > > > by the PaX project.
> > > >
> > > Put me in my place if I'm wrong, but addresses are only randomized once
> > > at boot up, making the Vista randomization far less effective than a run
> > > time randomization a la PaX. Well, at least, that's what I understood
> > > from the Microsoft TechDays in Paris 2 weeks ago.
> > > > Secondly, as Dave mentioned setting "AlwaysOn" in boot.ini should
> > > > prevent DEP from being disabled on a per-process basis.
> > > >
> > > > HTH.
> > > > Rhys
> > > >
> > >
> > > Regards,
> > >
> > > endrazine-
> > > _______________________________________________
> > > Dailydave mailing list
> > > Dailydave at lists.immunitysec.com
> > > http://lists.immunitysec.com/mailman/listinfo/dailydave
> > >
> >
>
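The thread turns on two numbers: 8 bits of entropy (256 candidate base addresses, a 1/256 chance per guess) and the fact that the layout is drawn once per boot rather than once per process, as PaX does. The following risk model is an added illustration, not code from the thread or from any of the posters; it assumes the 256 slots are equally likely, that one guess costs one attempt, and ignores everything else (crash handling, information leaks, the opt-in status of applications). It shows how much protection each re-randomization policy buys for a given number of attempts, both in closed form and by Monte Carlo check.

```python
"""
Risk model: 8-bit ASLR re-randomized once per boot versus on every process start.
Added illustration for the Dailydave thread; the numbers are a model, not a
measurement of Vista.
"""
import math
import random

ENTROPY_BITS = 8           # from the thread: 8 bits in the 3rd octet
SLOTS = 1 << ENTROPY_BITS  # 256 candidate base addresses (constructed model)


def p_success_fresh_each_try(attempts: int, slots: int = SLOTS) -> float:
    """Layout re-drawn on every process start (PaX-style): each guess is an
    independent 1/slots trial, so P(at least one hit in k) = 1 - (1 - 1/s)^k."""
    return 1.0 - (1.0 - 1.0 / slots) ** attempts


def p_success_fixed_until_reboot(attempts: int, slots: int = SLOTS) -> float:
    """Layout fixed for the whole uptime (once-per-boot): every failed guess
    rules out one slot, so k distinct guesses cover k/slots of the space and
    success is certain after slots guesses."""
    return min(attempts, slots) / slots


def expected_attempts_fresh(slots: int = SLOTS) -> float:
    """Geometric distribution with p = 1/slots: mean number of attempts is slots."""
    return float(slots)


def expected_attempts_fixed(slots: int = SLOTS) -> float:
    """Uniform target in a fixed layout, searched without repeats: mean (slots+1)/2."""
    return (slots + 1) / 2


def attempts_for_confidence(p: float, fixed_layout: bool, slots: int = SLOTS) -> int:
    """Smallest number of attempts that reaches success probability p under
    either policy; the gap between the two is the value of per-process
    re-randomization."""
    if fixed_layout:
        return math.ceil(p * slots)
    return math.ceil(math.log(1.0 - p) / math.log(1.0 - 1.0 / slots))


def simulate_mean_attempts(fixed_layout: bool, trials: int = 5000,
                           slots: int = SLOTS, seed: int = 1) -> float:
    """Monte Carlo check of the closed forms using constructed random targets.
    fixed_layout=True models once-per-boot; False models per-process re-draw."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        if fixed_layout:
            target = rng.randrange(slots)
            order = list(range(slots))
            rng.shuffle(order)                  # guess each slot once, random order
            total += order.index(target) + 1
        else:
            n = 0
            while True:
                n += 1
                # fresh target and fresh guess on every attempt
                if rng.randrange(slots) == rng.randrange(slots):
                    break
            total += n
    return total / trials


if __name__ == "__main__":
    for k in (1, 64, 128, 178, 256):
        print(f"{k:4d} attempts: per-boot {p_success_fixed_until_reboot(k):.3f}  "
              f"per-process {p_success_fresh_each_try(k):.3f}")
    print("50% confidence needs", attempts_for_confidence(0.5, True),
          "attempts per-boot vs", attempts_for_confidence(0.5, False), "per-process")
    print("simulated mean attempts: per-boot", simulate_mean_attempts(True),
          "per-process", simulate_mean_attempts(False))
```

The closed forms are the point: with the layout fixed until reboot, 128 attempts already give even odds and 256 give certainty, whereas with a fresh draw per process the same 256 attempts still leave roughly a 37% chance of never hitting, and the expected cost doubles from about 128 attempts to 256. Both policies share the same 8-bit budget; the difference is entirely in whether a failed attempt teaches the attacker anything, which is the argument the thread makes for per-process randomization.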

