[Dailydave] The sky's downward trajectory
ol
ol at uncon.org
Sat Mar 3 10:25:11 EST 2007
The paper can be found here:
http://www.symantec.com/avcenter/reference/Address_Space_Layout_Randomization.pdf
Cheers
Ollie
----- Original Message -----
From: <ol at uncon.org>
To: <dailydave at lists.immunitysec.com>
Sent: Tuesday, February 20, 2007 1:05 PM
Subject: Re: [Dailydave] The sky's downward trajectory
Thanks for pimpage, the final figures are:
Stack - 14 bits
Heap - 5+ bits
Image (code) - 8 bits
PEB - 4 bits
Yes, image randomization out of the box only occurs upon a reboot. However
there is a dirty method I came up with to force a reseed for binaries, but
this massively skews the results. All is contained in the paper which we
will be releasing next week and presenting at Blackhat DC (Thursday) and
EuSecWest (Friday).
Cheers
Ollie
----- Original Message -----
From: "Dominique Brezinski" <dominique.brezinski at gmail.com>
To: <dailydave at lists.immunitysec.com>
Sent: Tuesday, February 20, 2007 7:15 AM
Subject: Re: [Dailydave] The sky's downward trajectory
Vista's stack gets 14 bits, heap and image 8 bits and PEB 4 bits.
Ollie Whitehouse did a complete analysis of Vista's ALSR
implementation in the final release that he will be presenting at
Black Hat DC in a week. For those of you that can't make it, we should
have his presentation up online shortly after the conference. I
believe Symantec will also be publishing the white paper then. His
analysis looks at the statistical distributions within the various
process-space segments that are randomized with some interesting
results. I think the material will be good reading for this list.
Cheers,
Dominique
On 2/19/07, Jonathan Wilkins <jwilkins at gmail.com> wrote:
> Ok, I dug a little more and here's what I found:
>
> http://blogs.msdn.com/michael_howard/archive/2006/05/26/address-space-layout-randomization-in-windows-vista.aspx
> "This helps defeat a well-understood attack called "return-to-libc",
> where exploit code attempts to call a system function [...] In the
> case of Windows Vista Beta 2, a DLL or EXE could be loaded into any of
> 256 locations, which means an attacker has a 1/256 chance of getting
> the address right.
>
> Confirmed by skape here:
> http://blog.metasploit.com/2006/06/few-quick-updates.html
> "Microsoft's implementation is limited to 8 bits of entropy in the 3rd octet"
>
> Those posts are both pre-final Vista, as was ToorCon, so I'm not
> certain how things might have changed.
>
> On 2/19/07, jf <jf at danglingpointers.net> wrote:
> > As I understood it, they are only randomized once at boot time with 4 bits
> > of entropy, and it's currently opt-in for most applications (including
> > IE), but opt-out for system DLLs. I tend to agree that only randomizing
> > once may be an issue, but no one seems to agree with me.
> >
> > On Mon, 19 Feb 2007, endrazine wrote:
> >
> > > Date: Mon, 19 Feb 2007 19:27:33 +0100
> > > From: endrazine <endrazine at gmail.com>
> > > To: Rhys Kidd <rhyskidd at gmail.com>
> > > Cc: dailydave at lists.immunitysec.com
> > > Subject: Re: [Dailydave] The sky's downward trajectory
> > >
> > > Hi dear readers,
> > >
> > > Rhys Kidd wrote:
> > > >
> > > > So what does Microsoft provide to make this more secure?
> > > >
> > > > Firstly the push by Michael Howard et al to get ASLR implemented in
> > > > Vista beta 2 and above means the addresses within ntdll.dll are going
> > > > to be somewhat random, thereby making reliable use of this technique
> > > > difficult. NX bit based defenses really should be implemented
> > > > hand-in-hand with some form of memory randomisation, as was documented
> > > > by the PaX project.
> > > >
> > > Put me in my place if I'm wrong, but addresses are only randomized once
> > > at boot up, making the Vista randomization far less effective than a run
> > > time randomization a la PaX. Well, at least, that's what I understood
> > > from the Microsoft TechDays in Paris 2 weeks ago.
> > > > Secondly, as Dave mentioned, setting "AlwaysOn" in boot.ini should
> > > > prevent DEP from being disabled on a per-process basis.
> > > >
> > > > HTH.
> > > > Rhys
> > > >
> > >
> > > Regards,
> > >
> > > endrazine-
_______________________________________________
Dailydave mailing list
Dailydave at lists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave