PC Makers Agree To Enable ‘DEP’ To Support ‘ASLR’
To improve security in Windows Vista, Microsoft has reached an agreement with PC manufacturers to enable a BIOS-level feature that supports Vista's ASLR (Address Space Layout Randomization). ASLR could make automated, large-scale attacks considerably harder.
To work fully, ASLR relies on another new Vista security feature called DEP (Data Execution Prevention), also known as NX (No Execute). However, computer makers can disable DEP at the BIOS level, for instance for application compatibility reasons.
But Michael Howard, Microsoft's security program manager, said in an MSDN blog posting that from now on all the major PC manufacturers would be enabling DEP by default. Although Howard did not name specific companies, he asserted that they include all the major OEMs, which implies a large number of companies.
The function of ASLR is to place certain regions of a process's address space, such as libraries, the heap and the stack, at random positions. This means that when ASLR is in place, attacks that depend on knowing where these components lie have a low probability of success. Attackers find it difficult to predict the target addresses, and that makes the data more secure.
ASLR was previously included in the OpenBSD UNIX variant and in the PaX and Exec Shield security patches for Linux. Most recent PC processors support DEP. But it is currently switched off in Internet Explorer because plug-ins could fail.
On December 12, 2006, Howard said that some positive beginnings have been made in incorporating DEP into more applications. For example, Adobe has recently upgraded its Acrobat/Reader and Flash Player plug-ins to support DEP.
According to Howard, ASLR can defeat attacks such as return-to-libc, where the exploit code tries to use an existing system function, for instance to open a socket. Because the memory addresses are randomized, such attacks are difficult to carry out. With Windows Vista Beta 2, an EXE or DLL could be loaded at any of 256 locations, meaning an attacker has only a 1/256 chance of guessing the address correctly. In other words, the exploit will rarely work as intended.
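Whether a given Windows EXE, DLL or plug-in has opted in to DEP and ASLR is recorded in its PE header, in the DllCharacteristics field (the bits set by the linker's /NXCOMPAT and /DYNAMICBASE options). The following added example, not code from the article or from Microsoft, parses that field so a defender can audit which modules on a system are DEP- and ASLR-compatible; the stub-PE builder is a constructed test input, not a loadable binary.

```python
import struct

# DllCharacteristics bits from the PE/COFF specification.
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image may be relocated at load (ASLR opt-in)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # image is compatible with DEP/NX

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def pe_mitigation_flags(image: bytes) -> dict:
    """Return {'aslr', 'dep', 'pe32plus'} for a PE image held in memory.

    Walks DOS header -> e_lfanew -> 'PE\\0\\0' -> 20-byte COFF header -> optional
    header and reads the 16-bit DllCharacteristics field. Malformed input
    raises ValueError instead of silently reporting 'not protected'."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ signature)")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if e_lfanew + 24 > len(image) or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (size_of_opt,) = struct.unpack_from("<H", image, e_lfanew + 4 + 16)
    opt = e_lfanew + 4 + 20  # optional header follows the COFF header
    if size_of_opt < 72 or opt + size_of_opt > len(image):
        raise ValueError("optional header truncated")
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics is at offset 70 of the optional header for PE32 and PE32+.
    (dll_chars,) = struct.unpack_from("<H", image, opt + 70)
    return {
        "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "pe32plus": magic == PE32PLUS_MAGIC,
    }


def build_stub_pe(dll_characteristics: int, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE header (headers only, not runnable) for testing."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 240 if pe32plus else 224
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for flags in (0x0000, 0x0100, 0x0140):
        print(hex(flags), pe_mitigation_flags(build_stub_pe(flags)))
```

To audit a real module, pass `open(path, "rb").read()` to `pe_mitigation_flags`; a plug-in reporting `dep: False` is one that would have to be excluded, or rebuilt, before DEP can be enabled for its host process.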
Howard cautioned that ASLR is no substitute for secure code. Nevertheless, it is a useful defense.
SPAMfighter News - 18-12-2006