ASLR in Windows Vista 

Mar 01, 2007 03:00 AM

ASLR (Address Space Layout Randomization) is one of the cornerstones of Windows Vista and its enhanced security posture. ASLR works on the basis that it will move an application and its associated memory around, either each time it’s executed or when the host is rebooted, depending on the element concerned. The purpose of this is to hinder a class of vulnerabilities commonly referred to as memory manipulation vulnerabilities by making it difficult for an attacker to know where an application is in memory. This would impede successful exploitation, which relies on fixed memory addresses.

Back in December, I decided to take a brief look at the implementation of ASLR on Vista. I had seen some findings emerge during its development, but these really didn’t show if the implementation was good, bad, or indifferent. Since my work load was winding down, as I had December off, and a tool I had written indicated there might be some problems, I decided to look at this in more detail. My wife jokes that when I’m on vacation it means I’m less stressed, it doesn’t mean I don’t work.

So, during the first week of December I set up my test rig, which was basically two AMD 3200’s, one running Windows Vista 32bit native and the other running it virtualized. I then left the machines rebooting for twelve days. Fast forward about fifteen days and, well, it became clear that the ASLR implementation in Windows Vista isn’t perfect. Here is a quick summary of what I found:
• Non-uniform distribution of address usage for heap randomization
• HeapAlloc has less entropy than malloc
• Image randomization bug
• PEB randomization bug

Are these problems the end of the world? No, not really. After all, some ASLR is better than no ASLR. However, these issues do potentially increase the likelihood of successful exploitation when compared to what could have been a perfect implementation.

My paper "Analysis of Address Space Layout Randomization on Windows Vista" goes into more detail. The abstract is as follows:

Address Space Layout Randomization (ASLR) is a prophylactic security technology aimed at reducing the effectiveness of exploit attempts. With the advent of Microsoft Windows Vista, ASLR has been integrated into the default configuration of a Microsoft Windows operating system for the first time. We measure the behavior of the ASLR implementation in the Vista RTM release. Our analysis of the results uncovers predictability in the implementation that reduces its effectiveness.

I’ve had positive feedback from those who have read this paper. However, if you don’t feel like reading, I will be presenting it, along with my GS research, at BlackHat DC, EuSecWest, and BlackHat Europe.
