Saying goodbye to age 2x + welcome Vista B2

Busy as always trying to improve and integrate the newest software development technologies and frameworks for users' happiness, between the code lines I realize that time is going, and the world is moving faster and faster, so we cannot realize quite fast that we all get older. So what can we say, that's life, the only thing in this universe that we must enjoy every millisecond of.

Yeah, that's what happened to me last week, I got older like everybody else, nothing unusual so far. The important point is that I am now 30, hmm; older people might say "nice age, if only I had it once again", the younger ones "hmm, that is so far away for me".

That’s a bit from the last personal issues.

Last week was an important release day at Microsoft: a new version of Vista Beta and Office 2007 beta, which will give me a new overview of communication and messaging security on Microsoft platforms. For example, an interesting issue about address space randomization on Vista:

Windows Vista Beta 2 includes a new defense against buffer overrun exploits called address space layout randomization. Not only is it in Beta 2, it's on by default too. Level set: ASLR is not a replacement for insecure code, but when used in conjunction with other technologies, which I will explain shortly, it is a useful defense because it makes Windows systems look "different" to malware, making automated attacks harder.

So what is ASLR? In short, when you boot a Windows Vista Beta 2 computer, we load system code into different locations in memory. This helps defeat a well-understood attack called “return-to-libc”, where exploit code attempts to call a system function, such as the socket() function in wsock32.dll to open a socket, or LoadLibrary in kernel32.dll to load wsock32.dll in the first place.

The job of ASLR is to move these function entry points around in memory so they are in unpredictable locations.

In the case of Windows Vista Beta 2, a DLL or EXE could be loaded into any of 256 locations, which means an attacker has a 1/256 chance of getting the address right. In short, this makes it harder for exploits to work correctly.

For example, before a reboot my installation reported the following:

  • wsock32.dll (0x73ad0000)
  • winhttp.dll (0x74020000)
  • user32.dll (0x779b0000)
  • kernel32.dll (0x77c10000)
  • gdi32.dll (0x77a50000)

After rebooting the machine, the following:

  • wsock32.dll (0x73200000)
  • winhttp.dll (0x73760000)
  • user32.dll (0x770f0000)
  • kernel32.dll (0x77350000)
  • gdi32.dll (0x77190000)

As you can see, various DLLs are loaded at different addresses and this makes it harder for exploit code to locate and therefore take advantage of functionality inside these DLLs. Not impossible, just harder.

But it will take a while until this feature helps real-life usage of Windows platforms.
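As an added example (not from the post or from Microsoft), a short Python script that parses the two module listings above, expresses each base-address change in 64 KiB slots, checks that every change fits inside a 256-position window, and computes the 1/256 guess probability the text mentions. The 64 KiB slot size is an assumption, consistent with every listed base ending in 0000.

```python
"""Compare Vista Beta 2 DLL base addresses across two boots (added example).
Sample data is the two lists from the post; 64 KiB slot size is an assumption
consistent with every base ending in 0000 and with the post's 256 locations."""
import re

SLOT = 0x10000   # assumed 64 KiB image-base alignment
SLOTS = 256      # candidate load positions per boot, per the post

# Module listings copied from the post (constructed input for this example)
BEFORE_REBOOT = """wsock32.dll (0x73ad0000) winhttp.dll (0x74020000)
user32.dll (0x779b0000) kernel32.dll (0x77c10000) gdi32.dll (0x77a50000)"""
AFTER_REBOOT = """wsock32.dll (0x73200000) winhttp.dll (0x73760000)
user32.dll (0x770f0000) kernel32.dll (0x77350000) gdi32.dll (0x77190000)"""

LINE_RE = re.compile(r"(\S+\.dll)\s*\(0x([0-9a-fA-F]+)\)")


def parse_bases(listing: str) -> dict[str, int]:
    """Map module name -> base address from 'name (0xADDR)' entries."""
    return {m.group(1).lower(): int(m.group(2), 16) for m in LINE_RE.finditer(listing)}


def slot_shifts(before: dict[str, int], after: dict[str, int]) -> dict[str, int]:
    """Per-module shift between boots in 64 KiB slots (negative = moved down)."""
    shifts = {}
    for name, base in before.items():
        if base % SLOT or after[name] % SLOT:
            raise ValueError(f"{name}: base not {SLOT:#x}-aligned")
        shifts[name] = (after[name] - base) // SLOT
    return shifts


def within_window(shifts: dict[str, int]) -> bool:
    """True if every observed shift fits inside a 256-slot randomisation window."""
    return all(abs(s) < SLOTS for s in shifts.values())


def guess_success(attempts: int) -> float:
    """Chance that at least one of `attempts` fixed-address guesses hits when
    each boot picks one of SLOTS positions uniformly (1/256 for one guess)."""
    return 1 - (1 - 1 / SLOTS) ** attempts


if __name__ == "__main__":
    shifts = slot_shifts(parse_bases(BEFORE_REBOOT), parse_bases(AFTER_REBOOT))
    for name, s in shifts.items():
        print(f"{name:13} moved {s:+d} slots ({s * SLOT:+#x} bytes)")
    print("all shifts inside the 256-slot window:", within_window(shifts))
    print(f"one guess: {guess_success(1):.4f}; 100 guesses: {guess_success(100):.3f}")
```

On the post's own data the shifts come out at 140 or 141 slots for every DLL, which is worth knowing when judging how much entropy a per-boot randomisation actually provides: the figure to look at is the spread across modules and boots, not just the size of the window.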

see ya,

cosmin
