Re: The sky's downward trajectory

["Dominique Brezinski" <dominique.brezinski () gmail com>]

Vista's stack gets 14 bits, heap and image 8 bits and PEB 4 bits.

Ollie Whitehouse did a complete analysis of Vista's ALSR
implementation in the final release that he will be presenting at
Black Hat DC in a week. For those of you that can't make it, we should
have his presentation up online shortly after the conference. I
believe Symantec will also be publishing the white paper then. His
analysis looks at the statistical distributions within the various
process-space segments that are randomized with some interesting
results. I think the material will be good reading for this list.

Cheers,
Dominique

On 2/19/07, Jonathan Wilkins <jwilkins () gmail com> wrote:
> Ok, I dug a little more and here's what I found:
> http://blogs.msdn.com/michael_howard/archive/2006/05/26/address-space-layout-randomization-in-windows-vista.aspx
> "This helps defeat a well-understood attack called "return-to-libc",
> where exploit code attempts to call a system function [...] In the
> case of Windows Vista Beta 2, a DLL or EXE could be loaded into any of
> 256 locations, which means an attacker has a 1/256 chance of getting
> the address right.
>
> Confirmed by skape here:
> http://blog.metasploit.com/2006/06/few-quick-updates.html
> "Microsoft's implementation is limited to 8 bits of entropy in the 3rd octet"
>
> Those posts are both pre-final Vista, as was ToorCon, so I'm not
> certain how things might
> have changed.
>
> On 2/19/07, jf <jf () danglingpointers net> wrote:
> > As I understood it, they are only randomized once at boot time with 4 bits
> > of entropy, and it's currently opt-in for most applications (including
> > IE), but opt-out for system DLLs. I tend to agree that only randomizing
> > once may be an issue, but no one seems to agree with me.
> >
> > On Mon, 19 Feb 2007, endrazine wrote:
> >
> > > Date: Mon, 19 Feb 2007 19:27:33 +0100
> > > From: endrazine <endrazine () gmail com>
> > > To: Rhys Kidd <rhyskidd () gmail com>
> > > Cc: dailydave () lists immunitysec com
> > > Subject: Re: [Dailydave] The sky's downward trajectory
> > >
> > > Hi dear readers,
> > >
> > > Rhys Kidd a écrit :
> > > > So what does Microsoft provide to make this more secure?
> > > >
> > > > Firstly the push by Michael Howard et al to get ASLR implemented in
> > > > Vista beta 2 and above means the addresses within ntdll.dll are going
> > > > to be somewhat random, thereby making reliable use of this technique
> > > > difficult. NX bit based defenses really should be implemented
> > > > hand-in-hand with some form of memory randomisation, as was documented
> > > > by the PaX project.
> > > Put me in my place if I'm wrong, but adresses are only randomized once
> > > at boot up, making the Vista randomization far less effective than a run
> > > time randomization a la PaX. Well, at least, thats what I understood
> > > from the Microsoft TechDays in Paris 2 weeks ago.
> > > > Secondly, as Dave mentioned setting "AlwaysOn" in boot.ini should
> > > > prevent DEP from being disabled on a per-process basis.
> > > >
> > > > HTH.
> > > > Rhys
> > >
> > > Regards,
> > >
> > > endrazine-
> > > _______________________________________________
> > > Dailydave mailing list
> > > Dailydave () lists immunitysec com
> > > http://lists.immunitysec.com/mailman/listinfo/dailydave
> > _______________________________________________
> > Dailydave mailing list
> > Dailydave () lists immunitysec com
> > http://lists.immunitysec.com/mailman/listinfo/dailydave
> _______________________________________________
> Dailydave mailing list
> Dailydave () lists immunitysec com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave