Dailydave mailing list archives
Re: The sky's downward trajectory
From: <ol () uncon org>
Date: Tue, 20 Feb 2007 13:05:29 -0000
Thanks for pimpage, the final figures are:

Stack - 14 bits
Heap - 5+ bits
Image (code) - 8 bits
PEB - 4 bits

Yes, image randomization out of the box only occurs upon a reboot. However there is a dirty method I came up with to force a reseed for binaries, but this massively skews the results.

All is contained in the paper which we will be releasing next week and presenting at Blackhat DC (Thursday) and EuSecWest (Friday).

Cheers
Ollie

----- Original Message -----
From: "Dominique Brezinski" <dominique.brezinski () gmail com>
To: <dailydave () lists immunitysec com>
Sent: Tuesday, February 20, 2007 7:15 AM
Subject: Re: [Dailydave] The sky's downward trajectory

> Vista's stack gets 14 bits, heap and image 8 bits and PEB 4 bits. Ollie Whitehouse did a complete analysis of Vista's ASLR implementation in the final release that he will be presenting at Black Hat DC in a week. For those of you that can't make it, we should have his presentation up online shortly after the conference. I believe Symantec will also be publishing the white paper then. His analysis looks at the statistical distributions within the various process-space segments that are randomized with some interesting results. I think the material will be good reading for this list.
>
> Cheers,
> Dominique
>
> On 2/19/07, Jonathan Wilkins <jwilkins () gmail com> wrote:
>> Ok, I dug a little more and here's what I found:
>>
>> http://blogs.msdn.com/michael_howard/archive/2006/05/26/address-space-layout-randomization-in-windows-vista.aspx
>>
>> "This helps defeat a well-understood attack called "return-to-libc", where exploit code attempts to call a system function [...] In the case of Windows Vista Beta 2, a DLL or EXE could be loaded into any of 256 locations, which means an attacker has a 1/256 chance of getting the address right."
>>
>> Confirmed by skape here: http://blog.metasploit.com/2006/06/few-quick-updates.html
>>
>> "Microsoft's implementation is limited to 8 bits of entropy in the 3rd octet"
>>
>> Those posts are both pre-final Vista, as was ToorCon, so I'm not certain how things might have changed.
>>
>> On 2/19/07, jf <jf () danglingpointers net> wrote:
>>> As I understood it, they are only randomized once at boot time with 4 bits of entropy, and it's currently opt-in for most applications (including IE), but opt-out for system DLLs. I tend to agree that only randomizing once may be an issue, but no one seems to agree with me.
>>>
>>> On Mon, 19 Feb 2007, endrazine wrote:
>>>> Date: Mon, 19 Feb 2007 19:27:33 +0100
>>>> From: endrazine <endrazine () gmail com>
>>>> To: Rhys Kidd <rhyskidd () gmail com>
>>>> Cc: dailydave () lists immunitysec com
>>>> Subject: Re: [Dailydave] The sky's downward trajectory
>>>>
>>>> Hi dear readers,
>>>>
>>>> Rhys Kidd wrote:
>>>>> So what does Microsoft provide to make this more secure? Firstly the push by Michael Howard et al to get ASLR implemented in Vista beta 2 and above means the addresses within ntdll.dll are going to be somewhat random, thereby making reliable use of this technique difficult. NX bit based defenses really should be implemented hand-in-hand with some form of memory randomisation, as was documented by the PaX project.
>>>>
>>>> Put me in my place if I'm wrong, but addresses are only randomized once at boot up, making the Vista randomization far less effective than a run time randomization a la PaX. Well, at least, that's what I understood from the Microsoft TechDays in Paris 2 weeks ago.
>>>>
>>>>> Secondly, as Dave mentioned setting "AlwaysOn" in boot.ini should prevent DEP from being disabled on a per-process basis.
>>>>>
>>>>> HTH.
>>>>> Rhys
>>>>
>>>> Regards,
>>>> endrazine

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
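The once-per-boot versus per-exec randomization point argued in the thread (jf and endrazine above), worked through as an added example that is not part of any message here and not code from the Symantec paper. It takes the entropy figures Ollie quotes (stack 14, heap 5+, image 8, PEB 4 bits; heap is taken as 5) and compares the cost of guessing a randomized address when the layout stays fixed across the attacker's probes against a layout drawn fresh before every probe. The scenario in which the attacker can probe repeatedly against one fixed layout (a service that is restarted after each crash) and the 256-probe budget are assumptions of the example.

```c
/* Added example, not from the thread or from the Symantec paper.
 * Models the cost of guessing a randomized address under two policies:
 *  - fixed layout: randomized once per boot (the Vista image-base behaviour
 *    discussed above); assumes a target the attacker can probe repeatedly,
 *    e.g. a service restarted after each crash, so each failed probe rules
 *    out one candidate and is never repeated (sampling without replacement)
 *  - re-randomized: a fresh layout before every probe (PaX-style per-exec),
 *    so probes are independent (sampling with replacement)
 * Entropy figures are the ones quoted in the thread; "5+" heap bits is taken
 * as 5. The 256-probe budget printed by main() is an arbitrary assumption. */
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>

/* base^k by repeated squaring, so the example has no libm dependency. */
static double pow_u64(double base, uint64_t k)
{
    double r = 1.0;
    while (k) {
        if (k & 1) r *= base;
        base *= base;
        k >>= 1;
    }
    return r;
}

/* Number of equally likely positions for a field with the given entropy. */
static double slots(int bits) { return (double)((uint64_t)1 << bits); }

/* Fixed layout: k distinct probes succeed with probability k / 2^bits, capped at 1. */
double p_hit_fixed_layout(int bits, uint64_t k)
{
    double n = slots(bits);
    return (double)k >= n ? 1.0 : (double)k / n;
}

/* Re-randomized layout: P(hit within k independent probes) = 1 - (1 - 2^-bits)^k. */
double p_hit_rerandomized(int bits, uint64_t k)
{
    return 1.0 - pow_u64(1.0 - 1.0 / slots(bits), k);
}

/* Expected probes until the first hit: (2^bits + 1)/2 without replacement,
 * 2^bits with replacement. */
double expected_probes_fixed_layout(int bits) { return (slots(bits) + 1.0) / 2.0; }
double expected_probes_rerandomized(int bits) { return slots(bits); }

/* Monte Carlo check of the two formulas. rerandomize == 0: the "boot" picks
 * one position and the attacker sweeps candidates 0..n-1 in order.
 * rerandomize != 0: the attacker keeps guessing position 0 while every probe
 * draws a fresh position. Returns the mean probe count over `trials` runs. */
double simulate_mean_probes(int bits, int trials, int rerandomize, unsigned seed)
{
    uint64_t n = (uint64_t)1 << bits;
    double total = 0.0;
    srand(seed);
    for (int t = 0; t < trials; t++) {
        uint64_t probes;
        if (!rerandomize) {
            uint64_t target = (uint64_t)rand() % n;  /* chosen once, at "boot" */
            probes = target + 1;                     /* the sweep hits on probe target+1 */
        } else {
            probes = 1;
            while ((uint64_t)rand() % n != 0)        /* fresh layout every probe */
                probes++;
        }
        total += (double)probes;
    }
    return total / trials;
}

int main(void)
{
    struct { const char *name; int bits; } f[] = {
        { "stack", 14 }, { "heap", 5 }, { "image", 8 }, { "PEB", 4 }
    };
    printf("%-6s %4s %12s %12s %14s %14s\n", "field", "bits",
           "E[fixed]", "E[rerand]", "P(256,fixed)", "P(256,rerand)");
    for (size_t i = 0; i < sizeof f / sizeof f[0]; i++)
        printf("%-6s %4d %12.1f %12.1f %14.5f %14.5f\n", f[i].name, f[i].bits,
               expected_probes_fixed_layout(f[i].bits),
               expected_probes_rerandomized(f[i].bits),
               p_hit_fixed_layout(f[i].bits, 256),
               p_hit_rerandomized(f[i].bits, 256));
    printf("simulated image (8 bits): fixed %.1f probes, re-randomized %.1f probes\n",
           simulate_mean_probes(8, 20000, 0, 1), simulate_mean_probes(8, 20000, 1, 1));
    return 0;
}
```

The table makes the thread's disagreement concrete: with 8 bits of image entropy a fixed layout is found in 128.5 probes on average and is certain to fall within 256, while a per-exec layout costs 256 probes on average and 256 probes still leave a noticeable chance of missing. The gap only matters when the attacker gets repeated probes against the same boot, which is exactly the restart scenario assumed here.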
Current thread:
- Re: The sky's downward trajectory, (continued)
- Re: The sky's downward trajectory George Ou (Feb 18)
- Re: The sky's downward trajectory Dave Aitel (Feb 18)
- Re: The sky's downward trajectory George Ou (Feb 18)
- Re: The sky's downward trajectory Rhys Kidd (Feb 19)
- Re: The sky's downward trajectory endrazine (Feb 19)
- Re: The sky's downward trajectory jf (Feb 19)
- Re: The sky's downward trajectory endrazine (Feb 19)
- Re: The sky's downward trajectory jf (Feb 19)
- Re: The sky's downward trajectory Jonathan Wilkins (Feb 19)
- Re: The sky's downward trajectory Dominique Brezinski (Feb 20)
- Re: The sky's downward trajectory ol (Feb 20)
- Re: The sky's downward trajectory ol (Mar 03)
- Re: The sky's downward trajectory Dave Aitel (Feb 18)
- Re: The sky's downward trajectory George Ou (Feb 18)
- Re: The sky's downward trajectory jf (Feb 20)
- Re: The sky's downward trajectory Jonathan Wilkins (Feb 19)
- Re: The sky's downward trajectory Halvar Flake (Feb 20)
- Re: The sky's downward trajectory Halvar Flake (Feb 20)
- Re: The sky's downward trajectory Alexander Sotirov (Feb 20)
- Re: The sky's downward trajectory don bailey (Feb 21)
- Re: The sky's downward trajectory don bailey (Feb 22)
- Re: The sky's downward trajectory ol (Feb 23)
- Re: The sky's downward trajectory don bailey (Feb 26)