tags:

views:

372

answers:

2
Q: 

Heap randomization in Windows

Windows 7 has Heap randomization and Stack randomization features. How could I manage it? How they are affects performance of my application? Where I could find more information on how it works?

I'm using Visual Studio 2008 for developing C++ programs. I can't find any compiler's options for that features.

A: 

Surely its just an OS feature? It shouldn't bother you in the slightest. The OS will move your application around and as long as you don't assume your applciation is loaded to a specific memory address (Which you really should never assume anyway) you won't get any problems.

Goz  2009-08-05 09:25:49
My question was not about address randomization, but about heap randomization. I'm able to create new heap at any time of program life. Randomization could be a heavy procedure. I want to be sure that it will not take place without my approvement.
Kirill V. Lyadvinsky  2009-08-05 09:31:21
AFAIK Heap randomization just means that if you do a malloc the block of memory it returns on one run will not be the same as the block of memory it returns on the next ... Its only happening in the process's virtual address space anyway .. isn't it?
Goz  2009-08-05 10:00:44
I don't know. That's why I'm asking :) These features were mentioned in 'Windows 7 Client Software Logo' document. I can't find any additional info on that.
Kirill V. Lyadvinsky  2009-08-05 10:09:53
Well thats all they can do. They can't break older applications. Its all set up to make it harder for a hacker to do a code injection because the hacker no longer knows what will be where in memory.
Goz  2009-08-05 10:43:46
+2  A: 

Ok, Heap randomization and Stack randomization are Windows features, but have to be explicitly enabled for each process at link time. Mark Russinovich described how it is work in his 5-th Windows Internals book.

Stack randomization consists of first selecting one of 32 possible stack locations separated by either 64 KB or 256 KB. This base address is selected by finding the first appropriate free memory region and then choosing the xth available region, where x is once again generated based on the current processor's TSC shifted and masked into a 5-bit value.<...>

Finally, ASLR randomizes the location of the initial process heap (and subsequent heaps) when created in user mode. The RtlCreateHeap function uses another pseudo-random, TSC-derived value to determine the base address of the heap. This value, 5 bits this time, is multiplied by 64 KB to generate the final base address, starting at 0, giving a possible range of 0x00000000 to 0x001F0000 for the initial heap. Additionally, the range before the heap base address is manually deallocated in an attempt to force an access violation if an attack is doing a brute-force sweep of the entire possible heap address range.

Kirill V. Lyadvinsky  2009-08-28 11:17:49

related questions

Of Memory Management, Heap Corruption, and C++
How do I make a GUI?
Alpha blending sprites in Nintendo DS Homebrew
Thread safe lazy contruction of a singleton in C++
Interview Programming Questions - In house Exam
Link issues (VC6)
What are the barriers to understanding pointers and what can be done to overcome them?
Why are professors or schools picking Java over C++ to teach to students?
What is the best way to create a sparse array in C++
C/C++ library for reading MIDI signals from a USB MIDI device
How do you pack a visual studio c++ project for release?
How to set up unit testing for Visual Studio C++
How do I configure and communicate with a serial port?
Lightweight IDE for Linux
Mapping Stream data to data structures in C#
CPU throttling in C++
Asynchronous multi-direction server-client communication over the same open socket?
Exceptions in C++
Heap corruption under Win32; how to locate?
Build for Windows NT 4.0 using Visual Studio 2005?
C++: Should I use nested classes in this case?
BerkeleyDB Concurrency
GTK implementation of MessageBox
Is gettimeofday() guaranteed to be of microsecond resolution?
How to use the C socket API in C++ on z/OS