I recently came upon a Microsoft article that touted new "defensive enhancements" of Windows 7. Specifically:

  • Address space layout randomization (ASLR)
  • Heap randomization
  • Stack randomization

The article went on to say that "...some of these defenses are in the core operating system, and the Microsoft Visual C++ compiler offers others" but didn't explain how these strategies would actually increase security.

Anyone know why memory randomization increases security, if at all? Do other platforms and compilers employ similar strategies?

+2  A: 

It makes attacks like return to libc (or return to user-provided data buffer in the case of the latter two) much harder. And yes, it is available in Linux, BSD, and Mac OS. As you would expect, the details vary by OS. See Wikipedia for an introduction.

Matthew Flaschen
+7  A: 

It increases security by making it hard to predict where something will be in memory. Quite a few buffer overflow exploits work by putting (for example) the address of a known routine on the stack, and then returning to it. It's much harder to do that without knowing the address of the relevant routine.

As far as I know, OpenBSD was about the first to do this, at least among the reasonably well-known OSes for PCs.

Jerry Coffin
Please provide links!
Matt Joiner
@Matt: Links to what?
Jerry Coffin
Links to support your claims, I'd like to read more about them.
Matt Joiner
http://en.wikipedia.org/wiki/Stack_buffer_overflow, http://kerneltrap.org/node/573
Jerry Coffin
A: 

By randomizing the stack you make vanilla buffer overflow attacks like Aleph One's Smashing the Stack for Fun and Profit impossible. The reason why is because the attack is relying on placing a small amount of executable code called shellcode into a predictable location in memory. The function stack frame is corrupted and its return address overwritten with a value that the attacker chooses. When the corrupted function returns, the flow of execution moves to the attacker's shellcode. Traditionally this memory address is so predictable that it would be identical on all machines that are running the same version of the software.

Despite advanced memory protection implemented on Windows 7, remote code execution is still possible. Recently at CanSecWest a machine running Windows 7 and IE 8 was hacked within seconds. Here is a technical description of a modern memory corruption attack utilizing a dangling pointer in conjunction with a heap overflow.

Rook
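
The unpredictability the answers above describe can be measured directly. The following C program is an added example, not code from the question or any of the answers: it re-runs itself eight times (a constructed sample size) and counts how many distinct addresses the stack, heap, program code and libc took, assuming a POSIX system with `popen` and that `argv[0]` is a usable path to the binary.

```c
#define _POSIX_C_SOURCE 200809L   /* popen/pclose */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { STACK, HEAP, CODE, LIBC, NREGIONS, RUNS = 8 };
static const char *region_name[NREGIONS] = { "stack", "heap", "code", "libc" };

/* Record one address from each memory region of the current process. */
void sample_addresses(unsigned long out[NREGIONS]) {
    int local = 0;
    void *heap = malloc(64);
    out[STACK] = (unsigned long)&local;
    out[HEAP]  = (unsigned long)heap;
    out[CODE]  = (unsigned long)&sample_addresses;  /* moves only if built as PIE */
    out[LIBC]  = (unsigned long)&printf;
    free(heap);
}

/* Number of distinct addresses one region took across `runs` processes. */
int distinct_values(unsigned long s[][NREGIONS], int runs, int region) {
    int distinct = 0;
    for (int i = 0; i < runs; i++) {
        int seen = 0;
        for (int j = 0; j < i; j++)
            seen |= (s[j][region] == s[i][region]);
        distinct += !seen;
    }
    return distinct;
}

int main(int argc, char **argv) {
    unsigned long s[RUNS][NREGIONS];
    char cmd[4096];
    if (argc > 1 && strcmp(argv[1], "--child") == 0) {   /* child: report and exit */
        sample_addresses(s[0]);
        printf("%lx %lx %lx %lx\n", s[0][STACK], s[0][HEAP], s[0][CODE], s[0][LIBC]);
        return 0;
    }
    snprintf(cmd, sizeof cmd, "\"%s\" --child", argv[0]);
    for (int i = 0; i < RUNS; i++) {                     /* parent: fresh process per sample */
        FILE *p = popen(cmd, "r");
        if (!p || fscanf(p, "%lx %lx %lx %lx", &s[i][STACK], &s[i][HEAP],
                         &s[i][CODE], &s[i][LIBC]) != 4) { perror("child"); return 1; }
        pclose(p);
    }
    for (int r = 0; r < NREGIONS; r++)
        printf("%-5s %d distinct addresses in %d runs\n", region_name[r],
               distinct_values(s, RUNS, r), RUNS);
}
```

With randomization enabled and the binary built as a position-independent executable, each region is expected to show several distinct addresses; a count of 1 means that region loaded at the same address in every run.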