Is it possible to emulate some of Vista's security features?

Vista-Probe is a tool that does a few checks of your Windows version compared to Vista's security features. (it also does a few other things).
http://www.tuxedo-es.org/blog/2006/06/15/vista-probe-01-released/

One interesting area it covers, is the detection of "Address Space Layout Randomization" (or ASLR) features...ASLR was developed by an open-source project called PaX. (Yeah, kind of ironic...MS criticises open-source for the last 5 years, and they end up using a security concept from them in Vista...I guess open-source is bad when Microsoft isn't using it).

Anyway, if you're gonna boycott Vista, you'll probably wonder if you can get ASLR capability in existing Windows versions...Well, WehnTrust is supposed to bring this.

See here.
http://www.wehnus.com/products.pl
(Home User version is free)

The problem of course, is when I ran Vista-Probe. Of the 4 categories in the ASLR section, it only covers Heap Randomization and Stack Randomization. But not DLL base Randomization and EXE base Randomization tests. I've filed a Bug Report with WehnTrust, just to see what they say about this. (I ran this under Win2k SP4).


Anyway, this has got me thinking...

Is it possible to emulate some of the security features of Vista on current or older Windows versions? (Thereby reducing the reasons for an unnecessary upgrade).

Its an interesting topic to discuss, don't you think?

 

there is this which i think might be abit like one of the vista features, i don't know much about vista though. and i haven't used this program, it might be a good though
http://sudown.mine.nu/index.php

 

I know this is an older thread, but I thought it would be better to reply to it than do start a new one after taking into consideration the content of the first post.

I tested Vista-Probe against Wehntrust and StackDefender. Wehntrust has not changed since the first post, Heap Randomization and Stack Randomization is covered, but not DLL base Randomization or EXE base Randomization. All of the Normal testing shows as Not Vulnerable (along with GS Canary randomization) while all of the Advanced Testing shows as Vulnerable. Return-to-function (With CopyMemory()) also shows as vulnerable.

The results are the same when testing StackDefender, exept that SD does not cover any Heap/Stack randomization according to Vista-Probe.

Since the version of Wehntrust I tested is free and seems to do a better job than StackDefender (which is not free), I am going to go with Wehntrust for now. It would be nice to see results on other software if anyone has a chance.

Edit: The testing utility that came with StackDefender was easilly blocked by the Windows Data Execution Prevention which I have enabled on all programs.

 

Very nice tests AJohn
So, according to your tests, the only "exclusive" security feature of Vista (ASLR) can be (partially) added to XP using third-party apps? What kind of incompatibilities and/or instabilities can be expected by using these tools?

 

Here is a very interesting test done by the makers of BufferShield:

http://www.sys-manage.com/english/products/products_BufferShield_Exploits.html

It seems no matter how carefully I install BS on my PC, it installs as "Not running!" and there is no way to fix this as far as I can tell. I have tried repairing the installation and even went as far as uninstalling all security software/disabling Windows DEP.

 

Thanks for the link
However, I'm scared to use any of these apps. I've tested Wehntrust in a VM and it seems stable, but I haven't enough trust to install it on production systems.

 

Wehntrust has never caused any problems for me on WinXP SP2 MCE running along any Comodo software (including BOClean), Samurai, Softsphere DefenseWall, GeSWall, or anything else I have tried. I did notice somewhere that StackDefender does not work under VMware.

Have you ever tried TotalUninstall? I use it for testing software, if I ever get anything like a BSOD I just boot into safe mode and remove the problem and cleanup with TU.

 

I do test software inside VMs or I take system images before installing the software. I'm not fan of uninstallers.
Your posts have made me reconsider Wehntrust for real/stable systems. My biggest worry is serious patching of the core OS, which is what this kind of security apps do, right?

 

As far as I could tell your biggest worries would be it installing one driver and one service, but keep in mind I can not guarantee anything even though I have never had any trouble with it on my system.

Has anybody got a chance to test any others?

 

I just received a response from Wehnus, here is my inquiry and their answer:

"On Mon, Apr 23, 2007 at 03:12:40PM -0700, AJohn wrote:
> > Hello, I was just playing with the Vista-Probe software from
> > tuxedo-es.org which is designed to test ASLR software such as
> > Wehntrust. I noticed that Vista-Probe does not recognize Wehntrust as
> > having DLL and EXE base randomization. I do not know if this is an
> > error in Vista-Probe or Wehntrust, maybe this is a matter worth looking
> > into. I also noticed a feature in V-P called 'Return-to-function(with
> > CopyMemory())' which it claims Wehntrust fails along with
> > 'VirtualProtect() permissions change' for Executable stack, head, bss
> > segment, data segment, mapping, dll data segment and DLL bss segment are
> > all noted as Vulnerable as well.

I'm not familiar with how Vista-Probe works specifically, but I imagine
it's checking to see if the binaries have a flag that enables ASLR.
WehnTrust does not use this flag. It's ASLR is transparent to the
operating system, and as such it's unlikely that Vista-Probe will detect
it. You can verify that WehnTrust is randomizing things by looking at
the base addresses of modules after subsequent reboots.

Thanks,
Matt Miller"

 

BTW, wehnus.com has version 1.0.0.9 while wehntrust.com seems to not be updated.

 

Thought I would add that when installing Defensewall HIPS or Spyberus AFTER Wehntrust, I get a BSOD before windows boots. When installing DW HIPS or Spyberus BEFORE Wehntrust, things seem to go ok.