On the effectiveness of DEP and ASLR

MrBrian · Dec 18, 2010

http://blogs.technet.com/b/srd/archive/2010/12/08/on-the-effectiveness-of-dep-and-aslr.aspx

elapsed · Dec 18, 2010

The first improvement can be seen in the latest version of the Enhanced Mitigation Experience Toolkit (EMET) which now includes support for a feature known as mandatory ASLR. This feature enforces ASLR for all modules regardless of whether or not they are ASLR aware (which effectively eliminates predictable DLL mappings when enabled on Windows Vista and above). This resolves the ASLR bypass technique we described previously and it has been used in practice to successfully mitigate exploits in the wild.
Click to expand...

The second improvement consists of JIT spraying mitigations that have been directly incorporated into the JavaScript JIT compiler that was recently released in the Internet Explorer 9 beta. These mitigations act as countermeasures against the JIT spraying techniques that have been described in attack research.
Click to expand...

I don't know why MS don't make information like this "more known", so that the public are atleast aware without having to read a blog. For example, that's the first time I've heard of that IE9 improvement. It wasn't mentioned in the IE9 blog or website.

chronomatic · Dec 22, 2010

elapsed said:

I don't know why MS don't make information like this "more known", so that the public are atleast aware without having to read a blog. For example, that's the first time I've heard of that IE9 improvement. It wasn't mentioned in the IE9 blog or website.
Click to expand...

Because most people don't know what DEP/ASLR even are. Everyone has been conditioned to believe that security = AV software. Give me DEP/ASLR along with OS level access controls any day over AV software.

trismegistos · Dec 23, 2010

An exploit that bypasses ASLR and DEP on Windows 7

An exploit that bypasses ASLR and DEP on Windows 7... http://www.infoworld.com/d/security-central/researchers-reveal-attack-code-new-ie-zero-day-981

Unlike some other recent IE bugs , this one can be exploited on the newest browser, IE8, running on Microsoft's newest OS, Windows 7, by defeating the latter's DEP (data execution prevention) and ASLR (address space layout randomization) anti-exploit defenses.

According to HD Moore, the chief security at Rapid7 and the creator of Metasploit, Drake's code works reliably against IE8 on Windows 7, but is slightly less dependable when aimed at IE on Windows XP.

The exploit is notable for the way it circumvents DEP and ASLR, Moore said. It relies on a flaw in Windows that lets hackers force the operating system to load outdated .Net DLLs (dynamic-link libraries) that do not have ASLR enabled.

"The .Net [return-oriented programming] is what is used to bypass ASLR and DEP for this exploit," Moore said in an e-mail reply to questions. "It's a solid technique that will apply to future exploits unless Microsoft blocks loading of older .Net libraries."

The .Net-based attack strategy was first spelled out by a pair of McAfee researchers -- Xiao Chen and Jun Xie -- during a presentation at the XCon security conference in Beijing last August. Moore credited Xiao Chen with discovering the .Net technique.

Although Microsoft has put much stock in ASLR's and DEP's defenses, it has acknowledged that researchers are finding ways to bypass both by exploiting weaknesses in ASLR.
Click to expand...

Log in or Sign up

On the effectiveness of DEP and ASLR

MrBrian Registered Member

elapsed Registered Member

chronomatic Registered Member

trismegistos Registered Member

Log in or Sign up

On the effectiveness of DEP and ASLR

MrBrian Registered Member

elapsed Registered Member

chronomatic Registered Member

trismegistos Registered Member

Useful Searches