Security software can reduce effectiveness of DEP/ASLR

Discussion in 'other security issues & news' started by MrBrian, Sep 5, 2011.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I have Trillian forced with EMET. For some reason Process Explorer does not show it as supporting ASLR. Perhaps it differentiates between Pseudo and standard ASLR?

    Either way, it's a shame. Every other running process currently supports ASLR.
     
  2. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,342
    Location:
    USA
    There is a difference Hungry. They are not the same. Also Pseudo ASLR is weaker than standard ASLR.

    http://blog.didierstevens.com/2011/08/16/so-how-good-is-pseudo-aslr/
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I'm definitely aware that there's a difference lol. I just find it interesting that it makes the differentiation.
     
  4. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,868
    Location:
    Outer space
    The MandatoryASLR setting on the settings per process in EMET does not force ASLR on the process but on its DLLs if I'm correct, and the system-wide ASLR setting controls ASLR for the processes.
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    It's a bit different.

    ASLR randomizes the .dlls. So does Pseudo-ASLR. It's the methods that are different.

    ASLR loads the .dlls into different memory addresses.

    If the .dlls are not working with ASLR you can use PseudoASLR to reserve the address that the .dll would normally go to, thus forcing it to move to a new spot.

    It's not nearly as good as ASLR on its own.

    http://blog.didierstevens.com/2011/08/16/so-how-good-is-pseudo-aslr/

    EDIT: That is how I interpreted it. I could be wrong.
     
  6. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,868
    Location:
    Outer space
    This is written in the manual of EMET:
     
  7. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
  8. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Thanks Boe.

    Actually m00n I was just rereading that coincidentally haha
     
  9. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I finally decided to give QTTabBar a try. It's a great little application, but the damn thing loads so many dlls into explorer.exe, without ASLR support. None of the dlls support ASLR, from what I could see.

    :argh:

    I'm going to try HashTab whenever I can. It's another application I've been wanting to use. I just hope this one supports ASLR. I imagine it loads dlls into explorer.exe?
     
  10. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,625
    Location:
    USA
    I use it. It loads HashTab64.dll (or HashTab32.dll) into explorer.exe. No ASLR. I haven't tried to force EMET onto explorer.exe.
     
  11. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Thank you. :thumb:

    I've sent an e-mail to the QTTabBar developer. Let's see. I'll also contact the HashTab developers and see what they do.
     
  12. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,625
    Location:
    USA
    Couldn't hurt but I also see that none of the .dlls that Kaspersky or Acronis loads into explorer.exe have ASLR either. :(

    Has anyone added explorer.exe to EMET? If so what were the results? I hesitate to try it myself.
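
The ASLR and DEP opt-ins discussed in this thread are flags in a DLL's PE optional header (`DllCharacteristics`: DYNAMICBASE 0x0040, NXCOMPAT 0x0100), so they can be read straight from the file. The following is an added example, not code from any poster; the function names `pe_mitigations` and `build_sample` are hypothetical and the sample images are constructed header-only bytes.

```python
import struct
import sys

RELOCS_STRIPPED = 0x0001   # COFF Characteristics: no relocation data in file
DYNAMIC_BASE = 0x0040      # DllCharacteristics: image opts in to ASLR
NX_COMPAT = 0x0100         # DllCharacteristics: image opts in to DEP

def pe_mitigations(data: bytes) -> dict:
    """Return the ASLR/DEP opt-in flags recorded in a PE image's headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    opt = coff + 20                      # optional header follows 20-byte COFF header
    if len(data) < opt + 72:
        raise ValueError("truncated headers")
    opt_size, characteristics = struct.unpack_from("<HH", data, coff + 16)
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B) or opt_size < 72:
        raise ValueError("not a PE32/PE32+ optional header")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ layouts.
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    return {
        "aslr": bool(dll_chars & DYNAMIC_BASE),
        "dep": bool(dll_chars & NX_COMPAT),
        "relocs_stripped": bool(characteristics & RELOCS_STRIPPED),
    }

def build_sample(dll_chars: int, characteristics: int = 0x2022) -> bytes:
    """Constructed header-only PE32+ image for demonstration (not a real DLL)."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, characteristics)
    optional = bytearray(240)
    struct.pack_into("<H", optional, 0, 0x20B)
    struct.pack_into("<H", optional, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(optional)

if __name__ == "__main__":
    # Usage: python pe_flags.py <dll-or-exe> [...]; with no paths, run on samples.
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, pe_mitigations(fh.read(4096)))
    if len(sys.argv) == 1:
        print("opted in :", pe_mitigations(build_sample(DYNAMIC_BASE | NX_COMPAT)))
        print("legacy   :", pe_mitigations(build_sample(0)))
```

Run against the DLLs a shell extension or security product installs to see which ones lack the DYNAMICBASE opt-in before they end up loaded into explorer.exe.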
     
  13. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I have every .exe in /Windows added to EMET. That includes explorer.exe.

    0 issues.
     
  14. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,625
    Location:
    USA
    Good to know. Thanks.
     
  15. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,868
    Location:
    Outer space
    The new Nvidia 285.62 driver now has ASLR enabled for its processes and the DLL injected in explorer.exe :)
     
  16. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I wish AMD would do that. I believe ASLR always on breaks because of those drivers.
     
  17. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,342
    Location:
    USA
    Thanks for the info :thumb:
     
  18. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,625
    Location:
    USA
    That is correct. AMD hasn't wowed me with a driver set in a long time. :(
     
  19. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,868
    Location:
    Outer space
    I contacted Nvidia about a month ago about their lack of ASLR support and the fact that they made Explorer vulnerable by injecting DLLs. I'm not sure if they fixed it in the new release because I reported it, but they did take it seriously, so it's quite possible. Perhaps ATI/AMD will listen to you if you contact them about it.
     
  20. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    IDK how I'd even contact ATI. It would be nice if they'd support it.
     
  21. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Try this avenue... http://emailcustomercare.amd.com/
     
  22. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Thanks, I'll write them an email right now.
     
  23. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I suppose this could be considered great news... The next release of HashTab will support ASLR. :D
     
  24. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I wonder if Tzuk has tested out ASLR.
     
  25. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,625
    Location:
    USA
    Good news. HashTab is one of those pieces of free software I actually liked enough to make a donation to. Simple yet so very useful.
     