Is it possible to emulate some of Vista's security features?

Discussion in 'other security issues & news' started by aussiebear, Oct 17, 2006.

Thread Status:
Not open for further replies.
  1. aussiebear

    aussiebear Registered Member

    Joined:
    Jul 3, 2006
    Posts:
    8
    Vista-Probe is a tool that does a few checks of your Windows version compared to Vista's security features. (it also does a few other things).
    http://www.tuxedo-es.org/blog/2006/06/15/vista-probe-01-released/

    One interesting area it covers, is the detection of "Address Space Layout Randomization" (or ASLR) features...ASLR was developed by an open-source project called PaX. (Yeah, kind of ironic...MS criticises open-source for the last 5 years, and they end up using a security concept from them in Vista...I guess open-source is bad when Microsoft isn't using it). :rolleyes:

    Anyway, if you're gonna boycott Vista, you'll probably wonder if you can get ASLR capability in existing Windows versions...Well, WehnTrust is supposed to bring this.

    See here.
    http://www.wehnus.com/products.pl
    (Home User version is free)

    The problem of course, is when I ran Vista-Probe. Of the 4 categories in the ASLR section, it only covers Heap Randomization and Stack Randomization. But not DLL base Randomization and EXE base Randomization tests. I've filed a Bug Report with WehnTrust, just to see what they say about this. (I ran this under Win2k SP4).


    Anyway, this has got me thinking...

    Is it possible to emulate some of the security features of Vista on current or older Windows versions? (Thereby reducing the reasons for an unnecessary upgrade).

    It's an interesting topic to discuss, don't you think? ;)
     
  2. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    there is this which I think might be a bit like one of the vista features, I don't know much about vista though. and I haven't used this program, it might be good though
    http://sudown.mine.nu/index.php
     
  3. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    I know this is an older thread, but I thought it would be better to reply to it than to start a new one after taking into consideration the content of the first post.

    I tested Vista-Probe against Wehntrust and StackDefender. Wehntrust has not changed since the first post: Heap Randomization and Stack Randomization are covered, but not DLL base Randomization or EXE base Randomization. All of the Normal testing shows as Not Vulnerable (along with GS Canary randomization) while all of the Advanced Testing shows as Vulnerable. Return-to-function (With CopyMemory()) also shows as vulnerable.

    The results are the same when testing StackDefender, except that SD does not cover any Heap/Stack randomization according to Vista-Probe.

    Since the version of Wehntrust I tested is free and seems to do a better job than StackDefender (which is not free), I am going to go with Wehntrust for now. It would be nice to see results on other software if anyone has a chance.

    Edit: The testing utility that came with StackDefender was easily blocked by the Windows Data Execution Prevention which I have enabled on all programs.
     
  4. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Very nice tests AJohn :)
    So, according to your tests, the only "exclusive" security feature of Vista (ASLR) can be (partially) added to XP using third-party apps? What kind of incompatibilities and/or instabilities can be expected by using these tools?
     
  5. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    Here is a very interesting test done by the makers of BufferShield:

    http://www.sys-manage.com/english/products/products_BufferShield_Exploits.html

    It seems no matter how carefully I install BS on my PC, it installs as "Not running!" and there is no way to fix this as far as I can tell. I have tried repairing the installation and even went as far as uninstalling all security software/disabling Windows DEP.
     
  6. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Thanks for the link :)
    However, I'm scared to use any of these apps. I've tested Wehntrust in a VM and it seems stable, but I haven't enough trust to install it on production systems.
     
  7. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    Wehntrust has never caused any problems for me on WinXP SP2 MCE running alongside any Comodo software (including BOClean), Samurai, Softsphere DefenseWall, GeSWall, or anything else I have tried. I did notice somewhere that StackDefender does not work under VMware.

    Have you ever tried TotalUninstall? I use it for testing software, if I ever get anything like a BSOD I just boot into safe mode and remove the problem and cleanup with TU.
     
    Last edited: Apr 23, 2007
  8. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    I do test software inside VMs or I take system images before installing the software. I'm not a fan of uninstallers.
    Your posts have made me reconsider Wehntrust for real/stable systems. My biggest worry is serious patching of the core OS, which is what this kind of security app does, right?
     
  9. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    As far as I could tell your biggest worries would be it installing one driver and one service, but keep in mind I cannot guarantee anything even though I have never had any trouble with it on my system.

    Has anybody had a chance to test any others?
     
  10. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    I just received a response from Wehnus, here is my inquiry and their answer:

    "On Mon, Apr 23, 2007 at 03:12:40PM -0700, AJohn wrote:
    > > Hello, I was just playing with the Vista-Probe software from
    > > tuxedo-es.org which is designed to test ASLR software such as
    > > Wehntrust. I noticed that Vista-Probe does not recognize Wehntrust as
    > > having DLL and EXE base randomization. I do not know if this is an
    > > error in Vista-Probe or Wehntrust, maybe this is a matter worth looking
    > > into. I also noticed a feature in V-P called 'Return-to-function(with
    > > CopyMemory())' which it claims Wehntrust fails along with
    > > 'VirtualProtect() permissions change' for Executable stack, head, bss
    > > segment, data segment, mapping, dll data segment and DLL bss segment are
    > > all noted as Vulnerable as well.

    I'm not familiar with how Vista-Probe works specifically, but I imagine
    it's checking to see if the binaries have a flag that enables ASLR.
    WehnTrust does not use this flag. Its ASLR is transparent to the
    operating system, and as such it's unlikely that Vista-Probe will detect
    it. You can verify that WehnTrust is randomizing things by looking at
    the base addresses of modules after subsequent reboots.

    Thanks,
    Matt Miller"
     
    Last edited: Apr 23, 2007
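The empirical check Matt Miller suggests above (compare module base addresses across reboots instead of trusting a flag) can be scripted. This is an added example, not Vista-Probe's or WehnTrust's code; the snapshot filename, the module list and the constructed sample snapshots are assumptions. Run it once, reboot, run it again: a module whose base address never changes is not being randomized.

```python
"""Record the base addresses of a few modules in this process and compare them
with the record from the previous run (do the runs across reboots)."""
import ctypes
import json
import os
import sys

SNAPSHOT = "aslr_snapshot.json"                          # assumed filename
MODULES = ["kernel32.dll", "ntdll.dll", "user32.dll"]     # assumed sample set


def current_bases(modules=MODULES):
    """Windows only: the HMODULE returned by GetModuleHandleW is the module's
    base address; NULL (None) means the module is not loaded in this process."""
    k32 = ctypes.windll.kernel32
    k32.GetModuleHandleW.restype = ctypes.c_void_p
    k32.GetModuleHandleW.argtypes = [ctypes.c_wchar_p]
    bases = {}
    exe = k32.GetModuleHandleW(None)          # NULL name -> the EXE itself
    if exe:
        bases["<exe>"] = int(exe)
    for name in modules:
        handle = k32.GetModuleHandleW(name)
        if handle:
            bases[name] = int(handle)
    return bases


def compare_bases(previous, current):
    """Classify each module: 'randomized' if its base moved between the two
    runs, 'static' if it did not, 'new' if there is no earlier record."""
    report = {}
    for name, base in current.items():
        if name not in previous:
            report[name] = "new"
        elif previous[name] != base:
            report[name] = "randomized"
        else:
            report[name] = "static"
    return report


def static_modules(report):
    """Modules that kept the same base address, sorted for stable output."""
    return sorted(n for n, state in report.items() if state == "static")


if __name__ == "__main__" and sys.platform == "win32":
    now = current_bases()
    if os.path.exists(SNAPSHOT):
        with open(SNAPSHOT) as fh:
            for name, state in compare_bases(json.load(fh), now).items():
                print(f"{name}: {state} (0x{now[name]:08X})")
    with open(SNAPSHOT, "w") as fh:
        json.dump(now, fh)
```

One run after a single reboot only shows that a base moved; repeat over several reboots before concluding a module is randomized, since two boots can land on the same address by chance.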
  11. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    BTW, wehnus.com has version 1.0.0.9 while wehntrust.com seems to not be updated.
     
  12. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    Thought I would add that when installing Defensewall HIPS or Spyberus AFTER Wehntrust, I get a BSOD before Windows boots. When installing DW HIPS or Spyberus BEFORE Wehntrust, things seem to go ok.
     