Security software can reduce effectiveness of DEP/ASLR

Discussion in 'other security issues & news' started by MrBrian, Sep 5, 2011.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    From another topic =p

    http://www.stanford.edu/~blp/papers/asrandom.pdf


    And one important note:
    Stumbled upon this while learning about Buffer Overflow attacks and Return to LibC.

    It really makes 32bit ASLR sound useless.

    Of course even 64bit ASLR has huge issues.
     
  2. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I'll give that a reading... thanks. :thumb:

    I don't know where I've seen it... it was some time ago... but, I remember reading an article mentioning that ASLR on its own doesn't do much, but together with other mitigation techniques, it will be harder for attackers to exploit a vulnerability.

    I also remember reading something, not so long ago, and I believe it was on a Microsoft blog about some vulnerability, that an attack was successful either against ASLR or DEP, but not against both.

    In the end, the question is: Are we better off without them or with them? I'd like to think with them. lol
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    lol I can tell you with quite some certainty that ASLR on its own isn't amazingly effective. The article (keep in mind it's 7 years old) simply brings up that ASLR is really pretty useless on a 32bit system.


    Yeah, DEP and ASLR work well together. Both obviously deal with address space - DEP protecting it and ASLR randomizing it.

    But there's a lot more to it than that, there's heap spray, getting return address/ exploit from the stack, etc.

    I just think it's interesting that ASLR on 32bit is so useless. I had no idea the extent of moving from 32bit to 64bit in terms of ASLR.
     
  4. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Are you aware if a new version came out already? I downloaded the installer yesterday, but HashTab won't work inside Sandboxie, so I can't see, if a new version came out already, whether or not it supports ASLR.

    -edit-

    @ all

    The newest Winzip version does support ASLR.
     


  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Is there any way to get it working in sandboxie? Just curious which setting is killing it.
     
  6. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I didn't try to figure it out... :D
     
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    =p well alright
     
  8. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Turns out that adding explorer.exe to EMET (I didn't verify which mitigation(s) caused it to happen) breaks Adobe Reader X. When opening Adobe Reader X, it will immediately crash. It may well crash many other things that are not in my system. :D

    I really don't see adding explorer.exe as a workaround for the sake of security. Software developers should be the ones providing such support; they are way too lazy! :ouch:
     
  9. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Strange.

    I don't like Adobe Reader X anyways so I can EMET explorer all I like =p
     
  10. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,342
    Location:
    USA
    I agree with this. :thumb:
     
  11. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    If devs actually cared about security it would be very interesting to see how their programs changed.

    Protected mode applications, DEP/SEHOP/ASLR or other mitigation techniques.

    It would be nice if that were the case.
     
  12. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
    Still no new version yet :(
     
  13. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,644
    Location:
    USA
    Looks like no. I just checked and it appears that it hasn't been updated since January 2011.
     
  14. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Well, they didn't say when it was going to be released... It could happen two years from now... with some good luck... :D

    Oh, well, I decided I'll no longer support and advise software that helps break security to family members and friends; I'll also stop using them.

    Maybe if every power user and computer shop technician stopped using them and installing them, these software developers would wake up. Who knows... :blink:
     
  15. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Could anyone check if HashCheck (-http://code.kliu.org/hashcheck/) supports ASLR? It seems to be a great alternative to HashTab. It's an open source application. Last update was in 2009/07/01. But, if it works and supports ASLR, then that's what we want, right? ;)

    Unfortunately, just like HashTab, it won't run inside Sandboxie, so I cannot test whether or not it supports ASLR. I also don't have virtual machines; very weak laptop. :D
     
  16. wat0114

    wat0114 Guest

    @m00nbl00d,

    does this help...:)

    Tested in a Win7x64 VM.
     


  17. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Thanks! It's unfortunate that it doesn't support it either. I'm going to contact the author and see if at least this one is willing to provide an update to it, supporting ASLR.

    I also got a few suggestions for it, so... :D
     
  18. wat0114

    wat0114 Guest

    You're welcome. Note I edited my response to show it tested in a Win7x64 VM ;)
     
  19. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    It looks like you're using the old version of Process Explorer, wat0114, which doesn't correctly show ASLR status. This is obvious as DLLs like ieframe have supported it for quite some time.

    However considering the release date of the application in question (2009), I'd highly doubt it supports ASLR.
     
  20. wat0114

    wat0114 Guest

    You're right elapsed, I've updated most of the apps in the VM, but kind of neglected that one. It's updated now to 15.11. Thanks for the heads up :)

    Btw, as you suspected, ASLR support still not showing for hashcheck.dll
     
  21. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Good eye!

    Well, I sent an e-mail to the author when I mentioned the application here, but as of yesterday night, no answer.

    But, thinking better, I truly don't see a point in using either this one or HashTab. I mean, there are way better alternatives out there and more powerful, also free. Some time ago I started a thread about software that computes and compares hashes (also hashes in files). If one likes open source, there's FileVerifier++; it has a GUI and command line. There's also MultiHasher from Abelhadigital; the same authors of Hostsman. This one has drag and drop functionality, a very clean UI and command line parameters as well. We can also add MultiHasher to the context menu, but I haven't checked it yet, so I don't know whether or not it supports ASLR, but the context menu is not the most important feature to me; drag and drop is nice. :D
     