
Vista plays hide-and-seek with hackers


aidan_8181


What do coders think of this? Is it true???

Windows Vista Beta 2 includes Address Space Layout Randomization, a security feature designed to protect against buffer overrun exploits

Microsoft is starting a game of hide-and-seek with malicious code writers.

Windows Vista Beta 2, released last week, includes a new security feature designed to protect against buffer overrun exploits. Called Address Space Layout Randomization (ASLR), the feature loads key system files in different memory locations each time the PC starts, making it harder for malicious code to run, according to Microsoft.

"It is not a panacea, it is not a replacement for insecure code," Michael Howard, a senior security program manager at Microsoft, wrote in a blog post announcing the feature. "But when used in conjunction with other technologies... it is a useful defense, because it makes Windows systems look 'different' to malware, making automated attacks harder."

A buffer overrun exploit is malicious code that seeks to exploit a common error in computer code called a buffer overrun or buffer overflow. In such an attack, data is stored beyond the boundaries of a buffer, with the result that the extra data overwrites adjacent memory locations. This can cause a process to crash, or allow malicious code to run.

ASLR is not a Microsoft invention. Several open source security systems use it already, including OpenBSD, and the PaX and Exec Shield patches for Linux.

Certain attacks attempt to call Windows system functions, such as the "socket()" function in "wsock32.dll", to open a network socket. The new security feature moves these system files around so they're in unpredictable locations. In Windows Vista Beta 2, a DLL or EXE file could be loaded into any of 256 locations, Howard wrote.

"An attacker has a 1/256 chance of getting the address right," Howard wrote.

Randomisation seems to have served open source systems fairly well, said Russ Cooper, senior scientist at Cybertrust, a security vendor in Herndon, Virginia. The question is how Microsoft implements ASLR and whether the randomisation is predictable at all, he said.

"I suspect this will be the first thing looked for — something which tells you which of the locations has been chosen, or anything that provides you with a pointer," Cooper said.

Attackers could also create malicious software that tries to poke at all 256 memory locations. However, that's more likely to cause the PC to crash, rather than allow a complete compromise, Cooper said. "That's good if all you care about is preventing malware from running, but it might not bode well for keeping systems up and running," he said.

ASLR feedback

Microsoft gets some praise in the security world for its ASLR efforts in Vista. "Remote exploitation of overflows has just got a lot harder," David Litchfield, a researcher at Next Generation Security Software, wrote in an email to the BugTraq mailing list.

But there is also scepticism. Somebody using the alias "c0ntex" wrote in a reply to Litchfield that ASLR has been "trivially circumvented in Linux for years now".

Microsoft has only just added ASLR to a Windows Vista trial release, another sign that the successor to Windows XP is not yet ready for prime time. "We added ASLR pretty late in the game, but we decided that adding it to beta 2 and enabling it by default was important so we can understand how well it performs in the field," Howard wrote.

Together with other enhancements in Vista, ASLR raises the bar in terms of security in the forthcoming operating system, Microsoft says. The company has described Vista, slated to be broadly available in January, as the most secure version of Windows to date.

In addition to ASLR, Howard mentioned a buffer overrun detection option in Visual C++; an exception checker in Vista; function pointer obfuscation; and support for NX, or No-Execute, data execution protection that is included in processors.

"The net of this is, ASLR is seen as just another defense," Howard wrote.

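The article's 256-slot figure, Howard's 1/256 claim and Cooper's "poke at all 256 locations" scenario, modelled in Python as an added example (not code from the article, the thread or Microsoft's implementation): the slot count comes from the article, while the fixed guess 0x42, the seeds and the event log are constructed, and the crash-burst check is one defender-side signal the thread only hints at.

```python
import math
import random
from collections import Counter

SLOTS = 256  # Vista Beta 2 figure from the article: a DLL/EXE can land in any of 256 locations


def entropy_bits(slots=SLOTS):
    """Bits of randomness an attacker must guess: 256 slots -> 8 bits."""
    return math.log2(slots)


def load_base(rng):
    """Simulated ASLR: pick the slot a module is loaded into at this boot."""
    return rng.randrange(SLOTS)


def fixed_guess_hit_rate(boots, seed=1):
    """Attacker hard-codes one address (constructed guess 0x42) and tries once per boot.
    Howard's claim: a 1/256 chance of getting the address right."""
    rng = random.Random(seed)
    guess = 0x42
    hits = sum(1 for _ in range(boots) if load_base(rng) == guess)
    return hits / boots


def crashes_before_hit(actual, sweep=range(SLOTS)):
    """Cooper's 'poke at all 256 locations': each wrong guess crashes the process.
    Returns how many crashes happen before the sweep reaches the real slot."""
    return list(sweep).index(actual)


def mean_crashes_exhaustive(boots, seed=2):
    """Average crashes per successful sweep over many boots; analytically (SLOTS-1)/2 = 127.5."""
    rng = random.Random(seed)
    total = sum(crashes_before_hit(load_base(rng)) for _ in range(boots))
    return total / boots


def crash_storm_processes(events, threshold):
    """Defender side: a sweep shows up as a burst of crashes in one process.
    `events` is a list of (process_name, event_kind); returns names at/over threshold."""
    counts = Counter(name for name, kind in events if kind == "crash")
    return sorted(name for name, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    # Constructed event log: one service crashing repeatedly next to normal activity.
    log = [("svc.exe", "crash")] * 12 + [("explorer.exe", "start"), ("svc.exe", "start")]
    print(entropy_bits(), fixed_guess_hit_rate(100_000), mean_crashes_exhaustive(20_000))
    print(crash_storm_processes(log, threshold=5))
```

The simulated hit rate settles near 1/256 and the exhaustive sweep averages about 127 crashes per boot, which is why Cooper expects a brute-force attempt to look like instability rather than a clean compromise.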

And when Vista crashes for whatever reason, how is it going to repair itself and its files? This is just another bug in the works. This will not stop the buffer overload programs. Vista would have to know where to put the files each time and where they were before. That is a math problem, therefore it is crackable. Rootkits will be even worse.

Why can't Microsoft make a nice OS and stop with the DRM and other crap? What is it now, end of 2007 or '08 for Vista?



It's actually even easier than you think...

1. Windows has to tell itself, somehow, what all those randomized memory stacks are being used for...

2. Hackers will simply locate the stack for the 'randomized list' Windows uses and use that to determine which stacks to manipulate accordingly.

...They've added another 2-3 steps to the cracking process at the most. And with generic patching engines like dUP, most REs won't even have to worry about it (after the engine creator adds support, that is). :lmao:




Just thought about this: what about anti-spyware and virus programs? How the heck are they supposed to work if Vista has its crap everywhere?

I'm sorry, but Vista is sounding more and more like ME all the time.




Good ol' XP. More features = more bugs and more things to go wrong. They should leave the security to the professionals.
