Re: The sky's downward trajectory

[jf <jf () danglingpointers net>]

excuse me, I meant 8 bits of entropy, not 4, im slow and stupid today. I'm
not sure if rjohnson dug into it in his slides or not, but he described in
the toorcon presentation why they only used 8 bits, and basically it broke down to
'thats what we have left to play with'. There was also a fairly long
winded conversation later on about why the DLLs are only randomized once
per boot, and to make a long post short it came down to
performance/mapping across executables.

On Mon, 19 Feb 2007, Jonathan Wilkins wrote:

> Date: Mon, 19 Feb 2007 16:57:45 -0800
> From: Jonathan Wilkins <jwilkins () gmail com>
> To: jf <jf () danglingpointers net>
> Cc: endrazine <endrazine () gmail com>, dailydave () lists immunitysec com
> Subject: Re: [Dailydave] The sky's downward trajectory
>
> Ok, I dug a little more and here's what I found:
> http://blogs.msdn.com/michael_howard/archive/2006/05/26/address-space-layout-randomization-in-windows-vista.aspx
> "This helps defeat a well-understood attack called "return-to-libc",
> where exploit code attempts to call a system function [...] In the
> case of Windows Vista Beta 2, a DLL or EXE could be loaded into any of
> 256 locations, which means an attacker has a 1/256 chance of getting
> the address right.
>
> Confirmed by skape here:
> http://blog.metasploit.com/2006/06/few-quick-updates.html
> "Microsoft's implementation is limited to 8 bits of entropy in the 3rd octet"
>
> Those posts are both pre-final Vista, as was ToorCon, so I'm not
> certain how things might
> have changed.
>
> On 2/19/07, jf <jf () danglingpointers net> wrote:
> > As I understood it, they are only randomized once at boot time with 4 bits
> > of entropy, and it's currently opt-in for most applications (including
> > IE), but opt-out for system DLLs. I tend to agree that only randomizing
> > once may be an issue, but no one seems to agree with me.
> >
> > On Mon, 19 Feb 2007, endrazine wrote:
> >
> > > Date: Mon, 19 Feb 2007 19:27:33 +0100
> > > From: endrazine <endrazine () gmail com>
> > > To: Rhys Kidd <rhyskidd () gmail com>
> > > Cc: dailydave () lists immunitysec com
> > > Subject: Re: [Dailydave] The sky's downward trajectory
> > >
> > > Hi dear readers,
> > >
> > > Rhys Kidd a écrit :
> > > > So what does Microsoft provide to make this more secure?
> > > >
> > > > Firstly the push by Michael Howard et al to get ASLR implemented in
> > > > Vista beta 2 and above means the addresses within ntdll.dll are going
> > > > to be somewhat random, thereby making reliable use of this technique
> > > > difficult. NX bit based defenses really should be implemented
> > > > hand-in-hand with some form of memory randomisation, as was documented
> > > > by the PaX project.
> > > Put me in my place if I'm wrong, but adresses are only randomized once
> > > at boot up, making the Vista randomization far less effective than a run
> > > time randomization a la PaX. Well, at least, thats what I understood
> > > from the Microsoft TechDays in Paris 2 weeks ago.
> > > > Secondly, as Dave mentioned setting "AlwaysOn" in boot.ini should
> > > > prevent DEP from being disabled on a per-process basis.
> > > >
> > > > HTH.
> > > > Rhys
> > >
> > > Regards,
> > >
> > > endrazine-
> > > _______________________________________________
> > > Dailydave mailing list
> > > Dailydave () lists immunitysec com
> > > http://lists.immunitysec.com/mailman/listinfo/dailydave
> > _______________________________________________
> > Dailydave mailing list
> > Dailydave () lists immunitysec com
> > http://lists.immunitysec.com/mailman/listinfo/dailydave
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave