Dailydave mailing list archives

Re: The sky's downward trajectory

From: <ol () uncon org>
Date: Tue, 20 Feb 2007 13:05:29 -0000

Thanks for pimpage, the final figures are:

Stack - 14 bits
Heap - 5+ bits
Image (code) - 8 bits
PEB - 4 bits

Yes image randomization out of the box only occurs upon a reboot. However
their is a dirty method I came up with to force a reseed for binaries, but
this massivley skews the results. All is contained in the paper which we
will be releasing next week and presenting at Blackhat DC (Thursday) and
EuSecWest (Friday).

Cheers

Ollie
----- Original Message ----- 
From: "Dominique Brezinski" <dominique.brezinski () gmail com>
To: <dailydave () lists immunitysec com>
Sent: Tuesday, February 20, 2007 7:15 AM
Subject: Re: [Dailydave] The sky's downward trajectory


Vista's stack gets 14 bits, heap and image 8 bits and PEB 4 bits.

Ollie Whitehouse did a complete analysis of Vista's ALSR
implementation in the final release that he will be presenting at
Black Hat DC in a week. For those of you that can't make it, we should
have his presentation up online shortly after the conference. I
believe Symantec will also be publishing the white paper then. His
analysis looks at the statistical distributions within the various
process-space segments that are randomized with some interesting
results. I think the material will be good reading for this list.

Cheers,
Dominique

On 2/19/07, Jonathan Wilkins <jwilkins () gmail com> wrote:

Ok, I dug a little more and here's what I found:

http://blogs.msdn.com/michael_howard/archive/2006/05/26/address-space-layout-randomization-in-windows-vista.aspx

"This helps defeat a well-understood attack called "return-to-libc",
where exploit code attempts to call a system function [...] In the
case of Windows Vista Beta 2, a DLL or EXE could be loaded into any of
256 locations, which means an attacker has a 1/256 chance of getting
the address right.

Confirmed by skape here:
http://blog.metasploit.com/2006/06/few-quick-updates.html
"Microsoft's implementation is limited to 8 bits of entropy in the 3rd

octet"


Those posts are both pre-final Vista, as was ToorCon, so I'm not
certain how things might
have changed.

On 2/19/07, jf <jf () danglingpointers net> wrote:

As I understood it, they are only randomized once at boot time with 4

bits

of entropy, and it's currently opt-in for most applications (including
IE), but opt-out for system DLLs. I tend to agree that only randomizing
once may be an issue, but no one seems to agree with me.

On Mon, 19 Feb 2007, endrazine wrote:

Date: Mon, 19 Feb 2007 19:27:33 +0100
From: endrazine <endrazine () gmail com>
To: Rhys Kidd <rhyskidd () gmail com>
Cc: dailydave () lists immunitysec com
Subject: Re: [Dailydave] The sky's downward trajectory

Hi dear readers,

Rhys Kidd a écrit :


So what does Microsoft provide to make this more secure?

Firstly the push by Michael Howard et al to get ASLR implemented in
Vista beta 2 and above means the addresses within ntdll.dll are

going

to be somewhat random, thereby making reliable use of this technique
difficult. NX bit based defenses really should be implemented
hand-in-hand with some form of memory randomisation, as was

documented

by the PaX project.

Put me in my place if I'm wrong, but adresses are only randomized once
at boot up, making the Vista randomization far less effective than a

run

time randomization a la PaX. Well, at least, thats what I understood
from the Microsoft TechDays in Paris 2 weeks ago.

Secondly, as Dave mentioned setting "AlwaysOn" in boot.ini should
prevent DEP from being disabled on a per-process basis.

HTH.
Rhys


Regards,

endrazine-
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave

Current thread:

Re: The sky's downward trajectory, (continued)
- Re: The sky's downward trajectory George Ou (Feb 18)
  - Re: The sky's downward trajectory Dave Aitel (Feb 18)
    - Re: The sky's downward trajectory George Ou (Feb 18)
    - Message not available
    - Re: The sky's downward trajectory Rhys Kidd (Feb 19)
    - Re: The sky's downward trajectory endrazine (Feb 19)
    - Re: The sky's downward trajectory jf (Feb 19)
    - Re: The sky's downward trajectory endrazine (Feb 19)
    - Re: The sky's downward trajectory jf (Feb 19)
    - Re: The sky's downward trajectory Jonathan Wilkins (Feb 19)
    - Re: The sky's downward trajectory Dominique Brezinski (Feb 20)
    - Re: The sky's downward trajectory ol (Feb 20)
    - Re: The sky's downward trajectory ol (Mar 03)
    - Re: The sky's downward trajectory jf (Feb 20)
    - Re: The sky's downward trajectory Jonathan Wilkins (Feb 19)
    - Re: The sky's downward trajectory Halvar Flake (Feb 20)
    - Re: The sky's downward trajectory Halvar Flake (Feb 20)
    - Re: The sky's downward trajectory Alexander Sotirov (Feb 20)
    - Re: The sky's downward trajectory don bailey (Feb 21)
    - Re: The sky's downward trajectory don bailey (Feb 22)
    - Re: The sky's downward trajectory ol (Feb 23)
    - Re: The sky's downward trajectory don bailey (Feb 26)

(Thread continues...)