Nmap Development mailing list archives

Enabling DEP and ASLR on Nmap for Windows


From: Fyodor <fyodor () insecure org>
Date: Sat, 3 Jul 2010 14:09:52 -0700

Hi folks.  MS has been promoting DEP and ASLR as ways to reduce the
exploitability of security vulnerabilities in software.  While no
vulnerability has ever been found in Nmap, we can't guarantee that it
never will.  So I welcome defense in depth, especially where we can do
so with little effort on our part.

As far as I know, Nmap is not requesting DEP or ASLR on Windows.  I'd
rather have cross-platform security mechanisms, but we're stuck with
what we're given.  And single-platform mechanisms can still help a
lot, particularly on a very popular platform like Windows.  I guess it
is similar to the way we add -D_FORTIFY_SOURCE=2 if we happen to be
using gcc.

MS has other technologies which might help as well.  Here is an MSDN
overview on "Protecting Your Code with Visual C++ Defenses":

http://msdn.microsoft.com/en-us/magazine/cc337897.aspx#S3

Secunia has been doing surveys since 2008 watching the progress of
popular Windows apps in adopting these mechanisms:  

http://secunia.com/gfx/pdf/DEP_ASLR_2010_paper.pdf

That paper says that DEP and ASLR support are "usually trivial to
implement".

So is there any volunteer here who can look into this and figure out
what we have vs. what we should enable, write a patch, test it, and
submit it to nmap-dev?  It may be as easy as just setting the proper
compiler flags.  Though I think for DEP we may also need a call to
SetProcessDEPPolicy() to support XP.  Also we obviously don't want to
break Nmap on Windows platforms which don't yet support these
technologies.

Cheers,
Fyodor
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
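For anyone picking up the request above, here is an added example (not Nmap's code, and not from the Secunia or MSDN references) covering the two halves of the task: checking what a built binary already has, and the XP-era runtime opt-in. The first part reads the PE optional header's DllCharacteristics field and reports whether the image was linked with the MSVC flags that request DEP (`/NXCOMPAT`, bit 0x0100) and ASLR (`/DYNAMICBASE`, bit 0x0040); it runs anywhere, so the header-only PE image built by `build_sample_pe()` is constructed in the code purely for illustration. The second part resolves `SetProcessDEPPolicy()` from kernel32 at runtime instead of linking it directly, so the executable still loads on Windows versions without that export; the `PROCESS_DEP_ENABLE` value of 1 is the documented constant, and the whole function is a no-op when not built for Windows.

```c
/* Added example, not Nmap's code: verify DEP/ASLR opt-in flags in a PE image
 * and opt into DEP at runtime without breaking older Windows. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#endif

#define PE_DLLCHAR_DYNAMIC_BASE 0x0040  /* set by /DYNAMICBASE (ASLR)   */
#define PE_DLLCHAR_NX_COMPAT    0x0100  /* set by /NXCOMPAT    (DEP)    */

static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Reads DllCharacteristics from a PE32 or PE32+ image held in memory.
 * Returns 0 and sets *out on success, -1 if the buffer is not a well-formed PE. */
int pe_dll_characteristics(const unsigned char *buf, size_t len, uint16_t *out)
{
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z') return -1;
    uint32_t pe_off = rd32(buf + 0x3C);                 /* e_lfanew */
    /* need: "PE\0\0" (4) + COFF header (20) + optional header through DllCharacteristics (72) */
    if (pe_off > len || len - pe_off < 4 + 20 + 72) return -1;
    if (memcmp(buf + pe_off, "PE\0\0", 4) != 0) return -1;
    const unsigned char *opt = buf + pe_off + 24;
    uint16_t magic = rd16(opt);
    if (magic != 0x10b && magic != 0x20b) return -1;    /* PE32 or PE32+ only */
    *out = rd16(opt + 70);  /* DllCharacteristics sits at +70 in both layouts */
    return 0;
}

/* Bitmask of hardening the image requested: 1 = DEP, 2 = ASLR. -1 on bad input. */
int pe_hardening_flags(const unsigned char *buf, size_t len)
{
    uint16_t dc;
    if (pe_dll_characteristics(buf, len, &dc) != 0) return -1;
    return ((dc & PE_DLLCHAR_NX_COMPAT) ? 1 : 0) | ((dc & PE_DLLCHAR_DYNAMIC_BASE) ? 2 : 0);
}

/* Constructed sample: a headers-only PE32 image carrying the given DllCharacteristics.
 * Returns the number of bytes written, or 0 if buf is too small. */
size_t build_sample_pe(unsigned char *buf, size_t len, uint16_t dllchars)
{
    const uint32_t pe_off = 0x40;
    size_t need = pe_off + 24 + 96;   /* PE32 optional header is 96 bytes before data directories */
    if (len < need) return 0;
    memset(buf, 0, need);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3C] = (unsigned char)pe_off;
    memcpy(buf + pe_off, "PE\0\0", 4);
    unsigned char *opt = buf + pe_off + 24;
    opt[0] = 0x0b; opt[1] = 0x01;                      /* magic 0x10b = PE32 */
    opt[70] = (unsigned char)(dllchars & 0xff);
    opt[71] = (unsigned char)(dllchars >> 8);
    return need;
}

/* Convenience for checking: build a sample with the given flags and classify it. */
int check_sample(uint16_t dllchars)
{
    unsigned char buf[256];
    size_t n = build_sample_pe(buf, sizeof buf, dllchars);
    return n ? pe_hardening_flags(buf, n) : -1;
}

/* Runtime DEP opt-in for XP SP3 / Vista SP1 era systems. Looked up dynamically so
 * the binary still loads where kernel32 lacks the export. Only meaningful for 32-bit
 * processes (64-bit processes always run with DEP). Returns 1 if enabled, 0 if the
 * export is missing (nothing to do), -1 if the call failed, 2 on non-Windows builds. */
int enable_dep_at_runtime(void)
{
#ifdef _WIN32
    typedef BOOL (WINAPI *SetProcessDEPPolicy_t)(DWORD);
    HMODULE k32 = GetModuleHandleA("kernel32.dll");
    if (!k32) return -1;
    SetProcessDEPPolicy_t fn = (SetProcessDEPPolicy_t)GetProcAddress(k32, "SetProcessDEPPolicy");
    if (!fn) return 0;                 /* older Windows: leave startup alone */
    return fn(0x00000001 /* PROCESS_DEP_ENABLE */) ? 1 : -1;
#else
    return 2;
#endif
}

int main(void)
{
    printf("sample with both flags -> %d (1=DEP, 2=ASLR, 3=both)\n", check_sample(0x0140));
    printf("sample with neither    -> %d\n", check_sample(0x0000));
    printf("runtime DEP opt-in     -> %d\n", enable_dep_at_runtime());
    return 0;
}
```

To audit a real build rather than the constructed sample, read the executable into a buffer and pass it to `pe_hardening_flags()`; both flags should come back set once the linker is given `/NXCOMPAT` and `/DYNAMICBASE`. The runtime call belongs early in startup, before any threads are created, and its failure is deliberately non-fatal so that platforms without the export behave exactly as before.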