Microsoft defends Windows 10 against ASLR criticism

Share on Twitter
Share on Google+

万通地产(600246)早盘大幅飙升10.09% 量比达57.26
Share on LinkedIn
Share on Reddit
Is it a bug or a feature? It’s one of the oldest debates in software.
Earlier this month the OS world was treated to the latest instalment, this time focusing on the way Microsoft implemented a low-level security protection called Address Space Layout Randomization (ASLR) in Windows 8 and 10.
On one side of the argument is Will Dormann, an engineer with Carnegie Mellon University’s CERT Coordination Center (CERT/CC), the body tasked by the US Department of Homeland Security with handing out important security advice.
His opening salvo was a tweet on 16 November in which he described the way Windows implements ASLR as “essentially making it worthless.”
Ouch.
In case anyone was in doubt, this was followed by an official vulnerability alert describing the claimed failings in detail. The summary being:
Windows 8 and later fail to properly randomize every application if system-wide mandatory ASLR is enabled via EMET [Enhanced Mitigation Experience Toolkit] or Windows Defender Exploit Guard [WDEG].
Stung, within days Microsoft put out a refutation stating that “ASLR is working as intended.”
That’s a significant difference of opinion, so who is right?
Let’s skip to the paradox of a punchline: they both might be, albeit within different frames of reference.
The theory behind ASLR (also used in different forms by Linux, Android, iOS and macOS) is to randomise the memory locations where executable programs and DLLs run in order to deter memory attacks such as buffer overflows.
The gist is that attackers can’t assume they know the memory location for a targeted processes because Windows could have put it anywhere.
Except, according to Dormann, it doesn’t work properly:
Both EMET and Windows Defender Exploit Guard enable system-wide ASLR without also enabling system-wide bottom-up ASLR … The result of this is that such programs will be relocated, but to the same address every time across reboots and even across different systems.
Microsoft asserts that this is by design and is intended to allow older software not compiled to support ASLR to remain compatible:
ASLR is working as intended and the configuration issue described by CERT/CC only affects applications where the EXE does not already opt-in to ASLR.
That “opt-in” is the /DYNAMICBASE flag which software can use to indicate to Windows that it’s compatible with ASLR (and the operating system can infer that if the flag is missing the software may not work correctly under ASLR).
Windows can treat applications that don’t “opt-in” in a number of different ways. It can leave them to determine their own memory location, move them to a different but non-random location (the behaviour observed by Dormann) or move them to a random location using a setting called mandatory ASLR and bottom-up randomization.
The CERT advisory also notes a problem in the way Windows Defender Exploit Guard implements mandatory ASLR and bottom-up randomization, a point Microsoft concedes:
CERT/CC did identify an issue with the configuration interface of Windows Defender Exploit Guard (WDEG) that currently prevents system-wide enablement of bottom-up randomization. The WDEG team is actively investigating this and will address the issue accordingly.
Sophos Home
Free home computer security software for all the family
Learn More
On the Windows 10 Fall Creators update, the issue can be mitigated manually by setting a registry value.
对大多数互联网用户来说,密码安全是令人头痛的事,安全级别较低的网站使用相同的密码倒无所谓,但是对安全级别较高的网络应用如电子商务,要使用不同的密码,不过,要记住这些不同的密码也是一件不小的挑战。
Neutrals might at this point be wondering what all the fuss is about: ASLR works most of the time as advertised, and the few occasions when it doesn’t won’t apply to many users.
If you like, Microsoft thought it was pragmatically ensuring compatibility (a feature) which Dormann interprets as an area of potential weakness (the bug).
It’s not the first time Dormann has taken a pop at Windows’ security: a year ago, his beef was Microsoft’s plans to drop EMET, now replaced in Windows 10 by WDEG.
Or perhaps the real issue is what users are supposed to make of a back and forth now so technically specialised that even some experts can’t keep up with its finer points.
OS security has been getting more complex with every passing year. It shouldn’t surprise us that the same is happening to arguments about whether these new layers inside Windows and its rivals are up to the job.
以前,在新员工入职培训中,信息安全的课程是比较粗糙乏味的。近来,我开始播放一些视频,以及让他们做些小问答,反馈很棒!

猜您喜欢

环境Environment、健康Health、安全Safety在线动画教程
计算机信息安全基础测试题
网络安全法实施宣传
简氏:中国军工联手高校推进量子技术在海军应用
CHRONO24 0WWW
探讨员工安全意识培训的创新方法