Address Space Layout Randomization


One of the most talked-about new programming features is Address Space Layout Randomization (ASLR). In previous versions of Windows, common Windows APIs (located in Kernel32.dll, Gdi32.dll, Wsock32.dll, and so on) were loaded into well-known or easily discoverable locations. In XP and previous versions of Windows, these APIs were always placed in the same memory location. Malicious code could locate a needed API directly in memory, bypassing OS security mechanisms. ASLR randomly places common Windows APIs in one of 256 possible locations at each boot. With Vista, a malware program trying to directly access the Windows API must guess, on its first try, the correct memory location. Statistically, the program will guess correctly only 1 in every 256 tries. This single feature defeats thousands of old legacy attack programs and makes newer malware programs work less reliably.

Microsoft doesn't stop there. Function memory address pointers are obscured, heap memory blocks are obscured and checksummed, various heap memory metadata elements are XOR-encoded with a random number, and heap memory base addresses are randomized. If Windows Vista detects a problem, the application is terminated and recovery is started.
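
The checksum-plus-XOR encoding of heap metadata described above can be modeled in a few lines of C. This is an added example, not code from the book or from Microsoft; the 4-byte header layout, the 8-bit checksum, the function names, and the fixed key are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy 4-byte block header: a simplified model, not Vista's real layout. */
typedef struct {
    uint16_t size;      /* block size in allocation units */
    uint8_t  flags;     /* busy/free bits */
    uint8_t  checksum;  /* XOR of the three bytes above */
} hdr_t;
_Static_assert(sizeof(hdr_t) == sizeof(uint32_t), "header must pack to 4 bytes");

static uint32_t heap_key;  /* per-heap secret; a real heap draws it from the OS RNG */

static void heap_init(uint32_t key) { heap_key = key; }

static uint8_t hdr_sum(const hdr_t *h) {
    return (uint8_t)((h->size & 0xff) ^ (h->size >> 8) ^ h->flags);
}

/* Allocation side: checksum the header, then XOR-encode it with the key. */
static uint32_t hdr_encode(uint16_t size, uint8_t flags) {
    hdr_t h = { size, flags, 0 };
    uint32_t raw;
    h.checksum = hdr_sum(&h);
    memcpy(&raw, &h, sizeof raw);
    return raw ^ heap_key;
}

/* Free side: decode and verify. Returns 0 if intact, -1 if corrupted
 * (the point at which the real heap would terminate the process). */
static int hdr_decode(uint32_t stored, hdr_t *out) {
    uint32_t raw = stored ^ heap_key;
    memcpy(out, &raw, sizeof raw);
    return out->checksum == hdr_sum(out) ? 0 : -1;
}

int main(void) {
    hdr_t h;
    heap_init(0xA5C3F01Du);              /* constructed key, fixed for the demo */
    uint32_t stored = hdr_encode(8, 1);
    printf("intact:      %d\n", hdr_decode(stored, &h));          /* 0 */
    printf("bit flipped: %d\n", hdr_decode(stored ^ 0x100u, &h)); /* -1 */
    /* Header rewritten by an overflow that does not know the key. */
    printf("overwritten: %d\n", hdr_decode(0x41414141u, &h));     /* -1 */
    return 0;
}
```

Because the checksum in this toy model is only 8 bits wide, the check is probabilistic: it catches every single-bit change, but a blind overwrite still has a small chance of producing a matching checksum.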

Note 

Many of Windows Vista's new security features originated outside of Microsoft. Various BSD and Linux distributions have had a feature similar to ASLR for several years. While some critics blast Microsoft for appropriating open source ideas, most security analysts applaud Microsoft for adopting, and in some cases improving upon, industry-tested solutions.



Windows Vista Security. Securing Vista Against Malicious Attacks
ISBN: 470101555
EAN: N/A
Year: 2004
Pages: 163