Code Integrity


By now you've seen that Vista does indeed incorporate built-in paranoia, and for good reason: nowadays there is a legion of bad guys. In a change from all previous versions of Windows, Windows Vista randomly reassigns the locations of basic Windows services, making the job of worm writers all the more difficult. One more set of anti-malware provisions includes code integrity, a boot-time check of the digital signatures on files, and a new set of rules for 64-bit Windows only. Under those rules, all drivers must be signed. This chapter explains both of those protections in detail. But that's not all for 64-bit systems: the 64-bit kernel contains a feature called "PatchGuard" that attempts to intelligently detect and stop malware.

Address Space Layout Randomization

The first of the post-boot protection tools is simple and yet elegant, as it deals a powerful blow to worm writers. Called Address Space Layout Randomization (ASLR), it does just what its name suggests: it randomizes Vista. Now, that may not sound good, but it is good. You see, if you could peek into your XP system's RAM, you'd find that while there's something different about your computer from everyone else's, there is much that is the same. In particular, the hundreds and perhaps thousands of pieces of Windows in your system load into your computer's RAM in the same order as they do on everyone else's computer. Above all, any Windows DLLs that your system uses are always loaded in the same order, and so always end up at the same addresses.

ASLR changes that by shuffling the actual load order of DLLs, and therefore the addresses they land at, at every boot. The shuffle picks from 256 different ways to reorder the DLLs. This is important because someone writing a program to exploit a buffer overflow has a hard job ahead of him. Sure, the buffer overflow constitutes a way to sneak into Windows code, but once you're in the code, where are you? Furthermore, once you're inside, where is the code that you want to modify in order to take control of Windows? Buffer overflow worm writers can really only get to the "fun" code to attack (a web server, the passwords, or the like) by figuring out a relative distance in RAM between where the buffer overflow occurred and where their target code is.

Randomizing the location of system components would, then, really ruin a worm writer's day. I suppose in theory it'd be possible to build a smarter worm, but it'd be a lot of work, if it's possible at all. Address randomization has been a feature of BSD Unix for quite a while. It's a welcome addition to Windows' arsenal.
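One caveat worth checking for yourself: Vista only randomizes images that opt in, by carrying the DYNAMIC_BASE bit (0x0040) in the PE optional header's DllCharacteristics field, which the linker sets with /DYNAMICBASE. Windows' own binaries carry it; a third-party DLL or EXE that does not is still loaded at its fixed preferred address. The following is an added example (not code from the book) that reads that field from a PE header and reports the ASLR, DEP/NX and forced-integrity opt-ins; the two sample images it inspects are constructed in the script, just enough header to parse, rather than real files.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
DYNAMIC_BASE    = 0x0040  # image may be relocated at load time (ASLR opt-in)
FORCE_INTEGRITY = 0x0080  # loader must verify the image's digital signature
NX_COMPAT       = 0x0100  # image is compatible with DEP/NX

def dll_characteristics(data: bytes) -> int:
    """Return the DllCharacteristics field from a PE image's optional header."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20              # skip signature and 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):      # PE32 or PE32+
        raise ValueError("unknown optional header magic 0x%X" % magic)
    # DllCharacteristics is at offset 70 of the optional header in both formats.
    return struct.unpack_from("<H", data, opt + 70)[0]

def mitigation_report(data: bytes) -> dict:
    """Summarize the loader opt-ins a defender cares about."""
    flags = dll_characteristics(data)
    return {
        "aslr": bool(flags & DYNAMIC_BASE),
        "nx": bool(flags & NX_COMPAT),
        "force_integrity": bool(flags & FORCE_INTEGRITY),
    }

def build_minimal_pe(flags: int, pe32plus: bool = False) -> bytes:
    """Constructed stand-in for a real image: DOS stub, PE signature,
    COFF header and a zeroed optional header carrying the given flags."""
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0,
                       opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, flags)
    return dos + b"PE\x00\x00" + coff + bytes(opt)

OLD_STYLE = build_minimal_pe(0)                           # no opt-in: fixed address
VISTA_STYLE = build_minimal_pe(DYNAMIC_BASE | NX_COMPAT)  # /DYNAMICBASE /NXCOMPAT

if __name__ == "__main__":
    for name, image in (("old_style.dll", OLD_STYLE), ("vista_style.dll", VISTA_STYLE)):
        print(name, mitigation_report(image))
```

Point `dll_characteristics` at the bytes of a real DLL to audit what a vendor shipped; an image reporting `aslr: False` gains nothing from the randomization described above.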

Administering Windows Vista Security: The Big Surprises
ISBN: 0470108320
Year: 2004
Pages: 101
