
June 1, 2006 12:42 PM PDT

Vista plays hide-and-seek with hackers

Microsoft is starting a game of hide-and-seek with malicious code writers.

Windows Vista Beta 2, released last week, includes a new security feature designed to protect against buffer overrun exploits. Called Address Space Layout Randomization (ASLR), the feature loads key system files in different memory locations each time the PC starts, making it harder for malicious code to run, according to Microsoft.

"It is not a panacea, it is not a replacement for insecure code," Michael Howard, a senior security program manager at Microsoft, wrote in a blog post announcing the feature. "But when used in conjunction with other technologies...it is a useful defense, because it makes Windows systems look 'different' to malware, making automated attacks harder."


A buffer overrun exploit is malicious code that seeks to exploit a common error in computer code called a buffer overrun or buffer overflow. In such an attack, data is stored beyond the boundaries of a buffer, with the result that the extra data overwrites adjacent memory locations. This can cause a process to crash, or allow malicious code to run.

ASLR is not a Microsoft invention. Several open-source security systems use it already, including OpenBSD, and the PaX and Exec Shield patches for Linux.

Certain attacks attempt to call Windows system functions, such as the "socket()" function in "wsock32.dll," to open a network socket. The new security feature moves these system files around so they're in unpredictable locations. In Windows Vista Beta 2, a DLL or EXE file could be loaded into any of 256 locations, Howard wrote.

"An attacker has a 1/256 chance of getting the address right," Howard wrote.

Randomization seems to have served open-source systems fairly well, said Russ Cooper, senior scientist at Cybertrust, a security vendor in Herndon, Va. The question is how Microsoft implements ASLR and whether the randomization is predictable at all, he said.

"I suspect this will be the first thing looked for--something which tells you which of the locations has been chosen, or anything that provides you with a pointer," Cooper said.


Attackers could also create malicious software that tries to poke at all 256 memory locations. However, that's more likely to cause the PC to crash, rather than allow a complete compromise, Cooper said. "That's good if all you care about is preventing malware from running, but it might not bode well for keeping systems up and running," he said.
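The 1/256 figure and the crash-on-miss behaviour that Howard and Cooper describe, as an added simulation (not Microsoft's code; it assumes a uniform choice among the 256 slots and that every missed guess crashes the process, and it compares Vista's per-boot randomization with a per-launch variant):

```python
"""Toy model of the 8-bit ASLR described in the article (256 possible load
slots), added here as an illustration; it is not Microsoft's code and does not
model real Windows address layouts."""
import random

SLOTS = 256  # Howard: a DLL or EXE can be loaded at any of 256 locations


def one_attempt(true_slot: int, guessed_slot: int) -> str:
    """One exploit attempt against a process whose module sits in true_slot.
    A wrong guess sends control flow to the wrong address, modelled here as a
    process crash (Cooper's point: a sweep is more likely to crash than to win)."""
    return "hit" if guessed_slot == true_slot else "crash"


def fixed_guess_success_rate(trials: int, seed: int = 0) -> float:
    """Attacker hard-codes one address; the slot is drawn afresh each boot (trial).
    Expected rate is 1/256, the figure quoted in the article."""
    rng = random.Random(seed)
    hits = sum(one_attempt(rng.randrange(SLOTS), 0) == "hit" for _ in range(trials))
    return hits / trials


def crashes_before_hit(rerandomize_per_launch: bool, seed: int = 0) -> int:
    """Crashes caused by sweeping guesses 0..255 (wrapping) until the first hit.
    rerandomize_per_launch=False: per-boot ASLR, the slot stays put while the
    crashed process is relaunched, so a single sweep is enough.
    rerandomize_per_launch=True: every launch is an independent 1/256 draw."""
    rng = random.Random(seed)
    slot = rng.randrange(SLOTS)
    crashes = 0
    while True:
        if rerandomize_per_launch and crashes:
            slot = rng.randrange(SLOTS)
        if one_attempt(slot, crashes % SLOTS) == "hit":
            return crashes
        crashes += 1


def expected_crashes(rerandomize_per_launch: bool) -> float:
    """Closed form for the two models: (n-1)/2 for a slot fixed during the sweep,
    n-1 when each attempt is an independent draw (geometric, mean n attempts)."""
    return float(SLOTS - 1) if rerandomize_per_launch else (SLOTS - 1) / 2
```

Under either model the first hit is preceded by dozens to hundreds of identical crashes, which is why a burst of crash reports from one process is the signal a defender should alert on.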

ASLR feedback
Microsoft gets some praise in the security world for its ASLR efforts in Vista. "Remote exploitation of overflows has just got a lot harder," David Litchfield, a researcher at Next Generation Security Software, wrote in an e-mail to the BugTraq mailing list.

But there is also skepticism. Somebody using the alias "c0ntex" wrote in a reply to Litchfield that ASLR has been "trivially circumvented in Linux for years now."

Microsoft has only just added ASLR to a Windows Vista trial release, another sign that the successor to Windows XP is not yet ready for prime time. "We added ASLR pretty late in the game, but we decided that adding it to beta 2 and enabling it by default was important so we can understand how well it performs in the field," Howard wrote.

Together with other enhancements in Vista, ASLR raises the bar in terms of security in the forthcoming operating system, Microsoft says. The company has described Vista, slated to be broadly available in January, as the most secure version of Windows to date.

In addition to ASLR, Howard mentioned a buffer overrun detection option in Visual C++; an exception checker in Vista; function pointer obfuscation; and support for NX, or No-Execute, data execution protection that is included in processors.

"The net of this is, ASLR is seen as just another defense," Howard wrote.

Drop in ocean
by firstlast June 1, 2006 2:42 PM PDT
It's a drop in the ocean but finally we might see more secure Windows!
---
Pixel image editor - http://www.kanzelsberger.com
Weak band-aid fix
by qwerty75 June 1, 2006 3:12 PM PDT
Ah, the great minds at MS.

First of all, it will not take long to identify the 256 possible locations, making this worthless. A hacker would just need slightly more code.

This is why they need to start from scratch. There is very little internal security built into the kernel and these lame workarounds don't work very well.

Look at OSX and Linux and see how tough it is to hack into and call system functions. Ask yourself if they got to that point using amateurish "security" solutions just like this one. Now wonder why the company with the largest bankroll can not do the same.

This is just more ineptitude from the most inept software company in the world.
also
by qwerty75 June 1, 2006 3:14 PM PDT
If this is an example of the security improvements, stay far away from Vista or pay the price!
Microsoft is not claiming that it is the only security fix!!!!
by Tanjore June 1, 2006 3:55 PM PDT
You sound as if Microsoft is publishing that this is the only fix they are putting in.

Microsoft is going in the right direction.
Hey MS, how about making your code secure instead?
by aabcdefghij987654321 June 1, 2006 5:21 PM PDT
Na, never happen.
Obviously you are not a developer
by Mr. Network June 2, 2006 9:40 AM PDT
You think it is just a matter of writing better code? If you're so smart why don't you offer to help? Microsoft has the best minds in the world hard at work trying to make Windows the most secure O/S in the world.

Code is logic, anyone with intent, coding abilities, and a sharp mind can poke holes in any logic. The logic contains millions of possibilities and exceptions. If you're smart enough to find a work around or 'exception' to some of the logic you can poke holes in it.

If it was just a matter of writing better code it would already be done. The problem is that knowledge and/or logic evolves on a daily basis.

Ever have a good thought and then a few weeks later have a thought on how to make the previous idea better? It's the same concept. So again, if you're soooo talented, why don't you do it and be quiet; then everyone will buy your software because it is soo frikkin l33tski.

~Mr. Network
Oh yea. That will work.
by grangerfx June 2, 2006 12:58 AM PDT
*bangs head against computer screen*
Agreed
by UntoldDreams June 2, 2006 1:58 AM PDT
I can't believe any reputable security engineering team... even ones at Microshaft... would think this would solve anything for any length of time.

I don't get it. I don't respect their work very much but this is far "beneath" them.

The only outcome of this is that they will create more OS bugs rather than decrease viruses.
MS has ignored security since Win95
by willdryden June 2, 2006 10:59 PM PDT
The three basic functions of any multiprocessing OS are I/O control, memory management and CPU scheduling. Starting with Win95 and apparently continuing through Win Vista, they have forgotten to include I/O control in the OS. Buffer overruns should not be possible. The OS should truncate the I/O automatically to fit the allocated buffer as it did in MS DOS. This leads to some really weird data if you make a mistake coding the application, but the security of the system is maintained.

I hope some MS programmer reads this and takes it to his boss. MS has been writing dangerous OS's FOR YEARS.
That is crazy talk
by qwerty75 June 3, 2006 10:12 AM PDT
Win95 had the most secure password system ever devised.

I mean, making someone think of a word or at least random letters and digits to gain access to any win95 box is security at its finest and most advanced!!! ;)