Re: DEP on Windows XP SP2

nicolas.ruff_at_gmail.com
Date: 07/05/05

    Date: Tue, 05 Jul 2005 12:17:43 +0200
    To: focus-ms@securityfocus.com
    
    

    > the /gs is enabled in certain SP2 programs. The /GS compiler option allows you
    > to make secure programs during compilation. It protects against basic stack
    > overflow. NXBit is a copy from Solar Designer, but it's implemented into the
    > chipset/processor hardely. Like StackGuard and PaX, the NX bit needs a kernel
    > upgrade. I don't really know (believe) if it's stable and you must know that
    > you are not protected against high-level overflows like heap overflow
    > exploitation by an indirect register callback.

    Hello,

    Just a few comments on this:

    - The /GS flag indeed protects applications against buffer overflow
    exploitation by making them crash on stack corruption. Most of XP SP2
    has been recompiled with this flag, but it does not help 3rd party
    applications in any way (unless they were also recompiled with the /GS flag).

    - Heap overflow protection is provided by a memory cookie introduced in
    XP SP2 memory allocator. It is a system-based protection and has nothing
    to do with the compiler. 3rd party applications are protected by default.

    - Ret-into-libc techniques are still available (AFAIK), but not very
    common on Windows systems due to their complexity.

    - NX has to be supported by your processor. You have to use the CPUID
    instruction to check for NX support. On my AMD Athlon 64 3000+, the
    following assembly code :
    MOV EAX, 0x80000001
    CPUID
    gives the following result :
    EAX = 00000000000000000000111101001000 (0x00000F48)
    EBX = 00000000000000000000000100001000 (0x00000108)
    EDX = 11100001110100111111101111111111 (0xE1D3FBFF)
                     ^
                     |--- NX supported

    - And yes, NX breaks most applications in "AlwaysOn" mode, because most
    applications are buggy - but you could not notice it thanks to the
    application catching exceptions and resuming normal execution.

    Regards,
    - Nicolas RUFF
    Computer Security Researcher at EADS-CCR
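    The CPUID check Nicolas describes above, as an added example that is not part of the original post or of any vendor tool: it decodes the EDX value he quotes and, on an x86 build with GCC or Clang, repeats the query live. The NX flag is bit 20 of EDX for leaf 0x80000001 on AMD processors; Intel reports its equivalent (XD) in the same position. The example also adds a step the post skips: leaf 0x80000000 must first confirm that 0x80000001 exists, since CPUs that predate the extended leaves return meaningless registers for it. The sample value, the function names and the `-1` "cannot tell" return code are this example's own choices.

```c
/* Added example (not from the original post): decode and query the
 * NX (No-Execute / Execute-Disable) flag reported by CPUID leaf 0x80000001.
 * Compile with: cc -O2 -o nxcheck nxcheck.c */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__GNUC__) && (defined(__x86_64__) || defined(__i386__))
#include <cpuid.h>          /* __get_cpuid(): GCC/Clang wrapper around the CPUID instruction */
#define HAVE_CPUID 1
#else
#define HAVE_CPUID 0        /* non-x86 build: only the offline decoder is available */
#endif

#define CPUID_EXT_MAX_LEAF   0x80000000u   /* EAX returns the highest supported extended leaf */
#define CPUID_EXT_FEATURES   0x80000001u   /* EDX carries the extended feature flags */
#define CPUID_EXT_EDX_NX_BIT 20            /* AMD: NX, Intel: XD, same position */

/* EDX value quoted in the post for an Athlon 64 3000+ (constructed sample input). */
static const uint32_t sample_edx = 0xE1D3FBFFu;

/* Returns 1 if the NX/XD bit is set in an EDX value from leaf 0x80000001. */
int nx_bit_set(uint32_t edx)
{
    return (int)((edx >> CPUID_EXT_EDX_NX_BIT) & 1u);
}

/* Returns 1 if leaf 0x80000001 may be queried at all. max_ext_leaf is the EAX
 * value returned by leaf 0x80000000; reading 0x80000001 without this check can
 * yield a false "NX supported" on old processors. */
int ext_leaf_available(uint32_t max_ext_leaf)
{
    return max_ext_leaf >= CPUID_EXT_FEATURES;
}

/* Renders a 32-bit register as the binary string used in the post (bit 31 first).
 * out must hold 33 bytes. Returns out for convenience. */
char *bits32(uint32_t v, char *out)
{
    for (int i = 0; i < 32; i++)
        out[i] = ((v >> (31 - i)) & 1u) ? '1' : '0';
    out[32] = '\0';
    return out;
}

/* Live query. Returns 1 if NX is supported, 0 if not, -1 if it cannot be
 * determined on this build (non-x86) or CPU (no extended leaves). */
int cpu_supports_nx(void)
{
#if HAVE_CPUID
    unsigned int eax, ebx, ecx, edx;
    if (!__get_cpuid(CPUID_EXT_MAX_LEAF, &eax, &ebx, &ecx, &edx))
        return -1;
    if (!ext_leaf_available(eax))
        return 0;                       /* CPU too old to even describe NX */
    if (!__get_cpuid(CPUID_EXT_FEATURES, &eax, &ebx, &ecx, &edx))
        return -1;
    return nx_bit_set(edx);
#else
    return -1;
#endif
}

int main(void)
{
    char buf[33];
    printf("sample EDX = %s (0x%08X)\n", bits32(sample_edx, buf), sample_edx);
    printf("%*s^--- bit %d: NX %s\n", 13 + (31 - CPUID_EXT_EDX_NX_BIT), "",
           CPUID_EXT_EDX_NX_BIT, nx_bit_set(sample_edx) ? "supported" : "absent");

    int live = cpu_supports_nx();
    if (live < 0)
        printf("live CPUID: not available on this build/CPU\n");
    else
        printf("live CPUID: NX %s\n", live ? "supported" : "absent");
    return 0;
}
```

    A set NX bit only tells you the processor can do it. On 32-bit XP SP2 the hardware enforcement additionally needs the PAE kernel (ntkrnlpa.exe), which the OS selects when it finds NX support at boot, and the per-process policy (OptIn, OptOut, AlwaysOn, AlwaysOff) decides whether a given program is actually covered.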



