Sometimes names just do not reflect the nature of things. Sometimes it is our fault to attribute a wrong meaning to names. I do not know which of the above holds for Windows ASLR. After Alex Sotirov and Mark Dowd’s talk at Blackhat I know that ASLR is not that random despite of its name.
The ASLR abbreviation contains “randomization”, which is enough (at least for me) to deduce that EXEs and DLLs get loaded at randomly chosen addresses. I was wrong to think that this makes it hard for the attacker to guess the loaded addresses. As it turns out, binaries get loaded to somehow predictable addresses.
While I understand that there were some technical difficulties and compatibility issues, the implementation choices made for ASLR effectively weakened it a lot to the point that it failed to deliver the promised.
Another revelation of this talk was that IE happily loads any .NET DLL provided by the web server using the plain old LoadLibrary function. The ramifications of this are enormous because the system is essentially accepting raw binary data (a file of the PE file format) and runs it on the user’s computer. No need to talk about GS, SafeSEH and any other protections mechanisms after this.
The outcome of these two choices is also predictable, as Alex and Mark demonstrated to us: anyone visiting a malicious web site with IE can be easily owned.
There were other interesting talks at Blackhat, no way I can mention all of them here. Just one more pointer: I was amused and amazed by Hovav Scacham’s Return-Oriented Programming. As it turns out, pieces of “good” code in standard libraries can be used to build a turing-complete machine. This machine is programmable by the attacker using a byte code which does not require the X (execute) bit in the page permissions. This defeats W^X or DEP protections.
My talk on decompilers was received well.
Heading to DEFCON now, for more interesting talks!
