Hacker Bypasses Windows 7/8 Address Space Layout Randomization
hypnosec writes "Microsoft upped its security ante with Address Space Layout Randomization (ASLR) in Windows 7 and Windows 8, but it seems this mechanism to prevent hackers from jumping to a known memory location can be bypassed. A hacker has released a brilliant, yet simple trick to circumvent this protection. KingCope, a hacker who released several exploits targeting MySQL in December, has detailed a mechanism through which the ASLR of Windows 7, Windows 8 and probably other operating systems can be bypassed to load a DLL file with malicious instructions to a known address space."
Click on link in article...
... delay the inevitable.
Every new security feature they can dream up can and will be bypassed with enough time. All they can do is build it hard enough that it takes more time to crack.
I'm sure they're aware of that, as is anyone with a shred of knowledge about computer security (or hell, security in general). What is your point?
Fill up memory, then free some until enough is free to load the DLL.
And this exploit wasn't obvious from the start? When the heap and dynamically-loaded code share the same address space, this vulnerability always exists. We knew this 30 years ago. It took someone this long to apply it?
Fill memory until only enough space is left for loading whatever it is you're trying to load. Obviously the location is predictable since there's only one spot for it.
I RTFA. The trick relies on memory exhaustion. I'd think if you restrict process working set size on the browser process using Windows job objects, the trick won't work.
So basically use javascript to allocate all available memory. Once you get the allocation exception, begin freeing small chunks. After each free, try loading an Active X DLL (target DLL exploit). As soon as you have freed enough blocks, the DLL will load into the space you freed. Essentially bypassing any ASLR -- there is nowhere to randomize to except the freed memory.
Look in a mirror! It's the address space you have to fill so that there is only one place to map the DLL. The rest can all be mapped to the zero page (and so take up zero physical memory).
It might be possible to use the very same method to exploit other browsers as other browsers give similar opportunities to the exploit writer. I don't want to sound crazy but even other Operating Systems might be affected by this, yet unconfirmed.
Is it possible to "rewrite the instruction pointer of the processor to a known heap address where the shellcode resides quite deterministic" on, say, Firefox on Gnu/Linux [given that flash and java are disabled in the browser]?
True, but you have to consider that ASLR was never intended as an unbreakable security feature. It was always just an impediment to an easy exploit of jumping to a fixed address. There are common tricks published for getting around ASLR to some degree.
The address space of 64-bit processes is vast compared to available memory. The process will run out of memory before the address space could be filled.
Unfortunately many browsers still run 32-bit even on 64-bit systems because of plugin compatibility. Time to move to 64-bit browser processes.
Note also that this attack is only feasible against browsers. Like other ASLR bypasses it will not work against e.g. Outlook or Word where the attacker has very limited ability to control memory allocation.
Based on the description, so far this is only an exploit for 32-bit versions, I wonder if the size of the address space in 64-bit Windows makes it impractical?
The point with ASLR is for the good process to not be infiltrated by a bad one. I don't see the problem of loading a DLL in a known memory location, unless you apply that to a DLL of the good application, without it detecting that.
But when you arrive at that point of being able to do that, what's circumventing ASLR good for?
So are we only safe if we run an OS on an isolated partition which has nothing but a web browser and the other partitions are automatically unmounted while the web browser OS is working?
Then whatever we want to take back to other partitions upon reboot (hope you have your SSD) has been scanned thoroughly and copied to an empty partition before that reboot?
The options to remain safe don't seem to be coming from Microsloth from its Microseneian era world of the DOS age of computers.
And these are the guys who think their OS is not only the best but worth the mega-premium versus Apple's OS price or Linux.
Or at least by Windows 10.
Are we ever going to fix the real issue? You generally use one to start horking the stack and then get the CPU to jump to some address. Then these protections come into play.
I get the feeling people have just given up versus trying to change compilers and hardware to protect the stack. I should be able to keep writing into an unprotected char array and never come close to some instruction pointer shouldn't I. Is it too much to demand?
Just another in a long list of Microsoft/Windows security fails. Big shocker.
So would you rather use an OS with much, much weaker ASLR, like Linux where large parts of the OS and libraries are just loaded at predictable locations without any memory squeezing in the first place?
BTW, this technique will not work on 64-bit processes. On OSes with weak ASLR and predictable locations for certain modules, moving to 64 bits does not help one iota.
You sure about that?
Mac OS X
Wikipedia ASLR
Apple introduced randomization of some library offsets in Mac OS X v10.5 (released October 2007).[16] Their implementation does not provide complete protection against attacks which ASLR is designed to defeat.[17][18][19][20] Mac OS X Lion 10.7 has improved ASLR implementation for all applications. Apple explains that "address space layout randomization (ASLR) has been improved for all applications. It is now available for 32-bit apps (as are heap memory protections), making 64-bit and 32-bit applications more resistant to attack."[21] Since OS X Mountain Lion 10.8 the kernel as well as kexts and zones are randomly relocated during system boot.[22]
Is this going to make my penis bigger?
Address space randomization is a form of security through obscurity. It's also an admission that your system security really sucks. The concept is that the code is full of exploitable buffer overflows, but address space randomization will make it harder for exploits to patch the right target area. So low-level exploits tend to crash the system, or at least just mess it up, rather than getting their code executed.
There are now "address spraying" attacks which counter address space randomization, so this is already an obsolete defensive measure.
"Please note that Windows Defender detects the Win8 PoC as being an exploit and blocks execution." 'nuf said.
http://sourceforge.net/p/sappeurcompiler/code-0/2/tree/trunk/doc/SAPPEUR.pdf?format=raw
And yeah, still in the proof-of-concept stage. But it demonstrates the unsafe Bell Labs stuff is not god-given.
Actually, C and C++ are a major regression from Algol of ca 1970 or so.
The isolated OS for a web browser works. All of my web browsing is done through VMs with persistent disks. Even on my Linux machines.
Parent post is just trolling on the old "Microsoft is insecure" meme. Yawn.
Sane per-process memory allocation limits will effectively prevent this exploit. In other words: use ulimit.
Return slightly less than requested? If I malloc for sizeof(mystruct) then there better as hell be enough space to hold it. Or I suppose we can go around teaching programmers that when you ask for something you can't trust that the computer will actually give it to you. Fuzzy memory allocation means fuzzy programming. Fuck that.
And that says nothing for pointer arithmetic.
just another variant of the "everybody is as shitty as M$" meme.
> Every new security feature they can dream up can and will be bypassed with enough time. All they can do is build it hard enough that it takes more time to crack
> I'm sure they're aware of that, as is anyone with a shred of knowledge about computer security (or hell, security in general). What is your point?
Legend has it that Finnish field marshal Mannerheim was interviewed by a journalist after the Winter war. The journalist asked him if he had at any time doubted that the Finns would eventually be defeated by the Soviets. Apparently the old man sent the journalist a sharp look and then replied that just because the odds are against you it does not mean you have to make life easy for your attacker. Dunno if that is true but if I was in computer security, that's what my outlook would be... come up with nasty defences, when they are breached you ambush the bastards and then come up with a new line of even nastier defences.
The workaround to increase the complexity of stack smashing in this regard is in ASLR/FMA, address space layout randomization with fuzzy memory allocation. Basically, reduce the predictability of memory locations from memory-fill attacks by causing memory allocation (in hardware, transparent to the OS) to return slightly more or less than what is called for. This has some implications for programmers to be sure; for example, for malloc(), if you think you'll need 1000 bytes, you just call for 1500 to make sure you get enough back from the OS to work with.
WTF? Do you have any idea how malloc() actually works? Why the hell would the hardware have a feature to fuzz malloc() sizes? (a) that's a really bad idea, because it'll introduce a massive new set of buffer overflow attacks, and (b) even if you did for some reason want to implement it, you wouldn't do it in hardware, because the hardware designer doesn't know anything about malloc.
Just use VMs...
No need to do an entire partition/separate OS thing the hard way these days. Especially not just for web browsing.
From TFA: The PoC makes use of the following vulnerability and therefore for testing the PoC the patch must not be installed. MS12-063 Microsoft Internet Explorer execCommand Use-After-Free Vulnerability This vulnerability is identified as CVE-2012-4969. So it's already preventable. (Yes, yes, patching is a bitch, doesn't happen, etc etc.) And also, it's already detected: Please note that Windows Defender detects the Win8 PoC as being an exploit and blocks execution. Yes, it's an interesting PoC, but it's not exactly taking my breath away overall.
Microsoft released ASLR slightly before Apple, and when Apple did release it their implementation was incomplete. I also seem to recall that Microsoft was possibly the first or close to the first to sandbox their browser. The Linux kernel had ASLR earlier than both but let's be honest - there's a difference between bringing a technology out and releasing it to 1% of computers via the internet (Linux), and shipping it in a consumer OS (Microsoft)
As for making up names about Microsoft - well that really is from the DOS age.
> security through obscurity
I do not think that means what you think it means.
"Security through obscurity" is being deliberately insecure and relying on other people not knowing about the insecurity as your defense.
Something like this relies on the fact that choosing a random address is much easier than guessing a random address that was previously chosen. This flaw results in forcing the victim to choose a non-random address when they intend to choose a random one. And "address spraying" works by increasing the size of the target the attacker must hit from a single exact address to a large number of ranges which covers most of the available addresses.
> So are we only safe if we run an OS on an isolated partition which has nothing but a web browser and the other partitions are automatically unmounted while the web browser OS is working?
Actually, we are only safe while the system is powered off, disconnected from all cabling and still in the box it came in. Trust me. After dealing with security weenies and various system lock-down methodologies for many, many years, a truly "secure" system (to their satisfaction, anyway) is unusable and you might as well not even bother to unpack it.
MOD PARENT DOWN.
You have no fucking idea what you are talking about.
There's no hardware involved in malloc(3), it isn't even a syscall.
It's people like you who come up with shit like this:
http://use.perl.org/use.perl.org/_Aristotle/journal/33448.html
Please don't ever write any code again.
> Just another in a long list of Microsoft/Windows security fails. Big shocker.
I know that you are probably trolling here (considering that this is a generic technique that could be applied to other operating systems), but since you have to turn off Windows Defender to get this to work (at least in Win8) then it isn't that great a failure.
Well, ASLR is the wrong answer in the first place. It's security through obscurity, which means it's adding obscurity, not security.
And you're good.
Please, PLEASE mod parent down. It's written by someone who is blowing it out his/her ass, who has absolutely no idea what they are talking about, with at least two complete falsehoods already pointed out by others who responded to this. Sheetrock apparently wants to look like someone who knows about computer programming, when in reality that couldn't be further from the truth.
That's what the Japanese did on Iwo Jima. It's a well-known military and IT strategy called "defense in depth".
That won't work, if your address is only slightly off, then you can start your exploit code with a bunch of NOPs and then jump right in the middle of it. Then you don't need to know the exact address.
Also, returning slightly less memory than requested is a good way to get people to stop using your OS, when basically every software starts crashing.
> So are we only safe if we run an OS on an isolated partition which has nothing but a web browser and the other partitions are automatically unmounted while the web browser OS is working?
OS on read-only media, sessions in disposable VMs.
Well, if you didn't do address space layout randomisation, then you'd be that much easier to stack smash. ASLR is intended to make such an exploit harder, so this technique just makes an exploit that is comparatively easy on non-ASLR systems possible on a system that does it.
Nearly every top voted comment --and this is really saddening-- is using the fallacy of gray. They're all variations on the theme: "no software can ever be secure, so everything is going to be rooted/admin'ed at some point, so it doesn't matter which OS you choose because you'll get hacked anyway".
It is a very very sad fallacy.
I've got a simple question: why did, for years, the OpenBSD main page claim: "No remote root exploit in the default install since x years"?
Then at one point they had a first root issue, then a second but still. It's a darn impressive track record.
Do you guys really think there are some mystical little faeries wearing boots casting spells on the hardware that somehow make root / admin exploit a fatality?
Because from a pure technical and logical standpoint, an OS can be made to be secure.
I don't buy that all OSes are equal when it comes to security because logical fallacies have never been my thing. I also don't buy that it's impossible to write secure software.
And, thankfully, there are people (even at Microsoft) taking the matter seriously.
But kneejerking "zomg, security is too hard, nothing is ever gonna be secure" is really not an interesting mindset for one to have.
Didn't work for the Japanese, because no possibility of resupply, reinforcement, or retreat. Defeat thus assured. About 21,844 killed, 216 survivors taken prisoner. A horrible bloodbath and yes 6800 American soldiers killed, but it didn't "work"
There's also a really easy solution to this: Change the loader so that if there isn't enough space to perform the ASLR then the load fails. You have to handle the loader failing when you're down to the end of your memory space anyway. Suddenly you are back to not knowing where to jump to again.
Japanese on Iwo Jima was "desperate defense with no hope of victory".
Finnish was "pre-planned defense in order to make enemy bleed so hard, that even Stalin would decide that gains aren't worth the cost".
It succeeded twice with quite possibly the single most insane-looking numbers in history. It was crazy enough to warrant wikipedia page screenshot becoming an internet meme:
http://www.google.com/imgres?imgurl=http://data.whicdn.com/images/18990146/finland-be-afraid-be-very-afraid_thumb.jpg&imgrefurl=http://weheartit.com/tag/soviet%2520russia&h=200&w=240&sz=11&tbnid=e8G9SZNgTBMY-M:&tbnh=87&tbnw=104&zoom=1&usg=__Tk2w1zc2NxuOzEu4OclPzzBZzVc=&sa=X&ei=RjoDUfekBYbKtAaMuYCwCQ&ved=0CCEQ9QEwAw
This success was repeated in 1944 where Finns faced the single biggest offensive in the entire WW2 war European theatre. Soviets focused 20 artillery pieces per every kilometer of the front line. They could literally dig people out of trenches with this much artillery. In the end, Finns held out and even pushed back in spite of being completely outnumbered and outgunned. Stalin remembered the lesson from Winter War and signed a peace treaty with Finland allowing it to stay independent again. It ended up going in history as the only country mentioned in Molotov-Ribbentrop that didn't get conquered by either Germany or USSR.
The main difference between these strategies is that Japanese viewed their empire as something holy and to be defended to the death, to the point where survivors should commit suicide if they failed. Finns viewed their country as something of theirs, and to be defended for as long as it remains defensible with as little losses as possible. Key difference was that Finnish commanders valued lives of their soldiers very highly for the times. Japanese commanders treated their soldiers as completely disposable pawns. Difference could be explained by the fact that Japan is one of the most populated regions on the planet, while Finland is one of the least populated ones.
It's the advantage of not being a huge country with long and proud history. You learn that to stand between the giants and survive, you need to show humility to the giants in most things, but also show that when needed, you can sting them so painfully, that any potential attempts of capture will not be worth it. And most of all you learn that when you're losing, minimize your losses so you can fight another day.
> A hacker has released a brilliant, yet simple trick to
> circumvent this protection
Beating up the guy after he logs in?
This makes no sense at all.
Operating systems use a hardware feature called MMU to give certain pages of physical memory with certain processes. The operating system manages which pages are owned by who, and that is why a user needs to ask the kernel to allocate a page before he can use it (the very concept of memory allocation becomes unnecessary if there is no operating system, though it can still be useful to share memory between different subsystems in the same program). The physical address of the page is unknown to the user and, while deterministic, is difficult to predict since it depends on everything that has happened since the kernel started.
The page appears in a virtual space to the user. On a normal setup, the address in that virtual space will be deterministic and only depend on what has happened since the process started. ASLR simply changes this to make hardware pages be mapped at random addresses.
It was still better than the previous Japanese strategy of meeting us at the beaches and then banzai charges. Kuribayashi did quite well with the hand he was dealt.
Unnecessary. Absolutely no advantage over just keeping updated and running as non-admin. It's the type of thing people who don't understand security do and then get MITMed without even noticing.
Assuming your code is full of buffer overflows is defense in depth, not security through obscurity.
> True, but you have to consider that ASLR was never intended as an unbreakable security feature. It was always just an impediment to an easy exploit of jumping to a fixed address. There are common tricks published for getting around ASLR to some degree.
Anyone who truly understands how computers work and specifically how ASLR does what it does should be fully aware that ASLR only stops absolutely stupid hacks. All important addresses can be looked up. They have to be looked up to be useful. If nothing can lookup an important address, nothing can really do anything to it, making it not real useful for computing in general, let alone hacking.
To get around ASLR all you have to do is consult ... the built in lookup table which is at ... A FIXED ADDRESS as it has to be able to be found for everything to work.
All ASLR does is means you need to spend a few extra clock cycles determining where you want to do your exploitation rather than hard coding it into the file.
Let me restate that ...
All ASLR does is means you have to use proper programming techniques in your exploits rather than being lazy and hard coding your values.
The only security it provides is against a bug accidentally causing the same sort of crash twice in a few cases and preventing a few exceptionally lazy people from writing working exploits. Unfortunately, most of the people writing exploits are far from lazy, making ASLR effectively worthless and a good waste of a considerable chunk of processing time as now a metric fuckton of addresses have to be looked up rather than known in advance.
The 'common tricks' to 'get around ASLR' are 'write proper code'.
It is not security through obscurity at all. It is Defence in Depth. You should ALWAYS assume all code has bugs and a portion of those bugs are potentially security bugs. ASLR is an additional mitigation (Defence in Depth) for when the inevitable human error next pops up to make it harder to exploit.
I thought we were talking about Windows 7/8 address space layout randomization?
You're right that it boils down to just looking up the address, but see, this is a chicken-and-egg problem. You're wanting to determine addresses so you can run code, but you must run code in order to look up addresses!
You might as well say that it is easy to get a dinosaur and a dinosaur egg. To get the dinosaur, just wait for a dinosaur egg to hatch. To get the dinosaur egg, just wait for a dinosaur to lay one. Problem solved, right???
He won't lose control of his hardware unless the attacker finds an exploit for escaping the VM. With snapshots, the VM can even be reliably uninfected.
The point is, that Iwo Jima was a battle they knew they lost, and they threw all of their soldiers under a proverbial bus. Those who survived mostly committed seppuku.
Microsoft is definitely not doing that. They're doing what GP said Mannerheim did, strategic retreats and attacks on vulnerabilities that show up. Sometimes they lose a battle, like they did in this case, but they keep on winning the war. I.e. the OS stays overall secure enough for most users even if some aspects of its security suffer defeats every once in a while.
ASLR lasted for years uncracked for example.
> Anyone who truly understands how computers work and specifically how ASLR does what it does should be fully aware that ASLR only stops absolutely stupid hacks. All important addresses can be looked up. They have to be looked up to be useful. If nothing can lookup an important address, nothing can really do anything to it, making it not real useful for computing in general, let alone hacking.
> To get around ASLR all you have to do is consult ... the built in lookup table which is at ... A FIXED ADDRESS as it has to be able to be found for everything to work.
No, the lookup table isn't at a fixed address. That is, in fact, the whole bloody point. The lookup table (technically the PLT, at least for ELF binaries) is at a fixed offset relative to the main binary, so if you can figure out where the main program is in memory you can find it very easily, but the point of ASLR is that it's non-trivial for the attacker to find the binary, and so they can't find the lookup table.
Now, admittedly, programs have to actually be compiled to use ASLR for this to work (older programs will randomise the locations of libraries but not of the program itself), and there are still plenty of Linux distributions where it's *still* turned off in the default compiler (Debian and Ubuntu, certainly, and possibly others), but when it's implemented properly the attacker can't easily find the lookup table.
Also, I think you're possibly underestimating the difficulty of using the lookup table once you've found it. It's not like the attacker can just call GetProcAddress() or dlsym() in the target program (because otherwise they'd have a far easier way of gaining control), and it's not like they (usually) have a way of reading arbitrary bits of the program address space. It's not much use knowing where the lookup table is if you can't actually read it.
In theory? Perhaps, although I can't be as sanguine here, nor will I ever. I've been using "PC" browsing appliances since very early days of VMWare (much, much earlier non-x86) and so long as I toss the VM afterwards, who cares if it was somehow compromised.
Oh it's worse than that now, in the old days you'd have one or two high level bug writers that could dig up exploits for major components like this, then there were the script kiddies that were just looking at what the last set of patches were plugging then writing a bug based around those patches.
But thanks to virus kits and a thriving black market for bugs what we have now is a variation of the smart cow problem in that by the time most companies find out there is a new bug targeting a critical subsystem it's already been sold, added to one or more virus kits, and a dozen plus variations already are up and running in the wild. This makes it a LOT harder to plug a hole when found because it has spread all over the underground and is used by dozens of other black hats as the foot in the door to come up with a dozen other ways to get their payload run. If a black hat had found this and sold it on the black market we would have probably gotten a half a dozen or more zero days out of it, using this hack to then target Adobe Flash or Reader or Java or who knows what else as they evolve the attacks so damned quickly nowadays.
First of all a public service announcement: To everyone that writes "M$" in 2013...This...Is...YOU! and this is what everyone sees and instantly dismisses when you write that lame ass M$ in 2013. You could write the most brilliant post in the history of Slashdot but a good 80%+ will NEVER read it because they see M$ and think "douchebag" and move on. So don't waste your time unless you want people posting your group photo as the very next post.
Second of all let's get something VERY clear for those that don't seem to understand how these things work, okay? ALL OPERATING SYSTEMS that would be what we consider "modern" are some of the most complex pieces of software EVER written, we are talking millions of LOC in the kernel alone and thousands of little sub-programs that ALL have to work in concert to give the user the illusion that it's all one program that "just works". Is Linux even close to immune? Not only is that a big NO but to even suggest it is is a symptom of what is known as "magical thinking" such as "If you buy (product X) then you will magically be safe!". We in IT have seen magical thinking used to sell everything from OSes to firewalls to routers and reality will blow holes in that lie every single time.
So if Linux is vulnerable why don't we see Linux attacks in the news? We do only they are called "Android attacks" and in fact it's predicted that later in the year Android will reach the one million infected mark which considering that Android isn't even a decade old is pretty impressive.
Look it's actually VERY simple, and evidence has borne this out time and time again. Criminals ARE LAZY and want to do the least amount of work for the biggest bang so they want to go after the biggest targets to yield the most infections they possibly can. I mean writing an OS/2 virus today would probably be the most trivial thing in the world yet you don't see anybody doing it, why? Because the fact is even though eComstation still sells OS/2 there are too few using it to make it a juicy target. But the malware writers WILL go where the targets are, used to be it was always Windows, then Vista bombs and everyone in the press starts talking about how Mac adoption is climbing, what happens? Mac Guardian and Mac Defender. Android phones and tablets explode in usage, what happens? Thousands of Android malware released weekly.
So anybody who thinks their OS is gonna magically protect them from malware because "(product X) doesn't get bugs!" is merely deluding themselves with magical thinking. There are even articles that helpfully explain this and point out how switching platforms just for the sake of magical thinking (in the article OSX for Linux but you can insert any from and to in there and it still fits) just doesn't work. Be it Linux, Mac, or Windows you can find plenty of bugs, I could spend 5 minutes and cover this page in reports of bugs for all 3, I already listed the 2 biggest Mac bugs of recent memory, TFA is a Windows bug, and just off the top of my head there was the KDELook theme bug and the infected Quake 3 that was served up by most repos for a year and a half on Linux. NO OS is safe, NO OS is immune, and if you are gonna claim security by obscurity is actual security you might as well run Win95 or BeOS because hey, there aren't any bugs circulating targeting those OSes either.
Microsoft and Intel spend something like 25% of their annual budgets on computer security. Going all the way from instruction sets, interrupts, supervisors and hypervisors, to DLL and kernel layouts, secure computing initiatives like SecureBIOS, hardware checksumming, file and network virus scanners, authentication protocols, network security applications, best practice virtual network layouts (separate virtual networks for different application levels). Even with all that, a standard desktop system still needs around 250 Megabytes of disk space to store all the anti-virus signature definition files.
That's why the "walled garden" approach to applications is so attractive. You can avoid the overhead of dedicating computing resources to all of those things if they are screened before download.
Apparently you know only how computers in general work, but not how executables are loaded into memory and dynamically linked or otherwise adjusted to the current address space layout (traditionally, a preferred address may be occupied by some other program or library; nowadays, ASLR). While "modern" Linux ELF executables usually contain position independent code (i.e. can be loaded and executed at any address whatsoever, but pay for that flexibility with 1 register), Windows uses the COFF derived PE format. There's a relocation table in there that allows the loader/linker to patch the program code to adjust for the "sub-optimal" placement in the address space.
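To make the relocation-table mechanism concrete, here is an added example (not code from the page or from any loader) that parses PE .reloc blocks and applies the base delta; the image bytes, preferred base and relocation entries are constructed, and the image is assumed to be mapped flat so that an RVA equals its buffer offset.

```python
import struct

# Layout of a PE base-relocation block (IMAGE_BASE_RELOCATION in winnt.h):
#   DWORD VirtualAddress   RVA of the 4 KiB page the entries apply to
#   DWORD SizeOfBlock      size of the header plus all WORD entries
# followed by WORD entries: high 4 bits = fixup type, low 12 bits = offset in page.
RELOC_HEADER = struct.Struct("<II")
IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, skipped by the loader
IMAGE_REL_BASED_HIGHLOW = 3    # 32-bit absolute address (x86 images)
IMAGE_REL_BASED_DIR64 = 10     # 64-bit absolute address (x64 images)

def parse_reloc_blocks(reloc):
    """Return [(rva, fixup_type), ...] for every non-padding entry in a .reloc section."""
    fixups, pos = [], 0
    while pos + RELOC_HEADER.size <= len(reloc):
        page_rva, size = RELOC_HEADER.unpack_from(reloc, pos)
        # A block shorter than its header, odd-sized, or longer than the data is
        # malformed; a loader that trusted it would read out of bounds.
        if size < RELOC_HEADER.size or size % 2 or pos + size > len(reloc):
            raise ValueError("malformed relocation block at offset %d" % pos)
        entries = reloc[pos + RELOC_HEADER.size:pos + size]
        for (entry,) in struct.iter_unpack("<H", entries):
            fixup_type, offset = entry >> 12, entry & 0xFFF
            if fixup_type != IMAGE_REL_BASED_ABSOLUTE:
                fixups.append((page_rva + offset, fixup_type))
        pos += size
    return fixups

def apply_relocations(image, reloc, preferred_base, actual_base):
    """Patch every absolute address in a flat image (RVA == buffer offset) for a new base."""
    delta = actual_base - preferred_base          # may be negative
    patched = bytearray(image)
    for rva, fixup_type in parse_reloc_blocks(reloc):
        if fixup_type == IMAGE_REL_BASED_HIGHLOW:
            fmt, mask = "<I", 0xFFFFFFFF
        elif fixup_type == IMAGE_REL_BASED_DIR64:
            fmt, mask = "<Q", 0xFFFFFFFFFFFFFFFF
        else:
            raise ValueError("unsupported fixup type %d at RVA 0x%x" % (fixup_type, rva))
        if rva + struct.calcsize(fmt) > len(patched):
            raise ValueError("fixup at RVA 0x%x points outside the image" % rva)
        (value,) = struct.unpack_from(fmt, patched, rva)
        struct.pack_into(fmt, patched, rva, (value + delta) & mask)
    return bytes(patched)

def read_pointer(image, rva, size=4):
    """Read a little-endian absolute pointer of `size` bytes at the given RVA."""
    return int.from_bytes(image[rva:rva + size], "little")

# Constructed sample: a 32-bit image with preferred base 0x400000 whose page at
# RVA 0x1000 holds, at offset 0x10, an absolute pointer to RVA 0x1000 of itself.
PREFERRED_BASE = 0x400000
SAMPLE_IMAGE = bytearray(0x2000)
struct.pack_into("<I", SAMPLE_IMAGE, 0x1010, PREFERRED_BASE + 0x1000)
SAMPLE_RELOC = (RELOC_HEADER.pack(0x1000, RELOC_HEADER.size + 4)
                + struct.pack("<HH", (IMAGE_REL_BASED_HIGHLOW << 12) | 0x10, 0))

if __name__ == "__main__":
    # Load the image at a base ASLR might pick instead of the preferred one.
    loaded = apply_relocations(SAMPLE_IMAGE, SAMPLE_RELOC, PREFERRED_BASE, 0x10000000)
    print(hex(read_pointer(loaded, 0x1010)))  # 0x10001000
```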
Ever heard of qbasic and strings?
Ironically many of the strategies that the Japs used against us that look so stupid now actually worked against the Chinese but the Japanese military doctrine was so strict and unyielding that it just didn't take into account how vastly different the situation with the Chinese was compared to the Americans. The Banzai charge would work against the Chinese because they were armed with bolt action rifles that weren't in the best shape to start with so the Chinese couldn't hope to get more than a couple of poorly aimed shots off before the charge was upon them while the Americans with the BAR and M1 could just keep pouring on the fire.
This was a problem the Nazis also ran into in Stalingrad where the Nazi foot soldiers were armed with K98 bolt action rifles and ran smack dab into entire companies carrying the PPSh-41 which could just spew lead and in the close quarters fighting made up for their lack of accuracy with just punishing firepower.
As for TFA considering how long ASLR has lasted without an exploit I'd say it held up pretty well but of course one should never put all your eggs in one basket and ASLR is just one piece, along with a good AV, sandboxing of the browser (the biggest attack vector IMHO) and plain old common sense, when it comes to keeping a system safe.
Not to mention that (especially with a 64bit address) guessing the address of a DLL is of a level of difficulty akin to guessing a password. It isn't completely impossible, but it can be made infeasibly difficult.
Japanese commanders treated their soldiers as completely disposable pawns.
If you watch the very excellent World at War series, you will note an interview with one of those Japanese commanders where he says that he was overwhelmed with volunteers for suicide missions. Different culture, different times.
On a side note, there will never be a better WWII documentary, because too many of the key players are dead now. The World At War series (26 episodes) has plenty of interviews with people who were actually there -- although recent declassification of Soviet materials has changed the story a bit.
Don't advocate this solution. Because if you do and many people start using it, we'll exploit it and then your VM won't be safe anymore.
The problem with most all security measures is that they are the same for each instance of a given measure. For example, let's say that you wanted to prevent access to a building. If you had say 10 different doors made of different materials and different thicknesses then an intruder would need so many tools to break through them that it would not be feasible. We rely on known encryption algorithms, the same implementations of defense-in-depth, etc. Maybe what needs to be done is give users the capability to define their own very low level of security? Imagine if you needed to create say 1000 different tools to break into 1000 different systems, what about evaluating it at several orders of magnitude? What if all those systems change their signatures multiple times per day...would changing your password more frequently than it would take to break solve the issue...probably not, but what if every user defined their own custom algorithm. Maybe have the user designate a mechanism to intersperse characters into the encrypted password so that it resolves to junk or doesn't conform to anything, but only when the user enters their password and passphrase (which is used to create the characters) does it resolve and then is removed from memory? Passwords and other authentication mechanisms use the same algorithms in virtually all cases based on type; however, if you can establish more user-defined augmentation then the better. Maybe just take an encrypted value and just reverse it...would it resolve to anything known, maybe swap every 3rd and 1st characters, etc?
"This is an ASLR bypass technique, not an actual exploitable vulnerability by itself. The attacker still needs an exploitable memory corruption vulnerability to start the attack. ASLR+DEP is designed to make it much harder for an attack to gain foothold in the face of such an attack", benjymouse
".. has detailed a mechanism through which the ASLR of Windows 7, Windows 8 and probably other operating systems can be bypassed to load a DLL file with malicious instructions to a known address space." 'Once done, the rest of the memory, which was filled up earlier, can be freed and known exploit methods of spraying the heap and heap corruption can be used to exploit the system', KingCope
Some "Nazi" soldiers also told stories of "waves of Russians running into the fire of the MG42, until ammo ran out and the gun was glowing".
If your claim is anywhere near the truth, it just shows how incredibly dumb these companies are. MS research definitely had the power to create a memory-safe and efficient (not like C# or Java) programming language. Instead they do what they have done for the last 30 years: C and C++.
Why is it different in the FOSS world? Because the Linux kernel developers can focus on a rather narrow field, while MS developers constantly have to implement the latest madness of some MBA crapper. Under that pressure and using C or C++ you MUST fuck up, security-wise.
Oh yeah, Mr $hill. Thanks for regurgitating "all operating systems are at least as shitty as Windows". Now bring on the statistics. So far, everybody in the know thinks it is quite the opposite. Windows is the worst piece of shit, from a security perspective. And that is not just because of number of lines of code, but because it is anti-modular, full of half-baked, undisciplined and generally shoddy design decisions.
Windows has always been designed by "feature list", and that means it is an overly complex mess even the Micro$hafters don't completely understand. Most Unix-like OSes are much better modularized and that means they have much less potential for dangerous failure modes.
Here are some examples: A bitmap parser inside the kernel (!) allowed for virus insertion via USB. A virus elevating itself to Admin mode because some M$ crappers decided that the "Guest" user should have his print jobs executed using "Admin" privileges, and the printer service process was of course the same bug-ridden shite we know from M$. Ask the Iranians (and probably 75 other nations) how they liked that great feature of Windows when StuxNet used it.
I could go on to tell war stories about Oracle software, which is poisonous vomit if M$ software is shit, but I will spare you that. Suffice to say you better run FOSS-only stacks: Perl, PostgreSQL, Linux, BSD, evince and so on. Commercialware is like a can of worms you can't even inspect before you eat it, because the "deal" is that you have to turn off the lights before eating. Bon appétit!
What makes you think a VM is especially secure ? That sleazebag porker corpo HBGary had a VMWare exploit "on sale". So if these little pork outfits have it, you bet the Russki Mafia and Chicoms have several.
who cares if it was somehow compromised
People who know about exploits like CVE-2009-1244 and similar vulnerabilities?
That's why the "walled garden" approach to applications is so attractive. You can avoid the overhead of dedicating computing resources to all of those things if they are screened before download.
No, the walled garden is just one more layer. ALL of the other protections you mentioned are in place and needed. It's simply not possible to really scan an executable for every possible security threat - they do some examinations but there will always be an opening for an application to try something.
Might want to check your history book. Despite a 3-to-1 numerical superiority in infantry, total air superiority, superior small arms, and no Japanese resupply, the defending Japanese managed to inflict 37% casualties on the Americans and nearly 10% KIA. That's as bad as some WW1 battles. Seems like given what was available that was a great defense.
Didn't work for the Japanese, because no possibility of resupply, reinforcement, or retreat. Defeat thus assured. About 21,844 killed, 216 survivors taken prisoner. A horrible bloodbath and yes 6800 American soldiers killed, but it didn't "work".
By the time of Iwo Jima, Japanese high command would have realized they were losing the war. When this realization sinks in, overall strategy will tend to shift from winning the war over to playing for conditional surrender.
The way you get the enemy to offer you conditional surrender in this situation is by convincing them that totally defeating you is going to be so fantastically expensive, a conditional surrender is preferable. So if you can put up a spirited defence of e.g. Iwo Jima and kill thousands of their troops, and they start asking themselves how many tens or hundreds of thousands they will lose by invading your mainland, then your Iwo Jima defence will have "worked" even if that island itself should fall. It's the pawn you sacrifice to save your nation.
And they would have gotten away with it too, if it hadn't been for those meddling scientists at the Manhattan project.
The Soviets did that against the Finns in the Winter War, too. William Trotter described them as locking arms and marching towards the Finnish positions on at least one occasion.
It's one of those things you can do if your leaders are authoritarian, don't value human life & you've got more people than the other side.
The rest of your post is logical (though the Slashdot summary points out that this attack probably works on other operating systems, so your idea that this is not known here is pretty stupid).
However I find it fascinating how using "M$" leads to such rabid foaming spew as your first paragraph. I notice that if somebody says "microsuck" or says Bill Gates is Hitler, or some other obviously childish thing, nobody says anything. But if anybody *dares* to put a symbol used for money into an abbreviation for your darling company, you go completely nuts with endless repetitions of "you are being childish". If it really was childish then you would not have to say anything, so your diatribe shows you are desperate to make it true and don't really believe it.
The truth is that "M$" is the shortest way to write this that is not ambiguous and reads correctly. "MS" is the abbreviation for Mississippi, Multiple Sclerosis, Morgan Stanley (the official abbreviation!). And it reads as "miss", while "M$" reads to me as at least "msppp" which is a little closer to triggering the word "Microsoft" in my head.
You can say "childish" all you want but it does not make it so. Your saying this is proof that it isn't.
This is NOT "security through obscurity". The method is well documented (at least it is for Linux, and posts here have specified quite a few times without doubt that Windows' version is somewhat better, which means that it must be documented just as well).
The fact that a random number is chosen to control the algorithm does not make it use "obscurity". Otherwise you could make the same claim about *every* form of encryption. I don't think there is any that works if the attacker knows the key.
Maybe next time just use what OpenBSD spent ages creating instead of re-inventing the wheel. Then you don't get bypassed. Thanks.
Dude... calm down. People who write "M$" may be childish or just repeating an overused joke but on the other side you are trying too hard.
Nah, if there were no A-bomb, the Soviets would have smashed the Japanese because loss of life was of lesser concern for them.
BeOs still exists?
To quote Mel Brooks "Bullshit bullshit aaaaannnnd bullshit". If you want a shortened way? Use MSFT, it even lets you be snarky as it's the stock ticker and you can claim it's because "they only care about the stock price instead of putting out a good product" so you can be just as douchey and stupid as you want and people will still understand WTF you are posting.
But the "M$" bullshit is not only from fucking DOS which hasn't even been a product for 20 damned years but it was fucking retarded even THEN. It's just as fucking retarded as writing "Lunix" and deserves to get fucking smacked down for being stupid. And read the guy's post dude, I'm assuming you didn't or you wouldn't be trying to apologize for him because it was a classic FOSSie douchebag rant, no different than the douchebag Mac users that insinuate if you aren't using Macs you're either too stupid or too poor, or the Win 8 douchebags that insinuate anybody that doesn't want a cellphone for an OS is too stupid to work it.
But this is SUPPOSED to be a site FOR geeks and BY geeks and I'm pretty sure that in an article on Windows if somebody types MS everyone isn't gonna go "Why is he talking about Mississippi having a vulnerability?" but of course it was NOT about having a short way to type Microsoft, it was another coward that couldn't wait to wave his little dick and brag about his magical OS that he doesn't even understand. Magical thinking has no place on a site about tech and frankly that kind of horseshit needs to be nipped in the bud whenever possible.
Yeah and it didn't work either. You can't take out an enemy by just throwing bodies at him if he has superior firepower unless he is suffering from severe ammo constraints or having a LOT of weapon failures and with the Finns neither was the case.
My great uncle was a marine during the Pacific campaign and he said what always disturbed him was how after one Banzai charge failed they would end up regrouping and doing it again sometimes in a different spot, sometimes they would be trying to charge over the bodies of the previous charge.
He said frankly when it came to the bases the grunts didn't even have to use their BARs or M1s hardly at all because he said "We might not have toilet paper but one thing we had a shitload of was the 50 cals" so they had those things mounted everywhere and on everything. Boats, jeeps, trucks, you name it there was one or more 50 cals on it and he said they had plenty of 50s manning the perimeters, which is why he just couldn't understand why they'd ever charge more than once. According to him he said those 50s would just obliterate an entire company in seconds, they would have every area with crossfire support and it wasn't even a fight, it was a slaughter.
Actually the Finns did end up running out of ammunition just a few days before the Winter War ended. IIRC they used up their artillery ammo first (particularly at a position that was guarding a frozen-over part of the Gulf that the Soviets were trying to cross) and then ran out of small-arms ammo. They never did have enough antitank weapons or cartridges either - one of their bunkers was finally taken once the Soviet commander realized this and had his tanks park in front of the Finns' firing slits.
With the Japanese... eh. The underlings had a culture of lying to their superiors, lying about failures and exaggerating successes. Made it hard for the overall commanders to get accurate intel about what worked and what didn't. I'm sure there were other factors, though.
But you can get a similar advantage without all the bullshit by simply having the browser in low rights mode and sandboxed
So given there are exploits for both breaking out of sandboxes and VM's, which one is an attacker realistically going to go for?
Will he infect more systems by breaking out of a VM, which only a handful of people have browser running in - or by buying a sandbox exploit, which would gain access to millions of systems?
Doing the thing that the least number of people are doing is always a better security choice unless you are being targeted specifically.
Indeed. Once you are on a machine as local user, it cannot really be made hard to elevate privileges. (Exception: Minimalistic, hardened environments, but these are not suitable for normal uses. The maximum you can do is plug-in free web-browsing or the like and typically these are for batch-processing when security needs are high.)
Hence what must be prevented is the attack code running locally. As long as users are willing to download code from questionable sources and start it, that is not going to happen. Better software engineering on the application side can help, but it takes a lot of effort to make a secure application. It basically only happens in long-term use software like Apache, the SSH daemon, the Postfix mailer, etc. These all have very impressive security records (Apache only if you do not take the various plug-ins into account), and show that it is possible to write secure software. But nothing in the MS world has that type of long-term perspective, as everything has to be "new" all the time and so never gets to maturity.
And they would have gotten away with it too, if it hadn't been for those meddling scientists at the Manhattan project.
Especially Dr. Jonathan "Jon" Osterman.
So you think it is ok to use "MSFT" even though *YOU* say it is "snarky". But for some reason "M$" is not ok, even though your argument basically is that it is "snarky". Right. The problem is pretty obvious: you think putting a symbol for currency into your beloved companies name is an insult and you will do anything you can to stop it. If it was just "snarky" or "childish" the best thing to do would be to ***IGNORE*** it, but you can't do that because you realize that the usage is not as uncommon as you desperately wish.
I also think it is interesting that your response said "Lunix" as an example of an equivalent. I assume you meant to say "Linsux" but it is pretty telling. A better equivalent would be calling Open Source "O$$", which might even be a sensible thing to use in cases where it is done for profit, either legitimately or in some underhanded way.
You can check my posting history and see that I use "Microsoft" all the time (I used to use "MicroSoft" because I thought that was correct but some incredibly irate person thought *that* was an insult!).
Back around 2005, I was reading an MSDN article about ASLR and one of the things they mentioned was this exact theoretical case, which could be used on 32-bit machines.
As far as I know, the designers of ASLR already knew this could happen but assumed future computers will primarily be 64-bit, where the address space makes it impractical.
One still needs to give credit to the first working proof of concept.