Microsoft’s DEP, ASLR: Can’t have one without the other…

There’s an interesting series on the Microsoft Security Research & Defense blog covering ASLR and DEP memory protections found in Windows XP SP3+.

DEP effectiveness (without ASLR)

Summary: DEP breaks exploitation techniques that attackers have traditionally relied upon, but DEP without ASLR is not robust enough to prevent arbitrary code execution in most cases.

ASLR effectiveness (without DEP)

Summary: ASLR breaks an attacker’s assumptions about where code and data are located in the address space of a process. ASLR can be bypassed if the attacker can predict, discover, or control the location of certain memory regions (particularly DLL mappings). The absence of DEP can allow an attacker to use heap spraying to place code at a predictable location in the address space.

DEP+ASLR effectiveness

Summary: DEP+ASLR are most effective when used in combination; however, their combined effectiveness is heavily dominated by the effectiveness of ASLR. Exploits have been developed that are able to bypass DEP+ASLR in the context of browsers and third-party applications. Nevertheless, the vast majority of exploits written to date do not attempt to bypass the combination of DEP+ASLR.
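Since ASLR only randomizes images that opt in with /DYNAMICBASE, and DEP compatibility is declared with /NXCOMPAT, a defender auditing which DLLs would load at a predictable base can read those flags straight out of the PE header. The check below is an added example, not code from the MSRC series or this post; the header-only sample PE it parses is constructed inline so it runs offline.

```python
import struct

# Documented IMAGE_DLLCHARACTERISTICS_* bits in the PE optional header
DYNAMIC_BASE = 0x0040  # image opts into ASLR (/DYNAMICBASE)
NX_COMPAT = 0x0100     # image declared DEP-compatible (/NXCOMPAT)


def pe_mitigations(data: bytes) -> dict:
    """Report whether a PE image opts into ASLR and DEP via DllCharacteristics."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20  # skip "PE\0\0" and the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ layouts
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    return {
        "pe32plus": magic == 0x20B,
        "aslr": bool(dll_chars & DYNAMIC_BASE),
        "dep": bool(dll_chars & NX_COMPAT),
        "dll_characteristics": dll_chars,
    }


def build_sample_pe(dll_characteristics: int, pe32plus: bool = False) -> bytes:
    """Construct a minimal header-only PE (test input, not a loadable binary)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240 if pe32plus else 224
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0,
                       opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # A module with neither bit set loads at its preferred base and is the
    # predictable DLL mapping the series warns about.
    for flags in (0, NX_COMPAT, DYNAMIC_BASE | NX_COMPAT):
        print(pe_mitigations(build_sample_pe(flags)))
```

To audit a real file, pass `open(path, "rb").read()` to `pe_mitigations`.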
