An enterprise guide to Windows XP security after end of updates for XP
A comprehensive collection of articles, videos and more, hand-picked by our editors
I recently read that a recent Secuniaresearch effort found that many popular applications don't take advantage...
of two key security features in newer versions of Windows: address space layout randomization (ASLR) and data execution prevention (DEP). Do you have any opinion of why so few applications take advantage of it, and advice on how I can ensure our internal application developers can learn how to do so?
Before I answer your questions, let me just quickly explain for other readers what address space layout randomization (ASLR) and data execution prevention (DEP) are. The role of ASLR is to move the entry points of system code around in memory so they are in unpredictable locations. This makes it harder for malicious code to locate a system function in order to call it. For example, wsock32.dll might be in physical memory location 0x73200000 when you boot your machine today, but in 0x779b0000 when you boot it tomorrow. DEP is a set of software security checks designed to block malicious code by taking advantage of exception-handling mechanisms in Windows and executing code from data pages.
However, these security features only work if they are incorporated into an application by developers and Secunia's report (.pdf) reveals that many popular software applications don't yet support them, or developers improperly implement them. At the time of the report, Java, Apple QuickTime, Foxit Reader, Google Picasa, OpenOffice.org, RealPlayer and VLC media player all failed to integrate either DEP or ASLR. I imagine this is why many malicious hackers attack applications rather than Windows itself, as most Microsoft-built applications take full advantage of DEP and ASLR. Thankfully, since the report was published, several vendors have added support for these security options in recent patches, or are in the process of doing so.
I imagine the main reasons many organizations don't turn on DEP or ASLR Windows security features are time and money. However, having enterprise developers learn how to incorporate these security controls into internal applications is certainly recommended. If the enterprise's developers use Microsoft's Visual Studio, then implementing these two security features is fairly trivial and the process well documented. There are also several Microsoft resources online that provide step-by-step instructions on how to incorporate them into programs. The Visual C++ Team Blog covers setting the linker options /DYNAMICBASE and /NXCOMPAT: /DYNAMICBASE modifies the header of an executable to indicate whether the application should be randomly rebased at load time by the OS. ASLR and /NXCOMPAT are used to specify an executable as compatible with DEP. You can set these two options explicitly in Visual Studio and in Visual Studio 2010; the default setting is already set to "on."
Windows Vista SP1, Windows XP SP3 and Windows Server 2008 add a new API, SetProcessDEPPolicy, which allows a developer to set DEP on the process at runtime rather than using linker options. Microsoft's Michael Howard explains this in more detail on his blog while the MSDN Library covers some of the programming considerations and application compatibility issues you will need to take into account when using these controls.
ASLR and DEP are two important security features that enterprises should look to incorporate into their applications. Microsoft provides lots of information about how to do this, so even though it may be something new for developers to learn, it's not difficult, and applications will be a lot more secure as a result.
Related Q&A from Michael Cobb
What is BGP hijacking or IP hijacking and how do cybercriminals pull off the attacks? Expert Michael Cobb explains how enterprises can mitigate these...continue reading
Is the Dell eDellRoot security threat a serious problem and, if so, can it be prevented with self-signed root certificate authorities? Expert Michael...continue reading
What does FIPS 140-2 Level 2 certification for devices cover? Expert Michael Cobb explains the FIPS 140-2 security standard and how vendors use it in...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.