Looks Like CERT Reads InsanityBit

Only joking, of course, but coincidentally CERT.org has written a post highlighting something I’d mentioned a few days ago. There’s the bit about EMET for Full ASLR, which I wrote about here, and AMD/ATI using a hardcoded address space, which I wrote about here.

I’m really happy to see this getting attention from CERT, which is just way more legit than my blog. Hopefully they’ll get ATI to fix their crap.

P.S. CERT, tell them to fix the overflow in 12.3 as well. It’s annoying.

Why I Won’t Be Buying ATI Again

I run a nice midrange laptop with a nice i5 520m, 8GB of RAM, a hybrid drive, and an ATI 5650.

The performance is really exactly as I’d expect. I can play the games I want to play, and I can watch HD videos while I browse and talk to friends, all at once, without a stutter and without my computer burning up.

The GPU has performed admirably and I’m entirely happy with its performance.

But AMD for whatever reason (I guess performance) will not work with PaX or full system ASLR. There are actually buffer overflows in the code that prevent me from turning ASLR on to the full extent that I’d like, and because of the hardcoded address space I can’t (at least on Windows) turn ASLR to anything other than “Application Opt-In.”

That’s really not acceptable. GPU security issues aren’t super new and they’re plenty talked about. I get that in the past it wasn’t a priority, of course. But things have changed. We have OpenGL now and we have the GPU integrated into virtually every process. The GPU isn’t just about games (which are also now online); it’s used in everything… like my browser (or this?), like Flash, my UI, and multiple other programs.

AMD/ATI, step it up. I may not be buying another system for years but if I were buying one tomorrow I’d go nVidia.