Windows 8 Takes ASLR To The Next Level

Microsoft has recently released the latest version of Windows dubbed Windows 8. The operating system features, among other things, a new user interface called Metro, which has been fairly controversial. On top of the user interface Microsoft has taken serious efforts to improve security – Windows 8 includes a far stronger implementation of ASLR.

ASLR (Address Space Layout Randomization)

Address Space Layout Randomization, or ASLR for short, is an exploit mitigation technique invented by the PaX team. The idea is that attackers generally need to know where code is in a process’s address space in order to carry out attacks. ASLR, as the name implies, randomizes the address space and makes it more difficult for attackers to exploit programs.

More Areas Randomized

One of the issues with ASLR is that if any area of address space isn’t randomized it can mean a full bypass for an attacker. Windows 8 now randomizes many new areas of the address space. Most significantly, all bottom up allocations (VirtualAlloc(), VirtualAllocEx()) are now randomized, which closes up holes like this one. With all bottom up and top down memory allocations being random, the implementation of ASLR is far better than in Windows 7.

One bypass of EMET 3.5 relied on a universal ASLR bypass using predictable pages and an information leak. Those (specific ones) are now gone.

Higher Entropy

ASLR randomizes allocations, but if those randomized areas of memory are predictable an attacker can bruteforce their way to a useful area. Windows 8 has added significantly greater entropy to top down allocations and also added an opt-in feature titled High Entropy ASLR, which increases entropy across the board for all areas of address space. On a 64bit system it becomes unlikely that an attacker will bypass ASLR through bruteforcing as the address space is much larger – though this large address space is not necessarily enough.

Force ASLR

Another very significant feature of Windows 8 is native support for Force ASLR. As I stated above, a single area of address space being predictable is often enough for an attacker to bypass ASLR entirely, and Force ASLR is built to ensure that no areas can be predictable. Oftentimes when we run a program we add plugins or third party extensions – a web browser binary extension for example, or a program that adds a context menu to explorer.exe – and these third parties may not have enabled ASLR on their software. On Windows 7 and previous this would have meant an attacker could predict that area of address space and bypass ASLR, but not on Windows 8. With Force ASLR enabled, all non-ASLR modules loaded into a process are forced to use ASLR as well, thus ensuring the entire process is randomized.

The improvements don’t end there but those three have the largest impact (as well as no more USER_SHARED_DATA bypasses). It’s clear that Microsoft has put effort into making Windows 8 their most secure operating system yet. When mainstream programs begin to make use of these mitigation techniques attackers are going to be forced to start finding other avenues of attack.

Mark Shuttleworth Talks About UI – Unity, Metro

This is a long article and it’s worth reading the whole thing. I just want to point out one tiny little piece that, after using Windows 8 since public release, I’ve found to be really true.

“[In Windows 8] you have this shiny tablet interface, and you sit and you use, then you press the wrong button then it slaps you in the face and Windows 7 is back. And then you think OK, this is familiar, so you’re kind of getting into it and whack [Windows 8 is back].”

This is exactly the situation I was in. I loved the new Windows 7’y metro style interface but all of a sudden I’d be in some full screen application. And then back and forth.

I Am Not Confident About Windows 8

Microsoft is primed to release Windows 8 with the Release Preview having been out for quite some time now. Windows 8 has some great new security features and marginal performance improvements. In general, if you’re looking at things that can be ‘measured’ in some way or another (not to say you can measure security, but still) Windows 8 is just better than 7. But I really don’t think it’s going to succeed on the laptop/ desktop market.

Windows 8 features the new Metro UI and whether you like Metro or not there is definitely a significant group of people who absolutely hate it. And whether or not their hate is justified is entirely irrelevant. If you have hundreds of thousands of people saying “Oh, Windows 8 sucks” you’re going to have a massive crowd spreading this stuff to people who otherwise might consider the OS.

The truth is that, for better or worse, Metro is different and people just don’t like change. I just can’t imagine people adapting so easily to a radical change. I think this is a big mistake on Microsoft’s part because I hear people saying “Well if I have to relearn Windows I may as well just learn how to use OSX or Ubuntu.” What Microsoft had up until this point is complete backwards compatibility and a consistent experience – they’ve just killed the consistent experience.

The UI experience of Windows XP was similar to that of Windows Vista and that of Windows 7. For over a decade people have been using their systems in a very similar way and Metro breaks that chain.

Yes, that’s how progress works and I advocate progress. But that’s not really the matter at hand – most people don’t actually give a damn about progress, they want their system to ‘just work’ and you can bet that most people simply won’t care to relearn Windows.

So I’m gonna go ahead and say we’ll see some ridiculously long support life for Windows 7 just as we did with XP because I’m confident that Windows 8 will be a flop.

Chris Pirillo’s Dad Using Windows 8 / Ubuntu 12.04 / OSX For The First Time

Windows 8


Ubuntu 12


He does pretty well with Unity; he definitely likes the workspace switcher if he could figure it out. He gets right away how to launch programs and switch between workspaces and his desktop UI.

Windows 8 he’s completely lost.

One Final Post About SecureBoot?

I did a post highlighting the positive side of things and then a very negative M$$$-bashy type post. I want something I can point to that at least makes an attempt at fair and balanced with enough information for the reader to make a decision so here it is.

What Is SecureBoot?

SecureBoot is a UEFI protocol that blocks anything that isn’t digitally signed from running before the operating system starts. Essentially, untrusted code cannot start before trusted code. This directly addresses an entire class of malware and attacks that we already see on systems in the real world. On a SecureBoot system the malware could not start up because it is not digitally signed.

Windows 8 (currently in Release Preview) uses SecureBoot by default on systems that have “Windows 8 Approved” hardware. This means that, by default, these systems will only boot code that’s been digitally signed.

You can disable SecureBoot on x86 devices but not ARM.

So How Does Linux Fit Into This?

Linux, in a SecureBoot environment, is considered untrusted code. It isn’t signed, therefore it can’t boot. Thankfully Microsoft has ordained that all x86 devices must allow the user to disable SecureBoot, and users will also be able to sign software with their own keys. You can also purchase a Microsoft signature.

The problem is that, while Linux is not entirely locked out, it’s still discouraging. As a user you have two options:

1) Disable a security feature (potentially difficult to do)

2) Go through the procedure to sign your software with your own key (almost definitely very difficult to do)

And as a developer your options are:

1) Tell anyone who wants to use your OS to disable a major security feature (discouraging)

2) Pay 99 dollars to VeriSign for a Microsoft signature.

These options aren’t good. Microsoft has not locked Linux out but it’s now more difficult for small Linux distros to gain members and it’s more difficult for users to make choices about which distro to use.

And, to reiterate, Linux is entirely locked out of Windows 8 ARM devices.

It’s worth noting that other distros cannot simply use Fedora’s bootloader. The entire chain of trusted software must be signed, including kernels and modules. This is what complicates things for distros. I personally run my own kernel so this complicates things a ton for me as I now have to go through the process of signing my own kernel and modules and blah blah blah every damn time (well, not really, I don’t have EFI, but I would.)
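The chain-of-trust point above, together with the user and developer options listed earlier (disable SecureBoot, enroll your own key, or ship a signed chain), as an added example that is not the post’s own code. UEFI keeps an allow-list (db) and a revocation list (dbx); db entries may be certificates or plain SHA-256 hashes of EFI binaries, and this model uses only the hash form so it runs with the standard library. It simplifies shim’s own MOK list away and treats every stage as verified by the stage before it; the boot binaries are constructed byte strings, not real images.

```python
"""Model of the Secure Boot chain of trust (added example, hash-based db/dbx)."""
import hashlib


def sha256(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


# Constructed stand-ins for the boot chain of a distro that ships signed binaries.
SHIM = b"shim.efi (distro build 1)"
GRUB = b"grubx64.efi (distro build 1)"
DISTRO_KERNEL = b"vmlinuz (distro build 1)"
# A self-built kernel nobody has enrolled, and an old bootloader that was revoked.
CUSTOM_KERNEL = b"vmlinuz (my own build, no signature)"
OLD_GRUB = b"grubx64.efi (distro build 0, revoked)"

DB = {sha256(SHIM), sha256(GRUB), sha256(DISTRO_KERNEL)}   # what the firmware trusts
DBX = {sha256(OLD_GRUB)}                                     # what it refuses outright


def is_trusted(blob: bytes, db: set, dbx: set) -> bool:
    """dbx takes precedence: a revoked binary stays blocked even if it is also in db."""
    h = sha256(blob)
    return h not in dbx and h in db


def boot(chain, db=DB, dbx=DBX, secure_boot=True):
    """Walk firmware -> shim -> grub -> kernel. Returns (booted, log).

    Each stage must pass before the next one is even looked at, which is why a
    trusted shim and grub do not help an unsigned kernel.
    """
    log = []
    for name, blob in chain:
        if not secure_boot:
            log.append("%s: loaded without verification (SecureBoot disabled)" % name)
        elif is_trusted(blob, db, dbx):
            log.append("%s: verified" % name)
        else:
            log.append("%s: REJECTED (not in db, or listed in dbx)" % name)
            return False, log
    return True, log


def enroll(db: set, blob: bytes) -> set:
    """The 'sign it with your own key' option: the machine owner adds a hash to db."""
    return db | {sha256(blob)}


DISTRO_CHAIN = [("shim", SHIM), ("grub", GRUB), ("kernel", DISTRO_KERNEL)]
CUSTOM_CHAIN = [("shim", SHIM), ("grub", GRUB), ("kernel", CUSTOM_KERNEL)]
REVOKED_CHAIN = [("shim", SHIM), ("grub", OLD_GRUB), ("kernel", DISTRO_KERNEL)]


if __name__ == "__main__":
    for label, chain in (("distro", DISTRO_CHAIN), ("custom kernel", CUSTOM_CHAIN),
                         ("revoked grub", REVOKED_CHAIN)):
        booted, log = boot(chain)
        print(label, "->", "booted" if booted else "halted", log)
    print("custom kernel after enrolling its hash ->",
          boot(CUSTOM_CHAIN, db=enroll(DB, CUSTOM_KERNEL))[0])
```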

So Is There A Bright Side?

There is, and in the spirit of fair and balanced I will delve into it.

SecureBoot is actually a really awesome feature. It prevents cold boot attacks* on disk encryption, it seriously restricts malware, and it’s actually implemented in a not totally horrible way (we can sign things! Way better than patchguard!)

*by preventing immediate loading of a livecd/usb for it. It also prevents bootkits, which bypass encryption.

Microsoft is actually subsidizing VeriSign keys so that they’re only 99 dollars (SSL certs can be 200-300 dollars and only last 1-3 years) so that’s pretty nice I guess…

And Linux distros are in fact already working on implementing SecureBoot, which will make transitioning to Linux (well, to some distros of Linux) as smooth as ever while still providing a really fantastic security feature. Fedora has already confirmed it’s working on it and Canonical is likely to announce the same soon.

SecureBoot is actually one of the better security protocols to come about. It’s not some silly little thing to block out mere theoretical attacks, it’s legitimately a strong layer of security.

How Should I Be Feeling?

I can’t really tell you how to feel about this situation. Some people are just happy for the security and are fine with using a big name distro and others are outright pissed at Microsoft and calling for their heads on a plate. But it’s my blog so I’m going to tell you how I feel…

Honestly, I’m really into security so part of me is happy to see it happen… but it feels very forced. I would have preferred to see this come about naturally. If SSL had come about naturally we probably wouldn’t have all of the problems we see today with CAs just ‘tacked on’ as a last resort “couldn’t think of anything better, had to rush it” type deal. If the community had openly discussed how to do this in a way where everyone benefits I think things could have not only gone smoother but we would also end up with a more secure product. SecureBoot as an idea is amazing, one of the best ideas for security in the last few years really, but this is not the proper process for implementing it.

My 2 cents, I think this covers everything.

Do Not Track On By Default In IE10

Internet Explorer 10 is the browser shipping with Windows 8 (currently in Release Preview) and it’s got an interesting feature. Do Not Track is a new would-be standard for telling advertisers not to track you online. Microsoft has stated that DNT will be enabled for IE10 by default.

The Importance Of Privacy

Every single user should have complete and final control over their data. No one should be able to track you if you don’t want to be tracked – not the government and not corporations. I hold this to be fundamentally true.

Do Not Track does not actually stop anyone from tracking you. It “asks nicely” for them to stop tracking you and they have no legal obligation to care. Still, as DNT is incorporated into modern browsers it will hopefully become the standard and it could be enforced both by browsers (blacklisting ads that don’t comply) and the law.

The Big Problem

I’m new to blogging, and while I don’t own this domain or use Google Analytics I can see a lot of information. I see where people come from (the majority of users who visit this blog are from Google), which articles are popular, which tags are popular etc. If I were so inclined it would be very easy to make my blog more targeted to take advantage of the information provided to me. Even with a few days of information I can see a ton about how to increase my blog’s popularity.

The same is true for advertisers. This tracking isn’t just about being creepy – it really does help. If I’m getting ads for makeup products I’m not going to click them; if I get an ad for some new book about computers or whatever I’m way more inclined to click that ad.

The sad truth of it all is that ads are what make the internet possible. Everyone has to pay for hosting or come up with some other business model, which means selling you something else. That or you’re paying out of pocket.

So while I commend Microsoft for implementing Do Not Track I’m going to outright say that this is a bad decision for the internet as a whole. It should be a choice but it should be off by default. Put a little box asking users to enable it at first run if you want, explain to them what it means. But turning off tracking for 50% of the internet is not ‘healthy’ for it.

If the entire world turned on DNT and Adblock the internet would have no way to maintain revenue. It’s not that every site would shut down overnight but tons of sites would have to start paying monthly fees and a lot would shut down. I’m not saying to turn DNT off, just think about that.

Personally, I run Adblock Plus (which sends a DNT header) and I whitelist any website that I want to support. Adblock Plus already whitelists ads that it considers to be unobtrusive and that is a policy that I wholeheartedly support.

I think this is a really weighted subject and there’s a lot to talk about here but for now this will do.


You Don’t Need An Antivirus With Windows 8

With Windows 8 out a lot of users are wondering whether they need antivirus with Windows 8, or if they need to pay for an antivirus, or do something else entirely. In my opinion, if you’ve been paying for an antivirus for Windows XP, Vista, or 7, you can consider cancelling that next subscription if you’re moving to 8. In my last post about Windows 8 security I glossed over Microsoft Security Essentials and I wouldn’t call what I said ‘positive.’ For my quick non-security oriented review of Windows 8 Release Preview click here.

This post will highlight why MSE is the type of antivirus a consumer needs and why it might be the right choice for Windows 8 users.

Microsoft Is Best Suited For The Job

The fact is that Microsoft created Windows. It’s a closed source project and antivirus companies spend a ton of money just trying to figure it out. Microsoft has a massive advantage here. They know what their code is like, they know where there’s most likely to be a hole, they have the ability to “tap” systems with crash reports or opt-in data collection on a level no antivirus company can ever match. They simply have the most data.

The fact that only Microsoft has access to the source code is one major reason why you should be trusting them to secure your system.

Years Of Practice

We’re a long way away from Windows XP. Windows is not so full of holes as it used to be, Vista brought many security mitigation techniques and a new MAC system to the operating system and Windows 8 expands further on that with new techniques and a new MAC system.

The Windows system has been hacked and torn apart for years and Microsoft has not sat idly by. The company has created new tools such as EMET, which are very effective at what they do. They’ve seriously improved their patch response time and there simply is no comparison between Windows 8 security and Windows XP.

Microsoft has seen years of malware. They know what they’re up against and at this point you’d better believe they know a few ways to fight back.

Reinforced Throughout The Operating System

Microsoft has made it clear that Microsoft Security Essentials is just one layer. Windows 8 also includes SmartScreen, a reputation based heuristics filter that acts system wide to inform and protect users from unknown files that are potentially dangerous. The focus of SmartScreen is on 0day malware and samples that an antivirus might normally not catch.

Where MSE stops SmartScreen begins, picking up slack. Antiviruses are inhibited by their inability to deal with the unknown, something that they will always struggle with. SmartScreen aims to specifically deal with the unknown using heuristics based on file reputation. File reputation essentially checks how “popular” the file is – how many systems it’s been seen on. Only a major company could pull off something like this and Microsoft is absolutely the best company for it – no antivirus can be installed on more Windows systems than exist.

Windows 8 Was Built With MSE In Mind

The fact is that Microsoft didn’t build Windows 8 thinking “let’s create a system that works great with Sophos and McAfee”; they built a system to work with MSE and they built MSE to work with the system. Layered security means understanding which layers are important and which need to be covered, and having full control over every layer leads to a potentially more secure system.

Consistent Heuristic Scores And Low False Positives

“grades” antivirus software and Microsoft Security Essentials does fairly well. It’s not amazing but it’s not terrible, and that’s fine because it’s reinforced by other areas of Windows. What it is, consistently, is quiet. Heuristics is basically a way of “guessing” something – you use heuristics for spam filters, antivirus, language analysis, anything where you need to guess. Naturally this is going to lead to wrong guesses and in an antivirus’s case that’s a false positive. MSE has very few false positives, often the lowest or second lowest compared to other antiviruses. Almost all of the antiviruses that get higher heuristic detection scores also have tons of false positives (you can see the correlation) and I think that having few false positives is just as important as having high detection rates.

If my AV is constantly telling me that files that I know are good are actually bad I won’t trust it. And when the time comes and the file I think is good is actually bad and my AV alerts me I simply won’t believe it. We’re all familiar with The Boy Who Cried Wolf, same principle here.

So Is Windows 8 Impregnable?

Well, while I’m very pleased that Microsoft has stepped up its security I think there is still need for some set up to get the system closer to where it should be. I still don’t consider Windows 8 to be as secure as my own configured Linux system but there are significant improvements and for the average user I think we can expect things to go smoothly.

Much of what’s in Windows 8 is untested and may not work out well in the real world. I’m optimistic about some features and not so much about others. Time will tell. I’ve had the Windows 8 Developer Preview, Consumer Preview, and now Release Preview all installed so I have a fair bit of experience with it though.

And, of course, as Windows 8 popularity rises so will hackers’ interest in bypassing its features, so it’s still important to take the extra measures and to keep up with patches. MSE has consistently had decent heuristics with low false positives, which I think is very important.

Windows 8 – A Quick Review

I’ve gotten around to installing the Windows 8 Release Preview and I figure I may as well post about it.

Windows 8’s most obvious feature is the new Metro UI, of which I am a fan. It’s gotten a ton of hate but it’s smooth and familiar in the right ways.

Does this look so different from what you’re used to?

The only really major difference is that the start menu (now a corner) is full screen.

If you can’t handle that I suggest you don’t upgrade because Microsoft has removed the old methods to get Windows 7’s Aero UI working on Windows 8.

I then proceeded to do what I always do on a new Windows installation, install EMET.

And then this happened.

I guess SmartScreen isn’t quite up to par yet as this happened a few more times later on. In the Developer Preview and Consumer Preview I got quite a lot of noise from SmartScreen telling me it doesn’t recognize applications. I’m not confident that users will appreciate this and I won’t be surprised if it’s disabled on most machines.

Still, DEP and SEHOP set to Always On works for me. I can’t do ASLR to Always On because ATI Drivers suck.

Metro also has “Apps”, which are run full screen. I checked out the mail app (and I’m not going to be posting my emails, just the spam folder) and I think it’s very nice.

My favorite app, however, is the weather app.

The app (after asking permission) figured out my state and it even comes with a cool live tile.

Not the most in depth review out there on the net, just a few things I took note of. The OS feels really smooth, it’s great looking, and if I weren’t already spoiled by Ubuntu (I miss alt + drag, super + W, and security) I’d be really pumped for Windows 8. I may be one of the few but I really like this new look and the security improvements would absolutely be enough reason for me to upgrade from 7.

Personally, I don’t think it’s going to do well. Users hate UI changes and this one’s major. I like Metro but I’ve also always liked Unity (I just hated how buggy it used to be) so I’m not going to assume anyone shares my opinion. While Windows 8 is definitely more secure and I absolutely love Metro more than Aero I just can’t imagine users adapting to it within the next two years. Time will tell.

As it stands, it’ll be nice to have it around for games.

Universal ASLR Bypasses And How To Solve Them

Address Space Layout Randomization is an exploit mitigation technique that focuses on preventing Return Oriented Programming attacks. It’s become one of the “must have” tools for a secure program (like DEP) and it’s present in all modern user-oriented operating systems.

Mitigating ROP is pretty important as most modern exploits take advantage of it. And ASLR would be entirely effective in an ideal world where every single part of address space is randomized and 64bit address space is impossible to bruteforce and heapspray doesn’t exist. We don’t live in that world and there are universal ASLR bypasses for Windows and Linux, heapspray does exist, and the majority of users are stuck in a 32bit address space (and 64bit vanilla ASLR isn’t necessarily impossible to bruteforce).

Windows is actually pretty on top of things with ASLR (as of Windows 8) and /FORCEASLR but there’s always going to be a way around it (unless some things seriously change.)

So what’s the answer?

Well, for non-performance critical applications perhaps a solution like Gadgetless Binaries would be a viable option. Gadgetless binaries would compile code in such a way that an attacker would be unable to make use of static address space instructions to form their attack.

There is a performance hit here so I’m not saying to compile everything with it, but for security critical applications why not? There are specific areas of Windows address space that are loaded in the same exact place every time – why not compile that area with gadgetless binaries and avoid situations like this?

There’s also a somewhat less effective In-Place Code Randomization technique and even less effective (though still welcome) EAF, which is what Microsoft has implemented.

Perhaps I’m just missing something. Maybe this would require paying out or some such thing but it seems like a great idea to me as ASLR isn’t going to solve every problem. At least not with current implementations (outside of PaX ASLR, which makes use of many other features via Grsecurity to prevent attacks against ASLR).


Windows 8 Release Preview Is Out – Let’s Talk Security

I could take screenshots and do a full review of the Windows 8 OS but some other blog that gets paid to do reviews would just do it better so I’ll stick to what this blog is for – security.

Windows 8 has officially been released as a Release Preview, meaning that just about everything you see in this RP is what you’ll see in the final release. The biggest changes in Windows 8 are pretty surface – the highlight is an entirely new Metro UI, which features a full screen start page and various other major UI changes. There are also some big changes under the hood – Windows 8 is a lighter, faster OS than 7 with lower RAM usage and improved multicore support. And then there’s security…


Address Space Layout Randomization (ASLR) is a mitigation technique first designed by PaX foundation. The idea is to randomize a program’s address space (the range of virtual memory addresses that make up a process) in order to prevent Return Oriented Programming (a technique used to bypass Data Execution Prevention.) Essentially, because the attacker does not know where areas of the address space are, they are unable to make use of that address space in a way that would otherwise allow further compromise of the system.

ASLR relies on the attacker not being able to guess the location of address space. They only have three real options (in terms of defeating ASLR):

1) Find part of the address space that isn’t ASLR enabled

2) Make use of information leaks

3) Bruteforce through the addresses

Windows 8 attempts to directly address (1) and (3).


In Windows 7, if I run a program like Firefox*, which is ASLR enabled, but I use Norton Toolbar, which isn’t ASLR enabled, I basically defeat the purpose of ASLR because there’s a predictable address. Windows 8 addresses this with /FORCEASLR, a compile time flag that will force the entire address space to be ASLR enabled (oversimplification, not entirely true, good enough.)

The benefits are obvious, simply using the /FORCEASLR flag in your program means that no other program will significantly degrade the effectiveness of ASLR.

*Firefox has actually solved this issue by forcing toolbars to use ASLR. It’s an outdated example but it works.
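The /FORCEASLR passage above and the Force ASLR and High Entropy ASLR sections of the earlier post both come down to one bit in each module’s PE header: without /DYNAMICBASE a DLL loads at its preferred base every time, and /HIGHENTROPYVA is the 64-bit opt-in for the larger random range. The following is an added example, not code from the posts, that audits those IMAGE_DLLCHARACTERISTICS flags in a PE file so you can see which loaded modules would be the predictable ones that Force ASLR (or EMET’s mandatory ASLR) has to relocate; the stub-PE builder exists only to test the parser offline.

```python
"""Audit a PE image's ASLR/DEP opt-in flags (added example)."""
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
HIGH_ENTROPY_VA = 0x0020   # /HIGHENTROPYVA: opt in to 64-bit high-entropy ASLR
DYNAMIC_BASE = 0x0040      # /DYNAMICBASE: image may be relocated, i.e. ASLR
NX_COMPAT = 0x0100         # /NXCOMPAT: image is DEP compatible

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def pe_dll_characteristics(data: bytes) -> tuple:
    """Return (optional header magic, DllCharacteristics) from raw PE bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    # The 20-byte COFF file header follows the signature, then the optional header.
    opt = e_lfanew + 4 + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both the PE32 and PE32+ layouts.
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]
    return magic, dllchars


def aslr_report(data: bytes) -> dict:
    """Summarise what the loader can do with this image."""
    magic, dllchars = pe_dll_characteristics(data)
    is_64 = magic == PE32PLUS_MAGIC
    dynamic_base = bool(dllchars & DYNAMIC_BASE)
    return {
        "pe32plus": is_64,
        "dynamic_base": dynamic_base,
        # /HIGHENTROPYVA means nothing unless the image is 64-bit and relocatable.
        "high_entropy_va": is_64 and dynamic_base and bool(dllchars & HIGH_ENTROPY_VA),
        "nx_compat": bool(dllchars & NX_COMPAT),
        # Without /DYNAMICBASE the module lands at its preferred base every time,
        # which is the predictable region described in the posts; only Force ASLR
        # (Windows 8) or EMET's mandatory ASLR relocates it regardless.
        "needs_force_aslr": not dynamic_base,
    }


def audit_file(path: str) -> dict:
    """Convenience wrapper for a real DLL or EXE on disk."""
    with open(path, "rb") as fh:
        return aslr_report(fh.read())


def build_stub_pe(magic: int, dllchars: int) -> bytes:
    """Construct a header-only PE image for offline testing (not a loadable binary)."""
    is_64 = magic == PE32PLUS_MAGIC
    opt_size = 240 if is_64 else 224
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew: PE header follows DOS stub
    coff = struct.pack("<HHIIIHH",
                       0x8664 if is_64 else 0x14C,    # Machine: AMD64 / i386
                       0, 0, 0, 0,                    # sections, timestamp, symbol table
                       opt_size, 0x2022)              # SizeOfOptionalHeader, DLL|executable
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dllchars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        print(p, audit_file(p))
```

Run it over the modules of a process you care about (a browser and its toolbars, say) and anything reporting needs_force_aslr is the module that would have made the whole process predictable on Windows 7.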

Improved Randomness

ASLR effectiveness necessitates the inability of an attacker to guess or predict locations of address space. If there isn’t sufficient address space or there isn’t sufficient entropy the ASLR won’t be effective and an attacker can bruteforce their way to a useful area.

Windows 8 has improved the random number generator and thereby increased randomness in ASLR.

For 32bit systems this is important. Virtual address space on a 32bit system is much smaller than that of a 64bit system (addressable space on 32bit is 2^32 as opposed to 2^64 for 64bit) so bruteforcing is much easier. Improved randomness will make this more difficult – though because of the small address space it’s potentially a lost cause.

Guard Pages

Guard pages work to prevent usable buffer overflows. Developers can make use of Guard Pages to protect areas of address space – when an attacker tries to overflow an area protected by Guard Pages, they’ll end up throwing an exception.


There aren’t a lot of details about AppContainer yet but it looks like Windows is finally getting proper Mandatory Access Control. The ability to apply fine-grained application MAC is hugely beneficial both to preventing and limiting exploitation.

Programs don’t have to squeeze into low integrity anymore; they can use whole-process sandboxes (which aren’t actually better, just easier) to segregate themselves from the system.

The jury’s out on this feature. If it’s as powerful as AppArmor I’ll be happy.

Internet Explorer 10 Metro

IE10 Metro runs in the new Metro environment (WinRT) and is sandboxed from the rest of the system. It also contains a built in Flash player, which Microsoft has integrated into the browser for improved stability, security, and performance. A smart move on Microsoft’s part as the Flash player is still necessary for viewing a ton of the internet and it is also one of the most commonly exploited applications.

Internet Explorer 10 Desktop

The desktop IE10 (and this applies to Metro) will make use of all of the new security mitigations like FORCEASLR and improved randomness. IE10 will also include an “Enhanced Protected Mode”, which implements a further least-privilege mode based on the earlier Protected Mode principles.

The enhanced protected mode continues IE’s least privilege model, which is great and it should prove more difficult to break out of.

Full System Smart Screen

Smart Screen is an application reputation and heuristics system. Previously it was built into IE9 and an NSS Labs report noted it blocking 96+% of malware (there isn’t enough research on the effectiveness, take that report with a golf ball sized chunk of salt.)

SmartScreen in Windows 8 is now system wide. If an application hasn’t been seen before by MS you get a little message saying “hey, we haven’t seen this before, be careful.”

Personally, I don’t like it and I don’t think it will be effective. That’s just me. I don’t think users are capable of making decisions based on information like that and it threw me a ton of “false positives” (not actually FPs as it’s not calling it malware, same principle) so my trust in its opinion of software is seriously diminished. It won’t be effective for the same reason an AV that throws false positives isn’t effective – if I can’t trust the product I’ll never know when it’s right or wrong.

We’ll see.


SecureBoot is a much reviled feature as everyone thought MS would be locking Linux out of Windows 8 hardware. As I posted about earlier, Fedora is already working on implementing it. SecureBoot prevents untrusted code from running before the OS. This will prevent rootkits from bypassing full disk encryption and/or wedging themselves deep into the operating system. It’s a great security feature and I think it will be very effective.

Microsoft Security Essentials

MSE is a widely used antivirus known for being pretty light and quiet – no false positives. It provides pretty decent detection ~50% when out of date and making use only of heuristics (most people probably don’t stay up to date) but I think we can expect that to fall.

As MSE has gotten more popular it’s also started to drop in performance. This is the case with any popular program. The first thing a hacker will do with their payload is test it against a number of antiviruses (automated tools exist for this) and if it passes by MSE but maybe Panda catches it they might release it anyway because MSE still makes up a huge part of market share.

Windows 8 will increase that market share and increase how seriously hackers take bypassing MSE. It’s detection, not prevention, so it’s flawed in that way.

Did I Miss Anything?

I’ve probably forgotten something. If so, leave me a comment.

All in all, Windows 8 is significantly more secure than Windows 7. If AppContainer turns out well it’ll be a huge boon. Even without AppContainer the numerous memory protections added as well as SecureBoot put Windows 8 far ahead of 7 and I’m excited to see Microsoft really taking security seriously. Personally I still feel safer on Ubuntu thanks to being able to do this but it makes Windows feel way more viable and competitive.