I would think that the cost increase is likely to be negligible. The paper comes with full source code that’s well-commented and pretty general.

The difficulty for seasoned folks has not increased substantially but anything you do to make them take extra steps buys you something. CAPTCHAs for example are pretty much broken, but there is still value in having a good one. Determined attackers can still get through, but if your system is slightly more difficult than a similar size competing target people will tend to choose it over you. Vista can be broken, but is it worth the extra effort when it isn’t even needed for XP, a much larger target (granted you can get both going after Vista, but path of least resistance is usually the chosen one).

either create a large padding section

Yeah, that and the no-op segments were the best recomendations, but while the actual logic code of the binary is quite small in those situations the physical size would not be. To get around this they advocate using gzip compression so the physical size is negligable, but there are many servers that don’t have this enabled by default. Thus they would either own their own servers or be choosey in which compromised servers they use to serve the control. Either way simply introducing the need for a hosted control increases the cost of the attack, if one was trying to break ASLR rather than simply avoid it.

In any case, Flash is probably the better vector, since it’s far and away the most widely deployed plugin, and never ASLR protected anyway. No need to circumvent what isn’t there.

Well, quite true, and it is not as if flash is lacking in vulnerabilities at the moment. That said, the browser isolation of IE 7 was specifically designed with that scenario in mind, so I am quite curious if it mitigates this threat. The paper seemed very short on details concerning the browser isolation so I don’t know what conclusion to draw. I honestly would think it much bigger news that the logical isolation was broken so I’d love to hear confirmation one way or another.

I wasn’t trying to downplay that this is big, but some context is necessary. This is not Vista security rendered next to worthless as is being reported. The paper primarily targets browsers and many of the tactics will not work in, say, WMP, which is compiled with DEP and doesn’t have anywhere near as vulnerable a plugin model (even though in the past it was a popular target of buffer overflows). Additionally, while browsers were the primary target the paper was generally mum about the IE 7 isolation protection. Specific aspects of Vista security, very important aspects to be sure, but only specific aspects none the less are not as effective. That is hardly the end of the world, and I think the authors were pretty open about even those aspects going forward in new versions of windows (for example, 64 bit Win2k8 server which is much less susceptable because of policy enforcement).

I would think that the cost increase is likely to be negligible. The paper comes with full source code that’s well-commented and pretty general.

“For example, to defeat ASLR the authors advocates hosting a .Net Web Component of sufficient size to dramatically impact how the address space can be randomized, and in order to facilitate downloads they also recommend the webserver hosting the component use gzip compression (which in turn means controlling web server configuration). ”

You don’t need a huge .NET DLL–the paper shows a couple of ways to make that a non-issue (either create a large padding section, or use a malformed header to make the assembly incompatible with ASLR). Hopefully the latter issue will be fixed sooner rather than later. The former will continue to be an issue until we move to 64-bit processes (it’s not possible to cover any appreciable portion of a 64-bit address space, so randomized 64-bit processes could be sufficiently sparse as to make ASLR decently robust).

In any case, Flash is probably the better vector, since it’s far and away the most widely deployed plugin, and never ASLR protected anyway. No need to circumvent what isn’t there.

PS: I’m going to be in town week of Sept 22. Pass the word. BBQ anyone?

I’ve also seen the Asira project before and I like the intent of it. That said, I have a concern with it. It is technically feasible to crawl petfinder and download all of the images, which are conveniently categorized by type (cat, dog, bird, rabbit, etc) and then create a simple database that uses a hash from the image as a key to look up the type. Then, when crawling sites that are asira enabled the images could just be rehashed and looked up.

Hopefully MS is actually doing some modifications (resize, slight color filter, etc) that would cause the Asira image to have a different hash value, which would frustrate that approach.

http://research.microsoft.com/asirra/?0sr=a

Flash is definitely and easier route in terms of server resources, but you are absolutely right about it being a pain with the myriad of flash versions (is flash even present, is it a smart device that uses flash-lite, etc).