Microsoft's Remedies: Address Randomisation
Protecting that glass jaw.
Address space layout randomisation (ASLR) is another attempt to get hackers to trip up - so that they can't know where the various parts of a program will end up in memory.
The layout of processes, library modules, heaps, stacks, process and thread control blocks can all be randomised with later versions of Windows.
The randomisation of DLL (dynamic linked/shared library) addresses is crucial. Normally these libraries are all 'rebased' together, each assigned an efficient virtual starting address, so as to conserve as much of the available address range as possible.
A difficulty here is that Windows has to load each DLL at the same physical address in memory for all programs, so that it can be shared by all client processes. Microsoft now use a global data object called _MiImageBitMap to represent the address space 0x50000000 - 0x78000000. _MiImageBitMap is 0x2800 bits in length, with each bit representing 64 KB of memory.
As a library is loaded for the first time a start address is chosen at random and the corresponding bits in _MiImageBitMap are set. The next time the same library is loaded the system consults _MiImageBitMap and maps the library at the same address.
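The bitmap scheme just described can be modelled in a few lines. The following is an added illustration written for this page, not Microsoft's kernel code: it uses the constants the article gives (the 0x50000000 - 0x78000000 range and one bit per 64 KB), picks a random free run of granules on the first load of an image, records the base, and hands back the same base on every later load. The class and method names (`ImageBitmapModel`, `load`, `choices_for`) are this example's own inventions; `choices_for` is included so a defender can see how many candidate bases an image of a given size has, which is the quantity an attacker would otherwise have to guess.

```python
import random

# Constants taken from the article: _MiImageBitMap covers 0x50000000-0x78000000
# with one bit per 64 KB granule, giving 0x2800 bits.
IMAGE_RANGE_START = 0x50000000
IMAGE_RANGE_END = 0x78000000
GRANULE = 0x10000  # 64 KB
BITMAP_BITS = (IMAGE_RANGE_END - IMAGE_RANGE_START) // GRANULE  # == 0x2800


class ImageBitmapModel:
    """Toy model (hypothetical, not Microsoft's implementation) of the
    _MiImageBitMap behaviour: the first load of an image picks a random free
    run of 64 KB granules and sets their bits; later loads of the same image
    consult the recorded base and map it at the same address."""

    def __init__(self, seed=None):
        self.bits = [False] * BITMAP_BITS   # one flag per 64 KB granule
        self.bases = {}                     # image name -> chosen base address
        self.rng = random.Random(seed)

    @staticmethod
    def _granules_needed(size):
        # Ceiling division: an image occupies whole 64 KB granules.
        return -(-size // GRANULE)

    def _candidate_starts(self, n):
        # Every granule index at which a run of n free granules begins.
        starts = []
        free_run = 0
        for i, taken in enumerate(self.bits):
            free_run = 0 if taken else free_run + 1
            if free_run >= n:
                starts.append(i - n + 1)
        return starts

    def choices_for(self, size):
        """Number of distinct bases an image of `size` bytes could be given now."""
        return len(self._candidate_starts(self._granules_needed(size)))

    def load(self, name, size):
        """Return the base address for `name`; random on first load, fixed after."""
        if name in self.bases:
            return self.bases[name]          # already placed: reuse, as shared images must
        n = self._granules_needed(size)
        candidates = self._candidate_starts(n)
        if not candidates:
            raise MemoryError("no free run of %d granules in the image range" % n)
        start = self.rng.choice(candidates)  # the randomised choice
        for i in range(start, start + n):
            self.bits[i] = True              # mark the granules as used
        base = IMAGE_RANGE_START + start * GRANULE
        self.bases[name] = base
        return base


if __name__ == "__main__":
    # Constructed demo: two image names and sizes chosen for illustration only.
    model = ImageBitmapModel(seed=1)
    print("bitmap bits: 0x%x" % BITMAP_BITS)
    print("a.dll first load : 0x%08x" % model.load("a.dll", 200 * 1024))
    print("a.dll second load: 0x%08x" % model.load("a.dll", 200 * 1024))
    print("b.dll first load : 0x%08x" % model.load("b.dll", 64 * 1024))
    print("bases left for another 200 KB image:", model.choices_for(200 * 1024))
```

Running the demo shows the two properties the article relies on: the second load of a.dll lands at exactly the base the first load chose, and b.dll cannot land on a granule a.dll already owns. The model also makes plain why this is randomisation per boot rather than per process: once the bit is set, every later client sees the same address.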
Microsoft are also trying to randomise the location of allocation heaps, using a technique that gives hackers only one chance in 32 of guessing correctly. Stack addresses are also randomised to a certain degree: both the stack base and the starting stack pointer are randomised.
Given all these techniques for messing with hackers, how can they still get in? For get in they can! Read on.