Early Security Stories — ASLR
Story time. This one is about a feature in Windows called ASLR.
It was 2005. We were working on Windows Vista. Most remember it as the release with the maligned User Account Control feature. For us in Trustworthy Computing it was the first full Windows cycle where we could apply all the security engineering tools we had from start to finish.
Those efforts included fuzzing file parsers, scrubbing code for ‘banned APIs’ across millions of lines of code, fixing masses of potential bugs from static analysis, and driving initiatives to deal with newly discovered ‘diseases’ like mismatched container COM instantiation.
We hired the most spectacular group of researchers I’ve seen assembled from NGS, iSEC Partners, IOActive, and n.runs, gave them source code and access to Windows engineers, and told them to hack without boundaries. My words to them in an early meeting were “you are here to blow sh*t up”.
A quieter effort was going on to shore up our memory safety mitigations. Mitigations touch the holiest of holies in the OS: the compiler, the memory manager, the loader. Areas you just don’t mess with late in an OS release.
The breathing room created by hardware Data Execution Prevention (DEP), which we added in XP SP2, was gone. Exploits were using return-to-libc attacks and taking advantage of the fact that much of the memory layout in a Windows process was predictable.
This was a feature. A lot of work went into carefully laying out memory so commonly loaded DLLs would never ‘collide’ and require the OS to relocate them at load time. The performance saving across every boot, every process load, on every PC was massive.
And we needed to undo that work to build a new defense — Address Space Layout Randomization or ASLR. ASLR would scramble the location of loaded modules and other process structures. However, it was late in the release, crazy late, to contemplate a change of this magnitude.
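As an added example that is not part of the original thread: a Windows image opts in to ASLR per binary through the IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE flag in its PE optional header (what the /DYNAMICBASE linker option sets), and the loader can only move an image that still carries relocation data, which is exactly the load-time relocation the old fixed layout was designed to avoid. The checker below reads those header fields; the flag values come from the PE/COFF specification, and the sample images are constructed in the block, not taken from any real binary.

```python
import struct

DYNAMIC_BASE    = 0x0040  # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE: linked with /DYNAMICBASE
HIGH_ENTROPY_VA = 0x0020  # IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA: 64-bit high-entropy ASLR
NX_COMPAT       = 0x0100  # IMAGE_DLLCHARACTERISTICS_NX_COMPAT: linked with /NXCOMPAT (DEP)
RELOCS_STRIPPED = 0x0001  # IMAGE_FILE_RELOCS_STRIPPED: no .reloc data, image cannot be rebased

def check_aslr(data: bytes) -> dict:
    """Parse the PE headers and report whether the loader could randomize this image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew -> "PE\0\0"
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4                                         # IMAGE_FILE_HEADER (20 bytes)
    file_chars = struct.unpack_from("<H", data, coff + 18)[0]
    opt = coff + 20                                           # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]            # 0x10B = PE32, 0x20B = PE32+
    if magic == 0x20B:
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    elif magic == 0x10B:
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset for PE32 and PE32+
    dynamic_base = bool(dll_chars & DYNAMIC_BASE)
    relocs_stripped = bool(file_chars & RELOCS_STRIPPED)
    return {
        "pe32plus": magic == 0x20B,
        "preferred_base": image_base,
        "dynamic_base": dynamic_base,
        "high_entropy_va": magic == 0x20B and bool(dll_chars & HIGH_ENTROPY_VA),
        "nx_compat": bool(dll_chars & NX_COMPAT),
        "relocs_stripped": relocs_stripped,
        # The loader can only move an image that opted in AND still carries relocations.
        "aslr_effective": dynamic_base and not relocs_stripped,
    }

def build_pe(pe32plus: bool, dll_chars: int, file_chars: int = 0) -> bytes:
    """Constructed minimal PE (DOS header + signature + COFF + optional header) for testing."""
    magic = 0x20B if pe32plus else 0x10B
    opt = struct.pack("<H", magic) + bytes(22)                # Magic .. BaseOfCode (24 bytes)
    if pe32plus:
        opt += struct.pack("<Q", 0x140000000)                 # ImageBase at +24
    else:
        opt += bytes(4) + struct.pack("<I", 0x400000)         # BaseOfData, ImageBase at +28
    opt += bytes(70 - len(opt)) + struct.pack("<H", dll_chars)  # DllCharacteristics at +70
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, len(opt), file_chars)
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)           # e_lfanew = 64
    return dos + b"PE\0\0" + coff + opt
```

Running `check_aslr` over a real file (`check_aslr(open(path, "rb").read())`) gives the same dictionary; an image that reports `dynamic_base` but also `relocs_stripped` is the case the thread's relocation remark points at, since there is nothing for the loader to fix up.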
We had a few things in our favor. The feature was championed by @MattT_Cyber. Sometimes things happen because the right person says they need to happen. This was one of those features and Matt was one of those people.
Our Exec VP, Jim Allchin, wanted it. Ever since Blaster, he pushed the team to contemplate big security “sledgehammers” instead of just fighting bugs in “hand to hand combat”. Host firewall on by default in XPSP2, hardware DEP support, and now ASLR.
Brian Valentine, who oversaw Windows development, recalled a @bluehat talk by @hdmoore where he showed these tables that Metasploit had for identifying code gadgets in consistent locations across OS and service packs. “Will this break that?” It would and that was enough for him.
Sponsorship was there, but could we pull it off? A crucial moment arrived when the developer responsible for the memory manager, Landy Wang, finished up his backlog of work and got a free moment to consider it. It was a complex change; would it have the desired payoff?
He turned to a trusted engineer, Neill Clift, and privately asked if it was worth doing. Neill gave it a nod. I remember Landy doing an initial prototype over a weekend. Suddenly we were in the game.
A boatload of work remained to make it truly viable with contributions across the company:
- Architecture and Development: LandyW, ArunKi, RichardS, BryanT
- Security Analysis: NeillC, NiGoel, MichalCh, SergFo
- AppCompat Analysis: RobKenny, RPaige, TBaxter
Needless to say, it happened. We pondered how to announce it. Since ASLR was a feature that security researchers would notice, we decided to introduce it at a researcher conference. The year before, I had attended PH-Neutral, put on by the legendary Phenoelit group in Germany.
Window Snyder took me around and introduced me to people at the con. Sometimes people are right where they need to be. Microsoft needed @window and she brought down walls between Microsoft and the researcher community. This conference was the right spot. I flew to Berlin.
In 2006 Microsoft was very controversial in security circles. Showing up as the representative of the “evil empire” in a den of security researchers dedicated to finding our flaws and revealing them to a seemingly clueless corporate behemoth was enough to give anyone pause.
I entered the room to give my presentation. The room filled up. Completely up. People were sitting on the floor, standing along the walls, hovering in the doorway. There was an electricity in the air — the room was finally going to hear from a Microsoft insider on our efforts.
Would people be hostile? Interrupt and challenge me? There were plenty of reasons for the crowd to be cynical. I had no idea how this was going to go. I had prepared a very technical presentation because that’s how I thought I could best respect the audience.
FX (@41414141) came up to the front and introduced me. Then he did something I’ll never forget. Seemingly on the spur of the moment, he didn’t join the audience and instead sat next to me by the podium.
It was a small thing in some ways, but it meant the world to me. His presence next to me seemed to suggest to the room “he is a guest here and we will treat him with respect”.
To feel like an outsider and have the ultimate insider in his forum make sure you will be treated right is one of the kindest gestures I’ve ever received. I completed my presentation and found the subsequent hallway conversations thrilling.
I later delivered the same brief at Blackhat (blackhat.com/presentations/…). As time went on, the value of ASLR diminished, but I remember most the human moments that brought together an unlikely cast working on the messy hairball of security, enduring headwinds and advancing forward.
This story was originally published here: https://twitter.com/JohnLaTwC/status/1093956949073289216