Alleged Bugs in Windows Vista’s ASLR Implementation

I’ve had some people ask me about a paper that was recently published detailing alleged bugs in Address Space Layout Randomization in Windows Vista. It’s great to see people looking at and scrutinizing Windows Vista before we ship.

With that said, it turns out this analysis is incomplete and leads the author to an incorrect assumption. Let me explain.

There are three areas of randomization enabled by default in Windows Vista:

  • Image Randomization

  • Stack Randomization

  • Heap Randomization

The author is looking only at the entropy in the stack randomization.

When a new thread is created, the starting page for its stack is shifted by 0 .. 31 slots. Because pages are large and we don’t want to unnecessarily fragment an application’s memory, we chose not to spread stacks out over the entire address space. Instead, we further randomize the stack start WITHIN the starting page. Hence the total stack randomization is not 5 bits (1 of 32 variations) – it’s up to 14 bits (1 of 16,384 variations).

You can check this out for yourself by compiling, linking and running the following code on Windows Vista RC1 or later with the updated linker.

#include <stdio.h>

void main(){ 
  int x;

Link with the /dynamicbase switch and run the code multiple times; you’ll see that the address of x bounces around much more than the paper describes.

On a final note, it is true that we don’t have as much randomization as PaX and other more aggressive ASLR implementations. For instance, image randomization is only 8 bits (1 of 256 variations). Images have to be 64K aligned, and so on a 32-bit system we could have theoretically randomized images by up to 15 bits (1 of 32, 768 variations), but the incremental security gain is small – if you navigate to a Website and your browser crashes, will you go back to that site another 255 times – and would have come at the expense of fragmenting the entire address space, thereby reducing the contiguous memory available to applications and degrading system performance? We think we hit a nice balance.

Comments (13)

  1. Dean Harding says:

    > if you navigate to a Website and your browser crashes, will you go back to that site
    > another 255 times

    Actually, I was going to reply back saying that while *I* wouldn’t go, you’d only have to convince another 255 people to go there instead. But then I did some calculations… Botnets today of 10,000 computers are not uncommon (even 100,000 computers). With only a 1:256 chance of infecting a computer, that reduces my botnet to only 40 (or 400) computers. And given that most botnets grow using the infected computers as a launching point, with only 40 computers in my botnet, growing it to just 400 will be quite difficult.

    So yeah, I agree that 1:256 is probably enough – at least in the initial version! I imagine there plenty more up your sleeves for version 2.0 🙂

  2. Dean, don’t forget that ASLR is just *one* defense in Windows Vista. There are a ton of other defenses in IE7 and the OS as a whole, and they are all enabled by default 🙂

  3. Ali Rahbar says:


    I am the author of the paper on Vista’s ASLR.
    I just want everyone to know that after further analysis with the help of Microsoft’s security engineers I have find out why the entropy of the stack (EBP) was so low on my machine.
    There is two phase of randomization on Vista. In my analysis I was using the stack range (from the TEB) to measure the entropy. The second phase is done after that the stack range is initialized(EBP is randomized). So my analysis doesn’t reflect the second phase of randomization which is quite important.
    So dont worry Vista’s stack randomization is OK.

  4. Deonna says:

    are you the same old friend who wrote the book on the head of a pin? just curious if you’re the same michael howard.

    I’m enjoying your blog 🙂

  5. Darren says:

    Michael, is there a way to disable ASLR?  The randomization makes it difficult to track down certain types of bugs when developing native applications.

  6. mn19522 says:

    I wrote to experts-exchange about this paper and they referred me to your blog, which I joined.  I am glad that the research was incomplete and that Microsoft had not ignored, but actually improved upon what the reseacher reported.

    I realize that the following is only tangentially related to security, but your blog gives me the opening.  Perhaps you can redirect me to the correct person to answer this innane question regarding naming conventions, if there are any relating to this particular file.

    I have a question about how Microsoft comes up with names.  In this case there is no indication that the MountPoint name is a Microsoft product.  This name caused my security scanning software and me unnecessary problems.  I spent the last three days and nights researching a potential problem that was flagged by the AVG Anti-Malware 7.5 software.  It is a folder known as: C:System Information FolderMountPointManagerRemoteDatabase.  AVG provided a warning flag, but no capability to remove or quarantine it.  I used Google to try to find out what this was and most identified it as a Root Kit.  Worrisome to say the least because this is the first time that anything got through my defenses.  In desperation, I finally called Microsoft security.  They told me that this folder and MountPoint were part of the operating system relating to disk management.  A big sigh and a refreshing sleep.  

    I immediatly wrote to AVG and asked them to remove this from their potential bad things file.  False positives can cause agony!  

    Can you ‘splain to me how this name was selected and are there any other names which one would never think to be part of a that one should be concerned about triggering a response from one of my many scanners?  Kidding about the other names curious on how these non Microsoft names are created.  Sincerely, Michael

  7. Julien says:

    You can also use slipfest to detect ASLR in Vista. Slipfest will launch several processes and threads for you, record some addresses (stack, TEB, PEB…) and run a  basic statistical analysis.

    Feel free to add better statistical analysis though 🙂

  8. Names: based on my experience, there is no one person or group in charge of names like directory names. That being said, which OS are you using?

  9. Steve says:

    void main?  The guys in comp.lang.c go nuts about this.  Per ANSI/ISO, main must return int.

  10. Arron Alexander says:

    When I first heard of this particular implimentation, I was strucken with a few ways to potentially overcome this security implimentation.  One way around this could simply be as easy as subtle misdirection of exception handling (ELF for example).

    Consider your 1/256 chance (1 byte of Rand()), combine it with random string mechanisms that are checked against stack return events (why not just use crc md5/sha1 checks [proc time maybe?]), and we find there to be many similar potential points of "failure" for any possable outcome anyway.

    All it takes is one way, and it’s only a matter of time and talent.

    A step in the right direction.

  11. I use Delphi compiler and cannot run Microsoft’s link.exe to set a new flag in the PE header. Is therer any application that patches the PE header of the compiled EXE file to set the new flag to my application?

  12. Maxim – lemme see what we can do 🙂

    fwiw, you *can* use the MS linker with Delphi, at least that’s what I’m told!

  13. Do you mean editing the compiled Delphi executables by MS linker using link /edit /dynamicbase  (or editbin /dynamicbase )?