I’ve had some people ask me about a paper that was recently published detailing alleged bugs in Address Space Layout Randomization in Windows Vista. It’s great to see people looking at and scrutinizing Windows Vista before we ship.
With that said, it turns out this analysis is incomplete and leads the author to an incorrect assumption. Let me explain.
There are three areas of randomization enabled by default in Windows Vista:
- Image Randomization
- Stack Randomization
- Heap Randomization
The author is looking only at the entropy in the stack randomization.
When a new thread is created, the starting page for its stack is shifted by 0 .. 31 slots. Because pages are large and we don’t want to unnecessarily fragment an application’s memory, we chose not to spread stacks out over the entire address space. Instead, we further randomize the stack start WITHIN the starting page. Hence the total stack randomization is not 5 bits (1 of 32 variations) – it’s up to 14 bits (1 of 16,384 variations).
Link with the /dynamicbase switch and run the code multiple times; you’ll see that the address of x bounces around much more than the paper describes.
On a final note, it is true that we don’t have as much randomization as PaX and other more aggressive ASLR implementations. For instance, image randomization is only 8 bits (1 of 256 variations). Images have to be 64K aligned, and so on a 32-bit system we could have theoretically randomized images by up to 15 bits (1 of 32, 768 variations), but the incremental security gain is small – if you navigate to a Website and your browser crashes, will you go back to that site another 255 times – and would have come at the expense of fragmenting the entire address space, thereby reducing the contiguous memory available to applications and degrading system performance? We think we hit a nice balance.