OSR Online Lists > ntdev
  Message 1 of 7  
10 Dec 12 08:07
Chris Troester
xxxxxx@gmx.de
Join Date: 28 Jun 2011
Posts To This List: 16
DEP/ASLR in a kernel driver

Hello, are the security features DEP, ASLR, SafeSEH and /GS available in kernel drivers? For DLL and EXE files the Visual Studio tool dumpbin displays whether some of these features are activated. For user-space programs they are opt-in by default. The support seems to vary depending on the compilation target (x86/amd64).
  Message 2 of 7  
10 Dec 12 10:31
Doron Holan
xxxxxx@microsoft.com
Join Date: 08 Sep 2005
Posts To This List: 8855
RE: DEP/ASLR in a kernel driver

/gs is available, /dep is not available, but in w8 the concept of non executable np pool was introduced, /aslr doesn't exist in km, and for /safeseh, support is there IIRC

d

Sent from phone

________________________________
From: xxxxx@gmx.de
Sent: 12/10/2012 5:07 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] DEP/ASLR in a kernel driver

> Hello, are the security features DEP, ASLR, SafeSEH and /GS available in kernel drivers? For DLL and EXE files the Visual Studio tool dumpbin displays whether some of these features are activated. For user-space programs they are opt-in by default. The support seems to vary depending on the compilation target (x86/amd64).

---
NTDEV is sponsored by OSR
For our schedule of WDF, WDM, debugging and other seminars visit: http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
  Message 3 of 7  
10 Dec 12 11:27
Chris Troester
xxxxxx@gmx.de
Join Date: 28 Jun 2011
Posts To This List: 16
RE: DEP/ASLR in a kernel driver

This article has some information about /GS (in German): http://de.slideshare.net/johanneshoh/stack-und-heapoverflowschutz-bei-windows-xp-und-windows-vista#btnNext

"If the attacker has the opportunity to do a write access with size 4 byte before the cookie check is done it is possible to overwrite the master cookie with a known value. Because in the current implementation there are only 256 possible positions for the cookie and the memory range is writable, brute force attacks are feasible."

A big security threat is that the attacker overwrites the exception handler and causes an exception. This should be prevented via SafeSEH. The article says that /GS without SafeSEH is useless. It refers to the user mode implementation; I don't know whether it's the same in kernel mode. 64-bit kernel code is always signed, but I would feel better with the checks implemented.

Are /GS and SafeSEH activated in device drivers by default? I didn't find an option in build.exe.
  Message 4 of 7  
16 Dec 12 04:01
0xD00D
xxxxxx@gmail.com
Join Date: 19 Sep 2012
Posts To This List: 69
Re: DEP/ASLR in a kernel driver

I don't think I get the comment "/aslr doesn't exist in km". Don't the virtual addresses where the kernel and drivers are loaded change for each boot session (much the same way the memory location of ntdll, kernel32, etc. change on each boot)? If so, doesn't it mean address space randomization is indeed happening?

On Mon, Dec 10, 2012 at 7:30 AM, Doron Holan <xxxxx@microsoft.com> wrote:
> /gs is available, /dep is not available, but in w8 the concept of non executable np pool was introduced, /aslr doesn't exist in km, and for /safeseh, support is there IIRC
> d
>
> Sent from phone
> ________________________________
> From: xxxxx@gmx.de
> Sent: 12/10/2012 5:07 AM
> To: Windows System Software Devs Interest List
<...excess quoted lines suppressed...>
  Message 5 of 7  
16 Dec 12 11:43
Doron Holan
xxxxxx@microsoft.com
Join Date: 08 Sep 2005
Posts To This List: 8855
RE: DEP/ASLR in a kernel driver

There is no formal aslr in the kernel and I don't think the linker lets you set the flag along with /driver. Drivers have never been able to rely on fixed addresses of other modules, so in effect, aslr has always been present since nt3.1

d

________________________________
From: Puchu Pachok <xxxxx@gmail.com>
Sent: 12/16/2012 1:01 AM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] DEP/ASLR in a kernel driver

> I don't think I get the comment "/aslr doesn't exist in km". Don't the virtual addresses where the kernel and drivers are loaded change for each boot session (much the same way the memory location of ntdll, kernel32, etc. change on each boot)? If so, doesn't it mean address space randomization is indeed happening?
>
> On Mon, Dec 10, 2012 at 7:30 AM, Doron Holan <xxxxx@microsoft.com> wrote:
>> /gs is available, /dep is not available, but in w8 the concept of non executable np pool was introduced, /aslr doesn't exist in km, and for /safeseh, support is there IIRC
>> d
>>
>> Sent from phone
>> ________________________________
>> From: xxxxx@gmx.de
>> Sent: 12/10/2012 5:07 AM
>> To: Windows System Software Devs Interest List
> <...excess quoted lines suppressed...>
  Message 6 of 7  
17 Dec 12 12:58
Tim Roberts
xxxxxx@probo.com
Join Date: 28 Jan 2005
Posts To This List: 8987
Re: DEP/ASLR in a kernel driver

Puchu Pachok wrote:
> I don't think I get the comment "/aslr doesn't exist in km". Don't the virtual addresses where the kernel and drivers are loaded change for each boot session (much the same way the memory location of ntdll, kernel32, etc. change on each boot)? If so, doesn't it mean address space randomization is indeed happening?

If your driver set doesn't change, then all kernel drivers in your next boot will have the same addresses they had in this boot. The boot process is deterministic. Kernel32.dll is a user-mode DLL, where ASLR makes the module address assignments non-deterministic.

--
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
  Message 7 of 7  
17 Dec 12 17:49
Ken Johnson
xxxxxx@valhallalegends.com
Join Date: 24 Jul 2008
Posts To This List: 986
RE: DEP/ASLR in a kernel driver

The kernel has provided ASLR for kernel mode modules since Vista SP1/WS08. The statements earlier in the thread aren't fully correct for these and newer Windows versions. There is no need to opt in to kernel ASLR with the dynamicbase flag for kernel mode modules; it is automatically applied on supported kernels. Prior to Vista SP1, drivers had no preferred base address but would tend to load at the same base address for a given static mix of drivers on a particular machine.

NX is also enforced for drivers. There is no need to set the nxcompat flag for kernel mode modules to opt in to this. If an allocation is not protected as executable in kernel mode, then it cannot be executed from unless the user completely disabled NX for the whole system with /noexecute=disable in the OS load options.

On Win8 and above, you can request non executable pool allocations from NonPagedPool using the new NonPagedPoolNx pool type; http://msdn.microsoft.com/en-us/library/windows/hardware/hh920391(v=vs.85).aspx has details. There is a mechanism to request NX NP pool on Win8, while automatically falling back to executable NP pool on earlier OS versions within the same driver binary; see the MSDN link for details. Drivers built for architectures other than x86/amd64/ia64 (i.e., ARM) default to using NonPagedPoolNx for the NonPagedPool constant unless the NonPagedPoolExecute constant is used in source text.

Converting to NX pool is worth doing; your customers would much rather have a vulnerability exist and not be exploited than to be compromised from said issue, and NX pool raises the difficulty in writing working kernel exploit code.

- S (Msft)

________________________________
From: Tim Roberts <xxxxx@probo.com>
Sent: 12/17/2012 9:58
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] DEP/ASLR in a kernel driver

> Puchu Pachok wrote:
>> I don't think I get the comment "/aslr doesn't exist in km". Don't the virtual addresses where the kernel and drivers are loaded change for each boot session (much the same way the memory location of ntdll, kernel32, etc. change on each boot)? If so, doesn't it mean address space randomization is indeed happening?
>
> If your driver set doesn't change, then all kernel drivers in your next boot will have the same addresses they had in this boot. The boot process is deterministic. Kernel32.dll is a user-mode DLL, where ASLR makes the module address assignments non-deterministic.
>
> --
> Tim Roberts, xxxxx@probo.com
> Providenza & Boekelheide, Inc.
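The thread turns on which of these mitigations are recorded in the driver image itself (the dumpbin output from message 1) and which the kernel applies regardless of image flags (message 7). The following is an added example, not code from the thread or from OSR: a small PE header parser that reports the same bits dumpbin shows, so a driver build can be audited offline for DYNAMIC_BASE, NX_COMPAT, NO_SEH and the presence of a load configuration directory (where the /GS security cookie pointer and, on x86, the SafeSEH handler table live). The PE constants are the documented values from the PE/COFF specification; the function names and the two header-only sample images are constructed for this example and stand in for a real amd64 driver and a real x86 user-mode DLL.

```python
import struct

# PE/COFF constants (values from the PE/COFF specification).
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
IMAGE_SUBSYSTEM_NATIVE = 1               # kernel-mode drivers are built for the native subsystem
IMAGE_SUBSYSTEM_WINDOWS_GUI = 2
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # /DYNAMICBASE: ASLR opt-in bit for user-mode images
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # /NXCOMPAT: DEP opt-in bit for user-mode images
IMAGE_DLLCHARACTERISTICS_NO_SEH = 0x0400         # image declares that it contains no SEH handlers
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG = 10           # directory holding the /GS cookie and x86 SafeSEH table

MACHINE_NAMES = {IMAGE_FILE_MACHINE_I386: "x86", IMAGE_FILE_MACHINE_AMD64: "amd64"}


def inspect_pe_mitigations(data: bytes) -> dict:
    """Parse the DOS, COFF and optional headers of a PE image and report mitigation bits."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    machine, _nsect, _ts, _symtab, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # Subsystem and DllCharacteristics sit at the same offsets in PE32 and PE32+.
    subsystem, dllchars = struct.unpack_from("<HH", data, opt + 68)
    # NumberOfRvaAndSizes is at +92 (PE32) or +108 (PE32+); the data directories follow it.
    nrva_off = 92 if magic == PE32_MAGIC else 108
    if opt_size < nrva_off + 4:
        raise ValueError("optional header too short")
    (nrva,) = struct.unpack_from("<I", data, opt + nrva_off)
    dd_base = opt + nrva_off + 4
    load_config_present = False
    if nrva > IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG:
        lc_rva, lc_size = struct.unpack_from("<II", data, dd_base + IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG * 8)
        load_config_present = lc_rva != 0 and lc_size != 0
    return {
        "machine": MACHINE_NAMES.get(machine, "0x%04x" % machine),
        "pe32plus": magic == PE32PLUS_MAGIC,
        "kernel_mode": subsystem == IMAGE_SUBSYSTEM_NATIVE,
        "dynamic_base": bool(dllchars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "nx_compat": bool(dllchars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "no_seh": bool(dllchars & IMAGE_DLLCHARACTERISTICS_NO_SEH),
        "load_config": load_config_present,
    }


def describe(report: dict) -> list:
    """Render the parsed bits as the checks discussed in the thread."""
    mode = "native subsystem (kernel-mode)" if report["kernel_mode"] else "user-mode subsystem"
    return [
        "%s image, %s" % (report["machine"], mode),
        "DYNAMIC_BASE (ASLR opt-in bit): %s" % ("set" if report["dynamic_base"] else "clear"),
        "NX_COMPAT (DEP opt-in bit): %s" % ("set" if report["nx_compat"] else "clear"),
        "NO_SEH: %s" % ("set" if report["no_seh"] else "clear"),
        "load config directory (/GS cookie, x86 SafeSEH table): %s"
        % ("present" if report["load_config"] else "absent"),
    ]


def build_sample_image(machine, magic, subsystem, dllchars, with_load_config):
    """Constructed header-only PE image for the example: no sections, no code."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)        # e_lfanew = 64
    opt_size = 240 if magic == PE32PLUS_MAGIC else 224      # room for 16 data directories
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<HH", opt, 68, subsystem, dllchars)
    nrva_off = 92 if magic == PE32_MAGIC else 108
    struct.pack_into("<I", opt, nrva_off, 16)
    if with_load_config:   # constructed RVA/size for a load config directory
        struct.pack_into("<II", opt, nrva_off + 4 + IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG * 8, 0x3000, 0x140)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Constructed stand-ins: an amd64 driver built with /DYNAMICBASE /NXCOMPAT, and a bare x86 DLL.
    driver = build_sample_image(IMAGE_FILE_MACHINE_AMD64, PE32PLUS_MAGIC, IMAGE_SUBSYSTEM_NATIVE,
                                IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT, True)
    dll = build_sample_image(IMAGE_FILE_MACHINE_I386, PE32_MAGIC, IMAGE_SUBSYSTEM_WINDOWS_GUI, 0, False)
    for name, image in (("sample driver", driver), ("sample dll", dll)):
        print(name)
        for line in describe(inspect_pe_mitigations(image)):
            print("  " + line)
```

To audit a real build, pass the bytes of the .sys file to inspect_pe_mitigations. Note what the bits do and do not tell you, following the thread: for a native-subsystem image the DYNAMIC_BASE and NX_COMPAT bits document the linker settings but the kernel applies ASLR and NX to drivers on its own terms, whereas the presence of a load config directory is what makes a /GS cookie (and, on x86, a SafeSEH table) available to the loader at all.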