Back to Top

Sunday, December 17, 2006

The fact that you write for a big site doesn't make you an expert

The corollary of the above being: don't rephrase what the expert said if you don't understand it. Real life example from an eweek article:

The Redmond, Wash. software giant has convinced major U.S. computer makers—including Dell, Gateway and Hewlett-Packard—to make default changes at the BIOS level to allow a new Vista security feature called ASLR (Address Space Layout Randomization) to work properly.

This sounded very weird to me since you don't have to enable anything in your BIOS for ASLR to work. I soon discovered that the reporter used Michael Howard's Web Log as a source, most probably the following post:

As I mentioned in a previous series of posts, we recently had all the major OEMs on campus to discuss SDL and how we can work together. My big ask of the OEMs (actually, I grovelled, it was pathetic) was to enable DEP/NX in the BIOS by default on all their shipping PCs in time for Windows Vista.

The reason for this ask is pretty simple, for ASLR to be effective, DEP/NX must be enabled by default too.


While this is a little confusing, it doesn't say that ASLR must be enable from the BIOS, it says that DEP/NX must be enabled from the BIOS. I wondered why Michael Howard made the connection between the two protection strategies, so I asked him (in the comments) and basically his answer was:

ASLR and DEP/NX are two barriers (defense in depth is good!) which try to prevent exploits. DEP/NX is aimed more at stack-overflow or heap-overflow type of situations while ASLR is aimed more at return to libc type of attacks. They cross roads in two cases: when an exploit code tries to call functions via hardcoded addresses (because it doesn't have the luxury of the loader resolving the addresses for him) or when it tries to locate a JMP ESP instruction.

Know what you write about! (or at least put a disclaimer there if you don't)


Post a Comment

You can use some HTML tags, such as <b>, <i>, <a>. Comments are moderated, so there will be a delay until the comment appears. However if you comment, I follow.