DEP and ASLR Mitigation Technologies and ISVs Adoption

How to verify an application’s ASLR settings
There are two general approaches that can be used to verify the ASLR settings of an application. The first
approach involves verifying that the EXE and DLLs that are currently loaded by the application all have
ASLR enabled. Sysinternals Process Explorer provides easy access to this information: set the
lower pane to view DLLs for a process and add the “ASLR enabled” column to the view. The
screenshot below provides an example of using Process Explorer to observe a non-ASLR DLL
(jp2ssv.dll) that has been loaded into the context of Internet Explorer (denoted by an empty value for the
ASLR column).

While Process Explorer is a very useful tool for verifying the ASLR settings of DLLs that have been
loaded in a running process, it is not able to provide you with information about DLLs that are not actively
loaded by the application.   This information can be obtained through the use of Microsoft’s BinScope
Binary Analyzer.  BinScope inspects the on-disk settings embedded in EXEs and DLLs and verifies that
the required flags (DYNAMICBASE) have been set in order for ASLR to occur.  The screenshot below
provides a simple example of a report produced by BinScope where one DLL does not opt-in to ASLR
(nodynamicbase.dll) and one DLL does opt-in (dynamicbase.dll):

Guidance for ISVs
In an effort to help ISVs take full advantage of the security features provided by Windows, we have
published updated guidance which shows how mitigation technologies like DEP, ASLR, and GS can be
enabled. This guidance can be found in the report linked below:


We encourage ISVs to follow this guidance and, more generally, the guidance provided through the
Security Development Lifecycle (SDL).   We also encourage ISVs who have questions regarding the
adoption of mitigation technologies to contact us at