Project

General

Profile

Actions

Feature #682

open

Add DEP and ASLR to Windows Binary

Added by Rich Rumble almost 12 years ago. Updated over 5 years ago.

Status:
Assigned
Priority:
Normal
Target version:
Effort:
low
Difficulty:
low
Label:

Description

The windows Suricata.exe does not have the DEP or ASLR flags set, I'm not sure how to define the peflags in the code, but I've been able to set them on the already compiled code using "peflags" from Cygwin:
peflags --dynamicbase=true --nxcompat=true /cygdrive/c/Suricata\ 1.4rc1-1-32bit/suricata.exe
Doing it afterward seems to have no effect other than DEP and ASLR being used! I know Pidgin/LibPurple recently added these flags in the code (http://pidgin.im/pipermail/commits/2012-September/021591.html) as well.
-rich

Actions #1

Updated by Rich Rumble almost 12 years ago

Looks like LD can also set these if that helps?
man ld
...
--dynamicbase
The image base address may be relocated using address space layout randomization (ASLR). This feature was introduced with MS Windows Vista for i386 PE targets.
--nxcompat
The image is compatible with the Data Execution Prevention. This feature was introduced with MS Windows XP SP2 for i386 PE targets.
-rich

Actions #2

Updated by Victor Julien almost 12 years ago

  • Tracker changed from Optimization to Feature
  • Status changed from New to Assigned
  • Assignee set to Peter Manev
Actions #3

Updated by Peter Manev almost 12 years ago

Is there a way to determine for sure, after a windows msi install , that the suricata.exe has the DEP or ASLR flags set and those are used correctly?

thanks

Actions #4

Updated by Rich Rumble almost 12 years ago

As far as I know, once those flags are compiled in or added, it's up to the OS from that point. I don't see any additional requirements, libraries or extensive code needed to take advantage of these features. I know you can use Process Explorer from Microsoft's Sysinternals suite to see that the OS is reading the flags, whether or not the OS is doing what it's supposed to from that point, I have no idea. Really I think it's just setting a flag on the exe, and the OS taking it from there...
-rich

Actions #5

Updated by Peter Manev almost 12 years ago

  • % Done changed from 0 to 80

Thank you Rich.

The flags are now set on the new 1.4 msi pkg.

We should look for a way to do this in the configure stage under Cygwin (not just using peflags on the exe)....

Actions #6

Updated by Victor Julien almost 12 years ago

  • Assignee changed from Peter Manev to Eric Leblond
  • Target version set to 1.4.1
  • Estimated time set to 2.00 h

Eric, can you figure out a way to do this automatically? I think we need to test if the command is available and then run it at the correct time.

Actions #7

Updated by Rich Rumble almost 12 years ago

I know VLC and Libpurple recently added such code
http://git.videolan.org/?p=vlc.git;a=commitdiff;h=60aa14b737e0f00d34c5785b7e7c62557dd7a10d;hp=54104ba864c568d95b52587bb481529401317d9e
https://developer.pidgin.im/ticket/15290
I think each went about it slightly differently. LD flags seem to be a good way
LD_HARDENING_OPTIONS ?= -Wl,--dynamicbase -Wl,--nxcompat (from pidgin/libpurple)
-rich

Actions #8

Updated by Victor Julien over 11 years ago

  • Target version changed from 1.4.1 to 2.0beta1
Actions #9

Updated by Victor Julien over 11 years ago

  • Target version changed from 2.0beta1 to 2.0beta2
Actions #10

Updated by Victor Julien about 11 years ago

  • Target version changed from 2.0beta2 to 2.0rc1
Actions #11

Updated by Victor Julien almost 11 years ago

  • Target version changed from 2.0rc1 to TBD
Actions #12

Updated by Victor Julien over 6 years ago

  • Assignee changed from Eric Leblond to Anonymous
  • Effort set to low
  • Difficulty set to low
Actions #13

Updated by Andreas Herz over 5 years ago

  • Assignee set to Community Ticket
Actions

Also available in: Atom PDF