Feature #682

Add DEP and ASLR to Windows Binary

Added by Rich Rumble almost 7 years ago. Updated 9 months ago.

Status:
Assigned
Priority:
Normal
Target version:
Effort:
low
Difficulty:
low
Label:

Description

The Windows Suricata.exe does not have the DEP or ASLR flags set. I'm not sure how to define the peflags in the code, but I've been able to set them on the already compiled code using "peflags" from Cygwin:
peflags --dynamicbase=true --nxcompat=true /cygdrive/c/Suricata\ 1.4rc1-1-32bit/suricata.exe
Doing it afterward seems to have no effect other than DEP and ASLR being used! I know Pidgin/LibPurple recently added these flags in the code (http://pidgin.im/pipermail/commits/2012-September/021591.html) as well.
-rich

History

#1

Updated by Rich Rumble almost 7 years ago

Looks like LD can also set these if that helps?
man ld
...
--dynamicbase
The image base address may be relocated using address space layout randomization (ASLR). This feature was introduced with MS Windows Vista for i386 PE targets.
--nxcompat
The image is compatible with the Data Execution Prevention. This feature was introduced with MS Windows XP SP2 for i386 PE targets.
-rich

#2

Updated by Victor Julien almost 7 years ago

  • Tracker changed from Optimization to Feature
  • Status changed from New to Assigned
  • Assignee set to Peter Manev

#3

Updated by Peter Manev almost 7 years ago

Is there a way to determine for sure, after a Windows MSI install, that the suricata.exe has the DEP or ASLR flags set and those are used correctly?

thanks

#4

Updated by Rich Rumble almost 7 years ago

As far as I know, once those flags are compiled in or added, it's up to the OS from that point. I don't see any additional requirements, libraries or extensive code needed to take advantage of these features. I know you can use Process Explorer from Microsoft's Sysinternals suite to see that the OS is reading the flags; whether or not the OS is doing what it's supposed to from that point, I have no idea. Really I think it's just setting a flag on the exe, and the OS taking it from there...
-rich
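The question in #3 (how to verify that a built suricata.exe carries the flags) can be answered from the PE header itself: peflags --dynamicbase and --nxcompat toggle the IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (0x0040) and IMAGE_DLLCHARACTERISTICS_NX_COMPAT (0x0100) bits of the optional header's DllCharacteristics field, which sits at offset 70 of the optional header for both PE32 and PE32+. The following checker is an added example for this ticket, not Suricata project code; the sample PE image it builds is a constructed header stub, not a real executable. As noted in #4, this confirms only that the flags are set in the file, not that the OS enforced them at runtime.

```python
import struct
import sys

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
DYNAMIC_BASE = 0x0040  # ASLR opt-in (peflags --dynamicbase)
NX_COMPAT = 0x0100     # DEP compatibility (peflags --nxcompat)


def read_dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics field from a PE image's optional header."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)   # offset of 'PE\0\0'
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header is 20 bytes; SizeOfOptionalHeader is its 2-byte field at +16.
    (opt_size,) = struct.unpack_from("<H", image, e_lfanew + 20)
    opt = e_lfanew + 24                                    # start of optional header
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):                        # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if opt_size < 72:
        raise ValueError("optional header too short for DllCharacteristics")
    (dll_chars,) = struct.unpack_from("<H", image, opt + 70)
    return dll_chars


def check_hardening(image: bytes) -> dict:
    """Report whether the ASLR and DEP opt-in bits are present in the header."""
    c = read_dll_characteristics(image)
    return {"aslr": bool(c & DYNAMIC_BASE), "dep": bool(c & NX_COMPAT)}


def build_sample_pe32(dll_chars: int) -> bytes:
    """Constructed minimal PE32 header stub (DOS header + PE sig + COFF + optional)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                  # e_lfanew -> right after DOS header
    # Machine=i386, 0 sections, no timestamp/symbols, SizeOfOptionalHeader=224,
    # Characteristics=EXECUTABLE_IMAGE|32BIT_MACHINE.
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<H", opt, 70, dll_chars)             # DllCharacteristics
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Usage: python pecheck.py C:\path\to\suricata.exe (path is an assumption)
    with open(sys.argv[1], "rb") as f:
        print(check_hardening(f.read()))
```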

#5

Updated by Peter Manev almost 7 years ago

  • % Done changed from 0 to 80

Thank you Rich.

The flags are now set on the new 1.4 msi pkg.

We should look for a way to do this in the configure stage under Cygwin (not just using peflags on the exe)....

#6

Updated by Victor Julien almost 7 years ago

  • Assignee changed from Peter Manev to Eric Leblond
  • Target version set to 1.4.1
  • Estimated time set to 2.00 h

Eric, can you figure out a way to do this automatically? I think we need to test if the command is available and then run it at the correct time.

#7

Updated by Rich Rumble almost 7 years ago

I know VLC and Libpurple recently added such code:
http://git.videolan.org/?p=vlc.git;a=commitdiff;h=60aa14b737e0f00d34c5785b7e7c62557dd7a10d;hp=54104ba864c568d95b52587bb481529401317d9e
https://developer.pidgin.im/ticket/15290
I think each went about it slightly differently. LD flags seem to be a good way:
LD_HARDENING_OPTIONS ?= -Wl,--dynamicbase -Wl,--nxcompat (from pidgin/libpurple)
-rich

#8

Updated by Victor Julien over 6 years ago

  • Target version changed from 1.4.1 to 2.0beta1

#9

Updated by Victor Julien over 6 years ago

  • Target version changed from 2.0beta1 to 2.0beta2

#10

Updated by Victor Julien almost 6 years ago

  • Target version changed from 2.0beta2 to 2.0rc1

#11

Updated by Victor Julien almost 6 years ago

  • Target version changed from 2.0rc1 to TBD

#12

Updated by Victor Julien over 1 year ago

  • Assignee changed from Eric Leblond to Anonymous
  • Effort set to low
  • Difficulty set to low

#13

Updated by Andreas Herz 9 months ago

  • Assignee set to Community Ticket