Feature #682
openAdd DEP and ASLR to Windows Binary
Description
The windows Suricata.exe does not have the DEP or ASLR flags set, I'm not sure how to define the peflags in the code, but I've been able to set them on the already compiled code using "peflags" from Cygwin:
peflags --dynamicbase=true --nxcompat=true /cygdrive/c/Suricata\ 1.4rc1-1-32bit/suricata.exe
Doing it afterward seems to have no effect other than DEP and ASLR being used! I know Pidgin/LibPurple recently added these flags in the code (http://pidgin.im/pipermail/commits/2012-September/021591.html) as well.
-rich
Updated by Rich Rumble over 11 years ago
Looks like LD can also set these if that helps?
man ld
...
--dynamicbase
The image base address may be relocated using address space layout randomization (ASLR). This feature was introduced with MS Windows Vista for i386 PE targets.
--nxcompat
The image is compatible with the Data Execution Prevention. This feature was introduced with MS Windows XP SP2 for i386 PE targets.
-rich
Updated by Victor Julien over 11 years ago
- Tracker changed from Optimization to Feature
- Status changed from New to Assigned
- Assignee set to Peter Manev
Updated by Peter Manev over 11 years ago
Is there a way to determine for sure, after a windows msi install , that the suricata.exe has the DEP or ASLR flags set and those are used correctly?
thanks
Updated by Rich Rumble over 11 years ago
As far as I know, once those flags are compiled in or added, it's up to the OS from that point. I don't see any additional requirements, libraries or extensive code needed to take advantage of these features. I know you can use Process Explorer from Microsoft's Sysinternals suite to see that the OS is reading the flags, whether or not the OS is doing what it's supposed to from that point, I have no idea. Really I think it's just setting a flag on the exe, and the OS taking it from there...
-rich
Updated by Peter Manev over 11 years ago
- % Done changed from 0 to 80
Thank you Rich.
The flags are now set on the new 1.4 msi pkg.
We should look for a way to do this in the configure stage under Cygwin (not just using peflags on the exe)....
Updated by Victor Julien over 11 years ago
- Assignee changed from Peter Manev to Eric Leblond
- Target version set to 1.4.1
- Estimated time set to 2.00 h
Eric, can you figure out a way to do this automatically? I think we need to test if the command is available and then run it at the correct time.
Updated by Rich Rumble over 11 years ago
I know VLC and Libpurple recently added such code
http://git.videolan.org/?p=vlc.git;a=commitdiff;h=60aa14b737e0f00d34c5785b7e7c62557dd7a10d;hp=54104ba864c568d95b52587bb481529401317d9e
https://developer.pidgin.im/ticket/15290
I think each went about it slightly differently. LD flags seem to be a good way
LD_HARDENING_OPTIONS ?= -Wl,--dynamicbase -Wl,--nxcompat (from pidgin/libpurple)
-rich
Updated by Victor Julien about 11 years ago
- Target version changed from 1.4.1 to 2.0beta1
Updated by Victor Julien almost 11 years ago
- Target version changed from 2.0beta1 to 2.0beta2
Updated by Victor Julien over 10 years ago
- Target version changed from 2.0beta2 to 2.0rc1
Updated by Victor Julien about 10 years ago
- Target version changed from 2.0rc1 to TBD
Updated by Victor Julien almost 6 years ago
- Assignee changed from Eric Leblond to Anonymous
- Effort set to low
- Difficulty set to low