Background knowledge on ASLR, DEP and file signatures

Ink

Administrator
Thread author
Verified
Staff Member
Well-known
Jan 8, 2011
22,361
Quoted: Background knowledge on ASLR, DEP and file signatures

As a non-expert, you have to first understand what PE files are and what ASLR, DEP and signatures mean. Here is a brief and concise explanation that sheds light on this topic.


Only the so-called "user-mode PE (portable executable) files" for 32 and 64 bits are important for an evaluation. All the other files, including the so-called native PE files, were irrelevant for the test. Between 5 and 45% of the installed files of a security solution are PE files. The PE files include, for example:
  • .exe or any "executable" program or module
  • .dll or "dynamic link library", a program library
  • .sys or "system", system software
  • .drv or "driver", a driver file for a device
Behind the cryptic terms DEP and ASLR are the following:

ASLR or Address Space Layout Randomization stands for a shuffling of memory sectors, making it more difficult to exploit security gaps in computer systems. Using ASLR, stack addresses are randomly allocated to applications. This is intended to prevent, or at least impede, attacks via a buffer overflow.

DEP or Data Execution Prevention is also referred to as NX-Bit (No eXecute). The protection is already based on the hardware. Chip producers AMD and Intel have already been implementing this technology for more than 10 years under the proprietary names of EVP and XD-Bit in all their processors. It is intended to prevent programs from executing random data as programs and thus launching malicious code in this manner.

If a programmer uses DEP and ASLR technologies as a supporting measure, this reduces the risk that a possible vulnerability may actually become exploitable. If an application does not employ DEP and ASLR, this does not necessarily mean that it is unsafe. If the programming is 100% error-free, the level of security cannot be increased either. Thus DEP and ASLR are an additional precaution that a programmer or manufacturer should not do without. Implementation is so easy: it involves existing functions in the compiler that simply need to be activated. The technology has no negative impact on the code size or program run time.

The file signatures with certificates are just as easy to implement. Every manufacturer undoubtedly owns constantly renewed certificates obtained from an official certifying body. This certificate is a copy of the digital corporate identity certified by an independent entity. Tools enable the programmers to simply add the signature containing the certificate to a file. This Microsoft Authenticode code signing technology belongs to the industry standard and is essential to any published file.

Source: AV-TEST, "Check 2015: Self-Protection of Antivirus Software"
 
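To make the quoted explanation concrete, here is an added example in Python (written for this thread, not taken from the AV-TEST report or from any vendor) that reads the header fields in which a PE file records these choices: the DllCharacteristics bits DYNAMIC_BASE (ASLR), HIGH_ENTROPY_VA (64-bit ASLR) and NX_COMPAT (DEP), plus the Certificate Table data directory that an embedded Authenticode signature occupies. The offsets and flag values come from the PE/COFF specification; the two sample images are constructed, header-only PE files built inline so the script runs offline, and `parse_mitigations`, `missing_mitigations`, `check_file` and `build_sample_pe` are names chosen here, not a library API.

```python
"""Added example: read DEP/ASLR/signature indicators from a PE header.

Offsets and IMAGE_DLLCHARACTERISTICS_* values follow the PE/COFF
specification; the sample images are constructed, header-only PE
files (no sections, not loadable) so nothing real is touched.
"""
import struct

# IMAGE_DLLCHARACTERISTICS_* bits of the optional header (spec values)
HIGH_ENTROPY_VA = 0x0020  # 64-bit ASLR: image may be placed above 4 GB
DYNAMIC_BASE    = 0x0040  # ASLR: image may be relocated at load time
FORCE_INTEGRITY = 0x0080  # loader must verify the image signature
NX_COMPAT       = 0x0100  # DEP: image works with no-execute data pages
NO_SEH          = 0x0400  # image declares it uses no SEH handlers
GUARD_CF        = 0x4000  # Control Flow Guard instrumented

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
CERT_TABLE_INDEX = 4      # data directory slot holding the Authenticode blob


def parse_mitigations(data: bytes) -> dict:
    """Return which mitigations the header opts into; ValueError on non-PE input."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: bad PE signature")
    coff = e_lfanew + 4
    (_machine, _nsec, _ts, _symptr, _nsyms,
     opt_size, _chars) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        is64, nrva_off, dd_off = False, 92, 96
    elif magic == PE32PLUS_MAGIC:
        is64, nrva_off, dd_off = True, 108, 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # DllCharacteristics sits at offset 70 in both optional header formats
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]
    nrva = struct.unpack_from("<I", data, opt + nrva_off)[0]
    cert_size = 0
    if nrva > CERT_TABLE_INDEX and opt_size >= dd_off + 8 * (CERT_TABLE_INDEX + 1):
        _cert_off, cert_size = struct.unpack_from(
            "<II", data, opt + dd_off + 8 * CERT_TABLE_INDEX)
    return {
        "arch": "x64" if is64 else "x86",
        "aslr": bool(dllchars & DYNAMIC_BASE),
        "high_entropy_va": is64 and bool(dllchars & HIGH_ENTROPY_VA),
        "dep": bool(dllchars & NX_COMPAT),
        "no_seh": bool(dllchars & NO_SEH),
        "cfg": bool(dllchars & GUARD_CF),
        "force_integrity": bool(dllchars & FORCE_INTEGRITY),
        "signed": cert_size > 0,  # a signature blob is embedded (not verified here)
    }


def missing_mitigations(info: dict) -> list:
    """Names of the three measures the quoted text asks for that the image lacks."""
    wanted = [("aslr", "ASLR"), ("dep", "DEP"), ("signed", "Authenticode signature")]
    return [name for key, name in wanted if not info[key]]


def check_file(path: str) -> dict:
    """Run the header check on a real file on disk."""
    with open(path, "rb") as fh:
        return parse_mitigations(fh.read())


def build_sample_pe(dll_characteristics: int, cert_size: int = 0,
                    pe32plus: bool = True) -> bytes:
    """Constructed, header-only PE image for testing (not a runnable program)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240 if pe32plus else 224          # includes 16 data directories
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       0, 0, 0, 0, opt_size, 0x0022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    nrva_off, dd_off = (108, 112) if pe32plus else (92, 96)
    struct.pack_into("<I", opt, nrva_off, 16)
    if cert_size:
        # Certificate Table entry: file offset and size of the WIN_CERTIFICATE blob
        struct.pack_into("<II", opt, dd_off + 8 * CERT_TABLE_INDEX, 0x400, cert_size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    hardened = build_sample_pe(DYNAMIC_BASE | HIGH_ENTROPY_VA | NX_COMPAT, cert_size=0x1800)
    legacy = build_sample_pe(0, pe32plus=False)
    for name, img in (("hardened x64", hardened), ("legacy x86", legacy)):
        info = parse_mitigations(img)
        print(name, info, "missing:", missing_mitigations(info) or "none")
```

Two caveats when pointing `check_file` at real binaries: a non-empty Certificate Table only shows that a signature is embedded, not that it verifies (use `signtool verify` or PowerShell's `Get-AuthenticodeSignature` for that, which also covers catalog-signed files that carry nothing in this directory), and the flags describe what the image opts into, not what the OS enforces; system DEP policy can force no-execute pages on regardless of NX_COMPAT, while DYNAMIC_BASE only yields a randomized base if the image also kept its relocation table.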

Ink

Administrator
Thread author
Verified
Staff Member
Well-known
Jan 8, 2011
22,361
Altering the default settings too, wouldn't help either?

[attached screenshot]
 

LabZero

I would like to simplify ASLR so that everyone can understand this fundamental feature.

It is a security feature that allows Windows to place the data a program needs into memory cells in a totally random way. Before ASLR, the locations of a program's data cells could somehow be foreseen, and this made the program much more vulnerable to attack. Thanks to ASLR, whoever wants to exploit a vulnerability in a program must "guess" where the interesting data are loaded into memory, with minimal chance of guessing the location the first time. If the location "expected" by the malware (or malicious user) is incorrect, the program will crash, and when you run it again the operating system will clearly change the position of all memory cells dedicated to it.
 

Cch123

Level 7
Verified
May 6, 2014
335
Altering the default settings too, wouldn't help either?

[attached screenshot]

That setting will ensure that all programs run with DEP, unless you choose to exclude them yourself. It is also possible to enforce all programs to run ASLR, but that method involves changes to registry settings and Microsoft does not recommend it as it may cause blue screens.
 
  • Like
Reactions: bitbizket

bitbizket

Level 3
Jul 26, 2011
250
Heh, heh... Look at the study. Comodo barely supports anything. So, if it were targeted... boink!
Bugs and potential vulnerabilities only increase the attack surface. Comodo provides a false sense of security to most; it's best as a geek toy, nothing more. How many experts actually use Comodo on their computers, I wonder.
 

hjlbx

Bugs and potential vulnerabilities only increase the attack surface. Comodo provides a false sense of security to most; it's best as a geek toy, nothing more. How many experts actually use Comodo on their computers, I wonder.

I am no expert, but I use it...

Real experts don't use any AV.
 
  • Like
Reactions: frogboy

bitbizket

Level 3
Jul 26, 2011
250
I am no expert, but I use it...

Real experts don't use any AV.

In theory and in in-house tests, yes, Comodo looks solid, but for me, once a long-time user of Comodo, it has failed to provide the protection that I need. Once you're infected there's nothing much you can do. Comodo can be used as a good prevention tool, but to a non-advanced user it's mind-boggling; that's the reason I say it provides a false sense of security.
 

hjlbx

Once you're infected there's nothing much you can do.

For the most part, that is true of most AV - dependent upon infection type.

With most serious infections, one learns from experience that you cannot depend upon the AV to remove infection. Must use advanced utilities and removal tools with qualified guidance.

Me, I don't even mess around with it - I just clean install the OS, but I am very used to it as I have no data on the system worth keeping. So it is very easy for me. People that have valuable data have a big problem if they do not back up.

Comodo can be used as a good prevention tool, but to a non-advanced user it's mind-boggling; that's the reason I say it provides a false sense of security.

Mind-boggling = nothing but user mistakes. That is Comodo's greatest weakness.

No web protections are its second greatest weakness.

With knowledge and experience, Comodo is good - not great - but definitely the best at what it is designed to do.
 
  • Like
Reactions: bitbizket

Deleted member 178

I'm a real expert :p but I use security software because I'm a lazy one when cleaning systems; like Hj, I prefer a clean install, and all my system setup is designed and organized for it. :D

Heh, heh... Look at the study. Comodo barely supports anything. So, if it were targeted... boink!

It was already targeted and disabled from what I recall.
 
  • Like
Reactions: bitbizket

hjlbx

It was already targeted and disabled from what I recall.

Joxean (researcher) tested it. It crashed. He says it would have crashed more, but he just moved on... to others. Particularly Bitdefender. He crashed it 1,500+ times.

There is an online study of it by Joxean. @Klipsh directed me to it.
 

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
Don't forget SEHOP (Structured Exception Handler Overwrite Protection), which completes the overall package of hardening protection.

It prevents the attacker from exploiting by overwriting a handler, a technique that usually abuses the exception dispatching facilities of Windows to run arbitrary code.

For more in-depth information, check here.

Programs should adopt those 4 types with ease, as a requirement for security purposes.
 

LabZero

According to Joxean Koret - SYSCAN 2014

Antivirus propaganda:

“We make your computer safer with no performance penalty!”
“We protect against unknown zero day attacks!”

Reality:

AV engines make your computer more vulnerable, with a varying degree of performance penalty.
The AV engine is as vulnerable to zero day attacks as the applications it tries to protect.
And it can even lower the operating system's exploit mitigations, by the way...

PDF
 
  • Like
Reactions: bitbizket and hjlbx
