Quoted: Background knowledge on ASLR, DEP and file signatures
As a non-expert, you have to first understand what PE files are and what ASLR, DEP and signatures mean. Here is a brief and concise explanation that sheds light on this topic.
Only the so-called "user-mode PE (portable executable) files" for 32 and 64 bits are important for an evaluation. All the other files, including the so-called native PE files, were irrelevant for the test. Between 5 and 45% of the installed files of a security solution are PE files. The PE files include, for example:
- .exe or any "executable" program or module
- .dll or "dynamic link library", a program library
- .sys or "system", a system software
- .drv or "driver", a driver file for a device
ASLR or Address Space Layout Randomization stands for a shuffling of memory sectors, making it more difficult to exploit security gaps in computer systems. Using ASLR, stack addresses are randomly allocated to applications. This is intended to prevent, or at least impede, attacks via a buffer overflow.
DEP or Data Execution Prevention is also referred to as NX-Bit (No eXecute). The protection is already based on the hardware. Chip producers AMD and Intel have already been implementing this technology for more than 10 years under the proprietary names of EVP and XD-Bit in all their processors. It is intended to prevent programs from executing random data as programs and thus launching malicious code in this manner.
If a programmer uses DEP and ASLR technologies as a supporting measure, this reduces the risk that a possible vulnerability may actually become exploitable. If an application does not employ DEP and ASLR, this does not necessarily mean that it is unsafe. If the programming is 100% error-free, the level of security cannot be increased either. Thus DEP and ASLR are an additional precaution that a programmer or manufacturer should not do without. Implementation is so easy: it involves existing functions in the compiler that simply need to be activated. The technology has no negative impact on the code size or program run time.
The file signatures with certificates are just as easy to implement. Every manufacturer undoubtedly owns constantly renewed certificates obtained from an official certifying body. This certificate is a copy of the digital corporate identity certified by an independent entity. Tools enable the programmers to simply add the signature containing the certificate to a file. This Microsoft Authenticode code signing technology belongs to the industry standard and is essential to any published file.
Source: (Check 2015: Self-Protection of Antivirus Software) and (AV-Test: Check 2015: Self-Protection of Antivirus Software)
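As an added example (not code from the AV-Test report), here is a small Python checker that reads the header fields such an evaluation looks at in a user-mode PE file: the DllCharacteristics flags for ASLR (DYNAMIC_BASE) and DEP (NX_COMPAT), and the security data directory that holds an embedded Authenticode signature. The build_sample helper and the certificate-table offset it writes are constructed test input, not a real binary.

```python
import struct

IMAGE_FILE_RELOCS_STRIPPED = 0x0001            # COFF Characteristics: no .reloc, image cannot be rebased
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # optional header DllCharacteristics: ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # optional header DllCharacteristics: DEP opt-in
IMAGE_DIRECTORY_ENTRY_SECURITY = 4              # data directory that points at the Authenticode blob

def inspect_pe(data: bytes) -> dict:
    """Report ASLR, DEP and embedded-signature status from a PE image's headers."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    characteristics = struct.unpack_from("<H", data, coff + 18)[0]
    opt = coff + 20                             # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:
        is_64, dir_base = False, 96             # PE32: data directories start at +96
    elif magic == 0x20B:
        is_64, dir_base = True, 112             # PE32+: at +112 (wider ImageBase/stack/heap fields)
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in PE32 and PE32+
    num_dirs = struct.unpack_from("<I", data, opt + dir_base - 4)[0]
    sig_size = 0
    if num_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        _, sig_size = struct.unpack_from("<II", data, opt + dir_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    return {
        "arch": "x64" if is_64 else "x86",
        # DYNAMIC_BASE only helps if the loader can actually relocate the image.
        "aslr": dynamic_base and not (characteristics & IMAGE_FILE_RELOCS_STRIPPED),
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        # A non-empty security directory proves a signature is embedded, not that it verifies.
        "signature_present": sig_size > 0,
    }

def build_sample(dll_chars: int, signed: bool, pe32plus: bool = False, relocs_stripped: bool = False) -> bytes:
    """Constructed header-only PE image for offline testing; not a real binary."""
    opt_len = 112 if pe32plus else 96
    opt = bytearray(opt_len + 16 * 8)           # optional header plus 16 data directories
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_chars)
    struct.pack_into("<I", opt, opt_len - 4, 16)  # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", opt, opt_len + 8 * 4, 0x1000, 0x800)  # placeholder cert table offset/size
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, len(opt),
                       IMAGE_FILE_RELOCS_STRIPPED if relocs_stripped else 0)
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)  # e_lfanew: PE header right after the DOS stub
    return dos + b"PE\0\0" + coff + bytes(opt)
```

A present signature directory still has to be verified against a trusted chain (for example with signtool or Get-AuthenticodeSignature), and Windows files signed through a catalog carry no embedded signature at all.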