CMU CERT on ASLR – assumptions a bad idea

Some time ago I wrote a blog post on the topic of ASLR, DEP and similar protections offered by Windows.

As I discussed at the time, it’s very easy to make assumptions about these kinds of protective schemes that in many cases fail to hold.

This is because, in the absence of mandatory protection policies, the protections are controlled by flags in the PE executable header, so each binary effectively has to opt in.
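The following is an added example, not code from the original post or from CERT: a small pure-Python check that reads the DEP/ASLR opt-in bits directly from a PE's DllCharacteristics field and also reports whether the relocation table was stripped, since a dynamic-base flag with no relocation data gives the loader nothing to rebase. The sample headers are constructed in memory so it runs offline.

```python
import struct
# Opt-in bits from the PE/COFF specification.
HIGH_ENTROPY_VA = 0x0020   # IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA (64-bit ASLR)
DYNAMIC_BASE = 0x0040      # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (ASLR)
NX_COMPAT = 0x0100         # IMAGE_DLLCHARACTERISTICS_NX_COMPAT (DEP)
RELOCS_STRIPPED = 0x0001   # IMAGE_FILE_RELOCS_STRIPPED (COFF Characteristics)

def pe_mitigations(data: bytes) -> dict:
    """Report the ASLR/DEP opt-in state recorded in a PE image's headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # COFF file header follows the signature
    characteristics = struct.unpack_from("<H", data, coff + 18)[0]
    opt = coff + 20                          # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):          # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers.
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]
    dynamic_base = bool(dllchars & DYNAMIC_BASE)
    relocs_stripped = bool(characteristics & RELOCS_STRIPPED)
    return {
        "dep_nx_compat": bool(dllchars & NX_COMPAT),
        "aslr_dynamic_base": dynamic_base,
        "high_entropy_va": magic == 0x20B and bool(dllchars & HIGH_ENTROPY_VA),
        "relocs_stripped": relocs_stripped,
        "aslr_effective": dynamic_base and not relocs_stripped,  # flag alone is not enough
    }

def build_sample_header(dll_characteristics: int, characteristics: int, magic: int = 0x20B) -> bytes:
    """Constructed minimal header (not a loadable image) so the check runs offline."""
    e_lfanew = 0x40
    hdr = bytearray(e_lfanew + 4 + 20 + 72)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    coff = e_lfanew + 4
    struct.pack_into("<H", hdr, coff + 18, characteristics)
    struct.pack_into("<H", hdr, coff + 20, magic)
    struct.pack_into("<H", hdr, coff + 20 + 70, dll_characteristics)
    return bytes(hdr)

if __name__ == "__main__":
    for name, hdr in (("modern", build_sample_header(0x0160, 0x0022)),
                      ("legacy", build_sample_header(0x0000, 0x0003))):
        print(name, pe_mitigations(hdr))
```

On a real binary, pass the file's bytes (`open(path, "rb").read()`) to `pe_mitigations`.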

I recently stumbled across a post by Will Dormann of CMU CERT on this very topic, which complements my earlier blog post very well. Worth a look.

This is, of course, a very good motivation for:

  • Using the latest version of software
  • Maintaining patch management policies and plans
  • Auditing software, particularly binaries with a heightened attack surface (e.g. public-facing daemons)
  • Protecting legacy software systems

As Ronald Reagan famously remarked, “Trust but verify”.