Steps to a Virus Free Windows: DEP and ASLR
For many years Windows has been the primary target for viruses, spyware, and other malware. This is primarily because of the popularity of the system and, to a lesser extent, the flexibility of the system. With two not so new but recently introduced technologies, Microsoft is making significant strides to make Windows (Vista and XP) more resilient to malware.
The first change is ASLR, or Address Space Layout Randomization. ASLR has been introduced to fight an exploit that takes advantage of file storage locations on the hard drive. For a long time Windows saved key files to the same sector on the hard drive, and by sending low-level run commands to that sector it was possible to run scripts that software or malware would not normally have access to. ASLR makes it so that these files are stored in random places each time Windows is loaded on a machine, rendering this type of attack useless.
The second change is DEP, or Data Execution Prevention. This prevents code or scripts from being run inside of data files. I believe DEP to be one of the more important updates that stemmed from the launch of Vista (DEP is now included in XP as well). While executing code in data files can have its advantages for developers, it has been a very significant cause of malware as well. Most malware gets access to the computer through data files, inserting code which can then run and call code in other locations on the drive. This is partly due to the flexibility of Windows, which is designed to allow applications to run code in other locations to call upon functions of the operating system. With DEP enabled, running a script from inside of a data file is impossible, so malware that previously took advantage of this weakness can no longer be effective. DEP should dramatically decrease the amount of malware that a computer can be affected by, but there are several problems with it.
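To make the DEP idea concrete, here is an added example (not code from the original post) that shows the mechanism DEP relies on: a page that the program treats as data holds one machine instruction, and calling into it only succeeds once the page has been explicitly marked executable. It uses POSIX calls on Linux (the Windows equivalents would be VirtualAlloc/VirtualProtect) and assumes an x86 or AArch64 CPU with the NX bit enabled.

```c
/* Added example, not from the original post: a "data" page holding a single
 * return instruction is called while mapped read/write only (the call must
 * fault, which is what DEP/NX enforces), then again after being marked
 * read/execute. Assumes Linux on x86 or AArch64 with NX enabled. */
#define _DEFAULT_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#if defined(__x86_64__) || defined(__i386__)
static const unsigned char RET_INSN[] = { 0xC3 };                   /* ret */
#elif defined(__aarch64__)
static const unsigned char RET_INSN[] = { 0xC0, 0x03, 0x5F, 0xD6 }; /* ret */
#else
#error "unsupported architecture for this demo"
#endif

static sigjmp_buf recover;
static volatile sig_atomic_t faulted;

/* SIGSEGV fires when the CPU refuses to fetch instructions from a page
 * without execute permission; jump back to the checkpoint in the caller. */
static void on_segv(int sig) { (void)sig; faulted = 1; siglongjmp(recover, 1); }

/* Returns 1 if the instruction in the page executed, 0 if the call was
 * blocked by the no-execute protection, -1 on a setup error. */
int execute_from_page(int make_executable) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *buf = mmap(NULL, page, PROT_READ | PROT_WRITE,
                              MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (buf == MAP_FAILED) return -1;
    memcpy(buf, RET_INSN, sizeof RET_INSN);        /* "code" stored in data */
    if (make_executable) {
        if (mprotect(buf, page, PROT_READ | PROT_EXEC) != 0) return -1;
        __builtin___clear_cache((char *)buf, (char *)buf + sizeof RET_INSN);
    }
    struct sigaction sa = {0}, old;
    sa.sa_handler = on_segv;
    sigaction(SIGSEGV, &sa, &old);
    faulted = 0;
    if (sigsetjmp(recover, 1) == 0) {
        void (*fn)(void) = (void (*)(void))buf;
        fn();                                      /* faults unless page is RX */
    }
    sigaction(SIGSEGV, &old, NULL);                /* restore default handling */
    munmap(buf, page);
    return faulted ? 0 : 1;
}
```

Calling `execute_from_page(0)` returns 0 (blocked) and `execute_from_page(1)` returns 1 (executed), which is the whole point of DEP: code only runs from memory that was deliberately marked executable.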
Problems with DEP
DEP should render most malware ineffective, but the problem right now is that DEP is only being activated in certain software. In fact, most software doesn't use DEP. Two notable examples are the Java platform and the Adobe Flash platform. These two platforms are present on the vast majority of computers connected to the internet and are used in a great many internet applications. Not only does neither of these comply with DEP, but there are also several known vulnerabilities that can be taken advantage of through these platforms. An easy way to combat this is to turn off scripting, which can be done through IE7 or the Firefox extension NoScript. Also, I urge developers to be especially careful when using these technologies to make sure your code is reliable and complies with DEP, even if you're working in Java or Flash.
DEP is the Future
On a good note, DEP is a requirement for all 64-bit processes in Windows Vista, and Firefox 3 is DEP compliant. This makes Vista 64-bit machines, which are continuing to gain shelf presence in stores like Best Buy, somewhat more secure than their 32-bit counterparts. Hopefully, as more people become aware of this technology, it will become much more widely accepted by software producers. DEP and ASLR together are two significant strides in the fight to reduce and eventually (hopefully) eliminate malware from Windows. In the meantime, a few recommendations:
- Check out Linux or Apple OS X as alternative operating systems. They currently have a much lower chance of malicious attack (Linux especially) and can still do most of what Windows can, if not more.
- If that's not possible, definitely get some good anti-virus and anti-spyware software. Kaspersky is a great brand, but if you want something free, check out Avast.
- Be conscious of the links you click on. I would say most malware comes from people clicking on ads or using P2P software like Limewire.
- Use script-limiting software, like setting custom ActiveX limitations in the security tab in IE, or NoScript in Firefox. I personally like Firefox better, and think NoScript works very well with minimal setup.
- Even though DEP and ASLR do make Windows more secure, don't rely on technologies like this. They help make some attacks impossible, but there are many other possible ways into a machine.
If you have questions on anything, feel free to post to the comments; I'll do my best to respond quickly.
Tags: Address Space Layout Randomization, ASLR, Data Execution Prevention, DEP, Java, malware, Security, vista, windows
This entry was posted on Sunday, September 28th, 2008 at 9:57 pm and is filed under Computers, Security. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.
September 28th, 2008 at 10:47 pm
Cool article. I think many would want to know how to get their systems patched. Maybe you can let them know of how and where they need to get the updates from.
September 28th, 2008 at 10:56 pm
Both DEP and ASLR are included post service pack 2 of XP. If you do not have service pack 2 of XP, check http://update.microsoft.com/
October 16th, 2008 at 10:02 am
Good site, I "Stumbledupon" it today and gave it a stumble for you.. looking forward to seeing what else you have..later
April 4th, 2009 at 7:29 pm
[...] technology. Another downfall to Opera is that it doesn’t use DEP or ASLR technologies(What are DEP and ASLR?) to tighten security on the application itself. But compared to Firefox as it comes from the [...]