Bug 642365 - DLL blocklisting should reject libraries that lack ASLR
Status: RESOLVED DUPLICATE of bug 677797
Whiteboard: [sg:want]
Keywords: sec-want
Product: Core
Classification: Components
Component: XPCOM
Version: Trunk
Platform: x86 Windows 7
Importance: -- normal with 4 votes
Assigned To: Nobody; OK to take it and work on it
: Nathan Froyd [:froydnj]
Depends on: 644763
Blocks: exploit-mitigation
Reported: 2011-03-16 20:44 PDT by Jesse Ruderman
Modified: 2017-01-30 17:00 PST

Description Jesse Ruderman 2011-03-16 20:44:06 PDT
Importing an ASLR-disabled library into Firefox's address space makes Firefox significantly easier to exploit.

Bug 642243 will help ensure Firefox itself contains only ASLR-enabled libraries, but on most Windows machines, Firefox's address space ends up with lots of third-party libraries.

Comment 1 Ted Mielczarek [:ted.mielczarek] 2011-03-17 05:10:56 PDT
Any idea what percentage of plugins and binary extensions this would wind up blocking?

Comment 2 chris hofmann 2011-03-17 08:37:34 PDT
It might not be so much the pct., but which high profile plugins need to be fixed before this happens.

Sounds like Adobe Reader is on that list still.

Maybe we could gin up a Test Pilot study or integrate something like this into Breakpad to give us some hard data.

http://scriptjunkie1.wordpress.com/2011/03/01/finding-non-aslr-or-dep-modules/

Comment 3 Benjamin Smedberg 2011-03-17 08:54:06 PDT
I suspect that it is not practical, given that this would affect all sorts of things which add themselves into Windows processes for good reasons, such as screen readers and other accessibility tools, IMEs, LSPs, and other things.

Comment 4 Jesse Ruderman 2011-03-17 12:50:44 PDT
That makes it even more important to ensure they use ASLR!

Comment 5 Daniel Veditz [:dveditz] 2011-03-18 12:26:53 PDT
Some of those things are very much wanted by the users who installed them (some not, of course). On my wife's laptop the graphics drivers are not ASLR, and they show up in both the firefox.exe process and a Flash plugin-container.exe process.

Comment 6 Jesse Ruderman 2011-03-24 14:25:00 PDT
Maybe we can mine crash-stats to find the popular DLLs that lack ASLR.  Getting them fixed will improve security for Firefox users directly, and make the change proposed in this bug more palatable.  Filed bug 644763.

Comment 7 Jesse Ruderman 2011-08-09 17:41:58 PDT
Bug 677797 is an alternative solution with fewer downsides.

Comment 8 [Baboo] 2012-04-14 05:39:43 PDT
For Win7 and Win8 there is now a way to let the OS enforce this in a way: http://support.microsoft.com/kb/2639308

Comment 9 Florian Bender 2014-06-06 10:10:35 PDT
Are there any plans to land this before / with sandboxing?

Comment 10 David Major [:dmajor] 2017-01-30 17:00:32 PST
It looks like bug 677797 has morphed into a more general bug for "require ASLR, regardless of how". Let's use that bug.

*** This bug has been marked as a duplicate of bug 677797 ***
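
The check this bug proposes, and the survey of ASLR-less DLLs discussed in the comments, both come down to reading two flags from a module's PE header. The following is an added example, not part of the bug thread and not Firefox's blocklist code; the function names (`aslr_status`, `make_header`, `modules_lacking_aslr`) and the sample module names are hypothetical, and the header bytes are constructed for the example.

```python
import struct

RELOCS_STRIPPED = 0x0001  # IMAGE_FILE_RELOCS_STRIPPED (COFF Characteristics)
DYNAMIC_BASE = 0x0040     # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (/DYNAMICBASE)

def aslr_status(image: bytes) -> str:
    """Classify the leading bytes of a file as 'aslr', 'no-aslr' or 'not-pe'."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        return "not-pe"
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    opt = e_lfanew + 4 + 20  # optional header follows signature + COFF header
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(image) < opt + 72:
        return "not-pe"
    (file_chars,) = struct.unpack_from("<H", image, e_lfanew + 4 + 18)
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        return "not-pe"
    # DllCharacteristics sits at offset 70 of the optional header in both formats.
    (dll_chars,) = struct.unpack_from("<H", image, opt + 70)
    # Without relocation data the loader cannot move the image, whatever the flag says.
    if not (dll_chars & DYNAMIC_BASE) or (file_chars & RELOCS_STRIPPED):
        return "no-aslr"
    return "aslr"

def make_header(dll_chars, file_chars=0x2102, magic=0x10B):
    """Constructed sample: a minimal PE header prefix, not a loadable DLL."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, file_chars)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)

# Constructed inputs with hypothetical module names.
SAMPLES = {
    "sample_reader_plugin.dll": make_header(0x0100),            # NX only, no DYNAMIC_BASE
    "sample_gfx_driver.dll": make_header(0x0140, file_chars=0x2103),  # relocs stripped
    "sample_ime.dll": make_header(0x0140),                      # DYNAMIC_BASE + NX
    "sample_x64_hook.dll": make_header(0x0160, magic=0x20B),    # PE32+ with DYNAMIC_BASE
}

def modules_lacking_aslr(modules):
    """Names of modules a 'require ASLR' policy would reject, sorted."""
    return sorted(n for n, data in modules.items() if aslr_status(data) == "no-aslr")

if __name__ == "__main__":
    print(modules_lacking_aslr(SAMPLES))
```

Run against real files by passing the first few kilobytes of each DLL; the header fields used here all sit before the section data.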