DLL blocklisting should reject libraries that lack ASLR

RESOLVED DUPLICATE of bug 677797

Status

()

Core
XPCOM
RESOLVED DUPLICATE of bug 677797
6 years ago
6 months ago

People

(Reporter: Jesse Ruderman, Unassigned)

Tracking

(Blocks: 1 bug, {sec-want})

Trunk
x86
Windows 7
sec-want
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:want])

(Reporter)

Description

6 years ago
Importing an ASLR-disabled library into Firefox's address space makes Firefox significantly easier to exploit.

Bug 642243 will help ensure Firefox itself contains only ASLR-enabled libraries, but on most Windows machines, Firefox's address space ends up with lots of third-party libraries.
(Reporter)

Updated

6 years ago
OS: Mac OS X → Windows 7
Any idea what percentage of plugins and binary extensions this would wind up blocking?

Comment 2

6 years ago
It might not be so much the pct., but which high profile plugins need to be fixed before this happens.

sounds like adobe reader is on that list still.

maybe we could gin up a test pilot study or integrate something like this into breakpad to give us some hard data.

http://scriptjunkie1.wordpress.com/2011/03/01/finding-non-aslr-or-dep-modules/
I suspect that it is not practical, given that this would affect all sorts of things which add themselves into Windows processes for good reasons, such as screen readers and other accessibility tools, IMEs, LSPs, and other things.
(Reporter)

Comment 4

6 years ago
That makes it even more important to ensure they use ASLR!
Some of those things are very much wanted by the users who installed them (some not, of course). On my wife's laptop the graphics drivers are not ASLR, and they show up in both the firefox.exe process and a Flash plugin-container.exe process.
(Reporter)

Updated

6 years ago
Depends on: 644763
(Reporter)

Comment 6

6 years ago
Maybe we can mine crash-stats to find the popular DLLs that lack ASLR.  Getting them fixed will improve security for Firefox users directly, and make the change proposed in this bug more palatable.  Filed bug 644763.
(Reporter)

Comment 7

6 years ago
Bug 677797 is an alternative solution with fewer downsides.
(Reporter)

Updated

6 years ago
Blocks: 504250

Comment 8

5 years ago
For Win7 and Win8 there is now a way to let the OS enforce this in a way: http://support.microsoft.com/kb/2639308
Keywords: sec-want

Comment 9

3 years ago
Are there any plans to land this before / with sandboxing?

Updated

3 years ago
See Also: → bug 677797
It looks like bug 677797 has morphed into a more general bug for "require ASLR, regardless of how". Let's use that bug.
Status: NEW → RESOLVED
Last Resolved: 6 months ago
Resolution: --- → DUPLICATE
Duplicate of bug: 677797
You need to log in before you can comment on or make changes to this bug.