Windows Vista Randomization Gets OEM Thumbs Up

Microsoft's use of code-scrambling diversity in Windows Vista has received a major thumbs up from U.S. OEM partners.

Microsofts use of code-scrambling diversity to secure Windows Vista is getting crucial support from OEM partners.

The Redmond, Wash. software giant has convinced major U.S. computer makers—including Dell, Gateway and Hewlett-Packard—to make default changes at the BIOS level to allow a new Vista security feature called ASLR (Address Space Layout Randomization) to work properly.

ASLR, which is used to randomly arrange the positions of key data areas to block hackers from predicting target addresses, is meant to make Windows Vista more resilient to virus and worm attacks.

However, for randomization to be effective, DEP/NX (Data Execution Prevention/No eXecute) must be enabled by default.

During a three-day conference to in November 2006, Microsoft security program manager Michael Howard said he pleaded with OEMs to enable DEP/NX in the BIOS by default on all their shipping PCs in time for Windows Vista.

Howard, a key evangelist for Microsofts SDL (Security Development Lifecycle) process, used his personal blog to announce that all the major OEMs "have agreed to not disable DEP/NX in their BIOSes by default."

"This is huge," Howard declared.

Because most CPUs that ship today support DEP/NX, Howard explained that Vista users on older hardware can use the control panel to manually verify that PCs have DEP enabled.

With full support from OEMs, Microsoft is effectively using ASLR to create software diversity within a single operating system, a move that is widely seen as Redmonds attempt to address the monoculture risk.

The memory-space randomization technique will block the majority of buffer overflow tricks used in about two-thirds of all worm and virus attacks.

When used in conjunction with other technologies, Microsoft believes ASLR can provide a "useful defense" against malware attacks.

Beyond ASLR, Windows Vista has been fitted with /GS to detect some buffer overruns, a compile-time option in Visual C++ that adds stack-based buffer overrun detection, /SafeSEH, DEP and Function Pointer Obfuscation as technologies that help to lock down the operating system.

Windows Vista also introduces Windows Service Hardening, kernel patch protection, mandatory driver signing, User Account Controls, a new log-on architecture, network access protection, easier smart card deployments and various technologies to protect against malware and hacker intrusions.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Ryan Naraines eWEEK Security Watch blog.