John Lambert
Feb 8, 2019, 23 tweets
Story time. This one is about a feature in Windows called ASLR.
It was 2005. We were working on Windows Vista. Most remember it as the release with the maligned User Account Control feature. For us in Trustworthy Computing it was the first full Windows cycle where we could apply all the security engineering tools we had from start to finish.
Efforts such as fuzzing file parsers, scrubbing the code of ‘banned APIs’ across millions of lines of code, fixing masses of potential bugs from static analysis, and driving initiatives to deal with newly discovered ‘diseases’ like mismatched container COM instantiation.
We hired the most spectacular group of researchers I’ve seen assembled from NGS, iSEC Partners, IOActive, and n.runs, gave them source code, access to Windows engineers, and told them to hack without boundaries. My words to them in an early meeting were “you are here to blow sh*t up”
A quieter effort was going on to shore up our memory safety mitigations. Mitigations touch the holiest of holies in the OS: the compiler, the memory manager, the loader. Areas you just don’t mess with late in an OS release.
The breathing room created by hardware Data Execution Prevention (DEP), which we added in XP SP2, was gone. Exploits were using return-to-libc attacks and taking advantage of the fact that much of the memory layout in a Windows process was predictable.
This was a feature. A lot of work went in to carefully laying out memory so commonly loaded DLLs would never ‘collide’ and require the OS to relocate them at load time. The performance saving across every boot, every process load, on every PC was massive.
And we needed to undo that work to build a new defense—Address Space Layout Randomization or ASLR. ASLR would scramble the location of loaded modules and other process structures. However, it was late in the release, crazy late, to contemplate a change of this magnitude.
We had a few things in our favor. The feature was championed by @MattT_Cyber. Sometimes things happen because the right person says they need to happen. This was one of those features and Matt was one of those people.
Our Exec VP, Jim Allchin, wanted it. Ever since Blaster, he pushed the team to contemplate big security “sledgehammers” instead of just fighting bugs in “hand to hand combat”. Host firewall on by default in XP SP2, hardware DEP support, and now ASLR.
Brian Valentine, who oversaw Windows development, recalled a @BlueHat talk by @hdmoore where he showed these tables that Metasploit had for identifying code gadgets in consistent locations across OS and service packs. “Will this break that?” It would and that was enough for him.
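To make the mechanism in the paragraphs above concrete (a module that always maps at the same base, the Metasploit-style table of gadget addresses built on that assumption, and what randomizing the base does to it), here is an added example in Python. It is not code from the thread, from Microsoft, or from Metasploit; the code bytes, the 0x60250000 "pre-ASLR" base, and the 8-bit per-boot base-randomization model are constructed assumptions for illustration only.

```python
import random

# Constructed stand-in for a DLL's code section (hypothetical bytes, not taken
# from any real Windows module). Among NOP filler sit three classic x86 gadgets:
#   offset 3:  FF E4      jmp esp
#   offset 9:  5D C3      pop ebp ; ret
#   offset 14: 58 5B C3   pop eax ; pop ebx ; ret
CODE = bytes.fromhex("90 90 90 FF E4 90 90 C3 90 5D C3 90 90 90 58 5B C3 90")

# Assumed pre-ASLR base: the module lands here at every boot on every machine.
FIXED_BASE = 0x60250000

X86_POP = {0x58: "eax", 0x59: "ecx", 0x5A: "edx", 0x5B: "ebx",
           0x5C: "esp", 0x5D: "ebp", 0x5E: "esi", 0x5F: "edi"}


def find_gadgets(code, max_pops=3):
    """Return (offset, text) for 'jmp esp' and for runs of 1..max_pops pops ending in ret."""
    found = []
    for i in range(len(code)):
        if code[i:i + 2] == b"\xff\xe4":
            found.append((i, "jmp esp"))
            continue
        pops, j = [], i
        while j < len(code) and code[j] in X86_POP and len(pops) < max_pops:
            pops.append("pop " + X86_POP[code[j]])
            j += 1
        if pops and j < len(code) and code[j] == 0xC3:
            found.append((i, " ; ".join(pops) + " ; ret"))
    return found


def gadget_table(code, image_base):
    """The Metasploit-style table: absolute addresses, valid only while the
    module really maps at image_base."""
    return {text: image_base + off for off, text in find_gadgets(code)}


def bytes_at(addr, actual_base, code, n=2):
    """Bytes actually present at an absolute address once the module is mapped
    at actual_base; None if the address no longer falls inside the module."""
    off = addr - actual_base
    return code[off:off + n] if 0 <= off < len(code) else None


def hard_coded_jmp_esp_works(addr, actual_base, code):
    """An exploit that baked in addr expecting 'jmp esp' only works if the
    module landed where the table assumed."""
    return bytes_at(addr, actual_base, code) == b"\xff\xe4"


def randomized_base(rng, floor=0x60000000, entropy_bits=8, granularity=0x10000):
    """Simplified per-boot image randomization (assumption: pick one of
    2**entropy_bits 64 KiB-aligned slots; not Vista's actual selection code)."""
    return floor + rng.randrange(1 << entropy_bits) * granularity


def hit_rate(addr, code, trials=4096, seed=7):
    """Fraction of randomized loads in which the pre-ASLR address still hits 'jmp esp'."""
    rng = random.Random(seed)
    hits = sum(hard_coded_jmp_esp_works(addr, randomized_base(rng), code)
               for _ in range(trials))
    return hits / trials


if __name__ == "__main__":
    table = gadget_table(CODE, FIXED_BASE)
    for text, addr in table.items():
        print(f"{addr:#010x}  {text}")
    jmp_esp = table["jmp esp"]
    print("works at fixed base:", hard_coded_jmp_esp_works(jmp_esp, FIXED_BASE, CODE))
    print("hit rate under randomized base:", hit_rate(jmp_esp, CODE))
```

With the base fixed, the table's `jmp esp` address is good on every machine running that module build; once the base is drawn from 256 slots, the same address lands on the gadget roughly once in 256 loads and otherwise points at unrelated bytes or outside the module entirely, which is exactly the "will this break that?" question answered in the affirmative.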
Sponsorship was there, but could we pull it off? A crucial moment arrived when the developer responsible for the memory manager, Landy Wang, finished up his backlog of work and got a free moment to consider it. It was a complex change; would it have the desired payoff?
He turned to a trusted engineer, Neill Clift, and privately asked if it was worth doing. Neill gave it a nod. I remember Landy doing an initial prototype over a weekend. Suddenly we were in the game.
A boatload of work remained to make it truly viable with contributions across the company:
- Architecture and Development: LandyW, ArunKi, RichardS, BryanT
- Security Analysis: NeillC, NiGoel, MichalCh, SergFo
- AppCompat Analysis: RobKenny, RPaige, TBaxter
Needless to say, it happened. We pondered how to announce it. Since ASLR was a feature that security researchers would notice, we decided to introduce it at a researcher conference. The year before, I had attended Ph Neutral, put on by the legendary Phenoelit group in Germany.
@window took me around and introduced me to people at the con. Sometimes people are right where they need to be. Microsoft needed @window and she brought down walls between Microsoft and the researcher community. This conference was the right spot. I flew to Berlin.
In 2006 Microsoft was very controversial in security circles. Showing up as the representative of the “evil empire” in a den of security researchers dedicated to finding our flaws and revealing them to a seemingly clueless corporate behemoth was enough to give anyone pause.
I entered the room to give my presentation. The room filled up. Completely up. People were sitting on the floor, standing along the walls, hovering in the doorway. There was an electricity in the air--the room was finally going to hear from a Microsoft insider on our efforts.
Would people be hostile? Interrupt and challenge me? There were plenty of reasons for the crowd to be cynical. I had no idea how this was going to go. I had prepared a very technical presentation because that’s how I thought to best respect the audience.
FX (@41414141) came up to the front and introduced me. Then he did something I’ll never forget. Seemingly on the spur of the moment, he didn’t join the audience and instead sat next to me by the podium.
It was a small thing in some ways, but it meant the world to me. His presence next to me seemed to suggest to the room “he is a guest here and we will treat him with respect”.
To feel like an outsider and have the ultimate insider in his forum make sure you will be treated right is one of the kindest gestures I’ve ever received. I completed my presentation and found the subsequent hallway conversations thrilling.
I later delivered the same brief at Blackhat (blackhat.com/presentations/…). As time went on, the value of ASLR diminished but I remember most the human moments that brought together an unlikely cast working on the messy hairball of security, enduring headwinds and advancing forward.

More from @JohnLaTwC

Oct 20, 2023
I spoke at @MSFTBlueHat last week.
I will follow up with a link to the recording when it is posted.

Some highlights from my talk below👇👇👇github.com/JohnLaTwC/Shar…
I talked about how incidents can teach powerful lessons and contain important truths for defenders.
I talked about how, while it is often romanticized that offense has a richer toolset compared to the singular metaphor for defense ("the shield"), defense has many creative ideas within it as well.
Apr 9, 2022
If you work with event logs, here are 2 GREAT utilities:

Parse an EVTX file into JSON: github.com/omerbenamram/e…

Query a JSON stream: stedolan.github.io/jq/tutorial/

Combined with Sysmon and some built-in logs, there is a lot of power at your fingertips 💪
First, export a log to EVTX:
1⃣wevtutil epl Microsoft-Windows-Sysmon/Operational sysmonlog.evtx
2⃣wevtutil epl Security Security.evtx /ow:true
3⃣wevtutil epl "Microsoft-Windows-DNS-Client/Operational" DNS.evtx
List hashes of programs that ran:

evtx_dump-v0.7.2.exe sysmonlog.evtx -o json --dont-show-record-number | jq ".Event | select (.System.EventID == 1) | .EventData | {Hashes} | .Hashes " | sort /unique

(PROTIP: Did you know sort has an undocumented /unique switch?)
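The pipeline above (evtx_dump into a JSON stream, jq selecting Sysmon event ID 1 and pulling .Hashes, then sort /unique) done in pure Python, as an added example that is not from the thread or from either tool's project. It assumes the JSON shape evtx_dump -o json emits, i.e. the same .Event.System.EventID and .Event.EventData paths the jq filter above walks; the records below are constructed and the hash values are placeholders, not real file hashes.

```python
import json

# Constructed records in the shape evtx_dump -o json produces: a stream of JSON
# objects, one per event, which is what jq consumes. Hash values are placeholders.
SAMPLE_STREAM = r"""
{"Event": {"System": {"EventID": 1, "Computer": "ws01"},
  "EventData": {"Image": "C:\\Windows\\System32\\cmd.exe",
    "Hashes": "SHA1=1111111111111111111111111111111111111111,MD5=22222222222222222222222222222222,SHA256=3333333333333333333333333333333333333333333333333333333333333333"}}}
{"Event": {"System": {"EventID": 3, "Computer": "ws01"},
  "EventData": {"Image": "C:\\Windows\\System32\\cmd.exe", "DestinationIp": "10.0.0.5"}}}
{"Event": {"System": {"EventID": 1, "Computer": "ws01"},
  "EventData": {"Image": "C:\\Users\\bob\\Downloads\\invoice.exe",
    "Hashes": "MD5=66666666666666666666666666666666,SHA256=5555555555555555555555555555555555555555555555555555555555555555"}}}
{"Event": {"System": {"EventID": 1, "Computer": "ws01"},
  "EventData": {"Image": "C:\\Windows\\System32\\cmd.exe",
    "Hashes": "SHA1=1111111111111111111111111111111111111111,MD5=22222222222222222222222222222222,SHA256=3333333333333333333333333333333333333333333333333333333333333333"}}}
"""


def iter_json_stream(text):
    """Yield each top-level object from a concatenated JSON stream (no array wrapper)."""
    decoder = json.JSONDecoder()
    pos = 0
    while True:
        while pos < len(text) and text[pos].isspace():
            pos += 1
        if pos >= len(text):
            return
        obj, pos = decoder.raw_decode(text, pos)
        yield obj


def process_creates(stream_text):
    """Equivalent of: .Event | select(.System.EventID == 1) | .EventData"""
    for rec in iter_json_stream(stream_text):
        event = rec.get("Event", {})
        if event.get("System", {}).get("EventID") == 1:
            yield event.get("EventData", {})


def hashes_field_unique(stream_text):
    """The jq line's result: the raw Hashes strings, de-duplicated and sorted."""
    return sorted({d["Hashes"] for d in process_creates(stream_text) if "Hashes" in d})


def parse_hashes(field):
    """Sysmon's Hashes field is 'ALG=hex,ALG=hex,...'; return {ALG: hex}."""
    out = {}
    for part in field.split(","):
        alg, _, value = part.partition("=")
        if alg and value:
            out[alg.strip().upper()] = value.strip().lower()
    return out


def unique_hashes(stream_text, algorithm="SHA256"):
    """Unique hashes of programs that ran, keyed on one algorithm, each mapped to the
    sorted image paths it was seen under (one hash under many paths is worth a look)."""
    seen = {}
    for data in process_creates(stream_text):
        hashes = parse_hashes(data.get("Hashes", ""))
        if algorithm in hashes:
            seen.setdefault(hashes[algorithm], set()).add(data.get("Image", "?"))
    return {h: sorted(paths) for h, paths in sorted(seen.items())}


if __name__ == "__main__":
    for line in hashes_field_unique(SAMPLE_STREAM):
        print(line)
    for h, paths in unique_hashes(SAMPLE_STREAM).items():
        print(h, paths)
```

Keying on a single algorithm instead of the whole Hashes string matters in practice: the field's algorithm set depends on the Sysmon configuration, so two sensors with different HashAlgorithms settings would otherwise report the same binary as two distinct entries.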
Mar 13, 2022
I am preparing for an internal talk on career advice learned from working security crises. My notes 🧵
The fastest way to accomplish things is to build trust
You're always on stage. At work, there really is no way to be different in private v. public.
Sep 26, 2021
My favorite story about VBS files is not the I Love You worm, but one that happened in building 40 at Microsoft.
VB Script files are associated with WScript.exe by default. This is an important detail. The other host for VB Script files is CScript.exe.
CScript is a console program. This allows your VBS to write to StdOut and it shows up in console window like cmd.exe.
Sep 24, 2021
I've had a lot of neat employee moments at Microsoft. Here's one of them.
👇
It was Feb 4, 2014. The board had just named @satyanadella as CEO.
📎news.microsoft.com/2014/02/04/mic…
An email said he was going to make some remarks in a building across campus in like 30 minutes. I jumped in my car.
The crowd filled all available space. Ballmer was high energy as usual. It was 2014 so, you know, I had my Windows Phone with me.
Sep 19, 2021
Found one of my Microsoft notebooks 📔 from 2005. Here are a few pages on what was on my mind then.
The Longhorn (aka Windows Vista) security plan.
Parsers were having many issues. I put this slide together to create awareness about the pattern we were seeing in MSRC at the time.
Occasionally I printed small versions of my slides and inserted them into my notebooks so I could easily socialize to people in 1-1 conversations.