Is it safe to enable forced ASLR via EMET on Windows?

Posted by D.W. on Server Fault See other posts from Server Fault or by D.W.
Published on 2013-10-27T04:56:55Z Indexed on 2013/10/27 9:57 UTC
Read the original article Hit count: 314

I'd like to enable forced ASLR for all DLLs on Windows. Is this safe?


Background: ASLR is an important security mechanism that helps defend against code injection attacks. DLLs can opt into ASLR, and most do, but some DLLs have not opted into ASLR. If a program loads even a single non-ASLRized DLL, then the program doesn't get the benefit/protection of ASLR. This is a problem, because there are a non-trivial number of DLLs that haven't opted into ASLR.

For instance, it was recently revealed that Dropbox injects a DLL into a bunch of processes, and the Dropbox DLL doesn't have ASLR turned on, which negates any ASLR protection they otherwise would have had. Unfortunately, there are many other widely used DLLs that haven't opted into ASLR. This is bad for system security.

Microsoft provides several ways to turn on ASLR for all DLLs, even ones that haven't opted into ASLR:

  • On Windows 7 and Windows Server 2008, you can enable "Force ASLR" in the registry.

  • On all Windows versions, you can use Microsoft's EMET tool and enable EMET's "Mandatory ASLR" option.

These methods are possible because all DLLs are compiled as position-independent code and they can be relocated to a random location even if they haven't opted into ASLR. These options will ensure that ASLR is turned on, even if the developers of the DLL forgot to opt into ASLR. Thus, forcing on ASLR systemwide may help system security.

In principle, turning on forced ASLR could potentially break a poorly-written DLL, so there is some risk of breakage. I'm interested in finding out just significant this risk is. I have the suspicion that this kind of breakage might be extremely rare. Here's what I've been able to find:

What else should I know? Is it relatively safe to turn on Force ASLR / Mandatory ASLR systemwide to harden the secuity of my system, or will I be in for a world of pain and broken applications? How significant is the risk of compatibility problems and broken applications?

© Server Fault or respective owner

Related posts about Windows

Related posts about security