Is it a bug or a feature? It’s one of the oldest debates in software.
Earlier this month the OS world was treated to the latest instalment, this time focusing on the way Microsoft implemented a low-level security protection called Address Space Layout Randomization (ASLR) in Windows 8 and 10.
On one side of the argument is Will Dormann, an engineer with Carnegie Mellon University’s CERT Coordination Center (CERT/CC), the body tasked by the US Department of Homeland Security with handing out important security advice.
His opening salvo was a tweet on 16 November in which he described the way Windows implements ASLR as “essentially making it worthless.”
In case anyone was in doubt, this was followed by an official vulnerability alert describing the claimed failings in detail. The summary being:
Stung, within days Microsoft put out a refutation stating that “ASLR is working as intended.”
That’s a significant difference of opinion, so who is right?
Let’s skip to the paradoxical punchline: they both might be, albeit within different frames of reference.
The theory behind ASLR (also used in different forms by Linux, Android, iOS and macOS) is to load executable programs and DLLs at randomised memory locations, making memory-corruption attacks such as buffer overflows harder to exploit.
The gist is that attackers can’t assume they know the memory location of a targeted process, because Windows could have put it anywhere.
Except, according to Dormann, it doesn’t work properly:
On the Windows 10 Fall Creators Update, the issue can be mitigated manually by setting a registry value.
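Whether Windows randomises an image at all depends on the image’s own PE headers: programs linked with /DYNAMICBASE opt in, programs without it are relocated only when system-wide mandatory ASLR is switched on, and programs whose relocations were stripped can never be moved. The following check, added here as an illustration and not taken from CERT/CC or Microsoft, reads those header bits from a PE file; the minimal header it builds for itself is a constructed sample, and a real binary can be passed in as `open(path, "rb").read()`.

```python
import struct

IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # COFF Characteristics flag
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # set by the /DYNAMICBASE linker flag

def aslr_status(image: bytes) -> dict:
    """Parse the PE headers of a Windows image and report how it relates to ASLR."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                           # 20-byte COFF file header
    file_chars = struct.unpack_from("<H", image, coff + 18)[0]
    opt = coff + 20                               # optional header starts right after it
    magic = struct.unpack_from("<H", image, opt)[0]
    dll_chars = struct.unpack_from("<H", image, opt + 70)[0]  # same offset in PE32 and PE32+
    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(file_chars & IMAGE_FILE_RELOCS_STRIPPED)
    if relocs_stripped:
        verdict = "cannot be relocated: ASLR never applies"
    elif dynamic_base:
        verdict = "opts in to ASLR (/DYNAMICBASE)"
    else:
        verdict = "no /DYNAMICBASE: relocated only if system-wide mandatory ASLR is on"
    return {
        "pe32plus": magic == 0x20B,
        "dynamic_base": dynamic_base,
        "high_entropy_va": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "relocs_stripped": relocs_stripped,
        "verdict": verdict,
    }

def build_test_image(dll_chars: int, file_chars: int = 0, pe32plus: bool = True) -> bytes:
    """Constructed minimal PE header (not a runnable program), used only to exercise the check."""
    magic = 0x20B if pe32plus else 0x10B
    optional = struct.pack("<H", magic) + b"\0" * 68 + struct.pack("<H", dll_chars)
    optional += b"\0" * (240 - len(optional))     # pad to the PE32+ optional header size
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, len(optional), file_chars)
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)   # e_lfanew at offset 0x3C -> 0x40
    return dos + b"PE\0\0" + coff + optional

if __name__ == "__main__":
    samples = {"modern build": build_test_image(0x0060), "legacy build": build_test_image(0),
               "relocs stripped": build_test_image(0, IMAGE_FILE_RELOCS_STRIPPED)}
    for label, img in samples.items():
        print(f"{label}: {aslr_status(img)['verdict']}")
```

The "legacy build" case is the class of program the registry mitigation above is about: it only gets a randomised base when mandatory ASLR is enabled, and then only a useful one if the loader also randomises where it places such images.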
Neutrals might at this point be wondering what all the fuss is about: ASLR works most of the time as advertised, and the few occasions when it doesn’t won’t apply to many users.
If you like, Microsoft thought it was pragmatically ensuring compatibility (a feature), which Dormann interprets as an area of potential weakness (the bug).
It’s not the first time Dormann has taken a pop at Windows’ security: a year ago, his beef was Microsoft’s plans to drop EMET, now replaced in Windows 10 by Windows Defender Exploit Guard (WDEG).
Or perhaps the real issue is what users are supposed to make of a back-and-forth now so technically specialised that even some experts can’t keep up with its finer points.
OS security has been getting more complex with every passing year. It shouldn’t surprise us that the same is happening to arguments about whether these new layers inside Windows and its rivals are up to the job.