Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How do I enable DEP or ASLR for my .NET application?

I'm writing my program in VS2010 and the build target is .NET 4. I believe that the DEP compatibility flag is on by default. Is that true?

Is .NET also compatible by default with ASLR, and is ASLR turned on by default for my process, or do I have to request it at runtime?

like image 686
Scott Whitlock Avatar asked Jul 03 '10 19:07

Scott Whitlock


1 Answers

Yes, the NXCOMPAT flag is turned on by the standard .NET language compilers since .NET 2.0 SP1.

ASLR is essentially automatic in .NET programs by virtue of the JIT compiler. Where it will place the JIT compiled machine code is unpredictable. Albeit that it will likely be repeatable on the exact same machine with the exact same revision number of the CLR and the exact same flow of the startup code and the exact same DLLs getting injected into the process. Not easily targetable by malware though. The ngen-ed .NET assemblies support ASLR since the .NET 3.5 SP1 release.

Much more powerful is the ASLR for data, the more essential counter-measure against attacks. Important because the vast majority of attacks start with malicious data. Every time you start your program, the location of stack of a thread, the GC heap and static data changes. Can be quite painful of you are trying to debug an AVE btw.

ASLR protects against known unpatchable security flaws. The security flaw has to exist first, uncommon in verifiable code.

like image 73
Hans Passant Avatar answered Sep 20 '22 00:09

Hans Passant