Importance Of Data Execution Prevention and Address Space Layout Randomization Mitigation Technologies

Mitigation technologies like DEP, ASLR, and others like them (SEHOP, GS, etc.) are designed to make it more difficult for attackers to reliably exploit software vulnerabilities. In practice, the effectiveness of DEP and ASLR depends heavily on how completely each mitigation has been enabled by an application. Failing to enable them completely leaves low-hanging fruit that an attacker can use to their advantage when developing an exploit.

This point was most recently illustrated in an exploit written for Adobe Reader (CVE-2010-2883), where the attackers took advantage of a DLL that had not opted in to ASLR. The following examples show the importance of fully enabling mitigations:
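The per-module opt-in referred to above is recorded in each PE file's header: DYNAMIC_BASE in DllCharacteristics for ASLR and NX_COMPAT for DEP, and a module whose relocations have been stripped cannot be rebased even if it asks for ASLR. The following Python checker is an added example, not code from the original post; the PE headers it inspects are constructed inline and the module names are placeholders.

```python
import struct

# Flag values from the PE/COFF specification.
RELOCS_STRIPPED = 0x0001   # COFF Characteristics: no .reloc, module cannot be rebased
DYNAMIC_BASE = 0x0040      # DllCharacteristics: module opts in to ASLR
NX_COMPAT = 0x0100         # DllCharacteristics: module opts in to DEP

def mitigation_report(image):
    """Read the ASLR/DEP opt-in flags from the headers of a raw PE image."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    size_opt, coff_chars = struct.unpack_from("<HH", image, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B) or size_opt < 72:
        raise ValueError("unsupported or truncated optional header")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers.
    (dll_chars,) = struct.unpack_from("<H", image, opt + 70)
    relocs_stripped = bool(coff_chars & RELOCS_STRIPPED)
    return {
        # DYNAMIC_BASE only helps if the loader can actually relocate the image.
        "aslr": bool(dll_chars & DYNAMIC_BASE) and not relocs_stripped,
        "dep": bool(dll_chars & NX_COMPAT),
        "relocs_stripped": relocs_stripped,
    }

def weak_modules(modules):
    """Names of (name, image) pairs that have not opted in to both ASLR and DEP."""
    weak = []
    for name, image in modules:
        r = mitigation_report(image)
        if not (r["aslr"] and r["dep"]):
            weak.append(name)
    return weak

def build_pe_header(dll_chars, coff_chars=0, pe32plus=False):
    """Constructed minimal PE header (no sections) used as offline sample input."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    size_opt = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, size_opt, coff_chars)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)  # optional header magic
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)
```

Run `weak_modules` over the images of every module an application loads to find the ones that leave the mitigations incomplete.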
