Behind Pwn2Own: Exclusive Interview With Charlie Miller

The NX Bit And ASLR

Alan: When the NX bit was first introduced, it was supposed to dramatically reduce the amount of malware. Suppose the Alan Dang Web browser had a bug in the code that parses the URL. If I had a Web address that was too long, it’ll end up copying that data into the memory that’s beyond the space allocated for data. The machine will execute that code and now it’s compromised. My understanding is that the NX bit prevents that from happening. But it seems as if the developers of malware simply transitioned to other methods of exploiting a system. Nowadays, the buzzwords are 64-bit ASLR, code signing for kernel extensions, or sandboxing? How much of this will help?

Charlie: The NX bit is very powerful. When used properly, it ensures that user-supplied code cannot be executed in the process during exploitation. Researchers (and hackers) have struggled with ways around this protection. ASLR is also very tough to defeat. This is the way the process randomizes the location of code in a process. Between these two hurdles, no one knows how to execute arbitrary code in Firefox or IE 8 in Vista right now. For the record, Leopard has neither of these features, at least implemented effectively. In the exploit I won Pwn2Own with, I knew right where my shellcode was located and I knew it would execute on the heap for me.

Alan: And just so that our readers know, ASLR is implemented in Windows Vista (but not XP) and Vista SP1 is required for the full ASLR. Leopard had some binaries placed randomly, but Snow Leopard is rumored to introduce full ASLR. On Linux, kernel 2.6.12 has a weak form of ASLR like Leopard does, but PaX and ExecShield will implement Windows Vista-like ASLR.

I know you can't talk about this year's Mac exploit, but let's talk about last year's Safari flaw. To win, you were able to remotely execute code on the MacBook Air. I would imagine that a malicious hacker would have then directly installed malware without triggering the confirmation for root access, etc?

Charlie: In neither case did I get root/admin access. That would have required additional vulnerabilities. However, just running as the user is still very bad. I could have still watched keystrokes as you went to an online bank, read your calendar and address book, sent emails, etc. In real life, one or all of these things would have occurred. 

Alan: In hindsight, was there anything that could have been done on the user end? That is, if you had outgoing firewalls, anti-spyware/anti-malware software, weren't logged in as a root user, would that have done anything to limit the extent of the breach?

Charlie: None of those protections would have probably worked, or at least there were potential workarounds. The best thing the user could have done is not click on the malicious link. Of course, in some cases such as a man-in-the-middle attack, even this wouldn't have helped. 

Comment from the forums
  • crisisavatar
    he was born to kill
  • Niva
    Blah, sad he didn't give an estimate to linux security. He said it has some method of protection but didn't expand on that much...

    As osx market share grows we'll see more exploits.
  • Silluete
    Interesting thing about sandboxing. Does it mean Chrome is safer than other browsers? Or am I missing something here?
  • lire210
    whats up mac
  • pcfxer
    Chrome uses processes instead of threads. The difference is that the memory space for each process is different--better sandboxing.

    Processes have increased headroom: they are making a copy of local variables and structures at the time of "forking".

    Threads "fork off" as functional code and work with their own memory space... in a nutshell.

    Sandboxing doesn't mean that Chrome is safer, it does mean that if sandboxing is implemented correctly Chrome CAN be safer. Security is so relative ;).
  • AlanDang
    Exactly, Chrome is currently safer than any other web browser on Windows Vista or Windows 7. We have an upcoming interview that talks a little bit more about this, but we haven't made plans on a dedicated article. Is that something people are interested in?
  • echdskech
    AlanDang: "Exactly, Chrome is currently safer than any other web browser on Windows Vista or Windows 7. We have an upcoming interview that talks a little bit more about this, but we haven't made plans on a dedicated article. Is that something people are interested in?"

    Count me in. Come to think of it, I spend more time on my browser than any other piece of software (except the OS, of course) on any given day, primarily because I use it both at work for research and for play (i.e. reading articles here). Also, the trend these days seems to indicate it becoming more and more a target rather than the OS.

    Would be extra nice if the level of detail would be like the articles you guys write when a new cpu architecture is discussed. =)
  • anthony lackey
    There are fewer ppl attacking Macs because they aren't the mainstream. Hackers would rather try to infect as many ppl as possible; that's why they target PC users.
  • Anonymous
    If Apple does not allow cloning, mac os may be safe for a long while; nobody likes to be tied to a single hardware vendor. I really don't see how Apple could pull more than 15% to 18% market share without clones. JMO.
  • dedhorse
    Good interview. Makes up for that Mac review.
  • zodiacfml
    count me in. :) i've been using chrome since it came out.
    though, in my usage, they haven't fixed the issue with auto-hide taskbar in vista.
  • eddieroolz
    Great read, nice article Alan!
  • 4c1dr41n1
    What if I use a virtual machine? I could

    1) copy it, open it, surf the web, close it, delete the copy.
    2) copy it again, open it, use internet bank, close it, delete copy again.

    Nice enough sandboxing?
  • Herbert_HA
    It's a very nice article, indeed.

    But please, stop using so many pages! It's a pain in the ass to keep clicking every 2 questions...and that was a small article, others have more than 10 pages, unnecessarily. I guess you people are trying to keep access numbers up, so you could sell more ads, but it's surely not user-friendly to have to load the same content over and over.
  • 4c1dr41n4
    What if I use a virtual machine? I could

    1) copy it, open it, surf the web, close it, delete copy.
    2) copy again, open it, use internet banking, close it, delete copy again.

    Nice enough sandboxing?
  • nukemaster
    4c1dr41n4: "What if I use a virtual machine? I could 1) copy it, open it, surf the web, close it, delete copy. 2) copy again, open it, use internet banking, close it, delete copy again. Nice enough sandboxing?"

    In that case, just mount a live linux CD image in the drive then use it. always clean, no need to del + copy.
  • Anonymous
    Miller, page 4: "In neither case did I get root/admin access."

    In other words, he actually didn't hack the Mac.

    What in the world is this fraud? How can you say you 'pwned' a computer without root access?
  • TheFuzzball
    God help us when Conficker becomes cross-platform :D
  • Anonymous
    I wish there was more of Charlie's voice in this interview. Now Alan did most of the talking and Charlie basically had to say yes or no. At least in the most important topics.

    Nice reading, but not perfect.
  • Anonymous
    It's a little upsetting that he sidesteps the issue of linux on the grounds of granny's incompetence. Does he expect granny to stay on top of vulnerabilities in all of her installed software on the windows or mac boxes, assuming she'd need more third party software sources on either of the other platforms than say ubuntu with its repositories?