
Address Space Layout Randomization (ASLR)

ASLR has been an interesting topic in the security world since Vista's release, but there hasn't been a lot of discussion of it in a SCADA context. For those of you who don't know, ASLR is a technology used by Windows Vista and Server 2008 that changes the memory address space that programs are loaded into each time the program is run and each time the system is rebooted.

As more development shops move to more current versions of Visual Studio and enable protection technologies like ASLR, stack cookies and Data Execution Prevention (DEP), the asset owners of critical systems are going to have to become familiar with them. While these technologies decrease the likelihood of arbitrary code being executed, they also increase the chances of Denial of Service conditions, which may be less desirable. Neither option is very palatable, but given the choice between a protection taking the system down and having unknown code running on a system they still have access to, there are a nontrivial number of owners and operators who would choose the latter in hopes of avoiding downtime and trying to mitigate the compromise in other ways.

In the meantime, several tools have been released to analyze binaries and report whether the ASLR bit, among other things, is enabled. I've personally used LookingGlass from the folks over at Errata a fair amount, and it's very interesting to see which vendors are using ASLR, possibly without thought, and which ones aren't.
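The core of what such a tool checks, as an added example (not LookingGlass or any other tool's code): the DllCharacteristics field of the PE optional header, where the DYNAMIC_BASE bit marks an image that the loader may relocate (ASLR) and NX_COMPAT marks DEP compatibility. The header-only test image is constructed inline; pass a real EXE or DLL path on the command line to inspect an actual binary.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* flags from the PE/COFF specification
DYNAMIC_BASE    = 0x0040  # ASLR: image can be relocated at load time
NX_COMPAT       = 0x0100  # DEP: image is compatible with non-executable data pages
HIGH_ENTROPY_VA = 0x0020  # 64-bit ASLR over the full address range (added after Vista)

def pe_mitigations(data: bytes) -> dict:
    """Parse the PE headers in `data` and report the ASLR/DEP flags.

    Offsets follow the PE/COFF spec: e_lfanew at 0x3C points to the
    "PE\\0\\0" signature; the optional header starts 24 bytes after it
    and holds DllCharacteristics at offset 70 for both PE32 and PE32+.
    """
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt = e_lfanew + 24
    magic, = struct.unpack_from("<H", data, opt)
    dll_chars, = struct.unpack_from("<H", data, opt + 70)
    return {
        "pe32plus": magic == 0x20B,
        "aslr": bool(dll_chars & DYNAMIC_BASE),
        "dep": bool(dll_chars & NX_COMPAT),
        "high_entropy_va": bool(dll_chars & HIGH_ENTROPY_VA),
    }

def make_test_image(dll_chars: int, pe32plus: bool = False) -> bytes:
    """Constructed, header-only PE image for demonstration (not loadable)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xF0, 0x0102)
    opt = bytearray(0xF0)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(pe_mitigations(f.read()))
    else:
        print(pe_mitigations(make_test_image(DYNAMIC_BASE | NX_COMPAT)))
```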

I’ve written up a brief SCADApedia page with more technical information about ASLR for those interested.
