
I'm not sure if anyone here is using Sophos, but if you are you may want to
reconsider it. It contains a feature called BOPS which essentially tries to
implement its own version of ASLR on XP (a feature introduced in Vista).
Except it doesn't work and disables ASLR on the system.

It just goes to show that the most well-intentioned things can come back to
bite you if you don't know what you are doing.



"Microsoft Windows versions prior to Vista did not include good quality
exploit mitigations, which has prompted some third parties to develop custom
implementations. Sophos sell a product called “Buffer Overflow Protection
System”, bundled with their Antivirus product, intended to implement this. A
detailed analysis of BOPS is available in the previous paper in this series.

The purpose of BOPS (although it does not work) is to provide a faux-ASLR
implementation for Windows XP. Sophos ship the product on other platforms
but it is essentially a no-op. Sophos uses AppInit_DLLs to force load this
non-dynamicbase module into every process, disabling ASLR on platforms that
do have it enabled.

This effectively disables ASLR on all Microsoft Windows platforms that have
Sophos installed, allowing attackers to develop reliable exploits for what
might otherwise have been safe systems."

https://lock.cmpxchg8b.com/sophailv2.pdf
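The mechanism the quoted paper describes (a DLL built without the DYNAMIC_BASE flag, force-loaded into every process through AppInit_DLLs) can be checked for on your own machines. The script below is an added example written for this post; it is not code from the Sophail paper or from Sophos. It reads the COFF Characteristics and the optional header's DllCharacteristics straight from the PE headers, reports whether a module can actually be relocated, and, on Windows only, walks the real AppInit_DLLs value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows (both the 64-bit and WOW64 views) and checks every listed module. The `build_minimal_pe` helper fabricates a header-only PE32 image purely so the parser can be exercised offline; it is a constructed sample, not a loadable DLL.

```python
"""Does a PE module opt into ASLR?  Added example, not from the Sophail paper or Sophos."""
import struct
import sys

DOS_MAGIC, PE_SIGNATURE = b"MZ", b"PE\0\0"
OPT_MAGIC_PE32, OPT_MAGIC_PE32PLUS = 0x10B, 0x20B
IMAGE_FILE_DLL = 0x2000                          # COFF Characteristics
IMAGE_FILE_RELOCS_STRIPPED = 0x0001              # COFF Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # optional header DllCharacteristics
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100
# Registry location of AppInit_DLLs (real key; only consulted on Windows).
APPINIT_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"


def parse_pe_flags(data: bytes) -> dict:
    """Pull COFF Characteristics and DllCharacteristics out of raw PE bytes."""
    if data[:2] != DOS_MAGIC:
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, _, _, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (OPT_MAGIC_PE32, OPT_MAGIC_PE32PLUS):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if opt_size < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    # DllCharacteristics is at offset 70 in both PE32 and PE32+ optional headers.
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    return {"characteristics": characteristics, "dll_characteristics": dll_chars}


def aslr_status(data: bytes) -> dict:
    """A module is only randomised if it asks for it AND still carries relocations."""
    flags = parse_pe_flags(data)
    dyn = bool(flags["dll_characteristics"] & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    stripped = bool(flags["characteristics"] & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "dynamic_base": dyn,
        "relocs_stripped": stripped,
        "nx_compat": bool(flags["dll_characteristics"] & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "aslr_compatible": dyn and not stripped,
    }


def build_minimal_pe(dynamic_base: bool, relocs_stripped: bool = False) -> bytes:
    """Constructed sample: a header-only PE32 image, just enough for the parser."""
    e_lfanew, opt_size = 0x40, 96          # 96 = PE32 optional header, no data directories
    buf = bytearray(e_lfanew + 4 + 20 + opt_size)
    buf[:2] = DOS_MAGIC
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = PE_SIGNATURE
    characteristics = IMAGE_FILE_DLL | (IMAGE_FILE_RELOCS_STRIPPED if relocs_stripped else 0)
    struct.pack_into("<HHIIIHH", buf, e_lfanew + 4, 0x14C, 0, 0, 0, 0, opt_size, characteristics)
    opt = e_lfanew + 24
    struct.pack_into("<H", buf, opt, OPT_MAGIC_PE32)
    dll_chars = IMAGE_DLLCHARACTERISTICS_NX_COMPAT
    if dynamic_base:
        dll_chars |= IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
    struct.pack_into("<H", buf, opt + 70, dll_chars)
    return bytes(buf)


def audit_appinit_dlls() -> list:
    """Windows only: check every AppInit_DLLs entry; returns [] elsewhere."""
    try:
        import winreg
    except ImportError:
        return []
    results = []
    for view in (winreg.KEY_WOW64_64KEY, winreg.KEY_WOW64_32KEY):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, APPINIT_KEY, 0,
                                winreg.KEY_READ | view) as key:
                value, _ = winreg.QueryValueEx(key, "AppInit_DLLs")
        except OSError:
            continue
        for path in value.replace(",", " ").split():   # entries are space- or comma-separated
            try:
                with open(path, "rb") as fh:
                    status = aslr_status(fh.read())
            except (OSError, ValueError) as exc:
                status = {"error": str(exc)}
            results.append((path, status))
    return results


if __name__ == "__main__":
    targets = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or [
        ("constructed: dynamicbase", build_minimal_pe(True)),
        ("constructed: non-dynamicbase", build_minimal_pe(False)),
    ]
    for name, blob in targets:
        print(name, aslr_status(blob))
    for path, status in audit_appinit_dlls():
        print("AppInit_DLLs:", path, status)
```

Run it with no arguments to see the two constructed headers classified, or pass real DLL paths. Any AppInit_DLLs entry that reports `aslr_compatible: False` is a module the loader will map at its preferred base in every process that loads user32.dll, which is the situation the quoted paper describes.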