Proper Support for ASLR


Jeff Plantinga

Jul 11, 2024, 8:53:27 AM
to innosetup
The security team at my company has flagged our InnoSetup-built installer as not having proper ASLR support. This surprised me, as the option is set by default.
Upon examining the code I found the following in CompExeUpdate.pas:

          { Note: because we stripped relocations from Setup(Ldr).e32 during
            compilation IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE won't actually
            enable ASLR, but allow setting it anyway to make checkers happy. }

I think this is just saying that the option doesn't really work?  It sets one flag, which will make some checkers happy, but the full support isn't there?  Do I have that right?

Would it be possible for ASLR support to actually be added?

Thanks!

Martijn Laan

Jul 11, 2024, 9:39:19 AM
to innosetup
Hey,

Actual support can be enabled by removing these lines in Setup.dpr and SetupLdr.dpr:

{$SetPEFlags IMAGE_FILE_RELOCS_STRIPPED}

Doing so increases the size of a minimal installer (Example1.iss with the [Files] section removed) from 1.55 mB to 1.71 mB.

Once you do, PowerShell's Get-ProcessMitigation cmdlet will report ON instead of OFF for ASLR: BottomUp.

Seems worth it to me? I know some people care a lot about small sizes and there's stuff in the code to shave off a few kB's, but disabling security features for that is outdated.

Greetings,
Martijn
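
The header state described in the two posts above (dynamic-base flag set, relocations stripped) can be checked directly from a file's PE headers. This is an added example, not part of the thread or of Inno Setup's code; `aslr_status`, `make_header` and the sample header values are constructed for illustration, and requiring a non-empty base relocation directory is this example's assumption.

```python
import struct

IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # COFF Characteristics bit
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # DllCharacteristics bit
BASERELOC = 5                                   # data directory index of .reloc info

def aslr_status(image: bytes) -> dict:
    """Report the PE header fields that decide whether the image can be rebased."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", image, 0x3C)[0]            # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    characteristics = struct.unpack_from("<H", image, pe + 22)[0]
    opt = pe + 24                                            # optional header
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (0x10B, 0x20B):                          # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    dll_chars = struct.unpack_from("<H", image, opt + 70)[0]
    dirs = opt + (96 if magic == 0x10B else 112)             # data directories
    count = struct.unpack_from("<I", image, dirs - 4)[0]     # NumberOfRvaAndSizes
    reloc_size = 0
    if count > BASERELOC:
        reloc_size = struct.unpack_from("<II", image, dirs + 8 * BASERELOC)[1]
    flag = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    # Assumption of this example: rebasing needs the flag AND relocation data.
    return {"dynamic_base": flag, "relocs_stripped": stripped,
            "reloc_dir_size": reloc_size,
            "rebasable": flag and not stripped and reloc_size > 0}

def make_header(characteristics: int, dll_chars: int, reloc_size: int) -> bytes:
    """Constructed minimal PE32 headers (not a loadable file) used as sample input."""
    buf = bytearray(0x40 + 24 + 224)
    buf[:2], buf[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    struct.pack_into("<HH", buf, 0x40 + 20, 224, characteristics)
    opt = 0x40 + 24
    struct.pack_into("<H", buf, opt, 0x10B)
    struct.pack_into("<H", buf, opt + 70, dll_chars)
    struct.pack_into("<I", buf, opt + 92, 16)
    struct.pack_into("<II", buf, opt + 96 + 8 * BASERELOC, 0x5000, reloc_size)
    return bytes(buf)

if __name__ == "__main__":
    for label, hdr in (("flag set, relocations stripped", make_header(0x0103, 0x0040, 0)),
                       ("flag set, relocations kept", make_header(0x0102, 0x0040, 0x1A00))):
        print(label, aslr_status(hdr))
```

To check a real installer, pass the file's bytes to `aslr_status`; only the headers are read.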


Jeff Plantinga

Jul 11, 2024, 11:11:45 AM
to innosetup
That would be great!  I strongly agree with your premise about no longer disabling security features.

Martijn Laan

Jul 12, 2024, 3:34:36 AM
to innosetup
Hey,


Please try it and let me know if it works.

Greetings,
Martijn


Jeff Plantinga

Jul 12, 2024, 9:51:00 AM
to innosetup
I'm getting a 404...

Martijn Laan

Jul 12, 2024, 12:02:38 PM
to innosetup
Sorry, fixed that, please try again.

Greetings,
Martijn


Jeff Plantinga

Jul 12, 2024, 3:51:03 PM
to innosetup
From a cursory inspection, it seems like that fixes it!  Hope to see this in the real version.  Thanks!

Martijn Laan

Jul 13, 2024, 2:08:04 AM
to innosetup
Thanks for checking. The version I linked is a real version.

Greetings,
Martijn
