AMD drivers incompatible with Windows security feature

Pheran

CERT/CC, a well-known computer security organization, has just published a blog entry pointing out that AMD video drivers are incompatible with a security technology known as ASLR (address space layout randomization), which is able to prevent a number of security exploits. If you globally enable this setting with an AMD driver installed, it will BSOD your whole system. Intel and nVidia drivers do not exhibit this problem.
 

ShintaiDK

It's just not going well for AMD these days. One punch in the face after the other.
 

GodisanAtheist

How prevalent is the use of this security feature? Does it have to be "turned on" globally? Never heard of it.
 

Cerb

How prevalent is the use of this security feature? Does it have to be "turned on" globally? Never heard of it.
It's part of preventing exploits via buffer overflows (and similar exploits, like out of range indices), and is used in Vista, 7, Linux, and OS X that I am aware of (OS X's implementation kinda sucks, in comparison, but they've been improving it every dot-release). It helps do this by preventing allocation of the address space from occurring in a strictly incremental manner, in which addresses used for specific entry points can be predicted by some piece of malware.

Shame on AMD, and also shame on Microsoft. WHQL has long had a question as to its usefulness. This doesn't help that, any. I could understand Vista, but for 7, no driver that disables a security feature should have been allowed to get the WHQL stamp.
 

DaveSimmons

Shame on AMD, and also shame on Microsoft. WHQL has long had a question as to its usefulness. This doesn't help that, any. I could understand Vista, but for 7, no driver that disables a security feature should have been allowed to get the WHQL stamp.

You're wrong about a couple of points:

1. The AMD drivers do not "disable" this feature; it is disabled by default in Windows because some applications will crash.
2. Any application that wants to can still use it; you just can't force all applications to use it at the OS level, you need to leave it up to them:

"Why is this functionality not exposed by default? Some software is not compatible with ASLR and may not function properly as the result of enabling it or other EMET mitigations. "

In other words, even if AMD's drivers supported ASLR you could still cause mystery crashes in programs by forcing it on at the OS level.
 

Wall Street

You're wrong about a couple of points:

1. The AMD drivers do not "disable" this feature; it is disabled by default in Windows because some applications will crash.
2. Any application that wants to can still use it; you just can't force all applications to use it at the OS level, you need to leave it up to them:

"Why is this functionality not exposed by default? Some software is not compatible with ASLR and may not function properly as the result of enabling it or other EMET mitigations. "

In other words, even if AMD's drivers supported ASLR you could still cause mystery crashes in programs by forcing it on at the OS level.

That is not true. Programs operate at the user-level, so the use of ASLR by the OS is transparent to the program and no program should crash because of it. Because the drivers operate at the kernel-level however, they must be programmed to not crash when ASLR is active as kernel-level drivers are allowed to interact directly with memory outside of the OS memory management system in ways user-level programs are not. When ASLR is on, all programs are using it, as the memory mapper translates all addresses to a random value and the programs truly have no idea where their data is actually stored, where the stack is, etc.
 

DaveSimmons

That's not what Microsoft says:

http://support.microsoft.com/kb/2458544
"Are there any risks to using EMET?
The security mitigation technologies that EMET uses carry an application compatibility risk with them. Some applications rely on exactly the behavior that the mitigations block. It is important to thoroughly test EMET on all target computers by using test scenarios before you deploy EMET in a production environment. If you encounter a problem with a specific mitigation, you can individually enable and disable the specific mitigations. For more information, refer to the user's guide that is installed with EMET. "

http://support.microsoft.com/kb/2458544
"ISV Tasks
ISVs should link with Microsoft Linker version 8.00.50727.161 (the first version to support ASLR) or later.
ISVs should link with the /DYNAMICBASE linker switch, unless using Microsoft Linker version 10.0 or later which enables /DYNAMICBASE by default.
ISVs should test their application on Windows Vista and later and note and fix failures due to ASLR."


Edit: certainly AMD should make their drivers ASLR-safe, but flipping the switch to make all programs use DEP and ASLR may still result in programs crashing. If it was 100% safe, MS would have changed the default setting to ON in Vista or 7.
 
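The /DYNAMICBASE opt-in quoted from Microsoft in the post above is recorded in each binary's PE header, so it can be audited per file. The following is an added example, not code from any poster or from Microsoft: it reads the DYNAMICBASE and NXCOMPAT flags, the linker version and the relocation state. The names `aslr_report` and `make_sample` are made up here, and the sample image is a constructed header, not a real binary.

```python
import struct

# Constants from the PE/COFF format (winnt.h names).
IMAGE_FILE_RELOCS_STRIPPED = 0x0001              # COFF Characteristics bit
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # set by /DYNAMICBASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # set by /NXCOMPAT (DEP)

def aslr_report(image: bytes) -> dict:
    """Report whether a PE image opted in to ASLR and which linker built it."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)    # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = pe_off + 4                                    # COFF file header
    opt = coff + 20                                      # optional header
    if len(image) < opt + 72:
        raise ValueError("headers truncated")
    opt_size, file_chars = struct.unpack_from("<HH", image, coff + 16)
    magic, link_major, link_minor = struct.unpack_from("<HBB", image, opt)
    if magic not in (0x10B, 0x20B) or opt_size < 72:     # PE32 / PE32+
        raise ValueError("unsupported optional header")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+.
    (dll_chars,) = struct.unpack_from("<H", image, opt + 70)
    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(file_chars & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "linker": (link_major, link_minor),
        "dynamic_base": dynamic_base,
        "nx_compat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        # An image whose relocations were stripped cannot be moved, flag or not.
        "can_rebase": dynamic_base and not relocs_stripped,
    }

def make_sample(dll_chars: int, file_chars: int = 0x0022, linker=(10, 0)) -> bytes:
    """Constructed header-only PE32+ image for the demo (hypothetical input)."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)  # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, file_chars)
    opt = bytearray(240)
    struct.pack_into("<HBB", opt, 0, 0x20B, *linker)
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    print(aslr_report(make_sample(0x0140)))                  # opted in
    print(aslr_report(make_sample(0x0100, linker=(8, 0))))   # not opted in
```

To audit a real file, pass `open(path, "rb").read()` to `aslr_report`.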

IlllI

I'm sure if there is a problem it will get corrected. Sometimes public exposure to problems gets the issue resolved more quickly.
 

Pheran

I'm sure if there is a problem it will get corrected. Sometimes public exposure to problems gets the issue resolved more quickly.

Most likely that's what they are betting on, since CERT notified AMD about this in February and they haven't bothered fixing it yet.
 

Stuka87

It is not uncommon at all for kernel drivers to not support this feature. Most all network and video drivers do not, as it's a noticeable performance hit. The driver also has to have specific support for it. Which is why it is disabled by default on all Windows installs.
 

VirtualLarry

I thought that Windows 8 had a certain measure of ASLR enabled by default, finally? And AMD supplies (beta, still, I think) Windows 8 video drivers.

So I'm not certain what the issue is, other than they perhaps haven't back-ported the ASLR fixes into their mainstream Win7/Vista drivers.
 

Pheran

It is not uncommon at all for kernel drivers to not support this feature. Most all network and video drivers do not, as it's a noticeable performance hit.

Straight from Microsoft:

In general, ASLR has no performance impact. In some scenarios, there’s a slight performance improvement on 32-bit systems. However, it is possible that degradation could occur in highly congested systems with many images that are loaded at random locations. The performance impact of ASLR is difficult to quantify because the quantity and size of the images need to be taken into account. The performance impact of heap and stack randomization is negligible.

I don't see how "most video drivers don't support it" when 2/3 of the biggest video chip suppliers in the world do support it.
 

VulgarDisplay

Why is this a huge deal? Any hacker capable of actually exploiting this is not interested in probably 99.99% of the PCs that use AMD GPUs. Probably even 100%.

They are welcome to get into my PC and take all of the sensitive information I don't have on it.
 

Lonyo

Why is this a huge deal? Any hacker capable of actually exploiting this is not interested in probably 99.99% of the PCs that use AMD GPUs. Probably even 100%.

They are welcome to get into my PC and take all of the sensitive information I don't have on it.

http://www.anandtech.com/show/5966/uscert-takes-amd-to-task-on-driver-security

However for governments and other high value institutions this means they’re forced to choose between AMD hardware and ASLR, which is not something they want to be worrying about. Furthermore it’s been the long-standing goal of computer security organizations to get OSes and programs to a state where ASLR can be enabled globally for every user, a very messy transition that is held back by programs and drivers that are still not ASLR compatible.
Which is the sort of people hackers would be interested in.
Basically it's the US-CERT complaining because they don't have a choice of GPUs without this feature working.
 

taltamir

Shame on AMD, and also shame on Microsoft. WHQL has long had a question as to its usefulness. This doesn't help that, any. I could understand Vista, but for 7, no driver that disables a security feature should have been allowed to get the WHQL stamp.

WHQL has always been a racket. MS aggressively assaults non-WHQL drivers. Aside from the myriad warnings you have to click through to actually install them, they also get spontaneously replaced by non-functional, wrong-device drivers that are WHQL, and there is nothing you can do to stop it.
All done to force all developers to pay them the WHQL fine.
And WHQL stamp of approval can be gotten with the most broken and worthless of drivers.