re: More on Service Pack 1 & VMware ASLR Guidance

Mike B. — Tue, 16 Aug 2011 23:58:55 GMT

It's a tradeoff - lose the security provided by ASLR (there seems to be some documentation questioning exactly how much security this adds) vs. cost savings in large deployments by achieving approximatly 16% greater VM density. In many Enterprise deployments where thousands or even 10k+ VDI VMs are deployed the 16% can translate to some real dollars which management may not want to ignore. Additionaly these larger enterprise deployments are often engineered well beyond the hypervisor layer with network hardware security devices such as enterprise class firewalls, IPS devices and gateway antivirus applainces which are capable of providing sigificantly more protection to the VDI network than a typicaly windows PC will get from localy loaded software and OS features. In such a purpose built VDI environment it may not be unreasonable to disable ASLR to attain cost savings on large scale VDI deployments though security risk need to be preseneted to management and internal security teams for evaluation.

re: More on Service Pack 1 & VMware ASLR Guidance

Libor — Sun, 20 Mar 2011 22:32:49 GMT

I found Eric Horschman comment to be perfectly accurate. Microsoft tends to be PR only, and “forget” to mention well-known fact like that ASLR is no longer being effective.

I have actually never seen VMware memory management and by reading MS posts only I thought it can only perform Page-Sharing and its capabilities are limited. Obviously I was wrong, thank you for the link.

Btw;

I am aso using Chrome and having troubles viewing this page since always.

re: More on Service Pack 1 & VMware ASLR Guidance

Shawn — Thu, 10 Mar 2011 04:45:27 GMT

Isn't saying disabling ASLR makes Windows less secure kind of like saying pouring a bucket of fresh water in the ocean makes it less salty?

re: More on Service Pack 1 & VMware ASLR Guidance

Louis — Sun, 27 Feb 2011 05:29:17 GMT

The site doesn't work for me -- I'm in webkit-based Google Chrome. I imagine webkit-based Safari also has this issue.

Debugging briefly, it appears to be the margin-left: -58px applied to .layout-content.header-top-sidebar-left-content-right .layout-region.content on line 51 of /themes/blogs/wireframe/css/DynamicStyle.aspx. Unchecking the margin-left in Web Inspector fixes the error and puts the blog's body where it belongs -- flush with the right border of the header.

As to reasons for disabling ASLR -- what about nginx and similar caching tools which can't share memory reliably without disabling ASLR? nginx.org/.../windows.html Note that if there's a way to disable ASLR on an application-by-application basis in a way that could be supported by nginx, I'd love to hear it. Our sysadmin is much more versed in Windows than Linux, yet most memory caches require Linux.

This blog also highlighted for me how we probably shouldn't try to run a memory cache off Hyper-V, as there could be other issues involved. It's kind of sad, though, because most websites could be held in no more than 2 GB of RAM and the speed-up is enormous over HDD access (though perhaps not SSD).

re: More on Service Pack 1 & VMware ASLR Guidance

Ed — Mon, 21 Feb 2011 16:11:53 GMT

@Otherkevin, I suggest you check your browser settings - I can view this page in Opera 11 and Firefox 3 & 4 with problems...

re: More on Service Pack 1 & VMware ASLR Guidance

Eric Horschman — Sat, 19 Feb 2011 03:51:02 GMT

Jeff,

Your version of my talk at VMworld 2010 Europe leaves out some important warnings I provided on my slide and verbally during the session. When I brought up the Project VRC findings showing that disabling ASLR could boost vSphere VM density, I cautioned that it would weaken Windows security and should be done only in isolated testbeds. The bullet point on my slide clearly stated, "Testing shows up to a 16% VDI score gain, but lessens security."

I'm not sure how you construe that as a VMware recommendation that customers put their VMs at risk. Your readers can get more background here: blogs.vmware.com/.../hypervisor-memory-management-done-right.html

You might also mention that ASLR doesn't seem to be slowing down malware authors. This paper by Microsoft's own security team acknowledges that the bad guys can easily bypass ASLR: blogs.technet.com/.../on-the-effectiveness-of-dep-and-aslr.aspx

Eric

re: More on Service Pack 1 & VMware ASLR Guidance

Duncan — Thu, 17 Feb 2011 20:33:08 GMT

jlGGY,

I think you are misinterpreting my comment. I am not disregarding it but ignoring it as it is regular FUD. In the first post Jeff talks about "recommendations" and now he refers to two separate statements where advanced techniques are discussed to push the boundaries including a warning and the possible impact. This is something totally different than he initially insinuated.

re: More on Service Pack 1 & VMware ASLR Guidance

jIGGY — Thu, 17 Feb 2011 19:40:11 GMT

I love how now that you have linked to the VMware pages suggesting stupidity the vmware people try and change the subject like Duncan above after the rather engaged call out on your previous posting about vmware suggesting ASLR being disabled.

re: More on Service Pack 1 & VMware ASLR Guidance

PiroNet — Thu, 17 Feb 2011 14:00:18 GMT

Looks like in both camps silly recommendations are 'suggested'.

Don't you recommend to turn off ballooning on virtual machine running, for instance, SQL server?

Cheers,

Didier

deinoscloud.wordpress.com

re: More on Service Pack 1 & VMware ASLR Guidance

SB — Thu, 17 Feb 2011 02:22:35 GMT

@Otherkevin odd, this renders well for me in Firefox 3.6 and Safari