Overview |
By nature, every program running on a computer may be used as an entry point by hackers to attack the Operating System. Recent versions of Windows reduce this concern by allowing programs to be built with features that make it much more difficult for hackers to operate. The Wrapper contributes to improving system security and keeping your system safe by making use of these features. Starting with version 3.5.33, the Wrapper specifies that its binaries (wrapper.exe, wrapperw.exe and wrapper.dll) are compatible with Data Execution Prevention (DEP) and enables Address Space Layout Randomization (ASLR) at load time. - DEP marks memory regions allocated by the Wrapper as non-executable and thus prevents shellcode that would be injected by a malware to be executed. - ASLR protects against buffer overflow attacks by randomizing the locations of different parts of the program in memory. Every time the Wrapper runs, the stack, heap, and libraries are moved to a different address in virtual memory so that attackers can no longer learn through trials where their target is. The terms used to describe these features may sound a bit technical, but it should be enough to just remember that usage of DEP and ASLR has no noticeable performance impact and allows the Wrapper to run in a much safer way on your OS. There is no property to set up in the Wrapper configuration file to enable DEP and ASLR. Both features are automatically enabled when running any version of the Wrapper from 3.5.33. |
Data Execution Prevention (DEP) |
|
The Wrapper enables DEP when running on Windows XP SP3 or any later version of Windows. "java.exe" and "javaw.exe" specify DEP support in a different way with an option (/NXCOMPAT) added in the binary header. This option is understood by Windows Vista and above but not by Windows XP. To match with this behavior, the native library (wrapper.dll) used by the Java process uses the same option and enables DEP for the same versions of Windows. The presence of this option can be confirmed by checking that dumpbin.exe is showing "NX Compatible" among the DLL characteristics:
Note that Windows enforces DEP when running 64-bit executables and thus 64-bit editions of the Wrapper (including versions lower than 3.5.33) are always running with DEP enabled. Also note that the Wrapper will run normally (but at standard security levels) on old versions of Windows that don't support DEP. DEP can be configured at the system level with 4 different policies: - The first two policies can be configured by the local user using the GUI of Windows. On Windows 10, right-click on "This PC", then "Properties". On the left side of the control panel, click on "Advanced system settings". In the "System Properties" window, click on the "Settings" button under "Performance". In the "Performance Options" window, click on "Data Execution Prevention" tab.
- Two other policies are available for administrators, although they should not be necessary in the majority of cases. Windows makes it possible to force DEP for all processes (ignoring any exception lists and options embedded in binaries), or inversely to completely turn off DEP for all processes running on the system. This can be done by using bcdedit.exe in a command line run as Admin (or boot.ini on Windows XP). |
Address Space Layout Randomization (ASLR) |
|
ASLR was introduced in Windows Vista and is implemented in all later versions of Windows. "java.exe" and "javaw.exe" specify an option (/DYNAMICBASE) in their binary headers to inform the OS that the Java application should be rebased at load time using ASLR. "wrapper.exe", "wrapperw.exe" and "wrapper.dll" are linked with the same option to enable ASLR. The presence of this option can be confirmed by checking that dumpbin.exe is showing "Dynamic base" among the DLL characteristics:
There is no configuration needed at the system level for ASLR. Windows Vista and later have ASLR enabled for executables and DLL specifically linked to be ASLR-enabled. For compatibility, it is not enabled by default for other applications. The Wrapper version 3.5.33 and above will run with ASLR enabled. Note that the Wrapper will run normally (but at standard security levels) on old versions of Windows that don't support ASLR. |
How to check whether the Wrapper is running with DEP/ASLR enabled |
||||||
From the Details tab of the Windows Task Manager, it is possible to add a column to visualize whether DEP is enabled or not: right-click on the column header, choose "Select columns" and tick the "Data Execution Prevention" checkbox. The column will show "Enabled" for all processes running with DEP enabled, and "Disabled" when processes are running without this protection. Unfortunately, there is no such column in the Task Manager to see if ASLR is enabled or not. A better way to check if DEP and ASLR are enabled is to use the Process Explorer tool provided by Microsoft. It can be downloaded from the following link: https://technet.microsoft.com/en-us/sysinternals/processexplorer.aspx After downloading, just extract the files in a folder and run procexp.exe or procexp64.exe depending on whether your OS is 32-bit or 64-bit. A window will appear showing the processes hierarchically. When the Wrapper is running, we can see the Wrapper process and its managed child Java process. To visualize if DEP and ASLR are enabled for each process, right-click on the columns header and choose "Select Columns...". Click on the "Process Image" tab and tick the "DEP Status" and "ASLR Enabled" checkboxes. Finally, click on "OK" to add these two columns. Below are the results when running the Wrapper version 3.5.32 and 3.5.33 (32-bit and 64-bit) on Windows (Vista and above):
|