Tuesday, September 22, 2015

Quick post: ASLR in China

The recent XcodeGhost incident shows how insecure Chinese software is. Personally I've long been aware of the huge problems in Chinese software, but I was still surprised that even the core developers at software giants have such a terrible habit: downloading third-party copies of their development tools (or using p2p-based download tools to fetch them). What business secrets can you hold if you fail to protect your core development environment? IMO the security of China-based software is still in the Stone Age: they have gone so far and are still moving so quickly, while (unfortunately) no serious security review process is in place.

Here I'd like to quickly go through the most obvious issue: ASLR. What I have chosen here is the most popular software used in China; I think each of them has hundreds of millions of users. As you will find, none of them fully enables ASLR in their processes, even though ASLR has been available from Microsoft since 2007, has been proven an effective mitigation against exploits, and is quite easy for developers to enable.

This is what I saw on the latest Tencent QQ 7.6.


And here is Baidu YunGuanJia (百度云管家).


The previous two are relatively good; I'd guess they know about ASLR but missed some of the DLLs. However, the following Xunlei (Thunder, 迅雷) is pretty bad: look at the DLLs they ship, almost all of them are non-ASLR (including the 3 main programs). Have they even heard of ASLR?


Alibaba's AliWangWang (阿里旺旺) (their popular tool for online purchasing and chatting) is also not good.


In the security world, ASLR is now a baseline for software security and for any software development; even Microsoft has started to credit findings of non-ASLR issues in its own software. In this quick post we showcased the most obvious non-ASLR cases in the most popular Chinese software; this can be considered a side view reflecting how bad China's software security is. However, their problems go far beyond this; hopefully I will be able to spend more time on them and write something down.
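The screenshots above come from a GUI tool; the same check can be scripted. The following checker is an added example, not code from the original post: it reads the PE headers of each file, tests the DYNAMIC_BASE bit of OptionalHeader.DllCharacteristics, and also reports RELOCS_STRIPPED, since an image with no relocations cannot be moved even when the ASLR bit is set. The script name `check_aslr.py` and the constructed sample headers are assumptions for illustration.

```python
import struct
import sys

# PE header flags that decide whether the loader can randomize an image's base.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001                # COFF Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020  # OptionalHeader.DllCharacteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040     # OptionalHeader.DllCharacteristics


def aslr_status(data: bytes) -> dict:
    """Parse the PE headers of an in-memory image and report its ASLR flags."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # COFF header (20 bytes): Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics.
    characteristics = struct.unpack_from("<HHIIIHH", data, coff)[6]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]           # 0x10B PE32, 0x20B PE32+
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]  # same offset in both formats
    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "pe32plus": magic == 0x20B,
        "dynamic_base": dynamic_base,
        "relocs_stripped": relocs_stripped,
        "high_entropy_va": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        # DYNAMIC_BASE alone is not enough: without relocations the image cannot move.
        "aslr_effective": dynamic_base and not relocs_stripped,
    }


def build_header(magic: int, characteristics: int, dll_chars: int) -> bytes:
    """Constructed, minimal PE header (not a loadable image) used as sample input."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    machine = 0x8664 if magic == 0x20B else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 240, characteristics)
    opt = struct.pack("<H", magic) + b"\0" * 68 + struct.pack("<H", dll_chars) + b"\0" * 168
    return dos + b"PE\0\0" + coff + opt


if __name__ == "__main__":
    # Usage: python check_aslr.py C:\path\to\app\*.dll  (one line per file)
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            status = aslr_status(f.read())
        print(("ASLR    " if status["aslr_effective"] else "NO-ASLR ") + path)
```

Run it over a product's install directory to get the same per-DLL verdict the screenshots show; any NO-ASLR line is a module an attacker could use as a fixed-address gadget source, which is exactly why Microsoft credits such findings.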

Thanks,
Haifei