classification
Title: Enable DEP and ASLR
Type: security
Stage: resolved
Components: Windows
Versions: Python 3.4
process
Status: closed
Resolution: fixed
Dependencies:
Superseder:
Assigned To: christian.heimes
Nosy List: brian.curtin, christian.heimes, devin, haypo, jcea, loewis, python-dev, skrah
Priority: normal
Keywords: patch

Created on 2012-12-07 10:23 by christian.heimes, last changed 2013-11-20 16:44 by christian.heimes. This issue is now closed.

Files
File name: depaslr.patch (uploaded by christian.heimes, 2012-12-07 10:23)
Messages (11)
msg177077 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2012-12-07 10:23
Python 3.3 doesn't use address space layout randomization [1] and data execution prevention [2] on Windows. ASLR and DEP make certain kinds of attacks harder. An attacker can't predict the address of functions or globals anymore and DEP helps against NOP sled attacks.

Python's test suite runs fine with DEP and ASLR on AMD64. I see a crash in test_capi and a couple of crashes in test_faulthandler but these don't seem to be related.

[1] http://en.wikipedia.org/wiki/ASLR
[2] http://en.wikipedia.org/wiki/Data_Execution_Prevention
msg177084 - (view) Author: Martin v. Löwis (loewis) * (Python committer) Date: 2012-12-07 12:56
I'm +0. There is a risk that this may break 3rd-party extension modules.
msg177216 - (view) Author: Lukas Lueg (ebfe) Date: 2012-12-09 13:34
Only way to be sure: Enable & announce for 3.5 and wait for bug reports
msg177217 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2012-12-09 13:45
DEP isn't much of an issue. It's automatically disabled for the entire process when one library w/o DEP is loaded.
msg177290 - (view) Author: Martin v. Löwis (loewis) * (Python committer) Date: 2012-12-10 13:38
I don't think much caution is needed. If problems don't show up in the beta releases, we can still revert the change for 3.4.1.

Christian, please go ahead and check this in.
msg182970 - (view) Author: STINNER Victor (haypo) * (Python committer) Date: 2013-02-25 18:29
> I see a crash in test_capi and a couple of crashes
> in test_faulthandler but these don't seem to be related.

Which kind of crash? faulthandler has functions to make Python crash, crashes are expected :-)
msg201122 - (view) Author: STINNER Victor (haypo) * (Python committer) Date: 2013-10-24 12:56
@Crys: ping?
msg201123 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2013-10-24 12:58
I'll look into this next time my Windows VM is running.
msg201145 - (view) Author: Stefan Krah (skrah) * (Python committer) Date: 2013-10-24 15:00
> I see a crash in test_capi and a couple of crashes
> in test_faulthandler but these don't seem to be related.

Perhaps the same as #9116.
msg203185 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2013-11-17 14:45
I no longer see the crashes.
msg203504 - (view) Author: Roundup Robot (python-dev) Date: 2013-11-20 16:43
New changeset cb1691d42101 by Christian Heimes in branch 'default':
Issue #16632: Enable DEP and ASLR on Windows.
http://hg.python.org/cpython/rev/cb1691d42101
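
To check the outcome of a change like this on a built binary, the following added example (not part of the issue, the patch or CPython's source) reads the two PE optional-header bits that opt an image into ASLR and DEP. The function names and the header-only sample image are constructed for illustration.

```python
import struct
import sys

# DllCharacteristics bits in the PE optional header (PE/COFF specification).
DYNAMIC_BASE = 0x0040  # image may be relocated at load time (ASLR opt-in)
NX_COMPAT = 0x0100     # image is compatible with DEP


def pe_mitigations(data: bytes) -> dict:
    """Return the ASLR/DEP opt-in state of a PE image given its raw bytes."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    opt = e_lfanew + 24  # skip 4-byte signature and 20-byte COFF header
    if len(data) < opt + 72 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: bad or truncated PE header")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%04x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ layouts.
    (flags,) = struct.unpack_from("<H", data, opt + 70)
    return {"aslr": bool(flags & DYNAMIC_BASE), "dep": bool(flags & NX_COMPAT)}


def constructed_image(dll_characteristics: int, magic: int = 0x20B) -> bytes:
    """Build a constructed, header-only PE stub (sample input, not a real file)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # PE header follows the DOS stub
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x0022)
    optional = bytearray(240)
    struct.pack_into("<H", optional, 0, magic)
    struct.pack_into("<H", optional, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional)


if __name__ == "__main__":
    # Real files given on the command line, e.g. python.exe or an extension .pyd.
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, pe_mitigations(f.read()))
    print("constructed, both set:", pe_mitigations(constructed_image(0x0140)))
    print("constructed, none set:", pe_mitigations(constructed_image(0x0000)))
```

Running it over the interpreter executable and every extension module in an installation shows which images still lack either bit, which is the third-party compatibility question raised in the thread.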
History
Date User Action Args
2013-11-20 16:44:21 christian.heimes set status: open -> closed; resolution: fixed; stage: commit review -> resolved
2013-11-20 16:43:32 python-dev set nosy: + python-dev; messages: + msg203504
2013-11-17 14:45:24 christian.heimes set messages: + msg203185
2013-10-24 15:00:08 skrah set nosy: + skrah; messages: + msg201145
2013-10-24 12:58:00 christian.heimes set assignee: christian.heimes; messages: + msg201123
2013-10-24 12:56:43 haypo set messages: + msg201122
2013-10-24 12:45:21 tim.golden set nosy: - tim.golden
2013-02-25 18:31:11 ebfe set nosy: - ebfe
2013-02-25 18:29:53 haypo set nosy: + haypo; messages: + msg182970
2013-02-23 21:37:21 devin set nosy: + devin
2012-12-10 13:38:38 loewis set messages: + msg177290; stage: test needed -> commit review
2012-12-10 13:05:32 jcea set nosy: + jcea
2012-12-09 13:45:23 christian.heimes set messages: + msg177217
2012-12-09 13:34:58 ebfe set nosy: + ebfe; messages: + msg177216
2012-12-08 19:23:52 pitrou set nosy: + tim.golden, brian.curtin
2012-12-07 12:56:53 loewis set nosy: + loewis; messages: + msg177084
2012-12-07 10:23:01 christian.heimes create