OPC: ASLR Not Enabled for opccomn_ps.dll and opcproxy.dll in OPC. | Classic OPC: DA, A&E, HDA, XML-DA, etc. | Forum

Lost password?

Home Forum Classic OPC: DA, A&E, HDA, XML-…OPC: ASLR Not Enabled for opccomn_p…

OPC: ASLR Not Enabled for opccomn_ps.dll and opcproxy.dll in OPC.

Bibhudatta Bibhudatta

Member

Members

Forum Posts: 3

Member Since:
07/30/2019

Offline

10/12/2019 - 20:42

Address Space Layout Randomization (ASLR) not enabled.

=========================================

The following OPC binaries do not have ASLR enabled when allocating dynamic memory.

opccomn_ps.dll (version: 1.10.105.1)
opcproxy.dll (Version: 3.0.105.1)

I would like to know whether which version of above dll are having "ASLR" enable option and from where I can get it. Could anyone give opinion on it.

Randy Armstrong

Admin

Forum Posts: 1451

Member Since:
05/30/2017

Offline

10/14/2019 - 00:34

The DLLs may predate that feature in the C++ compilers and it is likely not a good idea to turn it on because those DLLs are shared by many different applications and changes like that could break something.

Bibhudatta Bibhudatta

Member

Members

Forum Posts: 3

Member Since:
07/30/2019

Offline

10/17/2019 - 01:51

Randy Armstrong said
The DLLs may predate that feature in the C++ compilers and it is likely not a good idea to turn it on because those DLLs are shared by many different applications and changes like that could break something.

Thank you so much for the information. I would like to get the latest source code of the two binaries (opccomn_ps.dll, opcproxy.dll). Could you please provide link or reference from where I can get the source code downloaded.

Randy Armstrong

Admin

Forum Posts: 1451

Member Since:
05/30/2017

Offline

10/17/2019 - 08:25

These DLLs cannot be built by individual vendors because only one version of the DLL can be installed on a system. The source code is available but only for developer testing - it should never be used to build copies of the proxies for distribution.

Bibhudatta Bibhudatta

Member

Members

Forum Posts: 3

Member Since:
07/30/2019

Offline

11/03/2019 - 22:59

Could you please share your recommendation to mitigate risk associated with not enabling ASLR.
Is there any plan/timeline in the near future to have this addressed, please share the timeline.

Randy Armstrong

Admin

Forum Posts: 1451

Member Since:
05/30/2017

Offline

11/04/2019 - 05:11

I suggest you do some testing after enabling system wide mandatory ASLR on Windows 8 or later:

https://msrc-blog.microsoft.co.....tory-aslr/

It can be used with DLLs that have not enabled ASLR and should give you "better than nothing" protection when you control the specific systems that are being used.

There are no plans to make any changes to proxy/stubs because they are used by thousands of applications that are not maintained anymore and could break if ASLR is enabled in the proxy/stubs. The link above indicates that Microsoft has limited the effectiveness of the mandatory ASLR specifically because of the risk of creating problems with legacy applications.

Max Mustermann

New Member

Members

Forum Posts: 1

Member Since:
06/23/2016

Offline

12/07/2022 - 14:22

Hi Randy,

I understand that the source code is available for testing purposes only. Could you please share where to access the code for these libraries?

Thanks! 🙂

Randy Armstrong

Admin

Forum Posts: 1451

Member Since:
05/30/2017

Offline

12/07/2022 - 20:30

All code is here:

https://opcfoundation.org/deve.....urce-code/

Only available to Corporate Members.

Forum Timezone: America/Phoenix

Most Users Ever Online: 510

Currently Online:

Guest(s) 43

Currently Browsing this Page:
1 Guest(s)