What is ASLR?

How Vista Keeps Attackers Guessing

Man using laptop with cup of coffee
Paul Bradbury/Caiaimage/Getty Images

ASLR stands for "address space layout randomization". Many exploits and malware attacks rely on the ability of the programmer to accurately identify where specific processes or system functions reside in memory. In order for an attacker to exploit or leverage a function, they must first be able to tell their code where to find the function or process to exploit.

With previous versions of Windows, these memory locations were known or easily discovered by attackers and malware developers. With Windows Vista, Microsoft made it into more of a shell game- with 256 shells.

To be fair, Microsoft did not invent the ASLR technique. The PaX Project pioneered techniques like ASLR and DEP (another function incorporated into Windows Vista) as a Linux patch in 2001.

ASLR in Windows Vista

Regardless of its origins, its inclusion in Windows Vista by Microsoft means that exploits and malware that work in Windows XP have only a 1 in 256 chance of succeeding in Windows Vista. In addition, there is a probability that a failed attempt initiated against one of the other 255 memory locations will actually crash the system. Crashed systems are bad, but the fact that the system will crash makes it virtually impossible for an attacker to simply automate an attack that tries all 256 memory locations in order, and also alerts the user that something peculiar is going on.

By itself, ASLR is not a 'silver bullet' defense, but the inclusion of ASLR in addition to other security functions such as DEP (Data Execution Prevention) and the security aspects of UAC (User Account Control) help Vista to defend itself against many threats that would work on Windows XP and other prior operating systems. In Windows Vista, there is a 1 in 256 chance that a given threat will be rendered powerless.