ASLR / DEP in Installer

mbond
Posts: 10
Joined: Thu Dec 12, 2013 9:37 am

ASLR / DEP in Installer

Postby mbond » Thu Aug 04, 2022 3:52 pm

I was using X13 for my last release. When testing the Setup.EXE generated by InstallAware, we found that ASLR and DEP were not enabled on them.
  • Has this been resolved by the latest X15 release?
  • Is there a setting in the InstallAware IDE to enable this? A command line switch maybe?
  • If not, please create an enhancement request to add this feature (or to just always turn them on automatically).
I ask because ASLR and DEP are current long-standing standard Windows security features. Not having them enabled is a poor lack of security.

I used the instructions in this post to determine that the Setup.EXE does not have these turned on. The only value set under "DLL characteristics" was "Terminal Server Aware".

Thank you,
Bond

FrancescoT
Site Admin
Posts: 5301
Joined: Sun Aug 22, 2010 4:28 am

Re: ASLR / DEP in Installer

Postby FrancescoT » Tue Aug 09, 2022 10:45 am

No, these settings are related to the App Deployed and these cannot be configured from IA.

These have to be set when your app/library gets compiled.
https://docs.microsoft.com/en-us/previous-versions/visualstudio/visual-studio-2012/ms235442(v=vs.110)
https://stackoverflow.com/questions/3395890/dep-and-aslr-and-how-to-use-it

Hope this helps you.
Francesco Toscano
InstallAware Software

White Papers (HowTos) - http://www.installaware.com/publication ... papers.htm
Publications - http://www.installaware.com/publications-review.htm
InstallAware Help -F1 anywhere in the InstallAware IDE

mbond
Posts: 10
Joined: Thu Dec 12, 2013 9:37 am

Re: ASLR / DEP in Installer

Postby mbond » Tue Aug 09, 2022 11:57 am

I want to be clear - I'm asking about the EXE that InstallAware creates, not the ones that are included in the installer.

The Setup.exe that InstallAware creates is a compiled EXE file and gets run on customer's systems too, just like the programs that the Setup.exe drops.

Please consider this as a security feature enhancement for a future release.

If you use Delphi on the back-end, then it's real easy to do. Just add "{$SETPEOPTFLAGS $140}" to the top of your DPR file. .NET does this automatically. Not sure about other languages, but all modern ones should support it with just a setting change.

Thank you,
Bond
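
The check described in the first post, and the meaning of the `$140` value above, shown as an added example (not part of any forum post and not InstallAware's code): `$140` is `0x0040` (DYNAMIC_BASE, ASLR) combined with `0x0100` (NX_COMPAT, DEP) in the PE optional header's DllCharacteristics field. The function names and the `constructed_pe` sample header are assumptions made for illustration.

```python
import struct
import sys

# DllCharacteristics bits from the PE optional header (winnt.h names).
FLAGS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",           # ASLR
    0x0100: "NX_COMPAT",              # DEP
    0x8000: "TERMINAL_SERVER_AWARE",
}
ASLR, DEP = 0x0040, 0x0100

def dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics word of a PE image, or raise ValueError."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    opt = e_lfanew + 4 + 20           # skip PE signature and COFF file header
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(image) < opt + 72:
        raise ValueError("missing or truncated PE header")
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):   # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+.
    return struct.unpack_from("<H", image, opt + 70)[0]

def audit(image: bytes) -> dict:
    value = dll_characteristics(image)
    return {
        "value": value,
        "flags": [name for bit, name in FLAGS.items() if value & bit],
        "aslr": bool(value & ASLR),
        "dep": bool(value & DEP),
    }

def constructed_pe(characteristics: int) -> bytes:
    """Constructed sample: just enough header bytes to parse, not a loadable EXE."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)        # e_lfanew
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    struct.pack_into("<H", opt, 70, characteristics)
    return bytes(dos) + b"PE\0\0" + bytes(20) + bytes(opt)

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, audit(fh.read(4096)))
```

Run it with one or more EXE paths as arguments; a header with only "Terminal Server Aware" set reports `aslr` and `dep` as false.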

pfennig
Posts: 151
Joined: Wed Nov 08, 2006 8:39 am

Re: ASLR / DEP in Installer

Postby pfennig » Wed Aug 10, 2022 3:47 am

mbond wrote:If you use Delphi on the back-end, then it's real easy to do. Just add "{$SETPEOPTFLAGS $140}" to the top of your DPR file. .NET does this automatically. Not sure about other languages, but all modern ones should support it with just a setting change.

Depending on the Delphi version some or all flags are active by default for new projects.

| 32 bit version | DEP      | DPI Awareness     | ASLR |
|----------------|----------|-------------------|------|
| Delphi XE3     | Disabled | Unaware           | - |
| Delphi XE8     | Disabled | Unaware           | - |
| Delphi 10.2    | Disabled | Per-Monitor Aware | - |
| Delphi 10.3    | Disabled | Per-Monitor Aware | - |
| Delphi 10.4    | Disabled | Per-Monitor Aware | - |
| Delphi 11.1    | Enabled  | Per-Monitor Aware | ASLR (also provides checkboxes in the Options dialog) |
| IA X15         | Disabled | Unaware           | - (miaa.exe) |



For 64 bit exes DEP is available by default at least since Delphi XE3.

The miaa.exe is built with Delphi or C++Builder, but due to the lack of any security settings and since its detail information still shows version 1.0.0.0, it seems to me that it's a pretty old version of Delphi or C++Builder and InstallAware doesn't care much about security and correct versioning of their own program(s).
Last edited by pfennig on Fri Sep 09, 2022 1:22 am, edited 2 times in total.
Best regards
pfennig

mbond
Posts: 10
Joined: Thu Dec 12, 2013 9:37 am

Re: ASLR / DEP in Installer

Postby mbond » Wed Aug 10, 2022 7:02 am

That's good for InstallAware to know to put security on their IDE and related programs. Hopefully, it will also help with the Setup.exe's that are created by their IDE when one compiles the installer project, which is what I would like to see happen.

Thanks,
Bond

pfennig
Posts: 151
Joined: Wed Nov 08, 2006 8:39 am

Re: ASLR / DEP in Installer

Postby pfennig » Wed Aug 10, 2022 7:21 am

Agreed, of course. I didn't mean to neglect that those security requirements should be met for each executable they produce for and with their programs.
A 64-bit version would be nice as well.
Best regards

pfennig

FrancescoT
Site Admin
Posts: 5301
Joined: Sun Aug 22, 2010 4:28 am

Re: ASLR / DEP in Installer

Postby FrancescoT » Tue Aug 16, 2022 10:35 am

mbond wrote:That's good for InstallAware to know to put security on their IDE and related programs. Hopefully, it will also help with the Setup.exe's that are created by their IDE when one compiles the installer project, which is what I would like to see happen.

In all honesty, I mistakenly assumed that this was a necessary option limited to OCX binaries only... but I was wrong. Probably this was due to the link you posted.
At any rate, I forwarded this matter to dev dept.
Francesco Toscano
InstallAware Software


mbond
Posts: 10
Joined: Thu Dec 12, 2013 9:37 am

Re: ASLR / DEP in Installer

Postby mbond » Tue Aug 16, 2022 10:51 am

Thank you!

pfennig
Posts: 151
Joined: Wed Nov 08, 2006 8:39 am

Re: ASLR / DEP in Installer

Postby pfennig » Wed Aug 17, 2022 1:25 am

+1
Best regards

pfennig

