ASLR / DEP in Installer

Posted: Thu Aug 04, 2022 3:52 pm
by mbond
I was using X13 for my last release. When testing the Setup.EXE generated by InstallAware, we found that ASLR and DEP were not enabled on them.
  • Has this been resolved by the latest X15 release?
  • Is there a setting in the InstallAware IDE to enable this? A command line switch maybe?
  • If not, please create an enhancement request to add this feature (or to just always turn them on automatically).
I ask because ASLR and DEP are current long-standing standard Windows security features. Not having them enabled is a poor lack of security.

I used the instructions in this post to determine that the Setup.EXE does not have these turned on. The only value set under "DLL characteristics" was "Terminal Server Aware".

Thank you,
Bond

Re: ASLR / DEP in Installer

Posted: Tue Aug 09, 2022 10:45 am
by FrancescoT
No, these settings are related to the App Deployed and these cannot be configured from IA.

These have to be set when your app/library gets compiled.
https://docs.microsoft.com/en-us/previous-versions/visualstudio/visual-studio-2012/ms235442(v=vs.110)
https://stackoverflow.com/questions/3395890/dep-and-aslr-and-how-to-use-it

Hope this helps you.

Re: ASLR / DEP in Installer

Posted: Tue Aug 09, 2022 11:57 am
by mbond
I want to be clear - I'm asking about the EXE that InstallAware creates, not the ones that are included in the installer.

The Setup.exe that InstallAware creates is a compiled EXE file and gets run on customers' systems too, just like the programs that the Setup.exe drops.

Please consider this as a security feature enhancement for a future release.

If you use Delphi on the back-end, then it's real easy to do. Just add "{$SETPEOPTFLAGS $140}" to the top of your DPR file. .NET does this automatically. Not sure about other languages, but all modern ones should support it with just a setting change.

Thank you,
Bond
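
Added example, not part of mbond's post and not InstallAware's code: the `$140` passed to `{$SETPEOPTFLAGS}` is the PE optional header's DllCharacteristics bits 0x0040 (DYNAMIC_BASE, ASLR) plus 0x0100 (NX_COMPAT, DEP), and this Python script reads that field from an executable to show which bits are set. The function names are illustrative, and the header produced by `build_sample` is constructed for the example.

```python
import struct

# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits (values from winnt.h)
FLAGS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE (ASLR)",
    0x0100: "NX_COMPAT (DEP)",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}

def dll_characteristics(pe: bytes) -> int:
    """Return the DllCharacteristics word of a PE32 or PE32+ image."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + 20          # skip signature and 20-byte COFF header
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # The field sits at offset 70 of the optional header in both formats.
    (value,) = struct.unpack_from("<H", pe, opt + 70)
    return value

def describe(value: int) -> list[str]:
    """Names of the known flags set in value, lowest bit first."""
    return [name for bit, name in sorted(FLAGS.items()) if value & bit]

def build_sample(flags: int) -> bytes:
    """Constructed minimal PE32 header, just enough for the parser above."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 96, 0x0102)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<H", opt, 70, flags)           # DllCharacteristics
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:                        # e.g. Setup.exe
        with open(path, "rb") as f:
            data = f.read(4096)
        print(path, describe(dll_characteristics(data)) or "no flags set")
```

A value of 0x8000 alone corresponds to the "Terminal Server Aware only" result described in the first post; 0x8140 is the same image with ASLR and DEP opted in.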

Re: ASLR / DEP in Installer

Posted: Wed Aug 10, 2022 3:47 am
by pfennig
mbond wrote: If you use Delphi on the back-end, then it's real easy to do. Just add "{$SETPEOPTFLAGS $140}" to the top of your DPR file. .NET does this automatically. Not sure about other languages, but all modern ones should support it with just a setting change.

Depending on the Delphi version some or all flags are active by default for new projects.

| 32 bit version | DEP | DPI Awareness | ASLR |
|---|---|---|---|
| Delphi XE3 | Disabled | Unaware | - |
| Delphi XE8 | Disabled | Unaware | - |
| Delphi 10.2 | Disabled | Per-Monitor Aware | - |
| Delphi 10.3 | Disabled | Per-Monitor Aware | - |
| Delphi 10.4 | Disabled | Per-Monitor Aware | - |
| Delphi 11.1 | Enabled | Per-Monitor Aware | ASLR (also provides checkboxes in the Options dialog) |
| IA X15 | Disabled | Unaware | - (miaa.exe) |


For 64 bit exes DEP is available by default at least since Delphi XE3.

The miaa.exe is built with Delphi or C++Builder, but due to the lack of any security settings and since its detail information still shows version 1.0.0.0, it seems to me that it's a pretty old version of Delphi or C++Builder and InstallAware doesn't care much about security and correct versioning of their own program(s).

Re: ASLR / DEP in Installer

Posted: Wed Aug 10, 2022 7:02 am
by mbond
That's good for InstallAware to know to put security on their IDE and related programs. Hopefully, it will also help with the Setup.exe's that are created by their IDE when one compiles the installer project, which is what I would like to see happen.

Thanks,
Bond

Re: ASLR / DEP in Installer

Posted: Wed Aug 10, 2022 7:21 am
by pfennig
Agreed, of course, I didn't mean to neglect that those security requirements should be met for each executable they produce for and with their programs.
A 64-bit version would be nice as well.

Re: ASLR / DEP in Installer

Posted: Tue Aug 16, 2022 10:35 am
by FrancescoT
mbond wrote: That's good for InstallAware to know to put security on their IDE and related programs. Hopefully, it will also help with the Setup.exe's that are created by their IDE when one compiles the installer project, which is what I would like to see happen.

In all honesty, I mistakenly assumed that this was a necessary option limited to OCX binaries only... but I was wrong. Probably this is due to the link you posted.
At any rate, I forwarded this matter to dev dept.

Re: ASLR / DEP in Installer

Posted: Tue Aug 16, 2022 10:51 am
by mbond
Thank you!

Re: ASLR / DEP in Installer

Posted: Wed Aug 17, 2022 1:25 am
by pfennig
+1

Re: ASLR / DEP in Installer

Posted: Fri Oct 28, 2022 7:18 am
by Wolfgang Guertl
@no or bad installaware versioning of their own program: yes
But almost none of the installed installaware binaries are not codesigned!
It's a miracle about those issues...

Wolfgang

Re: ASLR / DEP in Installer

Posted: Fri Oct 28, 2022 12:18 pm
by FrancescoT
This has been fixed by the latest IA x15 minor update v.32.22.

Re: ASLR / DEP in Installer

Posted: Mon Oct 31, 2022 3:28 am
by Wolfgang Guertl
Thank you for the quick response, but the problem is solved partially, only some binaries (C:\Program Files (x86)\InstallAware X15) are signed and the license setup is not signed as well. BTW, the license portal is http only, so our username+password credentials are transmitted unencrypted and the site is an asp website.

Wolfgang

Re: ASLR / DEP in Installer

Posted: Mon Oct 31, 2022 4:39 am
by pfennig
Thankfully, the newly created setups are DEP and ASLR enabled, InstallAware and most of its "sub"-programs still are not.

Also, neither the wrong version number of the main program nor the missing DPI-awareness of it and the created setups are solved.

Re: ASLR / DEP in Installer

Posted: Wed Nov 16, 2022 7:12 am
by pfennig
The InstallAware setup and program of build 11.1.2022 still don't fulfil security standards.

Our subscription expires in a few weeks. We decided not to renew it unless this problem gets fixed once and for all until then.

Re: ASLR / DEP in Installer

Posted: Fri Feb 23, 2024 11:51 am
by JohnGaver
pfennig wrote: Thankfully, the newly created setups are DEP and ASLR enabled, InstallAware and most of its "sub"-programs still are not.
Also, neither the wrong version number of the main program nor the missing DPI-awareness of it and the created setups are solved.


Why are you concerned about the other, literally private parts?

You are not allowed to redistribute them at any rate - that's not what you're doing, is it?