On 10/17/2010 4:36 PM, Dr. Stephen Henson wrote: > On Sun, Oct 17, 2010, aerow...@gmail.com wrote: > >> Ugh. This is worse than I thought. It's *intermittently* failing like >> that. After a few more minutes, I tried it again, and got the expected >> output. >> >> Is there some way to specify a base address during the creation of the DLL, >> after the fipscanister is created? Would that invalidate it? >> >> The default appears to be 0x00d60000, and it works when loaded there. >> > > You can't modify the 1.2 module build process in any way but you can specify > an alternate base address when you link against a newer version of OpenSSL > such as 0.9.8o. > > One way to get more information would be to dump the fingerprinted data in the > FIPS_incore_fingerprint() function along with the addresses when it works and > when it fails. Then see if the addresses and/or the dumped binary data have > changed.
On Windows it is not possible to require that a DLL be loaded at a specific address in memory within a process. The base address is simply a recommendation and if correct will result in the library loading process being faster than if it is not. Any fingerprinting of a library needs to be performed by computing the memory offsets compared to the base address and using those. Microsoft Vista, Server 2008, Win7 and Server 2008-R2 all support enable by default Address space layout randomization (ASLR). Visual Studio 2010 is the first version of Windows development tools to turn ASLR on by default for EXEs and DLLs. To disable, use /DYNAMICBASE:NO when linking. (Or disable the "Randomized Base Address property in Visual Studio.) Jeffrey Altman Secure Endpoints, Inc.
signature.asc
Description: OpenPGP digital signature
