ASLR / DEP in Installer

mbond
Posts: 15
Joined: Thu Dec 12, 2013 9:37 am

ASLR / DEP in Installer

Postby mbond » Thu Aug 04, 2022 3:52 pm

I was using X13 for my last release. When testing the Setup.EXE generated by InstallAware, we found that ASLR and DEP were not enabled on them.
  • Has this been resolved by the latest X15 release?
  • Is there a setting in the InstallAware IDE to enable this? A command line switch maybe?
  • If not, please create an enhancement request to add this feature (or to just always turn them on automatically).
I ask because ASLR and DEP are current long-standing standard Windows security features. Not having them enabled is a poor lack of security.

I used the instructions in this post to determine that the Setup.EXE does not have these turned on. The only value set under "DLL characteristics" was "Terminal Server Aware".

Thank you,
Bond

FrancescoT
Site Admin
Posts: 5361
Joined: Sun Aug 22, 2010 4:28 am

Re: ASLR / DEP in Installer

Postby FrancescoT » Tue Aug 09, 2022 10:45 am

No, these settings are related to the App Deployed and these cannot be configured from IA.

These have to be set when your app/library gets compiled.
https://docs.microsoft.com/en-us/previous-versions/visualstudio/visual-studio-2012/ms235442(v=vs.110)
https://stackoverflow.com/questions/3395890/dep-and-aslr-and-how-to-use-it

Hope this helps you.
Francesco Toscano
InstallAware Software

White Papers (HowTos) - http://www.installaware.com/publication ... papers.htm
Publications - http://www.installaware.com/publications-review.htm
InstallAware Help -F1 anywhere in the InstallAware IDE

mbond
Posts: 15
Joined: Thu Dec 12, 2013 9:37 am

Re: ASLR / DEP in Installer

Postby mbond » Tue Aug 09, 2022 11:57 am

I want to be clear - I'm asking about the EXE that InstallAware creates, not the ones that are included in the installer.

The Setup.exe that InstallAware creates is a compiled EXE file and gets run on customer's systems too, just like the programs that the Setup.exe drops.

Please consider this as a security feature enhancement for a future release.

If you use Delphi on the back-end, then it's real easy to do. Just add "{$SETPEOPTFLAGS $140}" to the top of your DPR file. .NET does this automatically. Not sure about other languages, but all modern ones should support it with just a setting change.

Thank you,
Bond
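
The check discussed in the posts above, as an added example that is not part of any post and is not InstallAware's code: a Python reader for the PE `DllCharacteristics` word, where 0x0040 (ASLR) and 0x0100 (DEP) are the two bits that `$140` sets. The function names and the `sample_pe` stub are constructed for illustration.

```python
import struct
import sys

# IMAGE_DLLCHARACTERISTICS_* bits (PE/COFF optional header)
FLAGS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE (ASLR)",
    0x0100: "NX_COMPAT (DEP)",
    0x8000: "TERMINAL_SERVER_AWARE",
}

def dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics word of a PE image."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)       # e_lfanew
    opt = pe_off + 24                                        # signature (4) + COFF header (20)
    if image[pe_off:pe_off + 4] != b"PE\0\0" or len(image) < opt + 72:
        raise ValueError("missing or truncated PE header")
    (opt_size,) = struct.unpack_from("<H", image, pe_off + 20)
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B) or opt_size < 72:         # PE32 / PE32+
        raise ValueError("unsupported optional header")
    return struct.unpack_from("<H", image, opt + 70)[0]      # offset 70 in PE32 and PE32+

def audit(image: bytes) -> dict:
    value = dll_characteristics(image)
    return {
        "raw": value,
        "set": [name for bit, name in FLAGS.items() if value & bit],
        "aslr": bool(value & 0x0040),
        "dep": bool(value & 0x0100),
    }

def sample_pe(flags: int, magic: int = 0x10B) -> bytes:
    """Constructed header-only stub for the demo; not a runnable program."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 96, 0x0102)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, flags)
    return dos + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    for path in sys.argv[1:]:                # e.g. python pecheck.py Setup.exe
        with open(path, "rb") as fh:
            print(path, audit(fh.read()))
    print("before:", audit(sample_pe(0x8000)))           # only Terminal Server Aware
    print("after: ", audit(sample_pe(0x8000 | 0x140)))   # plus the $140 bits
```

Run against every EXE and DLL in a build output folder, this makes a simple release gate: fail the build when `aslr` or `dep` is false.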

pfennig
Posts: 169
Joined: Wed Nov 08, 2006 8:39 am

Re: ASLR / DEP in Installer

Postby pfennig » Wed Aug 10, 2022 3:47 am

mbond wrote: If you use Delphi on the back-end, then it's real easy to do. Just add "{$SETPEOPTFLAGS $140}" to the top of your DPR file. .NET does this automatically. Not sure about other languages, but all modern ones should support it with just a setting change.

Depending on the Delphi version some or all flags are active by default for new projects.

32 bit version   DEP        DPI Awareness       ASLR
Delphi XE3       Disabled   Unaware             -
Delphi XE8       Disabled   Unaware             -
Delphi 10.2      Disabled   Per-Monitor Aware   -
Delphi 10.3      Disabled   Per-Monitor Aware   -
Delphi 10.4      Disabled   Per-Monitor Aware   -
Delphi 11.1      Enabled    Per-Monitor Aware   ASLR (also provides checkboxes in the Options dialog)
IA X15           Disabled   Unaware             - (miaa.exe)

InstallAware unaware.png


For 64 bit exes DEP is available by default at least since Delphi XE3.

The miaa.exe is built with Delphi or C++Builder, but due to the lack of any security settings and since its detail information still shows version 1.0.0.0, it seems to me that it's a pretty old version of Delphi or C++Builder and InstallAware doesn't care much about security and correct versioning of their own program(s).
Last edited by pfennig on Fri Sep 09, 2022 1:22 am, edited 2 times in total.
Best regards
pfennig

mbond
Posts: 15
Joined: Thu Dec 12, 2013 9:37 am

Re: ASLR / DEP in Installer

Postby mbond » Wed Aug 10, 2022 7:02 am

That's good for InstallAware to know to put security on their IDE and related programs. Hopefully, it will also help with the Setup.exe's that are created by their IDE when one compiles the installer project, which is what I would like to see happen.

Thanks,
Bond

pfennig
Posts: 169
Joined: Wed Nov 08, 2006 8:39 am

Re: ASLR / DEP in Installer

Postby pfennig » Wed Aug 10, 2022 7:21 am

Agreed, of course, I didn't mean to neglect, that those security requirements should be met for each executable they produce for and with their programs.
A 64-bit version would be nice as well.
Best regards

pfennig

FrancescoT
Site Admin
Posts: 5361
Joined: Sun Aug 22, 2010 4:28 am

Re: ASLR / DEP in Installer

Postby FrancescoT » Tue Aug 16, 2022 10:35 am

mbond wrote: That's good for InstallAware to know to put security on their IDE and related programs. Hopefully, it will also help with the Setup.exe's that are created by their IDE when one compiles the installer project, which is what I would like to see happen.

In all honesty, I mistakenly assumed that this was a necessary option limited to OCX binaries only...but I was wrong. Probably this is due to the link you posted.
At any rate, I forwarded this matter to dev dept.
Francesco Toscano
InstallAware Software


mbond
Posts: 15
Joined: Thu Dec 12, 2013 9:37 am

Re: ASLR / DEP in Installer

Postby mbond » Tue Aug 16, 2022 10:51 am

Thank you!

pfennig
Posts: 169
Joined: Wed Nov 08, 2006 8:39 am

Re: ASLR / DEP in Installer

Postby pfennig » Wed Aug 17, 2022 1:25 am

+1
Best regards

pfennig

Wolfgang Guertl
Posts: 12
Joined: Wed Oct 15, 2014 7:14 am

Re: ASLR / DEP in Installer

Postby Wolfgang Guertl » Fri Oct 28, 2022 7:18 am

@no or bad installaware versioning of their own program: yes
But almost none of the installed installaware binaries are not codesigned!
It's a miracle about those issues...

Wolfgang

FrancescoT
Site Admin
Posts: 5361
Joined: Sun Aug 22, 2010 4:28 am

Re: ASLR / DEP in Installer

Postby FrancescoT » Fri Oct 28, 2022 12:18 pm

This has been fixed by the latest IA x15 minor update v.32.22.
Francesco Toscano
InstallAware Software


Wolfgang Guertl
Posts: 12
Joined: Wed Oct 15, 2014 7:14 am

Re: ASLR / DEP in Installer

Postby Wolfgang Guertl » Mon Oct 31, 2022 3:28 am

Thank you for the quick response, but the problem is only partially solved: only some binaries (C:\Program Files (x86)\InstallAware X15) are signed, and the license setup is not signed either. Btw, the license portal is http only, so our username+password credentials are transmitted unencrypted, and the site is an asp website.

Wolfgang

pfennig
Posts: 169
Joined: Wed Nov 08, 2006 8:39 am

Re: ASLR / DEP in Installer

Postby pfennig » Mon Oct 31, 2022 4:39 am

Thankfully, the newly created setups are DEP and ASLR enabled, InstallAware and most of its "sub"-programs still are not.
InstallAware PESecurity Checks.png

Also, neither the wrong version number of the main program nor the missing DPI-awareness of it and the created setups are solved.
miae.exe.png

miae.exe_properties.png
Best regards

pfennig

pfennig
Posts: 169
Joined: Wed Nov 08, 2006 8:39 am

Re: ASLR / DEP in Installer

Postby pfennig » Wed Nov 16, 2022 7:12 am

The InstallAware setup and program of build 11.1.2022 still don't fulfill security standards.
InstallAware Setup.png

miae.exe.png


Our subscription expires in a few weeks. We decided not to renew it unless this problem gets fixed once and for all until then.
Best regards

pfennig

JohnGaver
Posts: 129
Joined: Mon Feb 05, 2024 6:15 pm

Re: ASLR / DEP in Installer

Postby JohnGaver » Fri Feb 23, 2024 11:51 am

pfennig wrote: Thankfully, the newly created setups are DEP and ASLR enabled, InstallAware and most of its "sub"-programs still are not.
InstallAware PESecurity Checks.png
Also, neither the wrong version number of the main program nor the missing DPI-awareness of it and the created setups are solved.
miae.exe.png
miae.exe_properties.png


Why are you concerned about the other, literally private parts?

You are not allowed to redistribute them at any rate - that's not what you're doing, is it?
John Gaver
InstallAware Skunkworks
InstallAware Multi Platform - Liberating DEB/RPM/PKG/MSI(X) into universal native setups!
Get your free copy today - https://www.installaware.com/installaware-multi-platform.htm

