Control Flow Guard
I checked the 1Password directory (C:\Users\username\AppData\Local\1Password\app\6) against the tool Serene (https://summitroute.com/serene/) and noticed that none of the binaries leverage CFG.
Is there a technical reason why this protection is not enabled?
Additionally, why isn't ASLR enabled on the sqlite3 DLLs.
1Password Version: 6.5.401d
Extension Version: Not Provided
OS Version: Windows 10
Sync Type: Not Provided
Comments
-
@ShadowGuy: Great questions! I'll admit that while I'm familiar with ASLR, I had to look into the rest as it isn't relevant to the new 1Password 6 Windows desktop app, but could not for the life of me think of why off the top of my head. I guess I need to keep up on my Microsoft jargon more. ;)
Anyway, at first blush, CFG isn't really an option for us here since it requires Windows 8.1 or higher, and 1Password need to support Windows 7 as well. But more importantly, CFG is applicable when compiling C++ code and not relevant to C#/.Net, which we're using; as it's memory-managed, the runtime handles all of this.
SQLite, on the other hand, isa 3rd party library and not something we build ourselves, so it is what it is. And while that might sound a bit dismissive, for 1Password's purposes, we're only writing encrypted data to the SQL database, so there's no harm to be done there. It would be useless to an attacker. Cheers! :)
0 -
Makes sense, thanks for getting back so quickly.
0 -
Likewise, thanks for bringing this up! It's an interesting subject. :)
0
