Professional Documents
Culture Documents
Address Space Layout Randomization
Address Space Layout Randomization
Address Space Layout Randomization
Dirk Gordon
Department of Computer Science and Software Engineering
University of Wisconsin-Platteville
gordondi@uwplatt.edu
Abstract
Address Space Layout Randomization (ASLR) is a security technique used to decrease
the probability of a buffer overflow attack from succeeding. ASLR does not remove
security vulnerabilities, but will instead obfuscate them through randomization of certain
elements in the processes memory. The computer utilizing ASLR is still susceptible to
brute force guessing of the targeted memory address. The a return-to-libc attack will
calculate the offset of system() from usleep(), and then the exploit program will be able to
bypass ASLR protection. ASLR has been implemented in many operating systems such
as Windows Vista and Linux. The effectiveness of ASLR is directly related to the amount
of bits used in the randomization process, so a 64 bit system will be more secure than a
32 bit system with ASLR. ASLR is not a solution that will stop all exploits, but the
technology allows the effectiveness of an exploit to be decreased.
Description
The theory of ASLR is that many exploits rely on static address values, so adding some
randomness to the memory layout will cause basic exploits to fail. ASLR will not
completely prevent an exploit that relies on hard coded memory address to succeed. If
the randomized process layout matches the exploit's targeted memory locations then the
exploit will correctly work. The purpose of ASLR is to randomize sections of a
program's memory layout, so that the chances of the exploit that relies on static memory
addresses to succeed is greatly reduced.[4] The most significant regions that ASLR
randomizes the starting location are the program's stack, heap and dynamic libraries.
ASLR will generate the locations one at a time until there are no memory conflicts.
ASLR was developed to reduce the ability and speed at which a given exploit code can
work because each computer running the vulnerable process with ASLR enabled will
have a different process memory layout. The result is the exploit code has to be crafted
to work on all possible memory layouts or that the exploit code must utilize a brute force
attack to succeed.
ASLR in Linux
08048000-08049000
08049000-0804a000
b7dec000-b7ded000
b7ded000-b7f42000
b7f42000-b7f43000
b7f43000-b7f45000
b7f45000-b7f48000
b7f53000-b7f56000
b7f56000-b7f57000
b7f57000-b7f71000
b7f71000-b7f73000
bfd5e000-bfd73000
r-xp
rw-p
rw-p
r-xp
r--p
rw-p
rw-p
rw-p
r-xp
r-xp
rw-p
rw-p
00000000
00000000
b7dec000
00000000
00155000
00156000
b7f45000
b7f53000
b7f56000
00000000
0001a000
bffeb000
03:01
03:01
00:00
03:01
03:01
03:01
00:00
00:00
00:00
03:01
03:01
00:00
49225
49225
0
188632
188632
188632
0
0
0
179874
179874
0
/home/dirk/aslr_demo
/home/dirk/aslr_demo
/lib/i686/cmov/libc-2.7.so
/lib/i686/cmov/libc-2.7.so
/lib/i686/cmov/libc-2.7.so
[vdso]
/lib/ld-2.7.so
/lib/ld-2.7.so
[stack]
r-xp
rw-p
rw-p
r-xp
r--p
rw-p
rw-p
rw-p
r-xp
r-xp
rw-p
rw-p
00000000
00000000
b7e74000
00000000
00155000
00156000
b7fcd000
b7fdb000
b7fde000
00000000
0001a000
bffeb000
03:01
03:01
00:00
03:01
03:01
03:01
00:00
00:00
00:00
03:01
03:01
00:00
49225
49225
0
188632
188632
188632
0
0
0
179874
179874
0
/home/dirk/aslr_demo
/home/dirk/aslr_demo
/lib/i686/cmov/libc-2.7.so
/lib/i686/cmov/libc-2.7.so
/lib/i686/cmov/libc-2.7.so
[vdso]
/lib/ld-2.7.so
/lib/ld-2.7.so
[stack]
{
char buffer[4];
gets(buffer);
puts(buffer);
return 0;
}
Figure 4: Vulnerable C code
Figure 4 shows a simple C program that is vulnerable to a buffer overflow because the
gets() function has no length checking, so that if the value from gets() is larger than 4
bytes there will be a buffer overflow which will overwrite the values of the nearby
memory.
64 bit implementations of ASLR will allow for at least 40 bits to be used for
randomization.[1] Resulting in 240 (1099511627776) possible offsets to be utilized in
ASLR. Since the amount of permutations of randomness is directly correlated to the
amount of bits used in the randomization process the increase from 32 to 64 bit will
greatly increase the security provided by ASLR.
Conclusion
ASLR brings many advantages in security to operating systems. The ability of ASLR to
slow down, and prevent basic buffer overflow attacks from occurring increases the
security of operating systems, but the amount of security ASLR provides is limited to the
amount of bits that are used in the randomization process. Linux uses significantly more
bits for randomization when compared to Windows Vista which makes Linux's
implementation of ASLR to be more secure. The advancement of operating systems to
using 64 bit operating systems allows for more bits to be used in the randomization
process which will further increase the effects of ASLR. ASLR will prevent simple
attacks from succeeding most of the time, but it won't prevent it always. Also, a smart
attack that takes into account the targeted computer is utilizing ASLR will not be
prevented, and will only delay the exploits' ability to correctly guess the memory location
to target. It is important to remember that ASLR by itself will not prevent exploits from
occurring, and that the purpose of ASLR is to reduce the likelihood that an exploit will
succeed.
References
[1] (2004). On the effectiveness of address-space randomization. Retrieved from
http://stanford.edu/~blp/papers/asrandom.pdf
[2] (2007). An Analysis of Address Space Layout Randomization on Windows Vista.
Retrieved from
http://www.symantec.com/avcenter/reference/Address_Space_Layout_Randomization.pd
f
[3] (2006). Analysis of Microsft Windows Vista's ASLR. Retrieved from
http://www.packetstormsecurity.org/papers/win/Analysis-of-Microsoft-Windows-VistasASLR.pdf
[4] Address Obfuscation: an Efficient Approach to Combat a Broad Range of Memory
Error Exploits. Retrieved from http://seclab.cs.stonybrook.edu/seclab/pubs/usenix03.pdf