[Code-Crunchers] Address-Space Randomization
Gadi Evron
ge at linuxbox.org
Sun Nov 19 06:59:29 CST 2006
[x-posting also to the exploits announcement list]
http://www.stanford.edu/~blp/papers/asrandom.pdf
ABSTRACT

Address-space randomization is a technique used to fortify systems against buffer overflow attacks. The idea is to introduce artificial diversity by randomizing the memory location of certain system components. This mechanism is available for both Linux (via PaX ASLR) and OpenBSD.

We study the effectiveness of address-space randomization and find that its utility on 32-bit architectures is limited by the number of bits available for address randomization. In particular, we demonstrate a derandomization attack that will convert any standard buffer-overflow exploit into an exploit that works against systems protected by address-space randomization. The resulting exploit is as effective as the original exploit, although it takes a little longer to compromise a target machine: on average 216 seconds to compromise Apache running on a Linux PaX ASLR system. The attack does not require running code on the stack.

We also explore various ways of strengthening address-space randomization and point out weaknesses in each. Surprisingly, increasing the frequency of re-randomizations adds at most 1 bit of security. Furthermore, compile-time randomization appears to be more effective than runtime randomization. We conclude that, on 32-bit architectures, the only benefit of PaX-like address-space randomization is a small slowdown in worm propagation speed. The cost of randomization is extra complexity in system support.
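The abstract's claim that more frequent re-randomization buys at most 1 bit is a statement about expected guessing work, and it can be checked with a small model. The following is an added illustration, not code from the paper or the post: it compares a layout that stays fixed for the whole attack (each wrong probe rules out one candidate) with a layout re-drawn before every probe (each probe is an independent 1-in-N chance), and confirms the closed forms by simulation. The 16-bit entropy figure is an assumption used for scale; the abstract does not state the bit count.

```python
"""Expected guessing cost under n bits of address randomization.

Added example (not from the paper): models the two regimes the abstract
contrasts and shows why per-probe re-randomization adds at most one bit.
"""
import math
import random
from fractions import Fraction


def expected_guesses_fixed(bits: int) -> Fraction:
    """Layout fixed for the attack: sampling without replacement over
    N = 2**bits candidates, so the expected number of probes is (N + 1) / 2."""
    n = 2 ** bits
    return Fraction(n + 1, 2)


def expected_guesses_rerandomized(bits: int) -> Fraction:
    """Layout re-drawn uniformly before every probe: each probe succeeds
    independently with probability 1/N (geometric), expected probes = N."""
    return Fraction(2 ** bits)


def security_gain_bits(bits: int) -> float:
    """log2 of the work ratio between the two regimes; tends to 1 as bits grow."""
    ratio = expected_guesses_rerandomized(bits) / expected_guesses_fixed(bits)
    return math.log2(float(ratio))


def simulate(bits: int, rerandomize: bool, trials: int, seed: int = 1) -> float:
    """Monte Carlo check of the closed forms on a toy address space."""
    rng = random.Random(seed)
    n = 2 ** bits
    total = 0
    for _ in range(trials):
        secret = rng.randrange(n)           # constructed secret offset
        candidates = list(range(n))
        rng.shuffle(candidates)
        guesses = 0
        while True:
            guesses += 1
            if rerandomize:
                secret = rng.randrange(n)   # defender re-draws the layout
                guess = 0                   # any fixed guess is as good as another
            else:
                guess = candidates[guesses - 1]  # cross off one candidate per probe
            if guess == secret:
                break
        total += guesses
    return total / trials


if __name__ == "__main__":
    print(expected_guesses_fixed(16), expected_guesses_rerandomized(16))
    print(round(security_gain_bits(16), 5))   # assumed 16 bits: ~0.99998 bits gained
```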