[Code-Crunchers] Address-Space Randomization

Jason Geffner jasongef at microsoft.com
Sun Nov 19 11:25:53 CST 2006


This paper is over two years old. Have there been any changes to ASLR on Linux since then to make this type of attack less feasible?

- Jason


-----Original Message-----
From: Gadi Evron [mailto:ge at linuxbox.org]
Sent: Sunday, November 19, 2006 4:59 AM
To: code-crunchers at whitestar.linuxbox.org
Cc: exploits at whitestar.linuxbox.org
Subject: [Code-Crunchers] Address-Space Randomization

[x-posting also to the exploits announcement list]

http://www.stanford.edu/~blp/papers/asrandom.pdf

ABSTRACT
Address-space randomization is a technique used to fortify systems against buffer overflow attacks. The idea is to introduce artificial diversity by randomizing the memory location of certain system components. This mechanism is available for both Linux (via PaX ASLR) and OpenBSD. We study the effectiveness of address-space randomization and find that its utility on 32-bit architectures is limited by the number of bits available for address randomization. In particular, we demonstrate a derandomization attack that will convert any standard buffer-overflow exploit into an exploit that works against systems protected by address-space randomization. The resulting exploit is as effective as the original exploit, although it takes a little longer to compromise a target machine: on average 216 seconds to compromise Apache running on a Linux PaX ASLR system. The attack does not require running code on the stack.

We also explore various ways of strengthening address-space randomization and point out weaknesses in each. Surprisingly, increasing the frequency of re-randomizations adds at most 1 bit of security. Furthermore, compile-time randomization appears to be more effective than runtime randomization. We conclude that, on 32-bit architectures, the only benefit of PaX-like address-space randomization is a small slowdown in worm propagation speed. The cost of randomization is extra complexity in system support.

_______________________________________________
Code-Crunchers mailing list
Code-Crunchers at whitestar.linuxbox.org
http://whitestar.linuxbox.org/mailman/listinfo/code-crunchers
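The abstract's claim that re-randomizing more often adds at most 1 bit of security can be checked with a small expectation calculation: with a fixed layout each failed probe rules out one candidate, while a layout re-drawn after every probe makes each probe an independent trial. The script below is an added example, not part of the thread or the paper; the 16-bit figure is an assumed entropy value for illustration, and the simulation is a constructed sanity check of the closed forms.

```python
"""Expected probe counts against n bits of layout randomness, with and without
re-randomization after every failed probe (added example, not from the paper)."""
import math
import random
from fractions import Fraction


def expected_probes_fixed(bits: int) -> Fraction:
    # Layout fixed for the whole attack: the attacker never repeats a guess,
    # so the probe count is uniform on 1..2^n with mean (2^n + 1) / 2.
    space = 2 ** bits
    return Fraction(space + 1, 2)


def expected_probes_rerandomized(bits: int) -> Fraction:
    # Layout re-drawn after every failed probe: each probe succeeds
    # independently with probability 2^-n (geometric), mean 2^n.
    return Fraction(2 ** bits)


def extra_bits_from_rerandomization(bits: int) -> float:
    # log2 of the ratio of the two expectations; approaches 1 as n grows,
    # i.e. per-probe re-randomization buys at most one extra bit.
    ratio = expected_probes_rerandomized(bits) / expected_probes_fixed(bits)
    return math.log2(ratio)


def simulate_mean_probes(bits: int, rerandomize: bool, trials: int, seed: int = 1) -> float:
    # Monte Carlo check of the closed forms on a small, constructed address space.
    rng = random.Random(seed)
    space = 2 ** bits
    total = 0
    for _ in range(trials):
        probes = 0
        if rerandomize:
            # Any fixed guess is as good as any other; guess 0 each time.
            while rng.randrange(space) != 0:
                probes += 1
            probes += 1
        else:
            secret = rng.randrange(space)
            order = list(range(space))
            rng.shuffle(order)           # probe each candidate once, random order
            probes = order.index(secret) + 1
        total += probes
    return total / trials


if __name__ == "__main__":
    BITS = 16  # assumed entropy for illustration
    print(expected_probes_fixed(BITS), expected_probes_rerandomized(BITS),
          round(extra_bits_from_rerandomization(BITS), 4))
```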

