Nytro Posted November 10, 2013

On the Effectiveness of Address-Space Randomization

ABSTRACT

Address-space randomization is a technique used to fortify systems against buffer overflow attacks. The idea is to introduce artificial diversity by randomizing the memory location of certain system components. This mechanism is available for both Linux (via PaX ASLR) and OpenBSD.

We study the effectiveness of address-space randomization and find that its utility on 32-bit architectures is limited by the number of bits available for address randomization. In particular, we demonstrate a derandomization attack that will convert any standard buffer-overflow exploit into an exploit that works against systems protected by address-space randomization. The resulting exploit is as effective as the original exploit, although it takes a little longer to compromise a target machine: on average 216 seconds to compromise Apache running on a Linux PaX ASLR system. The attack does not require running code on the stack.

We also explore various ways of strengthening address-space randomization and point out weaknesses in each. Surprisingly, increasing the frequency of re-randomizations adds at most 1 bit of security. Furthermore, compile-time randomization appears to be more effective than runtime randomization. We conclude that, on 32-bit architectures, the only benefit of PaX-like address-space randomization is a small slowdown in worm propagation speed. The cost of randomization is extra complexity in system support.

Download: http://benpfaff.org/papers/asrandom.pdf
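The abstract's two quantitative claims (that 32-bit ASLR is bounded by its entropy in bits, and that re-randomizing more often buys at most one extra bit) follow from a short probability argument. The script below is an added example, not code from the paper or from the post, and it makes that argument concrete from a defender's point of view: it computes the expected number of guesses an attacker needs for a given entropy budget, once for a layout that stays fixed and once for a layout re-drawn after every attempt, and checks the analytic values against a seeded simulation. The attacker model is an assumption (each attempt is one independent guess of a uniformly random offset and the attacker learns only success or failure); the 16-bit figure used in the usage call is a hypothetical parameter, not a value the post states.

```python
import math
import random


def expected_attempts_static(bits: int) -> float:
    """Expected guesses when the layout stays fixed for the attacker's whole run.

    The secret offset is uniform over 2**bits values and every failed guess
    rules one value out, so on average about half the space is searched.
    """
    space = 2 ** bits
    return (space + 1) / 2


def expected_attempts_rerandomized(bits: int) -> float:
    """Expected guesses when the layout is re-randomized after every attempt.

    Nothing learned from a failed guess carries over, so each attempt is an
    independent trial with success probability 2**-bits; the number of
    attempts is geometric with mean 2**bits.
    """
    return float(2 ** bits)


def extra_bits_from_rerandomization(bits: int) -> float:
    """Security gained by re-randomizing, expressed in bits (log2 of the work ratio).

    The ratio 2**bits / ((2**bits + 1) / 2) is always below 2, so the gain is
    always below one bit, which is the bound the abstract states.
    """
    return math.log2(expected_attempts_rerandomized(bits) / expected_attempts_static(bits))


def simulate_mean_attempts(bits: int, rerandomize: bool, trials: int, seed: int = 1) -> float:
    """Monte Carlo check of the two formulas under the assumed attacker model.

    Constructed simulation: the secret is drawn uniformly from 2**bits values.
    With a fixed layout the attacker sweeps offsets in order and hits the secret
    on guess secret + 1; with re-randomization the secret is re-drawn before
    every attempt, so a fixed guess succeeds with probability 2**-bits each time.
    """
    rng = random.Random(seed)
    space = 2 ** bits
    total_guesses = 0
    for _ in range(trials):
        if rerandomize:
            guess = rng.randrange(space)
            guesses = 1
            while rng.randrange(space) != guess:
                guesses += 1
        else:
            secret = rng.randrange(space)
            guesses = secret + 1
        total_guesses += guesses
    return total_guesses / trials


if __name__ == "__main__":
    # Hypothetical entropy budget for a 32-bit layout; adjust for the system under review.
    entropy_bits = 16
    print(f"fixed layout, {entropy_bits} bits: {expected_attempts_static(entropy_bits):.1f} expected guesses")
    print(f"re-randomized,  {entropy_bits} bits: {expected_attempts_rerandomized(entropy_bits):.1f} expected guesses")
    print(f"gain from re-randomization: {extra_bits_from_rerandomization(entropy_bits):.4f} bits")
    # Small space so the simulation finishes quickly; the ratio is what matters.
    print(f"simulated, 4 bits, fixed: {simulate_mean_attempts(4, False, 20000):.2f}")
    print(f"simulated, 4 bits, re-randomized: {simulate_mean_attempts(4, True, 20000):.2f}")
```

The useful reading for a defender is that the work an attacker faces grows with the entropy (the two formulas are both roughly 2**bits), while changing the re-randomization schedule only moves the result by a factor of at most two; if more than a one-bit improvement is needed, it has to come from more address bits, not from a faster re-randomization timer.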