
Upload: rtimuas

Post on 12-Dec-2015


DESCRIPTION

randomize it to your advantage


Address space layout randomization

From Wikipedia, the free encyclopedia

Address space layout randomization (ASLR) is a computer security technique involved in protection from buffer overflow attacks. In order to prevent an attacker from reliably jumping to a particular exploited function in memory (for example), ASLR involves randomly arranging the positions of key data areas of a program, including the base of the executable and the positions of the stack, heap, and libraries, in a process's address space.

Contents

1 History
2 Benefits
2.1 Effectiveness
2.1.1 Reducing entropy
3 Implementations
3.1 FreeBSD
3.2 OpenBSD
3.3 DragonFly BSD
3.4 Linux
3.5 Android
3.6 Solaris
3.7 Microsoft Windows
3.8 OS X
3.9 iOS (iPhone, iPod touch, iPad)
4 See also
5 References
6 External links

History

In 1997 Memco Software implemented a limited form of stack randomization as part of its SeOS Access Control product.[1]

The Linux PaX project first coined the term "ASLR". It published the first design and implementation of ASLR in July 2001. This remains the most complete implementation, providing also kernel stack randomization from October 2002 onward. It also continues to provide the most entropy for each randomized layout compared to other implementations.[2]

Benefits

Address space randomization hinders some types of security attacks by making it more difficult for an attacker to predict target addresses. For example, attackers trying to execute return-to-libc attacks must locate the code to be executed, while other attackers trying to execute shellcode injected on the stack have to find the stack first. In both cases, the system obscures the relevant memory addresses from the attackers. These values have to be guessed, and a mistaken guess is not usually recoverable because the application crashes.

Address space layout randomization - Wikipedia, the free encyc... file:///Users/saumitre/other/read/tech/Address space layout ran...

1 of 7 9/11/15, 12:07 PM

Effectiveness

Address space layout randomization is based upon the low chance of an attacker guessing the locations of randomly placed areas. Security is increased by increasing the search space. Thus, address space randomization is more effective when more entropy is present in the random offsets. Entropy is increased by either raising the amount of virtual memory area space over which the randomization occurs or reducing the period over which the randomization occurs. The period is typically implemented as small as possible, so most systems must increase VMA space randomization.

To defeat the randomization, attackers must successfully guess the positions of all areas they wish to attack. For data areas such as stack and heap, where custom code or useful data can be loaded, more than one state can be attacked by using NOP slides for code or repeated copies of data. This allows an attack to succeed if the area is randomized to one of a handful of values. In contrast, code areas such as library base and main executable need to be discovered exactly. Often these areas are mixed, for example stack frames are injected onto the stack and a library is returned into.

To begin, let us declare the following variables:

= entropy bits of stack top
= entropy bits of mmap() base
= entropy bits of main executable base
= entropy bits of heap base
= attacked bits per attempt of stack entropy
= attacked bits per attempt of mmap() base entropy
= attacked bits per attempt of main executable entropy
= attacked bits per attempt of heap base entropy
= attempts made

Where is the total amount of entropy:

To calculate the probability of an attacker succeeding, we have to assume a number of attempts carried out without being interrupted by a signature-based IPS, law enforcement, or other factor; in the case of brute forcing, the daemon cannot be restarted. We also have to figure out how many bits are relevant and how many are being attacked in each attempt, leaving however many bits the attacker has to defeat.

The following formulas represent the probability of success for a given set of attempts on bits of entropy.

In many systems, can be in the thousands or millions; on modern 64-bit systems, these numbers typically reach the millions at least. For 32-bit systems at 2004 computer speeds which have 16 bits for address randomization, Shacham and co-workers state "… 16 bits of address randomization can be defeated by a brute force attack within minutes."[3] It should be noted that the authors' statement depends on the ability to attack the same application multiple times without any delay.


Proper implementations of ASLR, like that included in grsecurity, provide several methods to make such brute force attacks infeasible. One method involves preventing an executable from executing for a configurable amount of time if it has crashed a certain number of times.

Some systems implement Library Load Order Randomization, a form of ASLR which randomizes the order in which libraries are loaded. This supplies very little entropy. An approximation of the number of bits of entropy supplied per needed library appears below; this does not yet account for varied library sizes, so the actual entropy gained is really somewhat higher. Note that attackers usually need only one library; the math is more complex with multiple libraries, and shown below as well. Note that the case of an attacker using only one library is a simplification of the more complex formula for .

= number of libraries loaded
= number of libraries used by the attacker

These values tend to be low even for large values of , most importantly since attackers typically can use only the C standard library and thus one can often assume that . Interestingly, however, even for a small number of libraries there are a few bits of entropy gained here; it is thus potentially interesting to combine library load order randomization with VMA address randomization to gain a few extra bits of entropy. Note that these extra bits of entropy will not apply to other mmap() segments, only libraries.

Reducing entropy

Attackers may make use of several methods to reduce the entropy present in a randomized address space, ranging from simple information leaks to attacking multiple bits of entropy per attack (such as by heap spraying). There is little that can be done about this.

It is possible to leak information about memory layout using format string vulnerabilities. Format string functions such as printf use a variable argument list to do their job; format specifiers describe what the argument list looks like. Because of the way arguments are typically passed, each format specifier moves closer to the top of the stack frame. Eventually, the return pointer and stack frame pointer can be extracted, revealing the address of a vulnerable library and the address of a known stack frame; this can completely eliminate library and stack randomization as an obstacle to an attacker.

One can also decrease entropy in the stack or heap. The stack typically must be aligned to 16 bytes, and so this is the smallest possible randomization interval; while the heap must be page-aligned, typically 4096 bytes. When attempting an attack, it is possible to align duplicate attacks with these intervals; a NOP slide may be used with shellcode injection, and the string '/bin/sh' can be replaced with '////////bin/sh' for an arbitrary number of slashes when attempting to return to system. The number of bits removed is exactly for intervals attacked.

Such decreases are limited due to the amount of data in the stack or heap. The stack, for example, is typically limited to 8 MB[4] and grows to much less; this allows for at most 19 bits, although a more conservative estimate would be around 8–10 bits corresponding to 4–16 KB[4] of stack stuffing. The heap on the other hand is limited by the behavior of the memory allocator; in the case of glibc, allocations above 128 KB are created using mmap, limiting attackers to 5 bits of reduction. This is also a limiting factor when brute forcing; although the number of attacks to perform can be reduced, the size of the attacks is increased enough that the behavior could in some circumstances become apparent to intrusion detection systems.
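Worked numbers for the Effectiveness and Reducing entropy sections above, as an added example that is not part of the Wikipedia article. The page omits its formulas, so the relations used here are this example's own assumptions: the remaining entropy N is the sum over regions of (entropy bits minus bits attacked per attempt); one attempt against a freshly randomized layout succeeds with probability 2^-N; padding that spans n aligned positions removes log2(n) bits; and load-order randomization of n attacker-used libraries among l loaded ones yields log2(l!/(l-n)!) bits (ordered placements). The figures it checks are the page's own: 16 bits of randomization, the 8 MB stack and 4–16 KB stuffing estimates, the 128 KB glibc mmap threshold, and the Exec Shield numbers from the Linux section.

```python
"""Entropy budget and brute-force odds for an ASLR configuration.

Added example, not from the article.  The formulas are assumptions stated
in the lead-in; the numbers they are checked against come from the page.
"""
import math


def remaining_bits(entropy, attacked=None):
    """N = sum(E_region - A_region); regions missing from `attacked` lose 0 bits."""
    attacked = attacked or {}
    return sum(bits - attacked.get(region, 0) for region, bits in entropy.items())


def p_success_rerandomized(bits, attempts):
    """Chance of at least one hit in `attempts` tries when every try sees a
    freshly randomized layout (the daemon is restarted after each crash)."""
    return 1.0 - (1.0 - 2.0 ** -bits) ** attempts


def p_success_fixed_layout(bits, attempts):
    """Chance of a hit when the target keeps one layout, so guesses can be
    enumerated without repeats (the non-restarting daemon case)."""
    return min(attempts / 2.0 ** bits, 1.0)


def randomized_range(bits, period):
    """Width in bytes of an area randomized with `bits` bits on a `period`."""
    return (2 ** bits) * period


def bits_removed_by_stuffing(stuffed_bytes, interval):
    """Padding spanning n = stuffed_bytes // interval aligned positions lets one
    attempt cover n layouts, i.e. removes log2(n) bits of entropy."""
    n = max(stuffed_bytes // interval, 1)
    return int(math.log2(n))


def load_order_bits(libraries_loaded, libraries_used=1):
    """Entropy from library load-order randomization (assumed model:
    log2 of the number of ordered placements, l! / (l - n)!)."""
    l, n = libraries_loaded, libraries_used
    return math.log2(math.factorial(l) // math.factorial(l - n))


def exec_shield_report():
    """Recompute the Exec Shield figures quoted in the article's Linux section."""
    return {
        "stack_area_bytes": randomized_range(19, 16),    # 8 MB
        "stack_positions": 2 ** 19,                      # 524 288
        "mmap_area_bytes": randomized_range(8, 4096),    # 1 MB
        "mmap_positions": 2 ** 8,                        # 256
    }


if __name__ == "__main__":
    print("Exec Shield:", exec_shield_report())
    print("16 bits, one fixed layout, 2**15 tries:",
          p_success_fixed_layout(16, 2 ** 15))
    print("16 bits, re-randomized each try, 2**16 tries:",
          round(p_success_rerandomized(16, 2 ** 16), 3))
    print("bits removed by 8 MB of stack stuffing at 16-byte alignment:",
          bits_removed_by_stuffing(8 << 20, 16))
    print("bits removed by 4 KB / 16 KB of stuffing:",
          bits_removed_by_stuffing(4096, 16), bits_removed_by_stuffing(16384, 16))
    print("bits removed below glibc's 128 KB mmap threshold, 4096-byte pages:",
          bits_removed_by_stuffing(128 << 10, 4096))
    print("load-order bits, 4 libraries loaded, 1 used:", load_order_bits(4, 1))
```

The two probability functions make the caveat in the Shacham quotation concrete: with 16 bits and a daemon that keeps one layout, half of all layouts are covered after 2^15 guesses, whereas forcing a fresh layout per attempt (a restart, or the grsecurity crash-delay described above) turns the search into independent trials, where the same 2^16 guesses still leave about a 37% chance of never hitting.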

Implementations


Several mainstream, general-purpose operating systems implement ASLR.

FreeBSD

FreeBSD does not support ASLR as of January 2014. However, Oliver Pinter started work on a basic ASLR patch and Shawn Webb picked up the patch and started enhancing it under the direction of SoldierX (https://soldierx.com/). Active work on ASLR is being done on Shawn Webb's ASLR branch on GitHub (https://github.com/lattera/freebsd/tree/soldierx/lattera/aslr).

OpenBSD

Two years after ASLR was invented and published as part of PaX, a popular security patch for Linux, OpenBSD became the first mainstream operating system to support partial ASLR (and to activate it by default).[5] OpenBSD completed its ASLR support after Linux in 2008 when it added support for PIE binaries.[6] More about Exploit Mitigation Techniques: an Update After 10 Years (http://tech.yandex.com/events/ruBSD/2013/talks/103/) in OpenBSD.

DragonFly BSD

DragonFly BSD has an implementation of ASLR based upon OpenBSD's model, added in 2010.[7] It is off by default, and can be enabled by setting the sysctl vm.randomize_mmap to 1.

Linux

Linux has enabled a weak form of ASLR by default since kernel version 2.6.12 (released June 2005).[8] The PaX and Exec Shield patchsets to the Linux kernel provide more complete implementations. Various Linux distributions including Adamantix, Alpine Linux, Hardened Gentoo, and Hardened Linux From Scratch come with PaX's implementation of ASLR by default.

The Exec Shield patch for Linux supplies 19 bits of stack entropy on a period of 16 bytes; and 8 bits of mmap base randomization on a period of 1 page of 4096 bytes. This places the stack base in an area 8 MB wide containing 524 288 possible positions; and the mmap base in an area 1 MB wide containing 256 possible positions.

Position-independent executable (PIE) implements a random base address for the main executable binary and has been in place since 2003. It provides the main executable with the same address randomness that the shared libraries receive. The PIE feature is in use only for the network-facing daemons; the PIE feature cannot be used together with the prelink feature for the same executable.

The prelink tool implements randomization at prelink time rather than runtime, because by design prelink aims to handle relocating libraries before the dynamic linker has to, which allows the relocation to occur once for many runs of the program. As a result, real address space randomization would defeat the purpose of prelinking.

Support for address space randomization for the Linux kernel itself, which randomizes where the kernel code is placed at boot time,[9] was merged into the Linux kernel mainline in kernel version 3.14, released on 30 March 2014.[10] When compiled in, it can be disabled at boot time by specifying nokaslr as one of the kernel's boot parameters.[11]

Android

Android 4.0 Ice Cream Sandwich provides address space layout randomization (ASLR) to help protect system and third-party applications from exploits due to memory-management issues. Position-independent executable support was added in Android 4.1.[12]

Solaris


ASLR has been introduced in Solaris beginning with Solaris 11.1. ASLR in Solaris 11.1 can be set system-wide, per zone, or on a per-binary basis.[13]

Microsoft Windows

Microsoft's Windows Vista (released January 2007) and later have ASLR enabled for only those executables and dynamic-link libraries specifically linked to be ASLR-enabled.[14] For compatibility, it is not enabled by default for other applications. Typically, only older software is incompatible, and ASLR can be fully enabled by editing the registry entry "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\MoveImages",[15] or by installing Microsoft's Enhanced Mitigation Experience Toolkit (http://support.microsoft.com/kb/2458544).

The locations of the heap, stack, Process Environment Block, and Thread Environment Block are also randomized. A security whitepaper from Symantec noted that ASLR in 32-bit Windows Vista may not be as robust as expected, and Microsoft has acknowledged a weakness in its implementation.[16]

Host-based intrusion prevention systems such as WehnTrust[17] and Ozone[18] also offer ASLR for Windows XP and Windows Server 2003 operating systems. WehnTrust is open-source.[19] Complete details of Ozone's implementation are not available.[20]

It was noted in February 2012[21] that ASLR on 32-bit Windows systems prior to Windows 8 can have its effectiveness reduced in low memory situations. A similar effect was also achieved on Linux in the same research. The test code caused the Mac OS X 10.7.3 system to kernel panic, so its ASLR behavior in this scenario was left unclear.
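The Linux and Windows sections above both describe ASLR as an opt-in property of the binary (PIE on Linux, executables "specifically linked to be ASLR-enabled" on Windows) layered on a system setting. The following added example, which is not code from the Wikipedia article or from any project it cites, shows the checks a defender would run to confirm both: it parses Linux /proc/<pid>/maps captures and reports which of the regions the article names (executable, heap, libc, stack) actually moved between two process images, reads kernel.randomize_va_space, and inspects file headers for the opt-in flags. The header layouts it relies on are not stated on the page and are this example's assumptions: ELF e_type == ET_DYN (3) marks a PIE executable, and the PE optional header's DllCharacteristics word carries IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (0x0040) at offset 70. All maps lines, addresses and header bytes below are constructed samples.

```python
"""Verify that ASLR is on and that the regions the article names really move.

Added example, not from the Wikipedia article.  Assumed formats: Linux
/proc/<pid>/maps lines 'start-end perms offset dev inode [path]', the ELF
e_type field (ET_DYN = 3 for PIE), and the PE DllCharacteristics word with
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040.  Sample data is constructed.
"""
import re
import subprocess

MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S+)\s+\S+\s+\S+\s+\d+\s*(.*)$")


def parse_maps(text):
    """Return {region: start address} for exe (first file-backed mapping),
    heap, stack and libc; regions absent from the capture are omitted."""
    bases = {}
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue
        start, path = int(m.group(1), 16), m.group(4)
        if path == "[heap]":
            key = "heap"
        elif path == "[stack]":
            key = "stack"
        elif path.rsplit("/", 1)[-1].startswith("libc"):
            key = "libc"
        elif path.startswith("/"):
            key = "exe"
        else:
            continue                      # anonymous or special mapping
        bases.setdefault(key, start)      # keep the first (lowest) mapping
    return bases


def compare_layouts(maps_a, maps_b):
    """{region: True if its base differs between the two captures}."""
    a, b = parse_maps(maps_a), parse_maps(maps_b)
    return {k: a[k] != b[k] for k in a if k in b}


def randomize_va_space():
    """kernel.randomize_va_space: 0 off, 1 stack/mmap/vdso, 2 also brk heap.
    Returns None when /proc is unavailable (non-Linux host)."""
    try:
        with open("/proc/sys/kernel/randomize_va_space") as f:
            return int(f.read().strip())
    except OSError:
        return None


def elf_is_pie(header):
    """True when an ELF executable header has e_type == ET_DYN (PIE)."""
    if header[:4] != b"\x7fELF":
        raise ValueError("not an ELF header")
    endian = "little" if header[5] == 1 else "big"   # e_ident[EI_DATA]
    return int.from_bytes(header[16:18], endian) == 3


def pe_has_dynamic_base(data):
    """True when a PE image was linked with the ASLR opt-in (/DYNAMICBASE)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image")
    pe_off = int.from_bytes(data[0x3C:0x40], "little")   # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = pe_off + 4 + 20                 # signature + 20-byte COFF header
    dll_chars = int.from_bytes(data[opt + 70:opt + 72], "little")
    return bool(dll_chars & 0x0040)


# --- constructed samples (addresses and inodes are made up) ------------------
SAMPLE_A = """\
55d0c4a00000-55d0c4a02000 r--p 00000000 fd:01 1234 /usr/bin/cat
55d0c4a02000-55d0c4a06000 r-xp 00002000 fd:01 1234 /usr/bin/cat
55d0c6b3e000-55d0c6b5f000 rw-p 00000000 00:00 0    [heap]
7f3a1c200000-7f3a1c228000 r--p 00000000 fd:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6
7ffd9e3c5000-7ffd9e3e6000 rw-p 00000000 00:00 0    [stack]
"""
# a second "run" of the same program: every region landed somewhere else
SAMPLE_B = (SAMPLE_A.replace("55d0c4a0", "5601a7c0").replace("55d0c6b", "5601a9e")
            .replace("7f3a1c2", "7fb80e1").replace("7ffd9e3", "7ffc1d5"))

ELF_PIE_HEADER = b"\x7fELF\x02\x01\x01" + bytes(9) + b"\x03\x00"   # 64-bit LE, ET_DYN


def fake_pe(dll_characteristics):
    """Minimal constructed PE header carrying the given DllCharacteristics."""
    img = bytearray(0x40 + 4 + 20 + 72)
    img[:2], img[0x3C:0x40] = b"MZ", (0x40).to_bytes(4, "little")
    img[0x40:0x44] = b"PE\0\0"
    opt = 0x40 + 4 + 20
    img[opt + 70:opt + 72] = dll_characteristics.to_bytes(2, "little")
    return bytes(img)


if __name__ == "__main__":
    print("kernel.randomize_va_space =", randomize_va_space())
    print("constructed samples moved:", compare_layouts(SAMPLE_A, SAMPLE_B))
    print("PIE header:", elf_is_pie(ELF_PIE_HEADER), "PE dynamic base:", pe_has_dynamic_base(fake_pe(0x8140)))
    if randomize_va_space() is not None:   # live check: two fresh processes
        runs = [subprocess.run(["cat", "/proc/self/maps"], capture_output=True,
                               text=True, check=True).stdout for _ in range(2)]
        print("live cat(1) regions moved:", compare_layouts(*runs))
```

A region that reports False across two fresh processes is the thing to investigate: the executable staying put points at a non-PIE binary (or an ET_EXEC that the loader cannot relocate), while an unmoved heap with randomize_va_space at 1 rather than 2 is the documented brk behaviour rather than a fault.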

OS X

In Mac OS X Leopard 10.5 (released October 2007), Apple introduced randomization for system libraries.[22]

In Mac OS X Lion 10.7 (released July 2011), Apple expanded their implementation to cover all applications, stating "address space layout randomization (ASLR) has been improved for all applications. It is now available for 32-bit apps (as are heap memory protections), making 64-bit and 32-bit applications more resistant to attack."[23]

As of OS X Mountain Lion 10.8 (released July 2012) and later, the entire system including the kernel as well as kexts and zones are randomly relocated during system boot.[24]

iOS (iPhone, iPod touch, iPad)

Apple introduced ASLR in iOS 4.3 (released March 2011).[25]

See also

Buffer overflow
Stack buffer overflow
Stack-smashing protection
NX bit

References

1. US patent 5949973 (http://worldwide.espacenet.com/textdoc?DB=EPODOC&IDX=US5949973), Yarom, Yuval, "Method of relocating the stack in a computer system for preventing overrate by an exploit program", issued 1999-09-07, assigned to Memco Software, Ltd.
2. Comparison of PaX to Exec Shield and W^X
3. On the Effectiveness of Address-Space Randomization, Shacham, H. and Page, M. and Pfaff, B. and Goh, E.J. and Modadugu, N. and Boneh, D., Proceedings of the 11th ACM conference on Computer and communications security, pp. 298-307, 2004
4. Transistorized memory, such as RAM, ROM, flash and cache sizes as well as file sizes are specified using binary meanings for K (1024^1), M (1024^2), G (1024^3), ...
5. Theo De Raadt (2005). "Exploit Mitigation Techniques (updated to include random malloc and mmap) at OpenCON 2005" (http://www.openbsd.org/papers/ven05-deraadt/index.html). Retrieved 26 August 2009.
6. Kurt Miller (2008). "OpenBSD's Position Independent Executable (PIE) Implementation" (http://www.openbsd.org/papers/nycbsdcon08-pie/). Archived (http://web.archive.org/web/20110612150147/http://openbsd.org/papers/nycbsdcon08-pie/) from the original on 12 June 2011. Retrieved 22 July 2011.
7. mmap - add mmap offset randomization (http://gitweb.dragonflybsd.org/dragonfly.git/commit/911e30e25724984efec56accba87f739cfca2937), DragonFly Gitweb, 25 November 2010.
8. The NX Bit And ASLR (http://www.tomshardware.com/reviews/pwn2own-mac-hack,2254-4.html), Tom's Hardware, 25 March 2009.
9. Jake Edge (2013-10-09). "Kernel address space layout randomization" (https://lwn.net/Articles/569635/). LWN.net. Retrieved 2014-04-02.
10. "1.7. Kernel address space randomization" (http://kernelnewbies.org/Linux_3.14#head-192cae48200fccde67b36c75cdb6c6d8214cccb3). Linux kernel 3.14. kernelnewbies.org. 2014-03-30. Retrieved 2014-04-02.
11. "kernel/git/torvalds/linux.git: x86, kaslr: Return location from decompress_kernel" (https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8ab3820fd5b2896d66da7bb2a906bc382e63e7bc). Linux kernel source tree. kernel.org. 2013-10-13. Retrieved 2014-04-02.
12. "Android Security" (http://source.android.com/tech/security/index.html#memory-management-security-enhancements). Android Developers. Retrieved 7 July 2012.
13. Controlling Access to Machine Resources (http://docs.oracle.com/cd/E26502_01/html/E29015/concept-13.html#concept-aslr-1), Oracle Information Library, 26 October 2012.
14. "Windows ISV Software Security Defenses" (http://msdn.microsoft.com/en-us/library/bb430720.aspx). Msdn.microsoft.com. Retrieved 10 April 2012.
15. Windows Internals: Including Windows Server 2008 and Windows Vista, Fifth Edition (PRO-Developer). ISBN 978-0-7356-2530-3.
16. Ollie Whitehouse (February 2007). "An Analysis of Address Space Layout Randomization on Windows Vista" (http://www.symantec.com/avcenter/reference/Address_Space_Layout_Randomization.pdf) (PDF).
17. "WehnTrust" (http://www.codeplex.com/wehntrust). Codeplex.com. Retrieved 10 April 2012.
18. "Security Architects' Ozone" (http://www.securityarchitects.com/products.html). Securityarchitects.com. Retrieved 10 April 2012.
19. "WehnTrust source code" (http://wehntrust.codeplex.com/). Retrieved 15 November 2013.
20. "Address-Space Randomization for Windows Systems" (http://seclab.cs.sunysb.edu/seclab/pubs/acsac06.pdf) (PDF). Retrieved 10 April 2012.
21. Posted by Ollie (2 March 2012). "Research, Develop, Assess, Consult & Educate | Recx: A Partial Technique Against ASLR – Multiple O/Ss" (http://recxltd.blogspot.co.uk/2012/03/partial-technique-against-aslr-multiple.html). Recxltd.blogspot.co.uk. Retrieved 10 April 2012.
22. "Mac OS X – Security – Keeps safe from viruses and malware" (http://www.apple.com/macosx/security/#sixtyfour). Apple. Retrieved 10 April 2012.
23. "Security" (http://www.apple.com/macosx/whats-new/features.html#security). Apple Inc. Archived (http://web.archive.org/web/20110606235315/http://www.apple.com/macosx/whats-new/features.html) from the original on 6 June 2011. Retrieved 6 June 2011.
24. "OS X Mountain Lion Core Technologies Overview" (http://movies.apple.com/media/us/osx/2012/docs/OSX_MountainLion_Core_Technologies_Overview.pdf). June 2012. Retrieved 25 July 2012.
25. Pwn2Own day 2: iPhone, BlackBerry beaten; Chrome, Firefox no-shows (http://arstechnica.com/security/news/2011/03/pwn2own-day-2-iphone-blackberry-beaten-chrome-firefox-no-shows.ars), Ars Technica, 11 March 2011.

External links

ASLR Bypass in Windows - Brian Mariani (https://www.htbridge.com/publications/defeating_data_execution_prevention_and_aslr_in_windows_xp_sp3.html)
PaX documentation on ASLR (http://pax.grsecurity.net/docs/aslr.txt)
Comparison of PaX to Exec Shield and W^X (http://grsecurity.net/PaX-presentation_files/frame.htm)
ASLR for Windows Vista beta 2 (http://blogs.msdn.com/michael_howard/archive/2006/05/26/608315.aspx)
ASLR for Windows 2000/XP/2003 (WehnTrust) (http://www.wehnus.com/)
Bypassing PaX ASLR protection (http://www.phrack.org/issues.html?issue=59&id=9#article)
On the effectiveness of address space layout randomization (http://portal.acm.org/citation.cfm?id=1030124&dl=ACM&coll=&CFID=15151515&CFTOKEN=6184618)
Test Applications (or libraries) for their ASLR and DEP support (http://www.winitor.com/)
ASLR Smack & Laugh Reference (http://www.ece.cmu.edu/%7Edbrumley/courses/18739c-s11/docs/aslr.pdf)
U.S. Patent 5,745,569 (http://www.google.com/patents/US5745569) ("Method for stega-cipher protection of computer code", issued 1998-04-28)

Retrieved from "http://en.wikipedia.org/w/index.php?title=Address_space_layout_randomization&oldid=623884571"

Categories: Operating system security

This page was last modified on 2 September 2014 at 17:13. Text is available under the Creative Commons Attribution-ShareAlike License; additional terms may apply. By using this site, you agree to the Terms of Use and Privacy Policy. Wikipedia® is a registered trademark of the Wikimedia Foundation, Inc., a non-profit organization.
