On the Effectiveness of Address-Space Randomization

By Hovav Shacham, Matt Page, Ben Pfaff, Eu-Jin Goh, Nagendra Modadugu, and Dan Boneh.

In Proceedings of CCS 2004, pages 298–307. ACM Press, Oct. 2004.

Abstract

Address-space randomization is a technique used to fortify systems against buffer overflow attacks. The idea is to introduce artificial diversity by randomizing the memory location of certain system components. This mechanism is available for both Linux (via PaX ASLR) and OpenBSD. We study the effectiveness of address-space randomization and find that its utility on 32-bit architectures is limited by the number of bits available for address randomization. In particular, we demonstrate a derandomization attack that will convert any standard buffer-overflow exploit into an exploit that works against systems protected by address-space randomization. The resulting exploit is as effective as the original exploit, although it takes a little longer to compromise a target machine: on average 216 seconds to compromise Apache running on a Linux PaX ASLR system. The attack does not require running code on the stack.

We also explore various ways of strengthening address-space randomization and point out weaknesses in each. Surprisingly, increasing the frequency of re-randomizations adds at most 1 bit of security. Furthermore, compile-time randomization appears to be more effective than runtime randomization. We conclude that, on 32-bit architectures, the only benefit of PaX-like address-space randomization is a small slowdown in worm propagation speed. The cost of randomization is extra complexity in system support.

Material

Reference

@InProceedings{SPPGMB04, author = {Hovav Shacham and Matthew Page and Ben Pfaff and Eu-Jin Goh and Nagendra Modadugu and Dan Boneh}, title = {On the Effectiveness of Address-Space Randomization}, booktitle = {Proceedings of CCS 2004}, pages = {298-307}, editor = {Birgit Pfitzmann and Peng Liu}, month = oct, year = 2004, publisher = {ACM Press} }

Navigation: Hovav Shacham // Publications // [SPPGMB04]