DOI: 10.1145/1030083.1030124
Article

On the effectiveness of address-space randomization

Published: 25 October 2004

Abstract

    Address-space randomization is a technique used to fortify systems against buffer overflow attacks. The idea is to introduce artificial diversity by randomizing the memory location of certain system components. This mechanism is available for both Linux (via PaX ASLR) and OpenBSD. We study the effectiveness of address-space randomization and find that its utility on 32-bit architectures is limited by the number of bits available for address randomization. In particular, we demonstrate a derandomization attack that will convert any standard buffer-overflow exploit into an exploit that works against systems protected by address-space randomization. The resulting exploit is as effective as the original exploit, although it takes a little longer to compromise a target machine: on average 216 seconds to compromise Apache running on a Linux PaX ASLR system. The attack does not require running code on the stack.
    We also explore various ways of strengthening address-space randomization and point out weaknesses in each. Surprisingly, increasing the frequency of re-randomizations adds at most 1 bit of security. Furthermore, compile-time randomization appears to be more effective than runtime randomization. We conclude that, on 32-bit architectures, the only benefit of PaX-like address-space randomization is a small slowdown in worm propagation speed. The cost of randomization is extra complexity in system support.
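As an added illustration of the abstract's "at most 1 bit" claim (this is not code from the paper), the model below compares the expected number of probes a searcher needs against a layout whose random offset stays fixed across probes with the number needed when the layout is re-randomized before every probe, and expresses both as bits of attacker work. The 16-bit entropy figure and the simple sequential-search model are assumptions for the example, not statements taken from the abstract.

```python
import math
import random

# Assumption for this example: 16 bits of randomization on a 32-bit PaX ASLR system.
# The abstract itself only says the entropy is "limited by the number of bits available".
ASSUMED_BITS = 16


def expected_probes_fixed_layout(bits: int) -> float:
    """Expected probes when the randomized offset is the same for every probe.

    A search that tries each of the N = 2**bits candidate offsets once, in some
    order, hits the right one after (N + 1) / 2 probes on average.
    """
    n = 2 ** bits
    return (n + 1) / 2


def expected_probes_rerandomized(bits: int) -> float:
    """Expected probes when the layout is re-randomized before every probe.

    Each probe then succeeds independently with probability 1 / N, so the probe
    count is geometric with mean N: earlier misses teach the searcher nothing.
    """
    return float(2 ** bits)


def effective_security_bits(expected_probes: float) -> float:
    """Attacker work expressed as log2 of the expected number of probes."""
    return math.log2(expected_probes)


def rerandomization_gain_bits(bits: int) -> float:
    """Extra bits of work that per-probe re-randomization buys over a fixed layout."""
    return (effective_security_bits(expected_probes_rerandomized(bits))
            - effective_security_bits(expected_probes_fixed_layout(bits)))


def simulate_mean_probes(bits: int, rerandomize: bool, trials: int, seed: int = 1) -> float:
    """Monte Carlo check of both closed forms on a small, constructed address space.

    The secret offset is drawn uniformly; the searcher walks candidate offsets in order.
    """
    rng = random.Random(seed)
    n = 2 ** bits
    total = 0
    for _ in range(trials):
        secret = rng.randrange(n)
        guess, probes = 0, 0
        while True:
            probes += 1
            if guess == secret:
                break
            guess = (guess + 1) % n
            if rerandomize:
                secret = rng.randrange(n)  # fresh layout for the next probe
        total += probes
    return total / trials
```

For the assumed 16-bit layout the two models give 15.0 and 16.0 bits of work respectively, so re-randomizing on every probe doubles the expected work and nothing more.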



      Published In

      CCS '04: Proceedings of the 11th ACM conference on Computer and communications security
      October 2004
      376 pages
      ISBN: 1581139616
      DOI: 10.1145/1030083

      Publisher

      Association for Computing Machinery
      New York, NY, United States


      Author Tags

      1. address-space randomization
      2. automated attacks
      3. diversity

      Qualifiers

      • Article

      Conference

      CCS04

      Acceptance Rates

      Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

