Address Space Layout Randomization (ASLR)
From SCADApedia
Address Space Layout Randomization is a security technology enabled in Microsoft operating systems beginning with Windows Vista, but only for executables which are specifically linked to be ASLR enabled. The technique involves randomly arranging the positions of key data areas, usually including the base of the executable and the position of libraries, heap, and stack, in a process's address space.
Benefits and Drawbacks
Address space randomization hinders some types of attacks by preventing an attacker from being able to easily predict target addresses. For example, attackers trying to execute return-to-libc attacks must locate the code to be executed, and attackers trying to execute shellcode injected on the stack have to first find the stack. In both cases, the related memory addresses are obscured from the attackers and these values have to be guessed, and a wrong guess is not usually recoverable because the application crashes.
However in a control system context this may be an unwanted effect, and it may be more desirable for a critical system to be compromised and still functioning than to be unavailable. This consideration will have to be worked out between vendors and their customers as more development suites include the ability to enable technologies like this and more systems are deployed on later versions of Vista and Server that can make use of it.
Effectiveness
Address space layout randomization relies on the low chance of an attacker guessing where randomly placed areas are located; security is increased by increasing the search space. Thus, address space randomization is more effective when more entropy is present in the random offsets. Entropy is increased by either raising the amount of virtual memory area space the randomization occurs over, or reducing the period the randomization occurs over; the period is typically implemented as small as possible, so most systems must increase VMA space randomization.
To defeat ASLR, an attacker must successfully guess the positions of all areas he is attacking. For data areas such as stack and heap, where custom code or useful data can be loaded, this can be attacked by using NOP slides for code or repeated copies of data; this allows an attack to succeed if the area is randomized to one of a handful of values. In contrast, code areas such as library base and main executable need to be discovered exactly to function as expected. In the case of Windows Vista Beta 2, a DLL or EXE could be loaded into any of 256 locations, which means an attacker has a 1/256 chance of getting the address right. In short, this makes it harder for exploits to work correctly.
In Vista's case this happens in 3 parts: load address randomization, stack address randomization (both enabled with the /dynamicbase linker option) and heap randomization. The first randomization changes addresses across Vista reboots. The second randomization happens every time you launch an application linked with the /dynamicbase option. The third randomization happens every time you launch an application, whether or not it was linked with the /dynamicbase option, as we will see below.
ASLR alone is a powerful technique for preventing arbitrary code execution, but works much better when combined with Stack Cookies, SafeSEH, and Data Execution Prevention.
Enabling Support in Build Environment
Support for ASLR can be enabled in build environments by setting the /DYNAMICBASE option in the linker options of Visual Studio projects.
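Setting /DYNAMICBASE only helps if the flag actually made it into the shipped binary, so a practitioner will want to verify it on the built executable or DLL rather than trusting the project settings. The linker records the option as the IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE bit (0x0040) in the DllCharacteristics field of the PE optional header; DEP, mentioned above, is recorded next to it as IMAGE_DLLCHARACTERISTICS_NX_COMPAT (0x0100). The script below is an added example written for this page, not code from SCADApedia or from Microsoft; it assumes only the documented PE header layout (DllCharacteristics sits at offset 70 of the optional header for both PE32 and PE32+), and the PE image it builds for its own demonstration is a constructed header stub, not a real program.

```python
import struct

# DllCharacteristics bits written by the Visual Studio linker.
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # /DYNAMICBASE (ASLR)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # /NXCOMPAT (DEP)


def pe_dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics field from a PE image's optional header.

    Walks DOS header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> optional header
    and validates each step so a non-PE file raises instead of returning junk.
    """
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER (20 bytes)
    size_of_optional = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20                           # IMAGE_OPTIONAL_HEADER start
    if size_of_optional < 72 or len(image) < opt + 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (0x10B, 0x20B):           # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics is at offset 70 in both PE32 and PE32+ layouts.
    return struct.unpack_from("<H", image, opt + 70)[0]


def aslr_enabled(image: bytes) -> bool:
    """True if the binary was linked with /DYNAMICBASE."""
    return bool(pe_dll_characteristics(image) & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)


def dep_enabled(image: bytes) -> bool:
    """True if the binary was linked with /NXCOMPAT."""
    return bool(pe_dll_characteristics(image) & IMAGE_DLLCHARACTERISTICS_NX_COMPAT)


def check_file(path: str) -> dict:
    """Summarise the mitigation flags of a PE file on disk."""
    with open(path, "rb") as fh:
        image = fh.read()
    return {"path": path, "aslr": aslr_enabled(image), "dep": dep_enabled(image)}


def build_test_image(dll_characteristics: int) -> bytes:
    """Constructed minimal PE header (DOS stub + COFF + PE32 optional header).

    This is only enough header to exercise the parser; it is not loadable.
    """
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew: PE signature right after DOS header
    # Machine=i386, 0 sections, no symbols, 224-byte optional header, EXECUTABLE_IMAGE|32BIT
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)     # PE32 magic
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for flags in (0, IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE,
                  IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT):
        img = build_test_image(flags)
        print("DllCharacteristics=0x%04x aslr=%s dep=%s"
              % (flags, aslr_enabled(img), dep_enabled(img)))
```

Run `check_file(r"C:\path\to\your.exe")` against a real build output to see whether the linker flag took effect; a binary that reports `aslr=False` will be loaded at its fixed preferred base even on Vista, which is the case the page warns about. Note that the third party DLLs a control system application loads are subject to the same check: one non-/DYNAMICBASE module in the process is enough to give an attacker a fixed address to work from.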
External Links
/DYNAMICBASE (Use address space layout randomization)
An Analysis of Address Space Layout Randomization on Windows Vista
