Revisiting Address Space Randomization
Zhi Wang¹, Renquan Cheng², and Debin Gao²
¹ College of Information Technology and Science, Nankai University, China
² School of Information Systems, Singapore Management University, Singapore
Abstract. Address space randomization is believed to be a strong defense against memory error exploits. Many code and data objects in a potentially vulnerable program and the system could be randomized, including those on the stack and heap, the base address of code, the order of functions, the PLT, the GOT, etc. Randomizing these code and data objects is believed to be effective in obfuscating the addresses in memory to obscure the locations of code and data objects. However, attacking techniques have advanced since the introduction of address space randomization. In particular, return-oriented programming has made attacks without injected code much more powerful than they were before. Keeping this new attacking technique in mind, in this paper we revisit address space randomization and analyze the effectiveness of randomizing various code and data objects.

We show that randomizing certain code and data objects has become much less effective. In particular, randomizing the base and order of functions in shared libraries and randomizing the location and order of entries in the PLT and GOT do not introduce significant difficulty to attacks using return-oriented programming. We propose a more general version of such attacks than what was introduced before, and point out weaknesses of a previously proposed fix. We argue that address space randomization was introduced without considering such attacks, and that a simple fix probably does not exist.
Keywords: Address space randomization, return-oriented programming, software exploit.
1 Introduction
Address Space Randomization (ASR) has been proposed as a technique to fight against memory error exploits [2,3,4]. Most of these techniques obfuscate addresses in memory to obscure the location of code and data objects, including those on the stack and heap, static data, the PLT, the GOT, etc. An attacker would then have a hard time finding out the addresses of code and data objects. This in turn makes the result of an invalid memory access unpredictable. For example, randomizing the base of the stack and introducing random-sized gaps between successive stack frames could make it difficult for an attack to locate or overwrite the return address; randomizing the locations of the PLT and GOT could make it difficult for an attack to access system functions such as execve() after subverting the program's control flow, and therefore limit what a successful exploit could perform.