DOI: 10.1145/1030083.1030124

On the effectiveness of address-space randomization

Published: 25 October 2004

ABSTRACT

Address-space randomization is a technique used to fortify systems against buffer overflow attacks. The idea is to introduce artificial diversity by randomizing the memory location of certain system components. This mechanism is available for both Linux (via PaX ASLR) and OpenBSD. We study the effectiveness of address-space randomization and find that its utility on 32-bit architectures is limited by the number of bits available for address randomization. In particular, we demonstrate a derandomization attack that will convert any standard buffer-overflow exploit into an exploit that works against systems protected by address-space randomization. The resulting exploit is as effective as the original exploit, although it takes a little longer to compromise a target machine: on average 216 seconds to compromise Apache running on a Linux PaX ASLR system. The attack does not require running code on the stack.

We also explore various ways of strengthening address-space randomization and point out weaknesses in each. Surprisingly, increasing the frequency of re-randomizations adds at most 1 bit of security. Furthermore, compile-time randomization appears to be more effective than runtime randomization. We conclude that, on 32-bit architectures, the only benefit of PaX-like address-space randomization is a small slowdown in worm propagation speed. The cost of randomization is extra complexity in system support.
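The two quantitative claims in the abstract (security is bounded by the number of randomized bits, and re-randomizing more often adds at most 1 bit) both follow from the expected number of guesses an attacker needs. The Python below is an added illustration written for this page; it is not code from the paper, from PaX or from OpenBSD. It models the two cases a defender sizing an entropy budget should compare: a layout fixed once per process, where a search over the 2^n candidates finds the right one after (2^n + 1)/2 probes on average, and a layout re-drawn before every probe, where each probe is an independent trial and the mean is 2^n. The ratio of the two is just under 2, i.e. under one bit. The 16-bit and 28-bit budgets in the `__main__` block are illustrative assumptions, not figures taken from the page.

```python
"""Expected cost of guessing one randomized address as a function of the
entropy available.  Added illustration for the abstract above; not code from
the paper, from PaX, or from OpenBSD.  The per-architecture bit counts in
__main__ are illustrative assumptions, not figures from the page."""
import math
import random
from fractions import Fraction


def expected_probes_fixed_layout(bits: int) -> Fraction:
    """Layout is randomized once (at process start) and then stays put while
    the attacker tries the 2**bits candidates one after another.  The real
    value is uniform over the candidates, so on average the search visits
    (2**bits + 1) / 2 of them before hitting it."""
    n = 2 ** bits
    return Fraction(n + 1, 2)


def expected_probes_rerandomized(bits: int) -> Fraction:
    """Layout is re-randomized before every probe, so each probe is an
    independent trial that succeeds with probability 2**-bits.  Probes until
    the first success are geometric with mean 2**bits."""
    return Fraction(2 ** bits)


def rerandomization_gain_bits(bits: int) -> float:
    """Extra security bought by re-randomization, in bits: log2 of the ratio
    of the two expected probe counts.  Always below 1.0 and tends to it from
    below, which is the abstract's 'at most 1 bit' claim."""
    ratio = expected_probes_rerandomized(bits) / expected_probes_fixed_layout(bits)
    return math.log2(ratio)


def simulate_mean_probes(bits: int, rerandomize: bool,
                         trials: int = 2000, seed: int = 1) -> float:
    """Monte Carlo check of the closed forms: returns the sample mean number of
    probes over `trials` independent games.  The constructed guesser tries
    0, 1, 2, ... in order; under re-randomization a fresh secret is drawn
    before each probe, so the guess order does not matter."""
    rng = random.Random(seed)
    space = 2 ** bits
    total = 0
    for _ in range(trials):
        secret = rng.randrange(space)
        probes = 0
        while True:
            probes += 1
            if probes - 1 == secret:      # guess number (probes - 1) matches
                break
            if rerandomize:               # layout re-drawn before next probe
                secret = rng.randrange(space)
        total += probes
    return total / trials


def entropy_report(bits: int) -> dict:
    """Side-by-side expected probe counts for one entropy budget."""
    return {
        "bits": bits,
        "fixed_layout": float(expected_probes_fixed_layout(bits)),
        "rerandomized": float(expected_probes_rerandomized(bits)),
        "rerandomization_gain_bits": rerandomization_gain_bits(bits),
    }


if __name__ == "__main__":
    # Illustrative entropy budgets (assumptions, not from the page): a 32-bit
    # layout with 16 randomized bits versus a 64-bit layout with 28.
    for b in (16, 28):
        print(entropy_report(b))
    print("simulated, fixed layout, 8 bits:", simulate_mean_probes(8, False))
    print("simulated, re-randomized, 8 bits:", simulate_mean_probes(8, True))
```

Running it shows why the abstract treats the bit count, not the re-randomization frequency, as the lever that matters: moving from 16 to 28 bits multiplies the expected work by 4096, while re-randomizing before every probe at any fixed width never quite doubles it. The simulation uses 8 bits only so that it finishes quickly; the closed forms hold for any width.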


Published in

CCS '04: Proceedings of the 11th ACM conference on Computer and communications security
October 2004
376 pages
ISBN: 1581139616
DOI: 10.1145/1030083

Copyright © 2004 ACM


Publisher

Association for Computing Machinery, New York, NY, United States
