Computer Science, Informatik 4
Communication and Distributed Systems
ASLR
Address Space Layout Randomization
Seminar on Advanced Exploitation Techniques
Chair of Computer Science 4
RWTH Aachen
Tilo Müller
What is ASLR?
- A security technology to prevent exploitation of buffer overflows
- Most popular alternative: non-executable stack
- Enabled by default since Linux kernel 2.6.12 (2005) / Windows Vista Beta 2 (2006)
- Earlier third-party implementations: PaX (since 2000)
How does ASLR work?
- ASLR = Address Space Layout Randomization
- Aim: introduce randomness into the address space of each instantiation of a process (24 bits of a 32-bit address are randomized)
- Addresses of infiltrated shellcode are no longer predictable
- Common exploitation techniques fail, because the location of the shellcode is unknown
[Figure: process memory (stack) of two instantiations of the same program. 1st inst.: bfaa2e58 ... bfaa2e14, bfaa2e10; 2nd inst.: bf9114c8 ... bf911484, bf911480]
How does ASLR work?
Demonstration:
getEBP.c (32-bit x86 only: reads the current frame pointer, which points into the stack)

    #include <stdio.h>

    unsigned long getEBP(void) {
        unsigned long ebp;
        /* copy %ebp into a C variable via an output operand instead of
           relying on %eax happening to hold the return value */
        __asm__("movl %%ebp, %0" : "=r"(ebp));
        return ebp;
    }

    int main(void) {
        printf("EBP: %lx\n", getEBP());
        return 0;
    }
ASLR disabled:
> ./getEBP
EBP:bffff3b8
> ./getEBP
EBP:bffff3b8
ASLR enabled:
> ./getEBP
EBP:bfaa2e58
> ./getEBP
EBP:bf9114c8
What is randomized?
- Only the
stack
and
libraries
e.g.
not
the
heap,
text, data and bss segment
Demonstration (two separate runs with ASLR enabled):

> cat /proc/self/maps | egrep '(libc|heap|stack)'
0804d000-0806e000 rw-p 0804d000 00:00 0       [heap]
b7e5e000-b7fa5000 r-xp 00000000 08:01 1971213 /lib/i686/cmov/libc-2.7.so
b7fa5000-b7fa6000 r--p 00147000 08:01 1971213 /lib/i686/cmov/libc-2.7.so
b7fa6000-b7fa8000 rw-p 00148000 08:01 1971213 /lib/i686/cmov/libc-2.7.so
bfa0d000-bfa22000 rw-p bffeb000 00:00 0       [stack]

> cat /proc/self/maps | egrep '(libc|heap|stack)'
0804d000-0806e000 rw-p 0804d000 00:00 0       [heap]
b7da0000-b7ee7000 r-xp 00000000 08:01 1971213 /lib/i686/cmov/libc-2.7.so
b7ee7000-b7ee8000 r--p 00147000 08:01 1971213 /lib/i686/cmov/libc-2.7.so
b7ee8000-b7eea000 rw-p 00148000 08:01 1971213 /lib/i686/cmov/libc-2.7.so
bfa86000-bfa9b000 rw-p bffeb000 00:00 0       [stack]

In both runs the heap starts at 0804d000, while the libc mappings and the stack have moved.
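As an added example (not part of the slides), a small Python script that parses /proc/<pid>/maps dumps and reports, per mapped object, whether its base address changed between two instantiations. Fed with the two dumps from the slide above it reproduces the claim (heap fixed, libc and stack randomized); live_check repeats the experiment on a running Linux host. Function names are my own.

```python
import re
import subprocess

# One line of /proc/<pid>/maps: "start-end perms offset dev inode [path]"
MAPS_RE = re.compile(r"^([0-9a-f]+)-[0-9a-f]+\s+(\S{4})\s+\S+\s+\S+\s+\d+\s*(.*)$")
# Sample input: the two ASLR-enabled dumps shown on the slide above.
RUN_1 = """\
0804d000-0806e000 rw-p 0804d000 00:00 0 [heap]
b7e5e000-b7fa5000 r-xp 00000000 08:01 1971213 /lib/i686/cmov/libc-2.7.so
b7fa5000-b7fa6000 r--p 00147000 08:01 1971213 /lib/i686/cmov/libc-2.7.so
b7fa6000-b7fa8000 rw-p 00148000 08:01 1971213 /lib/i686/cmov/libc-2.7.so
bfa0d000-bfa22000 rw-p bffeb000 00:00 0 [stack]
"""
RUN_2 = """\
0804d000-0806e000 rw-p 0804d000 00:00 0 [heap]
b7da0000-b7ee7000 r-xp 00000000 08:01 1971213 /lib/i686/cmov/libc-2.7.so
b7ee7000-b7ee8000 r--p 00147000 08:01 1971213 /lib/i686/cmov/libc-2.7.so
b7ee8000-b7eea000 rw-p 00148000 08:01 1971213 /lib/i686/cmov/libc-2.7.so
bfa86000-bfa9b000 rw-p bffeb000 00:00 0 [stack]
"""

def parse_maps(text):
    """Return {(path, perms): start address} for each mapping in a maps dump."""
    regions = {}
    for line in text.splitlines():
        m = MAPS_RE.match(line.strip())
        if m:  # blank or malformed lines are skipped
            regions[(m.group(3) or "[anon]", m.group(2))] = int(m.group(1), 16)
    return regions

def randomized_by_name(run_a, run_b):
    """One verdict per object: True if any of its mappings changed base address."""
    verdict = {}
    for path, perms in run_a.keys() & run_b.keys():
        moved = run_a[(path, perms)] != run_b[(path, perms)]
        verdict[path] = verdict.get(path, False) or moved
    return verdict

def live_check(pattern="libc|heap|stack"):
    """Repeat the slide's experiment on a running Linux host (two fresh processes)."""
    runs = []
    for _ in range(2):
        dump = subprocess.check_output(["cat", "/proc/self/maps"], text=True)
        runs.append({k: v for k, v in parse_maps(dump).items() if re.search(pattern, k[0])})
    return randomized_by_name(*runs)

if __name__ == "__main__":
    result = randomized_by_name(parse_maps(RUN_1), parse_maps(RUN_2))
    for path, moved in sorted(result.items()):
        print(f"{path:28} {'randomized' if moved else 'fixed'}")
```

On a modern kernel with full ASLR (randomize_va_space = 2) live_check also reports the heap as randomized, which is exactly the difference from the 2.6-era setup on the slide.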