ABSTRACT
Address-space randomization is a technique used to fortify systems against buffer overflow attacks. The idea is to introduce artificial diversity by randomizing the memory location of certain system components. This mechanism is available for both Linux (via PaX ASLR) and OpenBSD. We study the effectiveness of address-space randomization and find that its utility on 32-bit architectures is limited by the number of bits available for address randomization. In particular, we demonstrate a derandomization attack that converts any standard buffer-overflow exploit into an exploit that works against systems protected by address-space randomization. The resulting exploit is as effective as the original exploit, although it takes a little longer to compromise a target machine: on average 216 seconds to compromise Apache running on a Linux PaX ASLR system. The attack does not require running code on the stack. We also explore various ways of strengthening address-space randomization and point out weaknesses in each. Surprisingly, increasing the frequency of re-randomizations adds at most 1 bit of security. Furthermore, compile-time randomization appears to be more effective than runtime randomization. We conclude that, on 32-bit architectures, the only benefit of PaX-like address-space randomization is a small slowdown in worm propagation speed. The cost of randomization is extra complexity in system support.