An analysis of address space layout randomization on Windows Vista
Abstract and Figures
Address space layout randomization (ASLR) is a prophylactic security technology aimed at reducing the effectiveness of exploit attempts. With the advent of the Microsoft® Windows Vista operating system, ASLR has been integrated into the default configuration of the Windows® operating system for the first time. We measure the behavior of the ASLR implementation in the Windows Vista RTM release. Our analysis of the results uncovers predictability in the implementation that reduces its effectiveness.
Address space layout randomization, or ASLR, is a prophylactic security technology that strengthens system security by increasing the diversity of attack targets [20]. Rather than increasing security by removing vulnerabilities from the system, ASLR makes it more difficult to exploit existing vulnerabilities. This technology complements efforts to remove security vulnerabilities since it can offer some protection from vulnerabilities that have not yet been remedied or may not even be known yet. ASLR is also complementary to other prophylactic techniques such as Data Execution Prevention (DEP): the combination of these two technologies provides a much stronger defense against memory manipulation vulnerabilities than either one alone. Techniques for exploiting memory manipulation vulnerabilities are sensitive to the memory layout of the program being targeted. This important class of vulnerability includes stack and heap overflows and underflows, format string vulnerabilities, array index overflows, and uninitialized variables. By randomizing the memory layout of an executing program, ASLR decreases the predictability of that layout and reduces the probability that an individual exploit attempt will succeed. The security offered by ASLR is based on several factors [12], including how predictable the random memory layout of a program is, how tolerant an exploit technique is to variations in memory layout, and how many exploitation attempts an attacker can practically make.
Address space layout randomization has been integrated into several popular operating systems—including OpenBSD and Linux—for several years. Third-party ASLR implementations have been available for previous versions of the Windows operating system as stand-alone products or as part of host intrusion protection (HIPS) solutions [1][2][4][11][18]. With the advent of the Microsoft® Windows Vista operating system, ASLR has been integrated into the default configuration of a Windows® operating system for the first time [5]. We measured the behavior of the ASLR feature in the 32-bit Windows Vista RTM release. This paper discusses our measurement techniques and presents our findings. Our analysis uncovers some flaws that reduce the effectiveness of the ASLR implementation in Windows Vista.
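As an added illustration (not code from the paper), the Python below takes sampled addresses of the kind such a measurement produces and reports which address bits vary at all, which vary but are skewed away from 50/50, and whether one region's position is predictable from another's. The samples are constructed with a fixed seed and are hypothetical, not data measured from Windows Vista.

```python
import math
from collections import Counter
from random import Random


def shannon_entropy_bits(samples):
    """Shannon entropy, in bits, of the observed value distribution."""
    n = len(samples)
    return -sum(c / n * math.log2(c / n) for c in Counter(samples).values())


def per_bit_bias(samples, width=32):
    """Fraction of samples in which bit i is set, for i in 0..width-1."""
    n = len(samples)
    return [sum((s >> i) & 1 for s in samples) / n for i in range(width)]


def analyze(samples, width=32, tolerance=0.1):
    """Report which bits vary at all and which vary but are far from 50/50."""
    bias = per_bit_bias(samples, width)
    varying = [i for i, b in enumerate(bias) if 0.0 < b < 1.0]
    skewed = [i for i in varying if abs(bias[i] - 0.5) > tolerance]
    return {
        "distinct": len(set(samples)),
        "entropy_bits": round(shannon_entropy_bits(samples), 2),
        "varying_bits": varying,
        "skewed_bits": skewed,
    }


def delta_predictability(a, b):
    """Share of sample pairs whose difference (a - b) equals its most common
    value; 1.0 means b is fully determined once a is known."""
    deltas = Counter(x - y for x, y in zip(a, b))
    return deltas.most_common(1)[0][1] / len(a)


# Constructed samples with a fixed seed (hypothetical, not measured data).
rng = Random(1)
# Image bases: only an 8-bit slot in bits 16..23 varies (64 KiB steps).
IMAGE_BASES = [0x70000000 | (rng.randrange(256) << 16) for _ in range(4000)]
# A second image always at a fixed distance from the first, as when both
# are moved by one shared boot-time delta.
SECOND_IMAGE = [base + 0x00300000 for base in IMAGE_BASES]
# Heap bases whose 8 random bits each come up set only a quarter of the
# time (AND of two uniform draws): they vary, but not uniformly.
HEAP_BASES = [0x01000000 | ((rng.randrange(256) & rng.randrange(256)) << 16)
              for _ in range(4000)]

if __name__ == "__main__":
    print("image:", analyze(IMAGE_BASES))
    print("heap:", analyze(HEAP_BASES))
    print("second image given first:", delta_predictability(IMAGE_BASES, SECOND_IMAGE))
```

A real survey would feed the same functions the base addresses collected across process starts and reboots, one list per memory object.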
Figures - uploaded by Ollie Whitehouse
... However, there exists an important number of reports and studies that question the effectiveness and solidity of this technique, even for the most recent Windows and Linux Operating Systems. In [1] Whitehouse performs a complete and detailed analysis of Windows Vista and, in its results, it reveals implementation errors that leave the system not completely protected, a situation that attackers can take advantage of to exploit memory vulnerabilities. ...
... This section includes the methodology of the performed comparative analysis on the presented Operating Systems. Both the code and methodology are based on [1], but adapted to the modern versions of Windows and the specific features available on Linux. ...
... LTS. In both of them, the scripts were run in two ways: continuously with 5 million iterations based on the work of Marco and Ripoll in [3]; and with system reboots every 100 iterations until reaching 500,000, considering a reasonable execution time and a significant number of repetitions, widely increased compared to the previous work of Whitehouse in [1]. ...
Memory management is one of the main tasks of an Operating System, where the data of each process running in the system is kept. In this context, there exist several types of attacks that exploit memory-related vulnerabilities, forcing Operating Systems to feature memory protection techniques that make it difficult to exploit them. One of these techniques is ASLR, whose function is to introduce randomness into the virtual address space of a process. The goal of this work was to measure, analyze and compare the behavior of ASLR on the 64-bit versions of Windows 10 and Ubuntu 18.04 LTS. The results have shown that the implementation of ASLR has improved significantly on these two Operating Systems compared to previous versions. However, there are aspects, such as partial correlations or a frequency distribution that is not always uniform, so it can still be improved.
... To the best of our knowledge, there are only three published studies on Windows. The first, regarding Windows Vista [41], is outdated, so we will focus only on the ones analyzing Windows 10 [11] and Windows 7 [8]. The sampling of Windows 10 was performed through 5000 reboots using a custom-written tool, which took a total of 500,000 samples, while for the sections that were randomized at runtime 5 mln samples were considered [11]. ...
... The analysis of Windows 7 [8], even if it is outdated and considered only four memory sections, concluded that the problems highlighted in Windows Vista [41] were still present: heap-allocated objects with non-uniform distribution and shared libraries randomized at boot-time. ...
Address Space Layout Randomization (ASLR) is a crucial defense mechanism employed by modern operating systems to mitigate exploitation by randomizing processes' memory layouts. However, the stark reality is that real-world implementations of ASLR are imperfect and subject to weaknesses that attackers can exploit. This work evaluates the effectiveness of ASLR on major desktop platforms, including Linux, MacOS, and Windows, by examining the variability in the placement of memory objects across various processes, threads, and system restarts. In particular, we collect samples of memory object locations, conduct statistical analyses to measure the randomness of these placements and examine the memory layout to find any patterns among objects that could decrease this randomness. The results show that while some systems, like Linux distributions, provide robust randomization, others, like Windows and MacOS, often fail to adequately randomize key areas like executable code and libraries. Moreover, we find a significant entropy reduction in the entropy of libraries after the Linux 5.18 version and identify correlation paths that an attacker could leverage to reduce exploitation complexity significantly. Ultimately, we rank the identified weaknesses based on severity and validate our entropy estimates with a proof-of-concept attack. In brief, this paper provides the first comprehensive evaluation of ASLR effectiveness across different operating systems and highlights opportunities for Operating System (OS) vendors to strengthen ASLR implementations.
... The code-reuse attack reuses the code snippets in the program to implement unintended behaviors. The Return-oriented Programming (ROP) attack [1] is a kind of code-reuse attack. In the ROP attack, the code snippet consists of basic instructions followed by a return instruction, which are called gadgets. ...
Currently, security-critical server programs are well protected by various defense techniques, such as Address Space Layout Randomization (ASLR), eXecute Only Memory (XOM), and Data Execution Prevention (DEP), against modern code-reuse attacks like Return-oriented Programming (ROP) attacks. Moreover, in these victim programs, most syscall instructions lack following ret instructions, which prevents attacks from stitching multiple system calls to implement advanced behaviors like launching a remote shell. Lacking this kind of gadget greatly constrains the capability of code-reuse attacks. This paper proposes a novel code-reuse attack method called Signal Enhanced Blind Return Oriented Programming (SeBROP) to address these challenges. Our SeBROP can initiate a successful exploit on server-side programs using only a stack overflow vulnerability. By leveraging a side-channel that exists in the victim program, we show how to find a variety of gadgets blindly without any prior knowledge or reading/disassembling the code segment. Then, we propose a technique that exploits the current vulnerable signal checking mechanism to realize execution flow control even when ret instructions are absent. Our technique can stitch a number of system calls without returns, which is superior to conventional ROP attacks. Finally, the SeBROP attack precisely identifies many useful gadgets to constitute a Turing-complete set. The SeBROP attack can defeat almost all state-of-the-art defense techniques. The SeBROP attack is compatible with both modern 64-bit and 32-bit systems. To validate its effectiveness, we craft three exploits of the SeBROP attack for three real-world applications, i.e., 32-bit Apache 1.3.49, 32-bit ProFTPD 1.3.0, and 64-bit Nginx 1.4.0. Experimental results demonstrate that the SeBROP attack can successfully spawn a remote shell on Nginx, ProFTPD, and Apache with less than 8500/4300/2100 requests, respectively.
... Microsoft® Windows Vista® (released January 2007) was the first version of the Windows® operating system to support ASLR [32]. Then all subsequent versions of Windows OS also supported ASLR [33]. There is a wide range of implementations with different levels of entropy, depending on the version and the security configuration: the Enhanced Mitigation Experience Toolkit (EMET), High Entropy ASLR or ForceASLR. ...
Memory errors are still a serious threat affecting millions of devices worldwide. Recently, bounty programs have reached a new record, paying up to USD 2.5 million for one single vulnerability in Android and up to USD 2 million for Apple’s operating system. In almost all cases, it is common to exploit memory errors in one or more stages to fully compromise those devices. In this paper, we review and discuss the importance of memory error vulnerabilities, and more specifically stack buffer overflows, to provide a full view of how memory errors are exploited. We identify the root causes that make those attacks possible on the modern x86-64 architecture in the presence of modern protection techniques. We have analyzed how unsafe library functions are prone to buffer overflows, revealing that although there are secure versions of those functions, they are not actually preventing buffer overflows from happening. Using secure functions does not result in software free from vulnerabilities, and it requires developers to be security-aware. To overcome this problem, we discuss the three main security protection techniques present in all modern operating systems: the non-eXecutable bit (NX), the Stack Smashing Protector (SSP) and the Address Space Layout Randomization (ASLR). After discussing their effectiveness, we conclude that although they provide a strong level of protection against classical exploitation techniques, modern attacks can bypass them.
... The standard mitigation technique against ROP/JOP/COP, and pretty much every CRA variant, is address space layout randomization (ASLR), which is currently a well-adopted defense, enabled on (pretty much) every contemporary OS [26]. Essentially, ASLR forces the attacker to first disclose the code layout (e.g., via a code pointer) to determine the addresses of gadgets. ...
Code-reuse attacks continue to pose a significant threat to systems security, from resource constrained environments to data-centers. Current mitigation techniques suffer from significant performance and energy overheads especially in the embedded domain. A viable alternative which, thus far, has been a software only mitigation, is Execution Path Randomization (EPR). The basic idea in EPR is to frequently switch between two distinct program variants forcing the attacker to gamble on which code to reuse. In this paper, we propose a novel technique, the Phantom Addressed Instructions that are Randomly Selected (PAIRS) that enables an efficient implementation of EPR with minor hardware adjustments and no source code modifications. For certain modes of operation, PAIRS does not require program re-compilation, thus is applicable to legacy binaries. Compared to state-of-the-art defenses, PAIRS has negligible performance overheads making it viable for embedded IoT devices up to server-grade systems.
This book contains the Proceedings of research papers presented at the 1st International Conference of the IEEE Nigeria Computer Chapter (IEEEnigComputConf’16), held between Wednesday, 23rd November, 2016 and Saturday, 26th November, 2016 at the University of Ilorin, Ilorin, Kwara State, Nigeria.
The conference was organized by the IEEE Nigeria Computer Chapter (http://www.ieee.org/go/nigeriacomputerchapter) in collaboration with the Department of Computer Science, Faculty of Communication and Information Sciences, University of Ilorin. The Department of Computer Engineering, Faculty of Engineering and Technology of the same institution also served as a technical co-sponsor.
In all, a total of over sixty (60) papers were submitted as at the time of going to press. Apart from Nigeria, submissions were received from such countries as Malaysia, South Africa and Pakistan. The papers were subjected to a referee process with respect to the actual content and the level of originality. The thirty-eight (38) papers which appear in these Proceedings were those that substantially met the set acceptance criteria.
This paper proposes a co-design adaptive defense scheme against a class of zero-day buffer over-read attacks that follow unknown stationary probability distributions. In particular, the co-design scheme integrates an improved UCB algorithm and a customized server. The improved UCB algorithm adaptively allocates guard pages on a heap based on induced damage of the guard pages so as to minimize the accumulated damage over time. The security damages of the improved UCB algorithm are proven to be always below a temporal bound without knowing which attack is launched when the buffer allocation follows a certain stationary probability distribution. Then an efficient server modification is introduced to randomly allocate buffers. Moreover, the damages of our scheme asymptotically converge to those of the optimal defense policy where the launched attacks and their distributions are known in advance. Further, the co-design scheme is evaluated with several real-world Heartbleed attacks. The experiment results demonstrate the validity of the upper bound and show that the adaptive defense is effective against all the attacks of interest with runtime overheads as low as 5%.
Address-space randomization is a technique used to fortify systems against buffer overflow attacks. The idea is to introduce artificial diversity by randomizing the memory location of certain system components. This mechanism is available for both Linux (via PaX ASLR) and OpenBSD. We study the effectiveness of address-space randomization and find that its utility on 32-bit architectures is limited by the number of bits available for address randomization. In particular, we demonstrate a derandomization attack that will convert any standard buffer-overflow exploit into an exploit that works against systems protected by address-space randomization. The resulting exploit is as effective as the original exploit, although it takes a little longer to compromise a target machine: on average 216 seconds to compromise Apache running on a Linux PaX ASLR system. The attack does not require running code on the stack. We also explore various ways of strengthening address-space randomization and point out weaknesses in each. Surprisingly, increasing the frequency of re-randomizations adds at most 1 bit of security. Furthermore, compile-time randomization appears to be more effective than runtime randomization. We conclude that, on 32-bit architectures, the only benefit of PaX-like address-space randomization is a small slowdown in worm propagation speed. The cost of randomization is extra complexity in system support.
Microsoft, "Microsoft Portable Executable and Common Object File Format Specification," May 2006, http://www.microsoft.com/whdc/system/platform/firmware/PECOFF.mspx.
[8] N. Goel, Microsoft, private communications, Jan. 2007.
[9] Pageexec, "Protecting against Pointer Subterfuge (Redux)," Dailydave mailing list, Oct. 2006, http://archives.neohapsis.com/archives/dailydave/2006-q4/0028.html.
[10] A. Rahbar, "An analysis of Microsoft Windows Vista's ASLR," Oct. 2006, http://www.sysdream.com/articles/Analysis-of-Microsoft-Windows-Vista's-ASLR.pdf.
Tuxedo-es, "Vista Probe 0.2 release," Jul. 2006, http://www.tuxedoes.org/blog/2006/07/06/vista-probe-02-release/.
Tuxedo-es, "Microsoft Windows Vista beta-2 build 5384: Vista-Probe 0.1 results," Jun. 2006, http://www.tuxedoes.org/blog/2006/06/13/microsoft-windows-vista-beta-2build-5384-vista-probe-01-results/.
Wikipedia, "Address Space Layout Randomization," http://en.wikipedia.org/wiki/Address_Layout_Randomization.
M. Howard, "Alleged Bugs in Windows Vista's ASLR Implementation," Oct. 2006, http://blogs.msdn.com/michael_howard/archive/2006/10/04/Alleged-Bugs-in-Windows-Vista_1920_s-ASLR-Implementation.aspx.
M. Howard, "Address Space Layout Randomization for Windows," Sep. 2005, http://blogs.msdn.com/michael_howard/archive/2005/09/30/475763.aspx.
M. Howard, "Address Space Layout Randomization in Windows Vista," May 2006, http://blogs.msdn.com/michael_howard/archive/2006/05/26/608315.aspx.
O. Whitehouse, "Vista address space randomization data," Feb. 2007, available via e-mail.
I. Hellen and V. Kumar, "Security Engineering in Vista," Sep. 2006, http://packetstormsecurity.org/hitb06/DAY_1_-_Ian_Hellen_and_Vishal_Kumar_-_Security_Engineering_in_Vista.pdf.