funsec mailing list archives

Re: ASLR: Address Space Layout Randomization


From: Drsolly <drsollyp () drsolly com>
Date: Wed, 31 May 2006 21:23:45 +0100 (BST)

On Wed, 31 May 2006, Fergie wrote:

Has anyone looked at this in depth enough to explain this
to me in a paragraph? I think I pretty much "get it" but I was
wondering if anyone else had actually taken some time to
peruse this concept -- I'm not a code monkey. :-)

Although I have _no_intentions_ of running Microsoft Vista, I
ran across something today which mentioned that "...Microsoft
had fitted the Vista beta 2 version with a feature called ASLR
(Address Space Layout Randomization) that should help protect
Vista against automated cyber-attacks."
Now, that's a pretty hefty statement.

So, I go looking for info on this.


"So what is ASLR? In short, when you boot a Windows Vista Beta 2 computer, 
we load system code into different locations in memory. This helps defeat 
a well-understood attack called “return-to-libc”, where exploit code 
attempts to call a system function, such as the socket() function in 
wsock32.dll to open a socket, or LoadLibrary in kernel32.dll to load 
wsock32.dll in the first place. The job of ASLR is to move these function 
entry points around in memory so they are in unpredictable locations. In 
the case of Windows Vista Beta 2, a DLL or EXE could be loaded into any of 
256 locations, which means an attacker has a 1/256 chance of getting the 
address right. In short, this makes it harder for exploits to work 
correctly."

So, if I were mounting an attack that aimed to patch a DLL or EXE, I have 
to find the entry point. Instead of there being a known address, there's 
256 different possible places where it might be. Maybe there's something 
more subtle that I haven't seen, but it seems to me that you'd do a 
brute-force search for a byte sequence which could be in 256 different 
locations, and this would take a millisecond or two.

I can't believe they've done something that was so easily defeated, so there 
must be more to it than is in the URL that Fergie cited.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
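An added worked example (not part of the thread, and not code from Microsoft or either poster) that puts numbers on the "1/256 chance" in the quoted text and shows the defender's side of it: a guess that lands on the wrong address normally faults the process, so guessing until it works leaves a crash burst in the event log. The first two functions derive how many independent guesses an 8-bit (256-slot) randomization withstands versus a wider one; the third is a small sliding-window detector run over constructed, clearly fictitious crash records (process name `netsvc.exe`, host `host1` and the line format are all assumptions, not a real Vista log format).

```python
"""Added example for the funsec ASLR thread: entropy arithmetic plus a
crash-burst detector. All sample data below is constructed."""
import math
from collections import deque
from datetime import datetime, timedelta


def guesses_for_hit_probability(entropy_bits, target=0.5):
    """Independent guesses needed to reach probability `target` of hitting
    one address randomized uniformly over 2**entropy_bits slots.
    Solves 1 - (1 - 1/N)**k >= target for k."""
    p = 1.0 / (2 ** entropy_bits)
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - p))


def expected_guesses(entropy_bits):
    """Mean number of guesses until the first hit (geometric distribution):
    256 for the 8 bits described in the quoted post, ~4.3e9 for 32 bits."""
    return 2 ** entropy_bits


# Constructed crash records (assumed format: timestamp host event process code).
# Six faults of one process in 13 seconds is the footprint a guess-until-it-works
# attempt against per-boot randomization would leave; explorer.exe is background noise.
CRASH_LOG = [
    "2006-05-31T21:23:45 host1 app-crash netsvc.exe 0xC0000005",
    "2006-05-31T21:23:47 host1 app-crash netsvc.exe 0xC0000005",
    "2006-05-31T21:23:49 host1 app-crash netsvc.exe 0xC0000005",
    "2006-05-31T21:23:50 host1 service-start netsvc.exe ok",
    "2006-05-31T21:23:52 host1 app-crash netsvc.exe 0xC0000005",
    "2006-05-31T21:23:55 host1 app-crash netsvc.exe 0xC0000005",
    "2006-05-31T21:23:58 host1 app-crash netsvc.exe 0xC0000005",
    "2006-05-31T21:30:00 host1 app-crash explorer.exe 0xC0000005",
]


def crash_bursts(lines, window_seconds=60, threshold=5):
    """Return {process: peak_crashes_in_window} for processes that fault at
    least `threshold` times inside any `window_seconds` span.
    Assumes lines arrive in chronological order (one pass, sliding window)."""
    recent = {}   # process -> deque of crash timestamps inside the window
    peak = {}     # process -> largest window count seen
    for line in lines:
        ts_str, _host, event, proc, _code = line.split()
        if event != "app-crash":
            continue   # only fault records matter here
        ts = datetime.fromisoformat(ts_str)
        q = recent.setdefault(proc, deque())
        q.append(ts)
        while ts - q[0] > timedelta(seconds=window_seconds):
            q.popleft()   # drop crashes that fell out of the window
        peak[proc] = max(peak.get(proc, 0), len(q))
    return {proc: n for proc, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    for bits in (8, 16, 32):
        print(f"{bits:2d} bits: expect {expected_guesses(bits)} guesses, "
              f"{guesses_for_hit_probability(bits)} for a 50% chance")
    print("crash bursts:", crash_bursts(CRASH_LOG))
```

The entropy functions make the post's point precise: with 256 slots, about 178 guesses already give an even chance and the mean is 256, so the randomization alone buys little against an attacker who can retry. What it does buy is visibility, because each miss is a fault, which is what the detector counts; the threshold and window are tuning knobs, and a process that legitimately restarts often needs a higher threshold.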
