funsec mailing list archives
Re: ASLR: Address Space Layout Randomization
From: Drsolly <drsollyp () drsolly com>
Date: Wed, 31 May 2006 21:23:45 +0100 (BST)
On Wed, 31 May 2006, Fergie wrote:
Has anyone looked at this in depth enough to explain this to me in a paragraph? I think I pretty much "get it" but I was wondering if anyone else had actually taken some time to peruse this concept -- I'm not a code monkey. :-) Although I have _no_intentions_ of running Microsoft Vista, I ran across something today which mentioned that "...Microsoft had fitted the Vista beta 2 version with a feature called ASLR (Address Space Layout Randomization) that should help protect Vista against automated cyber-attacks." Now, that's a pretty hefty statement. So, I go looking for info on this.

"So what is ASLR? In short, when you boot a Windows Vista Beta 2 computer, we load system code into different locations in memory. This helps defeat a well-understood attack called "return-to-libc", where exploit code attempts to call a system function, such as the socket() function in wsock32.dll to open a socket, or LoadLibrary in kernel32.dll to load wsock32.dll in the first place. The job of ASLR is to move these function entry points around in memory so they are in unpredictable locations. In the case of Windows Vista Beta 2, a DLL or EXE could be loaded into any of 256 locations, which means an attacker has a 1/256 chance of getting the address right. In short, this makes it harder for exploits to work correctly."

So, if I were mounting an attack that aimed to patch a DLL or EXE, I have to find the entry point. Instead of there being a known address, there's 256 different possible places where it might be. Maybe there's something more subtle that I haven't seen, but it seems to me that you'd do a brute-force search for a byte sequence which could be in 256 different locations, and this would take a millisecond or two. I can't believe they've done something that was so easily defeated, so there must be more to it than is in the URL that Fergie cited.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
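A numeric model of the odds the quoted Microsoft passage gives (an added example written for this archive page, not code from the thread or from Microsoft). It assumes the module base is drawn uniformly from 2**entropy_bits slots, that guesses are blind because the guesser cannot read memory, and that every miss crashes the process, so the quantity it reports is the number of crash events a monitoring system would see before one success.

```python
"""Model of ASLR guessing odds (constructed example; assumptions noted below).

Assumptions: one of 2**entropy_bits equally likely base slots, blind guesses
(no memory read), and a process crash on every miss.
"""
import math
import random


def hit_probability(entropy_bits: int, attempts: int) -> float:
    """P(at least one of `attempts` blind, independent guesses is right).

    Each guess hits with probability 1/slots, so P(all miss) = (1 - 1/slots)**attempts.
    With 8 bits and one attempt this is the 1/256 figure quoted in the thread.
    """
    slots = 2 ** entropy_bits
    return 1.0 - (1.0 - 1.0 / slots) ** attempts


def attempts_for_confidence(entropy_bits: int, confidence: float) -> int:
    """Fewest independent guesses that give at least `confidence` chance of a hit."""
    slots = 2 ** entropy_bits
    # Solve 1 - (1 - 1/slots)**n >= confidence for the smallest integer n.
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - 1.0 / slots))


def crashes_until_hit(entropy_bits: int, rerandomize: bool, rng: random.Random) -> int:
    """Wrong guesses (each one a process crash) before the first correct guess.

    rerandomize=False: the layout stays fixed for the whole run (a per-boot choice),
    so the guesser enumerates slots without repeating: at most slots-1 crashes.
    rerandomize=True: the base is redrawn after every crash, so each guess is an
    independent 1/slots shot and the crash count is geometric with mean slots-1.
    """
    slots = 2 ** entropy_bits
    if not rerandomize:
        target = rng.randrange(slots)
        order = rng.sample(range(slots), slots)  # random enumeration order
        return order.index(target)               # misses before the hit
    crashes = 0
    while rng.randrange(slots) != rng.randrange(slots):  # fresh base vs fresh guess
        crashes += 1
    return crashes


def mean_crashes(entropy_bits: int, rerandomize: bool, trials: int = 10000, seed: int = 1) -> float:
    """Average number of crash events observed before one success."""
    rng = random.Random(seed)
    return sum(crashes_until_hit(entropy_bits, rerandomize, rng) for _ in range(trials)) / trials


if __name__ == "__main__":
    for bits in (8, 16, 24):
        print(f"{bits:2d} bits: P(hit within 256 tries)={hit_probability(bits, 256):.4f}, "
              f"tries for 50%={attempts_for_confidence(bits, 0.5)}")
    print("8 bits, fixed layout, mean crashes before a hit:", mean_crashes(8, False))
    print("8 bits, re-randomized, mean crashes before a hit:", mean_crashes(8, True))
```

The 8-bit case yields on the order of a hundred or more crashes before a hit, which is why crash-rate monitoring on a service is a useful companion to ASLR; raising the entropy multiplies that count.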