funsec mailing list archives

Re: ASLR: Address Space Layout Randomization


From: Valdis.Kletnieks () vt edu
Date: Wed, 31 May 2006 16:45:53 -0400

On Wed, 31 May 2006 21:23:45 BST, Drsolly said:

> So, if I were mounting an attack that aimed to patch a DLL or EXE, I have 
> to find the entry point. Instead of there being a known address, there's 
> 256 different possible places where it might be. Maybe there's something 
> more subtle that I haven't seen, but it seems to me that you'd do a 
> brute-force search for a byte sequence which could be in 256 different 
> locations, and this would take a millisecond or two.

The problem is that usually, you only have a certain fixed number of bytes
to do your work.  If the target address is nailed down, you can probably
jump there in 3 or 5 bytes on an x86.  If you have to code a loop that
sweeps through looking for the right bit pattern, that will probably cost
you 15 or 20 bytes.  Big difference when you may only have 40 bytes for the
entire exploit. ;)

I'm surprised they only have 256 possible places - the ASLR code in the
current Linux kernel randomizes stuff like this over 19 bits or so...

Of course, this doesn't really do all *that* much all by itself.  As long
as you're screwing around with the memory map, it's a good time to also
add NX support and make the stack and heap non-exec, and make the code
segments non-writeable.  That's not totally foolproof either, but trying
to write an exploit that works around the ExecShield code from RedHat
or the PAX stuff from GRSecurity is a *lot* steeper challenge.
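As an added illustration of the mitigations the reply lists together (an image ASLR can relocate, a non-executable stack, and no segment that is both writable and executable), here is a small ELF64 checker. It is not code from the thread; the sample image it inspects is constructed in place and is not loadable, it only carries the headers the checker reads.

```python
import struct

# ELF64 constants from the ELF specification
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_GNU_STACK = 1, 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4
EHDR_FMT, PHDR_FMT = "<HHIQQQIHHHHHH", "<IIQQQQQQ"   # fields after e_ident / one phdr

def build_elf64(e_type, load_flags, stack_flags):
    """Constructed minimal ELF64 image: a header plus two program headers
    (one PT_LOAD, one PT_GNU_STACK). It is not loadable; it exists only so
    the checker below has sample input."""
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # ELFCLASS64, LE
    ehdr = e_ident + struct.pack(EHDR_FMT, e_type, 62, 1, 0x1000, 64, 0, 0,
                                 64, 56, 2, 64, 0, 0)        # x86-64, 2 phdrs
    load = struct.pack(PHDR_FMT, PT_LOAD, load_flags, 0, 0x1000, 0x1000, 0, 0, 0x1000)
    stack = struct.pack(PHDR_FMT, PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return ehdr + load + stack

def inspect_elf64(data):
    """Report the three properties the post discusses: PIE (ASLR can move
    the image base), a non-executable stack, and no writable+executable
    segment."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    f = struct.unpack_from(EHDR_FMT, data, 16)
    e_type, phoff, phentsize, phnum = f[0], f[4], f[8], f[9]
    stack_exec = True   # no PT_GNU_STACK: old toolchain, Linux/x86 leaves the stack executable
    wx_segments = 0
    for i in range(phnum):
        p_type, p_flags = struct.unpack_from("<II", data, phoff + i * phentsize)
        if p_type == PT_GNU_STACK:
            stack_exec = bool(p_flags & PF_X)
        elif p_type == PT_LOAD and (p_flags & (PF_W | PF_X)) == (PF_W | PF_X):
            wx_segments += 1
    return {"pie": e_type == ET_DYN,
            "nx_stack": not stack_exec,
            "w_xor_x": wx_segments == 0}

if __name__ == "__main__":
    print(inspect_elf64(build_elf64(ET_DYN, PF_R | PF_X, PF_R | PF_W)))
    print(inspect_elf64(build_elf64(ET_EXEC, PF_R | PF_W | PF_X, PF_R | PF_W | PF_X)))
```

On a Linux host the same function can be pointed at a real binary with `inspect_elf64(open(path, "rb").read())`, keeping in mind that a PIE image is only randomized when the kernel has ASLR enabled.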


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.