funsec mailing list archives
Re: ASLR: Address Space Layout Randomization
From: Valdis.Kletnieks () vt edu
Date: Wed, 31 May 2006 16:45:53 -0400
On Wed, 31 May 2006 21:23:45 BST, Drsolly said:
> So, if I were mounting an attack that aimed to patch a DLL or EXE, I have to find the entry point. Instead of there being a known address, there's 256 different possible places where it might be. Maybe there's something more subtle that I haven't seen, but it seems to me that you'd do a brute-force search for a byte sequence which could be in 256 different locations, and this would take a millisecond or two.
The problem is that usually, you only have a certain fixed number of bytes to do your work. If the target address is nailed down, you can probably jump there in 3 or 5 bytes on an x86. If you have to code a loop that sweeps through looking for the right bit pattern, that will probably cost you 15 or 20 bytes. Big difference when you may only have 40 bytes for the entire exploit. ;)

I'm surprised they only have 256 possible places - the ASLR code in the current Linux kernel randomizes stuff like this over 19 bits or so...

Of course, this doesn't really do all *that* much all by itself. As long as you're screwing around with the memory map, it's a good time to also add NX support and make the stack and heap non-exec, and make the code segments non-writeable. That's not totally foolproof either, but trying to write an exploit that works around the ExecShield code from RedHat or the PAX stuff from GRSecurity is a *lot* steeper challenge.
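Added example, not part of this thread or of any poster's message: a small Python script that puts numbers on the two randomization widths mentioned above (8 bits, i.e. 256 positions, versus 19 bits), for both a layout that is re-randomized on every attempt and one that stays fixed, and, on a Linux host, reads the kernel's ASLR level from /proc/sys/kernel/randomize_va_space and samples a heap address from a few fresh interpreters to confirm that randomization is actually in effect. The function names and the choice of `id(object())` as the sampled address are this example's own assumptions.

```python
"""Estimate the guessing work added by address randomization, and check
whether ASLR is enabled on the host (constructed example, not list code)."""
import math
import pathlib
import subprocess
import sys


def expected_guesses(bits, rerandomized=True):
    """Mean number of attempts to hit one randomized address.

    rerandomized=True: every attempt sees a fresh layout (e.g. a service that
    re-execs after each crash), so attempts are independent with p = 1/2^bits
    and the expectation is 2^bits.
    rerandomized=False: the layout is fixed for the attacker's session (e.g. a
    pre-forked worker), so a sweep without repeats needs (2^bits + 1)/2 on
    average.
    """
    positions = 1 << bits
    if rerandomized:
        return float(positions)
    return (positions + 1) / 2.0


def guesses_for_confidence(bits, confidence=0.5):
    """Attempts needed to succeed with probability >= confidence when the
    layout is re-randomized for each attempt (geometric distribution)."""
    p = 1.0 / (1 << bits)
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - p))


def linux_aslr_setting():
    """Kernel ASLR level on Linux: 0 off, 1 randomize stack/mmap/VDSO,
    2 additionally randomize the heap (brk). None if the file is absent."""
    path = pathlib.Path("/proc/sys/kernel/randomize_va_space")
    try:
        return int(path.read_text().strip())
    except (OSError, ValueError):
        return None


def sample_addresses(runs=5):
    """Spawn fresh interpreters and collect the address of a heap object from
    each one; with ASLR active these values differ between runs."""
    addresses = []
    for _ in range(runs):
        result = subprocess.run(
            [sys.executable, "-c", "print(id(object()))"],
            capture_output=True, text=True, check=True,
        )
        addresses.append(int(result.stdout.strip()))
    return addresses


def varying_bits(addresses):
    """Count the bit positions that differ across the samples; this is a crude
    lower bound on the entropy actually observed (0 means no randomization)."""
    diff = 0
    for addr in addresses:
        diff |= addr ^ addresses[0]
    return bin(diff).count("1")


if __name__ == "__main__":
    for bits in (8, 19):
        print(f"{bits:2d} bits: mean guesses fixed layout = "
              f"{expected_guesses(bits, rerandomized=False):>10.1f}, "
              f"re-randomized = {expected_guesses(bits):>10.0f}, "
              f"50% success after {guesses_for_confidence(bits)} attempts")
    level = linux_aslr_setting()
    print("randomize_va_space:", "not available" if level is None else level)
    addrs = sample_addresses()
    print("sampled addresses:", [hex(a) for a in addrs])
    print("bits observed varying:", varying_bits(addrs))
```

Every failed guess against a fixed-layout target normally crashes the process, so the "fixed layout" column is also the number of segfaults or service restarts a defender can expect to see in the logs before the attack lands; that burst of crashes is the detection opportunity ASLR creates even when it is eventually beaten.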
_______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
Current thread:
- ASLR: Address Space Layout Randomization Fergie (May 31)
- Re: ASLR: Address Space Layout Randomization Drsolly (May 31)
- Re: ASLR: Address Space Layout Randomization Valdis . Kletnieks (May 31)
- Re: ASLR: Address Space Layout Randomization Peter Kosinar (May 31)
- Re: ASLR: Address Space Layout Randomization Alexander Sotirov (May 31)
- <Possible follow-ups>
- Re: ASLR: Address Space Layout Randomization Fergie (May 31)
- Re: ASLR: Address Space Layout Randomization Drsolly (May 31)