Address space layout randomization
Address space layout randomization (ASLR) is a computer security technique involved in protection from buffer overflow attacks. In order to prevent an attacker from reliably jumping to, for example, a particular exploited function in memory, ASLR randomly arranges the address space positions of key data areas of a process, including the base of the executable and the positions of the stack, heap and libraries.
The Linux PaX project first coined the term "ASLR", and published the first design and implementation of ASLR in July 2001 as a patch for the Linux kernel. It is seen as a complete implementation, providing also a patch for kernel stack randomization since October 2002.
Address space randomization hinders some types of security attacks by making it more difficult for an attacker to predict target addresses. For example, attackers trying to execute return-to-libc attacks must locate the code to be executed, while other attackers trying to execute shellcode injected on the stack have to find the stack first. In both cases, the system obscures related memory-addresses from the attackers. These values have to be guessed, and a mistaken guess is not usually recoverable due to the application crashing.
Address space layout randomization is based upon the low chance of an attacker guessing the locations of randomly placed areas. Security is increased by increasing the search space. Thus, address space randomization is more effective when more entropy is present in the random offsets. Entropy is increased by either raising the amount of virtual memory area space over which the randomization occurs or reducing the period over which the randomization occurs. The period is typically implemented as small as possible, so most systems must increase VMA space randomization.
To defeat the randomization, attackers must successfully guess the positions of all areas they wish to attack. For data areas such as stack and heap, where custom code or useful data can be loaded, more than one state can be attacked by using NOP slides for code or repeated copies of data. This allows an attack to succeed if the area is randomized to one of a handful of values. In contrast, code areas such as library base and main executable need to be discovered exactly. Often these areas are mixed, for example stack frames are injected onto the stack and a library is returned into.
The following variables can be declared:
- (entropy bits of stack top)
- (entropy bits of
- (entropy bits of main executable base)
- (entropy bits of heap base)
- (attacked bits per attempt of stack entropy)
- (attacked bits per attempt of
- (attacked bits per attempt of main executable entropy)
- (attacked bits per attempt of heap base entropy)
- (attempts made)
- (total amount of entropy: )
To calculate the probability of an attacker succeeding, we have to assume a number of attempts α carried out without being interrupted by a signature-based IPS, law enforcement, or other factor; in the case of brute forcing, the daemon cannot be restarted. We also have to figure out how many bits are relevant and how many are being attacked in each attempt, leaving however many bits the attacker has to defeat.
The following formulas represent the probability of success for a given set of α attempts on N bits of entropy.
- (isolated guessing; address space is re-randomized after each attempt)
- (systematic brute forcing on copies of the program with the same address space)
In many systems, can be in the thousands or millions; on modern[update] 64-bit systems, these numbers typically reach the millions at least, Marco H. and Ripoll I. showed how to bypass the ASLR in 64-bit systems in less than one second under certain circumstances. For 32-bit systems at 2004 computer speeds which have 16 bits for address randomization, Shacham and co-workers state "... 16 bits of address randomization can be defeated by a brute force attack within minutes." It should be noted that the authors' statement depends on the ability to attack the same application multiple times without any delay. Proper implementations of ASLR, like that included in grsecurity, provide several methods to make such brute force attacks infeasible. One method involves preventing an executable from executing for a configurable amount of time if it has crashed a certain number of times.
Android,[non-primary source needed] and possibly other systems[which?], implement Library Load Order Randomization, a form of ASLR which randomizes the order in which libraries are loaded. This supplies very little entropy. An approximation of the number of bits of entropy supplied per needed library appears below; this does not yet account for varied library sizes, so the actual entropy gained is really somewhat higher. Note that attackers usually need only one library; the math is more complex with multiple libraries, and shown below as well. Note that the case of an attacker using only one library is a simplification of the more complex formula for .
- l (number of libraries loaded)
- β (number of libraries used by the attacker)
These values tend to be low even for large values of l, most importantly since attackers typically can use only the C standard library and thus one can often assume that . Interestingly, however, even for a small number of libraries there are a few bits of entropy gained here; it is thus potentially interesting to combine library load order randomization with VMA address randomization to gain a few extra bits of entropy. Note that these extra bits of entropy will not apply to other mmap() segments, only libraries.
Attackers may make use of several methods to reduce the entropy present in a randomized address space, ranging from simple information leaks to attacking multiple bits of entropy per attack (such as by heap spraying). There is little that can be done about this.
It is possible to leak information about memory layout using format string vulnerabilities. Format string functions such as printf use a variable argument list to do their job; format specifiers describe what the argument list looks like. Because of the way arguments are typically passed, each format specifier moves closer to the top of the stack frame. Eventually, the return pointer and stack frame pointer can be extracted, revealing the address of a vulnerable library and the address of a known stack frame; this can completely eliminate library and stack randomization as an obstacle to an attacker.
One can also decrease entropy in the stack or heap. The stack typically must be aligned to 16 bytes, and so this is the smallest possible randomization interval; while the heap must be page-aligned, typically 4096 bytes. When attempting an attack, it is possible to align duplicate attacks with these intervals; a NOP slide may be used with shellcode injection, and the string '
/bin/sh' can be replaced with '
////////bin/sh' for an arbitrary number of slashes when attempting to return to system. The number of bits removed is exactly for n intervals attacked.
Such decreases are limited due to the amount of data in the stack or heap. The stack, for example, is typically limited to MB8  and grows to much less; this allows for at most , although a more conservative estimate would be around 8– 19 bits corresponding to 4– 10 bitsKB16  of stack stuffing. The heap on the other hand is limited by the behavior of the memory allocator; in the case of glibc, allocations above 128 KB are created using mmap, limiting attackers to 5 bits of reduction. This is also a limiting factor when brute forcing; although the number of attacks to perform can be reduced, the size of the attacks is increased enough that the behavior could in some circumstances become apparent to intrusion detection systems. attempts on N bits of entropy.
Several mainstream, general-purpose operating systems implement ASLR.
Android 4.0 Ice Cream Sandwich provides address space layout randomization (ASLR) to help protect system and third party applications from exploits due to memory-management issues. Position-independent executable support was added in Android 4.1. Android 5.0 dropped non-PIE support and requires all dynamically linked binaries to be position independent. Library load ordering randomization was accepted into the Android open-source project on 26 October 2015,[non-primary source needed] and was included in the Android 7.0 release.
iOS (iPhone, iPod touch, iPad)
KASLR randomized Kernel base = 0x01000000 + ((1+0xRR) * 0x00200000)
where 0xRR = a random byte from SHA1(random data) generated by iBoot (the iOS Boot Loader)
Linux kernel enabled a weak form of ASLR by default since the kernel version 2.6.12, released in June 2005. The PaX and Exec Shield patchsets to the Linux kernel provide more complete implementations. The Exec Shield patch for Linux supplies 19 bits of stack entropy on a period of 16 bytes; and 8 bits of mmap base randomization on a period of 1 page of 4096 bytes. This places the stack base in an area 8 MB wide containing 524 288 possible positions; and the mmap base in an area 1 MB wide containing 256 possible positions. Various Linux distributions—
Position-independent executable (PIE) implements a random base address for the main executable binary and has been in place since 2003. It provides the same address randomness to the main executable as being used for the shared libraries. The PIE feature is in use only for the network facing daemons – the PIE feature cannot be used together with the prelink feature for the same executable. The prelink tool implements randomization at prelink time rather than runtime, because by design prelink aims to handle relocating libraries before the dynamic linker has to, which allows the relocation to occur once for many runs of the program. As a result, real address space randomization would defeat the purpose of prelinking.
Kernel address space layout randomization (KASLR), bringing support for address space randomization to running Linux kernel images by randomizing where the kernel code is placed at boot time, was merged into the Linux kernel mainline in kernel version 3.14, released on 30 March 2014. When compiled in, it can be disabled at boot time by specifying nokaslr as one of the kernel's boot parameters. KASLR was sharply criticized by Brad Spengler, primary developer of grsecurity, to be providing very limited additional levels of security.
Microsoft's Windows Vista (released January 2007) and later have ASLR enabled for only those executables and dynamic link libraries specifically linked to be ASLR-enabled. For compatibility, it is not enabled by default for other applications. Typically, only older software is incompatible and ASLR can be fully enabled by editing a registry entry "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\MoveImages", or by installing Microsoft's Enhanced Mitigation Experience Toolkit.
The locations of the heap, stack, Process Environment Block, and Thread Environment Block are also randomized. A security whitepaper from Symantec noted that ASLR in 32-bit Windows Vista may not be as robust as expected, and Microsoft has acknowledged a weakness in its implementation.
Host-based intrusion prevention systems such as WehnTrust and Ozone also offer ASLR for Windows XP and Windows Server 2003 operating systems. WehnTrust is open-source. Complete details of Ozone's implementation is not available.
It was noted in February 2012 that ASLR on 32-bit Windows systems prior to Windows 8 can have its effectiveness reduced in low memory situations. Similar effect also had been achieved on Linux in the same research. The test code caused the Mac OS X 10.7.3 system to kernel panic, so it was left unclear about its ASLR behavior in this scenario.
Launching the eShop from a physical address space layout randomization (PASLR) mode was added in system version 10.4.0-29, released on January 18, 2016. This update also added the ability for the PASLR mode to be applied to any system applet, or application. However, this ability was not utilized until system version 11.0, in which the PASLR mode was also applied to both digital and physical versions of Cubic Ninja and The Legend of Zelda: Ocarina of Time 3D. In 11.1, VVVVVV, Freakyforms Deluxe: Your Creations Alive!, Pokémon Super Mystery Dungeon, Pokémon Omega Ruby and Alpha Sapphire, Citizens of Earth, and Pokémon Picross were all updated to launch in this same PASLR mode. In 11.2, Steel Diver: Sub Wars and Paper Mario: Sticker Star were updated to launch in the PASLR mode, and the loader was updated so that every game built for the 11.2 NATIVE_FIRM or newer will be launched in a PASLR mode. This PASLR mode has been used by Nintendo since the 3DS 11.0 system update in an attempt to patch homebrew exploits that allow access to the Homebrew Launcher on current firmware or to make exploits impossible to install with current stock (non-hacked or not ARM9 kernel exploited) firmware. This is because the current Homebrew Launcher payloads called *hax 2.7 cannot currently launch games in a PASLR mode, so any exploit game that gets PASLR applied can no longer have its exploit installed on stock consoles. Since non stock (CFW, or custom firmware) consoles replace the official loader Nintendo uses to apply PASLR and other functions to games with a dummy one that is programmed to launch any title with no PASLR applied, installation of homebrew exploits with PASLR applied will always work on a CFW console. This can be utilized to install a homebrew exploit that has PASLR applied to it for 11.0+ on a CFW console to use in a stock 11.0+ console, but this only works for exploit games with a cartridge version, unless a system transfer is utilized. Adding PASLR to an exploit game also makes the existing homebrew exploit for that game incredibly unreliable to a point that it is often unusable or broken. While exploits affected by this can be fixed with exploit updates via PASLR bypass methods, such as the ones used in the current versions of Ninjhax 2, Freakyhax OoT3Dhax, stickerhax, supermysterychunkhax, basehaxx, and steelhax, the exploits humblehax and *V Hax were effectively killed by the addition of PASLR to their exploit games, as these two exploits were never updated to bypass the PASLR like other exploits were. Steelhax to an extent was killed with by the PASLR, because it is no longer possible to install the exploit on stock 11.2+, but since this exploit in particular is largely used in system transfers from CFW to stock consoles, this is not really an issue, as CFW consoles are able to install the exploit before performing the system transfer.
On September 20, 2016, Smealum, a leader in the 3DS homebrew community, announced on Twitter that he was working on a PASLR bypass for the Homebrew Launcher for a new version of the payloads he called *hax 2.8. If this is released, it would make Nintendo's strategy of applying the PASLR mode to homebrew exploit games (and in 11.2, everything built for 11.2 NATIVE_FIRM and above) useless, since homebrew exploits that have PASLR applied will once again be able to be installed on stock consoles on 11.0+.
In 2003, OpenBSD became the first mainstream operating system to support a strong form of ASLR and to activate it by default. OpenBSD completed its ASLR support in 2008 when it added support for PIE binaries. OpenBSD 4.4's malloc(3) was designed to improve security by taking advantage of ASLR and gap page features implemented as part of OpenBSD's
mmap system call, and to detect use-after-free bugs. Released in 2013, OpenBSD 5.3 was the first mainstream operating system to enable Position-independent executables by default on multiple hardware platforms, and OpenBSD 5.7 activated position-independent static binaries (Static-PIE) by default.
In Mac OS X Lion 10.7 (released July 2011), Apple expanded their implementation to cover all applications, stating "address space layout randomization (ASLR) has been improved for all applications. It is now available for 32-bit apps (as are heap memory protections), making 64-bit and 32-bit applications more resistant to attack."
- Brad Spengler (October 2003). "PaX: The Guaranteed End of Arbitrary Code Execution". grsecurity.net. Slides 22 through 35. Retrieved 20 August 2015.
- Theo De Raadt (2005). "Exploit Mitigation Techniques (updated to include random malloc and mmap) at OpenCON 2005". Retrieved 26 August 2009.
- "OpenBSD Innovations". The OpenBSD project. Retrieved 12 September 2016.
- Marco-Gisbert, Hector, and Ismael Ripoll. On the Ectiveness of Full-ASLR on 64-bit Linux, 20 November 2014.
- On the Effectiveness of Address-Space Randomization, Shacham, H. and Page, M. and Pfaff, B. and Goh, E.J. and Modadugu, N. and Boneh, D, Proceedings of the 11th ACM conference on Computer and communications security, pp 298—307, 2004
- "Implement Library Load Order Randomization". Retrieved 6 March 2016.
- Transistorized memory, such as RAM, ROM, flash and cache sizes as well as file sizes are specified using binary meanings for K (10241), M (10242), G (10243), ...
- "Android Security". Android Developers. Retrieved 7 July 2012.
- "oss-security". Retrieved 4 October 2015.
- "Android Code Review". Retrieved 4 October 2015.
- mmap - add mmap offset randomization, DragonFly Gitweb, 25 November 2010.
- Pwn2Own day 2: iPhone, BlackBerry beaten; Chrome, Firefox no-shows, Ars Technica, 11 March 2011
- iOS Kernel ASLR
- The NX Bit And ASLR, Tom's Hardware, 25 March 2009.
- Jake Edge (9 October 2013). "Kernel address space layout randomization". LWN.net. Retrieved 2 April 2014.
- "Linux kernel 3.14, Section 1.7. Kernel address space randomization". kernelnewbies.org. 30 March 2014. Retrieved 2 April 2014.
- "kernel/git/torvalds/linux.git: x86, kaslr: Return location from decompress_kernel (Linux kernel source tree)". kernel.org. 13 October 2013. Retrieved 2 April 2014.
- Brad Spengler (20 March 2013). "KASLR: An Exercise in Cargo Cult Security". grsecurity.net. Retrieved 30 January 2015.
- "Windows ISV Software Security Defenses". Msdn.microsoft.com. Retrieved 10 April 2012.
- Windows Internals: Including Windows Server 2008 and Windows Vista, Fifth Edition (PRO-Developer) ISBN 978-0-7356-2530-3
- Ollie Whitehouse (February 2007). "An Analysis of Address Space Layout Randomization on Windows Vista" (PDF).
- "WehnTrust". Codeplex.com. Retrieved 10 April 2012.
- "Security Architects' Ozone". Security Architects. Retrieved 10 April 2012.
- "WehnTrust source code". Retrieved 15 November 2013.
- "Address-Space Randomization for Windows Systems" (PDF). Retrieved 10 April 2012.
- Ollie (2 March 2012). "Research, Develop, Assess, Consult & Educate | Recx: A Partial Technique Against ASLR – Multiple O/Ss". Recxltd.blogspot.co.uk. Retrieved 10 April 2012.
- "Announcing NetBSD 5.0". Retrieved 25 April 2016.
- Christos Zoulas (2016). "PIE binaries and ASLR are on in the default build for amd64". Retrieved 25 April 2016.
- Kurt Miller (2008). "OpenBSD's Position Independent Executable (PIE) Implementation". Archived from the original on 12 June 2011. Retrieved 22 July 2011.
- "libc/stdlib/malloc.c". BSD Cross Reference, OpenBSD src/lib/.
- "Mac OS X – Security – Keeps safe from viruses and malware". Apple. Archived from the original on 25 May 2011. Retrieved 10 April 2012.
- "Security". Apple Inc. Archived from the original on 6 June 2011. Retrieved 6 June 2011.
- "OS X Mountain Lion Core Technologies Overview" (PDF). June 2012. Retrieved 25 July 2012.
- Controlling Access to Machine Resources, Oracle Information Library, 26 October 2012.
- More about Exploit Mitigation Techniques: an Update After 10 Years in OpenBSD.
- PaX documentation on ASLR
- Comparison of PaX to Exec Shield and W^X
- ASLR for Windows Vista beta 2
- ASLR for Windows 2000/XP/2003 (WehnTrust)
- Bypassing PaX ASLR protection
- On the effectiveness of address space layout randomization
- Test Applications (or libraries) for their ASLR and DEP support
- ASLR Smack & Laugh Reference