SI485H: Stack Based Binary Exploits (SP17)


Summary 2: On the Effectiveness of Address Space Randomization


  • Read the assigned paper.
  • You must turn in a typed summary of the paper that meets the following requirements.
    • It must be at least two paragraphs (but less than 2 pages)
    • The first paragraph should provide a summary of the technical contributions, including any measurements and results
    • The second paragraph should discuss an item you found surprising and an item you found lacking or insufficient
  • This summary is graded on a pass/fail basis. You may resubmit failing summaries until complete for full credit.

Summary Paper

Title: On the Effectiveness of Address Space Randomization

Author(s): Hovav Shacham, Matthew Page, Ben Pfaff, Eu-Jin Goh, Nagendra Modadugu, and Dan Boneh

Venue: ACM Conference on Computer and Communications Security (CCS)

Year: 2004

Abstract: Address-space randomization is a technique used to fortify systems against buffer overflow attacks. The idea is to introduce artificial diversity by randomizing the memory location of certain system components. This mechanism is available for both Linux (via PaX ASLR) and OpenBSD. We study the effectiveness of address-space randomization and find that its utility on 32-bit architectures is limited by the number of bits available for address randomization. In particular, we demonstrate a derandomization attack that will convert any standard buffer-overflow exploit into an exploit that works against systems protected by address-space randomization. The resulting exploit is as effective as the original exploit, although it takes a little longer to compromise a target machine: on average 216 seconds to compromise Apache running on a Linux PaX ASLR system. The attack does not require running code on the stack.

We also explore various ways of strengthening address-space randomization and point out weaknesses in each. Surprisingly, increasing the frequency of re-randomizations adds at most 1 bit of security. Furthermore, compile-time randomization appears to be more effective than runtime randomization. We conclude that, on 32-bit architectures, the only benefit of PaX-like address-space randomization is a small slowdown in worm propagation speed. The cost of randomization is extra complexity in system support.
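The abstract's claim that re-randomizing more often adds at most 1 bit of security follows from a simple counting argument, worked through below as an added example (this is not code from the paper or the course; the entropy value 16 is an illustrative parameter, not a figure taken from this page). With a fixed layout, probing the N = 2^bits candidates without repetition finds the right one after (N + 1) / 2 tries on average; re-drawing the layout after every failed probe makes each probe an independent 1/N event, so the expectation rises to N, a factor of at most 2.

```python
import math
import random
from fractions import Fraction


def expected_probes_fixed_layout(bits: int) -> Fraction:
    """Layout drawn once per target. Walking the 2**bits candidate offsets
    without repeating any finds the correct one at position (N + 1) / 2
    on average."""
    n = 1 << bits
    return Fraction(n + 1, 2)


def expected_probes_rerandomized(bits: int) -> Fraction:
    """Layout redrawn after every failed probe. Each probe then succeeds
    independently with probability 1 / N, so the expected count is N."""
    return Fraction(1 << bits, 1)


def bits_gained_by_rerandomization(bits: int) -> float:
    """Extra work from re-randomization expressed in bits: log2 of the ratio
    of the two expectations. It approaches 1.0 from below as N grows."""
    ratio = expected_probes_rerandomized(bits) / expected_probes_fixed_layout(bits)
    return math.log2(ratio)


def simulate_mean_probes(bits: int, rerandomize: bool, trials: int, seed: int = 7) -> float:
    """Seeded Monte Carlo check of the two closed forms (repeatable)."""
    rng = random.Random(seed)
    n = 1 << bits
    total = 0
    for _ in range(trials):
        if rerandomize:
            # Secret offset is redrawn before every probe; since every value
            # is equally likely, a constant guess of 0 loses nothing.
            probes = 1
            while rng.randrange(n) != 0:
                probes += 1
        else:
            # Secret fixed for the whole run; candidates tried in random
            # order without repetition.
            secret = rng.randrange(n)
            order = list(range(n))
            rng.shuffle(order)
            probes = order.index(secret) + 1
        total += probes
    return total / trials


if __name__ == "__main__":
    B = 16  # illustrative entropy value (assumption, not from the page)
    print(f"fixed layout:  {float(expected_probes_fixed_layout(B)):.1f} probes")
    print(f"re-randomized: {float(expected_probes_rerandomized(B)):.1f} probes")
    print(f"gain: {bits_gained_by_rerandomization(B):.4f} bits")
```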