Address Space Layout Permutation (ASLP): Towards Fine-Grained Randomization of Commodity Software

Address space randomization is an emerging and promising method for stopping a broad range of memory corruption attacks. By randomly shifting critical memory regions at process initialization time, address space randomization converts an otherwise successful malicious attack into a benign process crash. However, existing approaches either introduce insufficient randomness or require source code modification. While insufficient randomness allows successful brute-force attacks, as shown in recent studies, the required source code modification prevents this effective method from being used for commodity software, which is the major source of exploited vulnerabilities on the Internet. We propose address space layout permutation (ASLP), which introduces a high degree of randomness (or high entropy) with minimal performance overhead. Essential to ASLP is a novel binary rewriting tool that can place the static code and data segments of a compiled executable at a randomly specified location and perform fine-grained permutation of procedure bodies in the code segment as well as static data objects in the data segment. We have also modified the Linux operating system kernel to permute stack, heap, and memory-mapped regions. Together, ASLP completely permutes the memory regions of an application. Our security and performance evaluation shows minimal performance overhead with orders-of-magnitude improvement in randomness (e.g., up to 29 bits of randomness on a 32-bit architecture).
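The abstract contrasts coarse segment shifting, which preserves every relative distance inside the code segment, with fine-grained permutation of procedure bodies, which does not. The following is an added illustrative model (not code from the ASLP paper or its binary rewriter) that makes that distinction concrete: it lays out a constructed list of procedures either shifted as a block or shuffled and shifted, and measures how often one leaked procedure address lets a fixed static offset predict another. The procedure names and sizes, the base address, the 16-bit page-aligned shift range, and the attacker model are all assumptions chosen for illustration, not figures from the paper.

```python
"""Illustrative model of coarse address shifting versus fine-grained
procedure permutation. Added example; not the ASLP paper's own code."""
import random
from math import factorial, log2

# Constructed sample code segment: (procedure name, size in bytes).
PROCEDURES = [("main", 0x120), ("parse", 0x340), ("auth", 0x80),
              ("log_msg", 0x1c0), ("cleanup", 0x60)]

STATIC_BASE = 0x08048000   # assumed unrandomized load address of the text segment
PAGE = 0x1000              # assumed alignment granularity of the base shift
BASE_BITS = 16             # assumed entropy of the coarse base shift (illustrative)


def lay_out(procs, base):
    """Assign contiguous addresses starting at `base`; returns {name: address}."""
    addrs, cur = {}, base
    for name, size in procs:
        addrs[name] = cur
        cur += size
    return addrs


def random_base(rng):
    """Page-aligned random base within the assumed BASE_BITS range."""
    return STATIC_BASE + rng.randrange(1 << BASE_BITS) * PAGE


def coarse_shift(procs, rng):
    """Coarse model: the whole segment moves, relative distances are preserved."""
    return lay_out(procs, random_base(rng))


def permute(procs, rng):
    """Fine-grained model: random base AND random order of procedure bodies."""
    order = list(procs)
    rng.shuffle(order)
    return lay_out(order, random_base(rng))


def relative_offset(addrs, a, b):
    """Signed distance from procedure `a` to procedure `b` in a layout."""
    return addrs[b] - addrs[a]


def leak_predicts_target(layout_fn, leaked, target, trials=1000, seed=0):
    """Defender-side estimate: given the true address of `leaked`, how often does
    the unrandomized static offset correctly predict the address of `target`?
    Returns the fraction of sampled layouts where the prediction is right."""
    rng = random.Random(seed)
    static = lay_out(PROCEDURES, STATIC_BASE)
    delta = relative_offset(static, leaked, target)
    hits = 0
    for _ in range(trials):
        addrs = layout_fn(PROCEDURES, rng)
        if addrs[leaked] + delta == addrs[target]:
            hits += 1
    return hits / trials


def permutation_entropy_bits(n):
    """Entropy added by a uniformly random ordering of n procedure bodies."""
    return log2(factorial(n))


def layout_entropy_bits(n, base_bits=BASE_BITS):
    """Entropy of base shift plus procedure permutation under this model."""
    return base_bits + permutation_entropy_bits(n)


if __name__ == "__main__":
    print("coarse shift: leak of main predicts auth in",
          leak_predicts_target(coarse_shift, "main", "auth"), "of layouts")
    print("permutation : leak of main predicts auth in",
          leak_predicts_target(permute, "main", "auth"), "of layouts")
    print("model entropy with permutation: %.1f bits"
          % layout_entropy_bits(len(PROCEDURES)))
```

Under the coarse model a single leaked address pins down every other procedure, so the base-shift entropy is spent after one disclosure; under permutation the same leak only rarely lines up with the static offset, and the added entropy grows with the number of permuted bodies (log2(n!) in this model). Real segments have many more procedures than this five-entry sample, which is why permuting the code segment contributes meaningfully to the total randomness.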
