An Analysis of Address Space Layout Randomization on Windows Vista™
Ollie Whitehouse, Architect, Symantec Advanced Threat Research
Contents
Previous measurements ... 4
Organization of this paper ... 5
ASLR in Windows Vista ... 5
Methodology ... 6
Analysis ... 7
Occurrences of duplicates ... 8
Frequency distribution analysis ... 9
Conclusions ... 12
Acknowledgments ... 13
References ... 13
Appendix ... 15
I. ASLR.cpp ... 15
II. ReSeed.bat ... 18
III. Runs between consecutive values ... 19
Abstract: Address space layout randomization (ASLR) is a prophylactic security technology aimed
at reducing the effectiveness of exploit attempts. With the advent of the Microsoft® Windows Vista
operating system, ASLR has been integrated into the default configuration of the Windows® operating
system for the first time. We measure the behavior of the ASLR implementation in the Windows Vista
RTM release. Our analysis of the results uncovers predictability in the implementation that reduces
its effectiveness.
Address space layout randomization, or ASLR, is a prophylactic security technology that strengthens
system security by increasing the diversity of attack targets [20]. Rather than increasing security by
removing vulnerabilities from the system, ASLR makes it more difficult to exploit existing vulnerabilities.
This technology complements efforts to remove security vulnerabilities since it can offer some protection
from vulnerabilities that have not yet been remedied or may not even be known yet.
ASLR is also complementary to other prophylactic techniques such as Data Execution Prevention (DEP):
the combination of these two technologies provides a much stronger defense against memory manipulation
vulnerabilities than either one alone. Techniques for exploiting memory manipulation vulnerabilities are
sensitive to the memory layout of the program being targeted. This important class of vulnerability includes
stack and heap overflows and underflows, format string vulnerabilities, array index overflows, and
uninitialized variables. By randomizing the memory layout of an executing program, ASLR decreases the
predictability of that layout and reduces the probability that an individual exploit attempt will succeed. The
security offered by ASLR is based on several factors [12], including how predictable the random memory
layout of a program is, how tolerant an exploit technique is to variations in memory layout, and how many
exploitation attempts an attacker can practically make.
Address space layout randomization has been integrated into several popular operating systems—
including OpenBSD and Linux—for several years. Third-party ASLR implementations have been available
for previous versions of the Windows operating system as stand-alone products or as part of host intrusion
protection (HIPS) solutions [1][2][4][11][18]. With the advent of the Microsoft® Windows Vista operating
system, ASLR has been integrated into the default configuration of a Windows® operating system for the
first time [5].
We measured the behavior of the ASLR feature in the 32-bit Windows Vista RTM release. This paper
discusses our measurement techniques and presents our findings. Our analysis uncovers some flaws that
reduce the effectiveness of the ASLR implementation in Windows Vista.
Previous measurements
There have been several efforts to describe and measure the ASLR implementation in Windows Vista.
The first is described in the tuxedo-es.org blog [13] and supported by the release of its Vista Probe tool
[14][15][16][17]. This was soon followed by a paper by Rahbar [10], but its analysis was refuted by
Howard [6]. Both efforts used a beta release of Windows Vista for their measurements because a release
version was not yet available.
To our knowledge, our work is the first to measure the ASLR implementation in the Windows Vista RTM
release. Unlike previous work, we rebooted the test system between measurements so ASLR would be
in the environment it was intended to be used in. While previous work relied on a small number of
measurements to draw conclusions, we took a much larger number and expect our results to have more
statistical significance. Finally, we discovered several important and unexpected deficiencies in the ASLR
implementation that were not previously reported and have since been acknowledged by Microsoft.
Organization of this paper
The first section of this paper discusses the ASLR implementation provided by Windows Vista and
describes our methodology for measuring its behavior. The next section presents and analyzes the
measurements we made. The final section summarizes our findings. The Appendix includes more
information on the research, including program source and results graphs.
ASLR in Windows Vista
Windows Vista provides ASLR on a per-image basis. Any executable image that contains a PE header,
such as executable binaries (.exe) and dynamic link libraries (.dll), can elect to participate in address
space layout randomization. This election is made by setting a bit (0x40) in one of the PE header fields
(DLLCHARACTERISTICS) [7]. An option (/dynamicbase) is provided by the Microsoft Visual Studio® 2005
linker for setting this bit when linking an image.
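As an added example (not the paper's own ASLR.cpp), the following Python reads the DllCharacteristics field from a PE header and reports whether the 0x40 opt-in bit described above is set; the stub-header builder is a constructed fixture for exercising the parser, not a loadable image.

```python
import struct

# Bit 0x40 of DllCharacteristics: the image opts in to ASLR (set by /dynamicbase).
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100  # the DEP opt-in bit, for comparison


def dll_characteristics(data: bytes) -> int:
    """Return the DllCharacteristics field of a PE image given as raw file bytes."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER (20 bytes)
    opt = coff + 20                          # IMAGE_OPTIONAL_HEADER
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B) or size_of_optional < 72:  # PE32 / PE32+
        raise ValueError("unsupported or truncated optional header")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers.
    return struct.unpack_from("<H", data, opt + 70)[0]


def opts_into_aslr(data: bytes) -> bool:
    """True when the linker set /dynamicbase, i.e. the loader may rebase this image."""
    return bool(dll_characteristics(data) & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)


def make_stub_pe(dll_chars: int) -> bytes:
    """Constructed minimal PE32 header (not loadable), used only to exercise the parser."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=i386, 0 sections, 224-byte optional header, EXECUTABLE_IMAGE|32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for flags in (0x0140, 0x0100):
        print(hex(flags), "ASLR opt-in:", opts_into_aslr(make_stub_pe(flags)))
```

To audit a real binary, pass the file's bytes (`open(path, "rb").read()`) to `opts_into_aslr`.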
While loading an image that has elected to participate in ASLR, the system uses a random global image
offset. This offset is selected once per reboot, although we’ve uncovered at least one other way to cause
this offset to be reset without a reboot (see Appendix II). The image offset is selected from a range of 256
values and is 64 KB aligned. The offset and the other random parameters are generated pseudo-randomly [3].
All images loaded together into a process—including the main executable and DLLs—are loaded one after
another at this offset. Because image offsets are constant across all processes, a DLL that is shared
between processes can be loaded at the same address in all processes for efficiency.
When executing a program whose image has been marked for ASLR, the memory layout of the process is
further randomized by placing the thread stack and the process heaps randomly. The stack address is
selected first. The stack region is selected from a range of 32 possible locations, each separated by 64 KB
or 256 KB (depending on the STACK_SIZE setting).
Once the stack has been placed, the initial stack pointer is further randomized by a random decremental
amount. The initial offset is selected to be up to half a page (2,048 bytes), but is limited to naturally
aligned addresses (4-byte alignment on IA32 and 16-byte alignment on IA64). The choices result in an
initial stack pointer chosen from one of 16,384 possible values on an IA32 system.
Once the stack address has been selected, the process heaps are selected. Each heap is allocated from a
range of 32 different locations, each separated by 64 KB. The location of the first heap must be chosen to
avoid the previously placed stack, and each of the heaps following must be allocated to avoid those that
come before.
The address of an operating system structure known as the Process Environment Block (PEB) is also
selected randomly. The PEB randomization feature was introduced earlier in Windows XP SP2 and
Windows 2003 SP1, and is also present in Windows Vista. Although implemented separately, it is also
a form of address space randomization; but unlike the other ASLR features, PEB randomization occurs
whether or not the executable being loaded elected to use the ASLR feature.
An important result of the ASLR design in Windows Vista is that some address space layout parameters,
such as PEB, stack, and heap locations, are selected once per program execution. Other parameters, such as
the location of the program code, data segment, BSS segment, and libraries, change only between reboots.
Methodology
We measured the ASLR implementation of Windows Vista to verify its behavior and to determine how
random the memory layouts of loaded programs are. We constructed a program to log several important
addresses associated with the program each time it is executed. To measure the randomization of the
image base address, the test program prints the address of a function in the code segment. To measure
the randomization of the stack, it prints the address of an automatic variable; for measurement of the
randomization of the PEB structure, it prints the address of the PEB.
Finally, the test program measures the placement of three heaps. It measures the CRT heap by printing the
first value returned by malloc; and prints the first values returned by HeapAlloc using the default process
heap as well as a heap created with CreateHeap.
We compiled our test program with Microsoft Visual Studio 2005 SP1 Beta and linked it statically. The
program source is listed in Appendix I. When executed repeatedly in the same environment on a machine
that does not support ASLR or PEB randomization, this program reports the same constants each time. Any
variation in the output is due solely to the effects of ASLR.
Some ASLR parameters are set only once per system boot.¹ To properly measure the effects of ASLR, we
rebooted the system between measurements. We configured an AMD Athlon 3200 system running 32-bit
Windows Vista RTM to automatically log in and run our data collection utility during system startup, and
then to reboot. This setup closely mimics the environment of long-running services that are executed once
during system startup. Our test harness was used to collect samples from 11,500 test runs over 12 days.
The complete data is being made available [19].
¹ Normally, as previously noted.
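To analyze the per-boot samples such a harness collects, the following added Python (not code from the paper's appendix; the log line format and the sample values are constructed assumptions) computes the frequency distribution, the count of consecutive duplicates, an alignment check and the observed entropy against the range sizes the design section gives, the same kinds of checks the paper's analysis applies to its 11,500 runs.

```python
import math
import re
from collections import Counter

# Range sizes the design section gives: 256 image offsets, 16,384 initial stack pointers.
DESIGN_RANGE = {"image": 256, "stack": 16384}

# Constructed sample of the per-boot log; the "image=... stack=... peb=..." layout is an
# assumption for this example, not the output format of the paper's test program.
SAMPLE_LOG = """\
image=0x00B90000 stack=0x0018F8A0 peb=0x7FFDE000
image=0x00B90000 stack=0x0016FC44 peb=0x7FFD7000
image=0x01230000 stack=0x0019F5E8 peb=0x7FFDB000
image=0x00B90000 stack=0x0012FA14 peb=0x7FFDE000
image=0x01230000 stack=0x0018F8A0 peb=0x7FFD4000
image=0x00F70000 stack=0x0017FD30 peb=0x7FFD7000
"""
LINE_RE = re.compile(r"image=(0x[0-9a-fA-F]+) stack=(0x[0-9a-fA-F]+) peb=(0x[0-9a-fA-F]+)")


def parse_log(text):
    # One dict of integer addresses per run; lines that do not match are skipped.
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append({"image": int(m[1], 16), "stack": int(m[2], 16), "peb": int(m[3], 16)})
    return out


def frequencies(samples, field):
    return Counter(s[field] for s in samples)


def observed_bits(samples, field):
    """Shannon entropy (bits) of the observed values, to compare with expected_bits()."""
    counts = frequencies(samples, field)
    n = sum(counts.values())
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def expected_bits(field):
    """Entropy the design would give if every value in its range were equally likely."""
    return math.log2(DESIGN_RANGE[field])


def consecutive_duplicates(samples, field):
    """Runs in which a parameter repeats the value of the run immediately before it."""
    vals = [s[field] for s in samples]
    return sum(1 for a, b in zip(vals, vals[1:]) if a == b)


def misaligned(samples, field, alignment):
    """Values that break the alignment the design promises (64 KB image bases, 4-byte ESP)."""
    return [s[field] for s in samples if s[field] % alignment]
```

Run it over the full log of a measurement campaign and compare `observed_bits` with `expected_bits` per parameter; a large gap, or a high `consecutive_duplicates` count, is the kind of predictability the paper's analysis looks for.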