On the Effectiveness of Address-Space Randomization
Authors: H. Shacham, M. Page, B. Pfaff, E. Goh, N. Modadugu, and D. Boneh
Address-space randomization is a technique used to fortify systems against buffer overflow attacks. The idea is to introduce artificial diversity by randomizing the memory location of certain system components. This mechanism is available for both Linux (via PaX ASLR) and OpenBSD. We study the effectiveness of address-space randomization and find that its utility on 32-bit architectures is limited by the number of bits available for address randomization. In particular, we demonstrate a derandomization attack that will convert any standard buffer-overflow exploit into an exploit that works against systems protected by address-space randomization. The resulting exploit is as effective as the original exploit, although it takes a little longer to compromise a target machine (216 seconds on average). The attack does not require running code on the stack.
In Proceedings of the 11th ACM Conference on Computer and Communications Security (CCS), pp. 298-307, 2004
Full paper: pdf