On the Effectiveness of Address-Space Randomization
Authors: H. Shacham, M. Page, B. Pfaff, E. Goh, N. Modadugu, and D. Boneh
Abstract:
Address-space randomization is a technique used to fortify systems
against buffer overflow attacks. The idea is to introduce artificial
diversity by randomizing the memory location of certain system
components. This mechanism is available for both Linux (via PaX ASLR)
and OpenBSD. We study the effectiveness of address-space randomization
and find that its utility on 32-bit architectures is limited by the
number of bits available for address randomization. In particular, we
demonstrate a derandomization attack that will convert any standard
buffer-overflow exploit into an exploit that works against systems
protected by address-space randomization. The resulting exploit is as
effective as the original exploit, although it takes a little longer
to compromise a target machine (216 seconds on average). The attack
does not require running code on the stack.
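The abstract's central point is that the strength of ASLR is bounded by how many address bits are actually randomized. The following added example (not code from the paper or its authors) shows the two checks a defender would want: a measurement of how many bits vary across fresh process launches on the host, and the expected number of guesses that entropy affords a brute-force attacker under the two threat models the paper distinguishes. Function names and the sampling probe are this example's own; the sampling helper assumes a POSIX host where `sys.executable` can be re-spawned.

```python
"""Measure how many address bits ASLR randomizes and what that entropy
implies for a guessing attacker.  Added example, not the paper's code.
Assumes a POSIX host where sys.executable can be spawned repeatedly."""
import subprocess
import sys
from typing import Iterable, List


def estimate_entropy_bits(addresses: Iterable[int]) -> int:
    """Count the address bits that differ across the samples.

    Bits identical in every sample contribute no entropy, so the number of
    bits that ever differ is an upper bound on the randomization the loader
    gives that region.  Page alignment alone fixes the low 12 bits.
    """
    samples = list(addresses)
    if len(samples) < 2:
        raise ValueError("need at least two address samples")
    varying = 0
    for addr in samples[1:]:
        varying |= samples[0] ^ addr
    return bin(varying).count("1")


def expected_probes(entropy_bits: int, layout_fixed: bool = True) -> float:
    """Expected number of guesses needed to hit the right layout.

    layout_fixed=True models a forking server that keeps its layout across
    crashed children (the setting the paper attacks): the attacker walks a
    fixed space of 2**bits candidates, so on average half of it suffices.
    layout_fixed=False models re-randomization after every failed probe:
    each guess is an independent trial with probability 2**-bits, so the
    expectation is the whole 2**bits.
    """
    space = 2 ** entropy_bits
    return space / 2 if layout_fixed else float(space)


def sample_heap_addresses(runs: int = 32) -> List[int]:
    """Spawn a fresh interpreter per run and record the address of a newly
    allocated object, so each sample reflects the host's per-exec heap
    randomization rather than one process's fixed layout."""
    probe = "print(id(bytearray(64)))"
    out: List[int] = []
    for _ in range(runs):
        res = subprocess.run([sys.executable, "-c", probe],
                             capture_output=True, text=True, check=True)
        out.append(int(res.stdout.strip()))
    return out


if __name__ == "__main__":
    # Constructed sample: three page-aligned 32-bit addresses whose bits
    # 12..23 vary, the kind of spread a 32-bit mmap base typically shows.
    constructed = [0xB7000000, 0xB7FFF000, 0xB7123000]
    bits = estimate_entropy_bits(constructed)
    print(f"constructed sample: {bits} varying bits")
    print(f"  fixed layout: ~{expected_probes(bits):.0f} expected probes")
    print(f"  re-randomized: ~{expected_probes(bits, False):.0f} expected probes")
    # Live measurement on this host (skipped silently if spawning fails).
    try:
        live = sample_heap_addresses()
        print(f"this host: {estimate_entropy_bits(live)} varying heap bits")
    except (OSError, subprocess.CalledProcessError):
        pass
```

The measured count is an upper bound, not a proof of entropy: bits can vary without being uniformly random. It is still a quick way to confirm that randomization is enabled at all and to compare a 32-bit build against a 64-bit one, where the same measurement typically shows far more varying bits.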
Reference:
In Proceedings of the 11th ACM Conference on Computer and
Communications Security (CCS), pp. 298-307, 2004