EvilOctal Security Team Technical Discussion Group's Archiver

eviloctal 2008-3-25 22:29

[Repost] On the Effectiveness of Address-Space Randomization

Source: EvilOctal Security Team ([url]www.eviloctal.com[/url])

[b]ABSTRACT[/b]
Address-space randomization is a technique used to fortify systems against buffer overflow attacks. The idea is to introduce artificial diversity by randomizing the memory location of certain system components. This mechanism is available for both Linux (via PaX ASLR) and OpenBSD. We study the effectiveness of address-space randomization and find that its utility on 32-bit architectures is limited by the number of bits available for address randomization. In particular, we demonstrate a derandomization attack that will convert any standard buffer-overflow exploit into an exploit that works against systems protected by address-space randomization. The resulting exploit is as effective as the original exploit, although it takes a little longer to compromise a target machine: on average 216 seconds to compromise Apache running on a Linux PaX ASLR system. The attack does not require running code on the stack.

We also explore various ways of strengthening address-space randomization and point out weaknesses in each. Surprisingly, increasing the frequency of re-randomizations adds at most 1 bit of security. Furthermore, compile-time randomization appears to be more effective than runtime randomization. We conclude that, on 32-bit architectures, the only benefit of PaX-like address-space randomization is a small slowdown in worm propagation speed. The cost of randomization is extra complexity in system support.
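The abstract's two quantitative claims (that the work an attacker must do is bounded by the number of random bits, and that re-randomizing more often adds at most 1 bit) follow from a short expected-value argument. The script below is an added illustration written for this archive page; it is not code from the paper or from the EvilOctal post. It treats the randomized quantity as a uniform secret of `entropy_bits` bits and compares the expected number of probes a guesser needs when the layout is fixed for the process lifetime against the case where the layout is redrawn after every failed probe. The value 16 used in `main()` is an assumed illustrative width, not a figure taken from this page. Both closed forms are checked with a small Monte Carlo simulation.

```python
import math
import random
from fractions import Fraction


def expected_probes_fixed_layout(entropy_bits: int) -> Fraction:
    """Layout randomized once and then fixed while it is being probed.

    The secret is uniform over N = 2**entropy_bits values. A guesser who tries
    each candidate once, in any order, succeeds on probe i with probability
    1/N, so the expected probe count is sum(i / N for i in 1..N) = (N + 1) / 2.
    """
    n = 2 ** entropy_bits
    return Fraction(n + 1, 2)


def expected_probes_rerandomized(entropy_bits: int) -> Fraction:
    """Layout redrawn after every failed probe (the most frequent re-randomization).

    Every probe is then an independent trial with success probability 1/N, so
    the probe count is geometric with mean N.
    """
    return Fraction(2 ** entropy_bits)


def bits_gained_by_rerandomization(entropy_bits: int) -> float:
    """Extra work, in bits, that per-probe re-randomization adds over a fixed
    layout: log2(N / ((N + 1) / 2)). This approaches 1 from below, which is
    the "at most 1 bit" bound stated in the abstract."""
    ratio = expected_probes_rerandomized(entropy_bits) / expected_probes_fixed_layout(entropy_bits)
    return math.log2(ratio)


def simulate_mean_probes(entropy_bits: int, rerandomize: bool, trials: int, seed: int = 1) -> float:
    """Monte Carlo check of the two closed forms above.

    Guesses are sequential (0, 1, 2, ...); because the secret is uniform this
    is equivalent to guessing in a random order. With rerandomize=True the
    secret is redrawn before every probe after the first, modelling a system
    that re-randomizes on each restart.
    """
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    n = 2 ** entropy_bits
    total_probes = 0
    for _ in range(trials):
        secret = rng.randrange(n)
        guess = 0
        probes = 0
        while True:
            probes += 1
            if guess == secret:
                break
            guess = (guess + 1) % n
            if rerandomize:
                secret = rng.randrange(n)
        total_probes += probes
    return total_probes / trials


def main() -> None:
    bits = 16  # assumed illustrative width; not a value taken from this page
    print(f"{bits}-bit secret, fixed layout:        E[probes] = {float(expected_probes_fixed_layout(bits)):.1f}")
    print(f"{bits}-bit secret, re-randomized/probe: E[probes] = {float(expected_probes_rerandomized(bits)):.1f}")
    print(f"work added by re-randomization:       {bits_gained_by_rerandomization(bits):.4f} bits")
    # Simulation on a small width so the loop stays fast
    print(f"8-bit simulation, fixed:         {simulate_mean_probes(8, False, 3000):.1f}")
    print(f"8-bit simulation, re-randomized: {simulate_mean_probes(8, True, 3000):.1f}")


if __name__ == "__main__":
    main()
```

The point for a defender is that the expected cost scales with 2^bits, not with how often the layout changes: doubling the probe count is the best re-randomization can do, so on a 32-bit system the only real lever is the entropy actually available for the randomized base addresses.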

© 1999-2008 EvilOctal Security Team