On the effectiveness of address-space randomization

Shacham, Hovav; Page, Matthew J.; Pfaff, Ben; Goh, Eu-Jin; Modadugu, Nagendra; Boneh, Dan

doi:10.1145/1030083.1030124

Cited by 654 publications

(525 citation statements)

References 5 publications

Supporting

Mentioning

499

Contrasting

Unclassified

Order By: Relevance

“…Additionally, it can be performed at compile time to also randomize the location of program routines and variables. Shacham et al [40] show that ASLR may not be very effective on 32-bit systems, as they do not allow for sufficient entropy. In contrast, Bhatkar et al [41] argue that it is possible to introduce enough entropy for ASLR to be effective.…”

Section: Related Workmentioning

confidence: 99%

Global ISR: Toward a Comprehensive Defense Against Unauthorized Code Execution

Portokalidis

Keromytis

2011

Advances in Information Security

View full text Add to dashboard Cite

Abstract. Instruction-set randomization (ISR) obfuscates the "language" understood by a system to protect against code-injection attacks by presenting an ever-changing target. ISR was originally motivated by code injection through buffer overflow vulnerabilities. However, Stuxnet demonstrated that attackers can exploit other vectors to place malicious binaries into a victim's filesystem and successfully launch them, bypassing most mechanisms proposed to counter buffer overflows. We propose the holistic adoption of ISR across the software stack, preventing the execution of unauthorized binaries and scripts regardless of their origin. Our approach requires that programs be randomized with different keys during a user-controlled installation, effectively combining the benefits of code whitelisting/signing and runtime program integrity. We discuss how an ISR-enabled environment for binaries can be implemented with little overhead in hardware, and show that higher-overhead softwareonly alternatives are possible. We use Perl and SQL to demonstrate the application of ISR in scripting environments with negligible overhead.

show abstract

Section: Related Workmentioning

confidence: 99%

Global ISR: Toward a Comprehensive Defense Against Unauthorized Code Execution

Portokalidis

Keromytis

2011

Advances in Information Security

View full text Add to dashboard Cite

show abstract

“…For Windows XP, all the gadgets we use are from shell32.dll and msctf.dll with base addresses 0x7d590000 and 0x74680000, respectively. Windows 7, on the other hand, uses ASLR [3,4,24,27,29] where the base addresses of libraries are randomized after every restarting. We assume that the base addresses of ntdll.dll, kernel32.dll and shell32.dll are known (of values 0x77530000, 0x76710000 and 0x768e0000, respectively in our experiment), an assumption previous work on ROP also makes [6,22,23].…”

Section: Gadgets Used In Our Implementationmentioning

confidence: 99%

Packed, Printable, and Polymorphic Return-Oriented Programming

Zou

Wen

et al. 2011

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Return-oriented programming (ROP) is an attack that has been shown to be able to circumvent W ⊕ X protection. However, it was not clear if ROP can be made as powerful as non-ROP malicious code in other aspects, e.g., be packed to make static analysis difficult, be printable to evade non-ASCII filtering, be polymorphic to evade signaturebased detection, etc. Research in these potential advances in ROP is important in designing counter-measures. In this paper, we show that ROP code could be packed, printable, and polymorphic. We demonstrate this by proposing a packer that produces printable and polymorphic ROP code. It works on virtually any unpacked ROP code and produces packed code that is self-contained. We implement our packer and demonstrate that it works on both Windows XP and Windows 7 platforms.

show abstract

“…Feeding such addresses into the algorithm above, instead of using a random R perform close to 100% reliability. Other derandomization attacks against full ASLR may be used to improve the reliability of this method [17].…”

Section: If Not Gotomentioning

confidence: 99%

“…In 2004, Shacham et al [17] presented a brute-force guessing attack against the PaX ASLR [13]. ASLR randomizes the location of the libraries and some of the data segments of a process.…”

Section: Related Workmentioning

confidence: 99%

Known/Chosen Key Attacks against Software Instruction Set Randomization

Weiss¹,

Barrantes

2006

2006 22nd Annual Computer Security Applications Conference (ACSAC'06)

View full text Add to dashboard Cite

Instruction Set Randomization (ISR) has been proposed as a form of defense against binary code injection into an executing program. One proof-of-concept implementation is Randomized Instruction Set Emulator (RISE), based on the open-source Valgrind IA-32 to IA-32 binary translator. Although RISE is effective against attacks that are not RISEaware, it is vulnerable to pure data and hybrid data-code attacks that target its data, as well to some classes of bruteforce guessing. In order to enable the design of a production version, we describe implementation-specific and generic vulnerabilities that can be used to overcome RISE in its current form. We present and discuss attacks and solutions in three categories: known-key attacks that rely on the key being leaked and then used to pre-scramble the attacking code; chosen-key attacks that use implementation weaknesses to allow the attacker to define its own key,or otherwise affect key generation; and key-guessing ("bruteforce") attacks, about which we explore the design of minimalistic loaders which can be used to minimize the number of mask bytes required for a successful key-guessing attack.All the described attacks were tested in real-world scenarios.

show abstract

On the effectiveness of address-space randomization

Cited by 654 publications

References 5 publications

Global ISR: Toward a Comprehensive Defense Against Unauthorized Code Execution

Global ISR: Toward a Comprehensive Defense Against Unauthorized Code Execution

Packed, Printable, and Polymorphic Return-Oriented Programming

Known/Chosen Key Attacks against Software Instruction Set Randomization

Contact Info

Product

Resources

About