On the Effectiveness of Full-ASLR on 64-bit Linux

Hector Marco Gisbert; Ismael Ripoli

On the Effectiveness of Full-ASLR on 64-bit Linux

Hector Marco Gisbert, Ismael Ripoli

Research output: Contribution to conference › Paper › peer-review

Abstract

Address-Space Layout Randomization (ASLR) is a technique used to thwart attacks which relies on knowing the location of the target code or data. The effectiveness of ASLR hinges on the entirety of the address space layout
remaining unknown to the attacker. Only executables compiled as Position Independent Executable (PIE) can obtain the maximum protection from the ASLR technique since all the sections are loaded at random locations.

We have identified a security weakness on the implementation of the ASLR in Linux when the executable is PIE compiled, named offset2lib. A PoC attack is described to illustrate how the offset2lib can be exploited. Our attack
bypasses the three most widely adopted and effective protection techniques: No-eXecutable bit (NX), address space layout randomization (ASLR) and stack smashing protector (SSP). A remote shell is got in less than one second.

Finally, how the RenewSSP technique can be used as a workaround is discussed and how to remove the offset2lib weakness from the current ASLR implementation is also presented.

Original language	English
Number of pages	9
Publication status	Published - 20 Nov 2014
Externally published	Yes
Event	In-depth Security Conference 2014 (DeepSec) - Vienna, Austria Duration: 18 Nov 2014 → 21 Nov 2014 https://deepsec.net/archive/2014.deepsec.net/index.html

Conference

Conference	In-depth Security Conference 2014 (DeepSec)
Country/Territory	Austria
City	Vienna
Period	18/11/14 → 21/11/14
Internet address	https://deepsec.net/archive/2014.deepsec.net/index.html

Access to Document

Cite this

@conference{77faa3268e8840529988a90c13282012,

title = "On the Effectiveness of Full-ASLR on 64-bit Linux",

abstract = "Address-Space Layout Randomization (ASLR) is a technique used to thwart attacks which relies on knowing the location of the target code or data. The effectiveness of ASLR hinges on the entirety of the address space layoutremaining unknown to the attacker. Only executables compiled as Position Independent Executable (PIE) can obtain the maximum protection from the ASLR technique since all the sections are loaded at random locations.We have identified a security weakness on the implementation of the ASLR in Linux when the executable is PIE compiled, named offset2lib. A PoC attack is described to illustrate how the offset2lib can be exploited. Our attackbypasses the three most widely adopted and effective protection techniques: No-eXecutable bit (NX), address space layout randomization (ASLR) and stack smashing protector (SSP). A remote shell is got in less than one second.Finally, how the RenewSSP technique can be used as a workaround is discussed and how to remove the offset2lib weakness from the current ASLR implementation is also presented.",

author = "{Marco Gisbert}, Hector and Ismael Ripoli",

year = "2014",

month = nov,

day = "20",

language = "English",

note = "In-depth Security Conference 2014 (DeepSec) ; Conference date: 18-11-2014 Through 21-11-2014",

url = "https://deepsec.net/archive/2014.deepsec.net/index.html",

}

TY - CONF

T1 - On the Effectiveness of Full-ASLR on 64-bit Linux

AU - Marco Gisbert, Hector

AU - Ripoli, Ismael

PY - 2014/11/20

Y1 - 2014/11/20

N2 - Address-Space Layout Randomization (ASLR) is a technique used to thwart attacks which relies on knowing the location of the target code or data. The effectiveness of ASLR hinges on the entirety of the address space layoutremaining unknown to the attacker. Only executables compiled as Position Independent Executable (PIE) can obtain the maximum protection from the ASLR technique since all the sections are loaded at random locations.We have identified a security weakness on the implementation of the ASLR in Linux when the executable is PIE compiled, named offset2lib. A PoC attack is described to illustrate how the offset2lib can be exploited. Our attackbypasses the three most widely adopted and effective protection techniques: No-eXecutable bit (NX), address space layout randomization (ASLR) and stack smashing protector (SSP). A remote shell is got in less than one second.Finally, how the RenewSSP technique can be used as a workaround is discussed and how to remove the offset2lib weakness from the current ASLR implementation is also presented.

AB - Address-Space Layout Randomization (ASLR) is a technique used to thwart attacks which relies on knowing the location of the target code or data. The effectiveness of ASLR hinges on the entirety of the address space layoutremaining unknown to the attacker. Only executables compiled as Position Independent Executable (PIE) can obtain the maximum protection from the ASLR technique since all the sections are loaded at random locations.We have identified a security weakness on the implementation of the ASLR in Linux when the executable is PIE compiled, named offset2lib. A PoC attack is described to illustrate how the offset2lib can be exploited. Our attackbypasses the three most widely adopted and effective protection techniques: No-eXecutable bit (NX), address space layout randomization (ASLR) and stack smashing protector (SSP). A remote shell is got in less than one second.Finally, how the RenewSSP technique can be used as a workaround is discussed and how to remove the offset2lib weakness from the current ASLR implementation is also presented.

M3 - Paper

T2 - In-depth Security Conference 2014 (DeepSec)

Y2 - 18 November 2014 through 21 November 2014

ER -

On the Effectiveness of Full-ASLR on 64-bit Linux

Abstract

Conference

Access to Document

Fingerprint

Cite this