On the Effectiveness of Full-ASLR on 64-bit Linux

Hector Marco Gisbert, Ismael Ripoli

Research output: Paper (Research - peer-review)

Abstract

Address-Space Layout Randomization (ASLR) is a technique used to thwart attacks which rely on knowing the location of the target code or data. The effectiveness of ASLR hinges on the entirety of the address space layout remaining unknown to the attacker. Only executables compiled as Position Independent Executable (PIE) can obtain the maximum protection from the ASLR technique, since all the sections are loaded at random locations.

We have identified a security weakness in the implementation of ASLR in Linux when the executable is compiled as PIE, which we name offset2lib. A PoC attack is described to illustrate how offset2lib can be exploited. Our attack bypasses the three most widely adopted and effective protection techniques: No-eXecutable bit (NX), address space layout randomization (ASLR) and stack smashing protector (SSP). A remote shell is obtained in less than one second.

Finally, we discuss how the RenewSSP technique can be used as a workaround and present how to remove the offset2lib weakness from the current ASLR implementation.
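The offset2lib weakness named in the abstract is that, on the affected kernels, a PIE executable is mapped at a constant distance from the shared libraries, so a single leaked library address reveals where the executable sits (and vice versa), defeating the extra randomization PIE was supposed to buy. The C program below is an added check, not code from the paper: it reads /proc/self/maps to measure the distance between the executable image and libc in the running process. Run it several times with ASLR enabled; a delta that never changes is offset2lib, a delta that changes each run means the kernel randomizes the PIE base independently of the library area. The libc file-name patterns, the helper names, and the use of /proc/self/exe to locate the executable are assumptions of this example.

```c
/* Added example (not from the paper): measure the executable-to-libc
   distance in this process, the quantity offset2lib makes predictable.
   Build as PIE, e.g.:  gcc -fPIE -pie -O0 offset2lib_check.c -o check
   Linux only: relies on /proc/self/maps and /proc/self/exe. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <elf.h>

/* Start address of the lowest mapping in /proc/self/maps whose pathname
   contains `needle`; 0 if none. The file lists mappings in ascending
   address order, so the first hit for a file is the base at which its
   ELF image was loaded (image vaddr 0 for PIE executables and libraries). */
static uintptr_t map_base(const char *needle) {
    FILE *f = fopen("/proc/self/maps", "r");
    if (f == NULL)
        return 0;
    char line[4096];
    uintptr_t base = 0;
    while (fgets(line, sizeof line, f) != NULL) {
        const char *path = strchr(line, '/');   /* pathname column, if present */
        if (path != NULL && strstr(path, needle) != NULL) {
            base = (uintptr_t)strtoull(line, NULL, 16);  /* leading "start-end" */
            break;
        }
    }
    fclose(f);
    return base;
}

/* Base of the running executable, found by its own resolved path. */
uintptr_t exe_base(void) {
    char path[4096];
    ssize_t n = readlink("/proc/self/exe", path, sizeof path - 1);
    if (n < 0)
        return 0;
    path[n] = '\0';
    return map_base(path);
}

/* Base of the C library. File-name patterns are an assumption of this
   example: glibc >= 2.34 ships libc.so.6, older glibc libc-2.xx.so,
   musl libc.musl-<arch>.so.1. */
uintptr_t libc_base(void) {
    static const char *const names[] = { "/libc.so", "/libc-", "/libc.musl" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        uintptr_t b = map_base(names[i]);
        if (b != 0)
            return b;
    }
    return 0;
}

/* Signed distance from the executable base to the libc base, 0 if either
   is unknown. Identical across runs with ASLR on => offset2lib: one libc
   leak pins down every address in the executable, and vice versa. */
intptr_t offset2lib_delta(void) {
    uintptr_t e = exe_base(), l = libc_base();
    if (e == 0 || l == 0)
        return 0;
    return (intptr_t)(l - e);
}

/* 1 if /proc/self/exe is ET_DYN (PIE), 0 if ET_EXEC (fixed load address,
   the executable is never randomized), -1 on error. Assumes a 64-bit ELF,
   the case the paper covers. */
int running_as_pie(void) {
    FILE *f = fopen("/proc/self/exe", "rb");
    if (f == NULL)
        return -1;
    Elf64_Ehdr eh;
    size_t n = fread(&eh, 1, sizeof eh, f);
    fclose(f);
    if (n != sizeof eh || memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0)
        return -1;
    return eh.e_type == ET_DYN ? 1 : 0;
}

int main(void) {
    printf("PIE executable: %d\n", running_as_pie());
    printf("exe base:   0x%lx\n", (unsigned long)exe_base());
    printf("libc base:  0x%lx\n", (unsigned long)libc_base());
    printf("libc - exe: 0x%lx\n", (unsigned long)offset2lib_delta());
    puts("Run several times with /proc/sys/kernel/randomize_va_space = 2:");
    puts("constant delta = offset2lib; changing delta = independent PIE base.");
    return 0;
}
```

Only the distance matters, not the absolute addresses: both bases move between runs on any ASLR-enabled kernel, which is why the weakness is easy to overlook when eyeballing a single /proc/PID/maps listing. On a non-PIE build (running_as_pie() returns 0) the executable base is fixed regardless, so the check is only meaningful for PIE binaries.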

Conference

Conference: In-depth Security Conference 2014 (DeepSec)
Country: Austria
City: Vienna
Period: 18/11/14 - 21/11/14


Cite this

Marco Gisbert, H., & Ripoli, I. (2014). On the Effectiveness of Full-ASLR on 64-bit Linux. Paper presented at In-depth Security Conference 2014 (DeepSec), Vienna, Austria.
Marco Gisbert, Hector; Ripoli, Ismael. / On the Effectiveness of Full-ASLR on 64-bit Linux. Paper presented at In-depth Security Conference 2014 (DeepSec), Vienna, Austria. 9 p.
@conference{77faa3268e8840529988a90c13282012,
title = "On the Effectiveness of Full-ASLR on 64-bit Linux",
author = "{Marco Gisbert}, Hector and Ismael Ripoli",
year = "2014",
month = "11",
}

Marco Gisbert, H & Ripoli, I 2014, 'On the Effectiveness of Full-ASLR on 64-bit Linux', paper presented at In-depth Security Conference 2014 (DeepSec), Vienna, Austria, 18/11/14 - 21/11/14.

On the Effectiveness of Full-ASLR on 64-bit Linux. / Marco Gisbert, Hector; Ripoli, Ismael.

2014. Paper presented at In-depth Security Conference 2014 (DeepSec), Vienna, Austria.

Research output: Paper (Research - peer-review)

TY  - CONF
T1  - On the Effectiveness of Full-ASLR on 64-bit Linux
AU  - Marco Gisbert, Hector
AU  - Ripoli, Ismael
PY  - 2014/11/20
Y1  - 2014/11/20
M3  - Paper
ER  -

Marco Gisbert H, Ripoli I. On the Effectiveness of Full-ASLR on 64-bit Linux. 2014. Paper presented at In-depth Security Conference 2014 (DeepSec), Vienna, Austria.