Revisiting Address Space Randomization | SpringerLink
Skip to main content
Springer Nature Link
Log in

Revisiting Address Space Randomization

  • Conference paper
Information Security and Cryptology - ICISC 2010 (ICISC 2010)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 6829))

Included in the following conference series:

  • 1224 Accesses

Abstract

Address space randomization is believed to be a strong defense against memory error exploits. Many code and data objects in a potentially vulnerable program and the system could be randomized, including those on the stack and heap, base address of code, order of functions, PLT, GOT, etc. Randomizing these code and data objects is believed to be effective in obfuscating the addresses in memory to obscure locations of code and data objects. However, attacking techniques have advanced since the introduction of address space randomization. In particular, return-oriented programming has made attacks without injected code much more powerful than what they were before. Keeping this new attacking technique in mind, in this paper, we revisit address space randomization and analyze the effectiveness of randomizing various code and data objects.

We show that randomizing certain code and data objects has become much less effective. Typically, randomizing the base and order of functions in shared libraries and randomizing the location and order of entries in PLT and GOT do not introduce significant difficulty to attacks using return-oriented programming. We propose a more general version of such attacks than what was introduced before, and point out weaknesses of a previously proposed fix. We argue that address space randomization was introduced without considering such attacks and a simple fix probably does not exist.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Subscribe and save

Springer+ Basic
¥17,985 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
JPY 3498
Price includes VAT (Japan)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
JPY 5719
Price includes VAT (Japan)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
JPY 7149
Price includes VAT (Japan)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

Similar content being viewed by others

References

  1. CVE-2008-0411, Ghostscript (8.61 and earlier) zseticcspace() Stack-based Buffer Overflow Vulnerability

    Google Scholar 

  2. PaX (2001), http://pax.grsecurity.net

  3. Bhatkar, S., DuVarney, D.C., Sekar, R.: Address obfuscation: an efficient approach to combat a broad range of memory error exploits. In: Proceedings of the 12th USENIX Security Symposium (USENIX Security 2003) (2003)

    Google Scholar 

  4. Bhatkar, S., Sekar, R., DuVarney, D.C.: Efficient techniques for comprehensive protection from memory error exploits. In: Proceedings of the 14th USENIX Security Symposium (USENIX Security 2005) (2005)

    Google Scholar 

  5. Buchanan, E., Roemer, R., Shacham, H., Savage, S.: When good instructions go bad: generalizing return-oriented programming to risc. In: Proceedings of the 15th ACM Conference on Computer and Communications Security, CCS 2008 (2008)

    Google Scholar 

  6. Checkoway, S., Davi, L., Dmitrienko, A., Sadeghi, A.-R., Shacham, H., Winandy, M.: Return-oriented programming without returns. In: Proceedings of the 17th ACM Conference on Computer and Communications Security, CCS (2010)

    Google Scholar 

  7. Checkoway, S., Feldman, A.J., Kantor, B., Halderman, J.A., Felten, E.W., Shacham, H.: Can dres provide long-lasting security? the case of return-oriented programming and the avc advantage. In: Proceedings of the 2009 Electronic Voting Technology Workshop/Workshop on Trustworthy Elections, EVT/WOTE 2009 (2009)

    Google Scholar 

  8. Solar Designer. JPEG COM marker processing vulnerability (2000), http://www.openwall.com/articles/JPEG-COM-Marker-Vulnerability

  9. Francillon, A., Castelluccia, C.: Code injection attacks on harvard-architecture devices. In: Proceedings of the 15th ACM Conference on Computer and Communications Security, CCS 2008 (2008)

    Google Scholar 

  10. Hund, R., Holz, T., Freiling, F.C.: Returnoriented rootkits: Bypassing kernel code integrity protection mechanisms. In: Proceedings of the 18th USENIX Security Symposium (USENIX Security 2009) (2009)

    Google Scholar 

  11. Kornau, T.: Return oriented programming for the arm architecture. Master’s thesis, Ruhr-University Bochum, Germany (2009)

    Google Scholar 

  12. Aleph One. Smashing the stack for fun and profit. Phrack magazine (1996), http://www.phrack.com/issues.html?issue=49&id=14

  13. Roglia, G.F., Martignoni, L., Paleari, R., Bruschi, D.: Surgically returning to randomized lib(c). In: Proceedings of the 25th Annual Computer Security Applications Conference, ACSAC 2009 (2009)

    Google Scholar 

  14. Shacham, H.: The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86). In: Proceedings of the 14th ACM conference on Computer and Communications Security, CCS 2007 (2007)

    Google Scholar 

  15. Shacham, H., Page, M., Pfaff, B., Goh, E., Modadugu, N., Boneh, D.: On the effectiveness of address-space randomization. In: Proceedings of the 11th ACM Conference on Computer and Communications Security, CCS 2004 (2004)

    Google Scholar 

  16. Scut/team teso. Exploiting format string vulnerabilities (2001), http://team-teso.net

  17. Xu, J., Kalbarczyk, Z., Iyer, R.K.: Transparent runtime randomization for security. In: Symposium on Reliable and Distributed Systems, SRDS (2003)

    Google Scholar 

  18. Zalewski, M.: Remote vulnerability in ssh daemon crc32 compensation attack detector (2001) (Bindview)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. College of Information Technology and Science, Nankai University, China

    Zhi Wang

  2. School of Information Systems, Singapore Management University, Singapore

    Renquan Cheng & Debin Gao

Authors
  1. Zhi Wang
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Renquan Cheng
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Debin Gao
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Department of IT Convergence Application Engineering, Pukyong National University, 599-1 Daeyeon 3-Dong Namgu, 608-737, Busan, Republic of Korea

    Kyung-Hyune Rhee

  2. Department of Computer Science and Information Technology, INHA University, 253 Yonghyun-dong, Nam-gu, 402-751, Incheon, Republic of Korea

    DaeHun Nyang

Rights and permissions

Reprints and permissions

Copyright information

© 2011 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Wang, Z., Cheng, R., Gao, D. (2011). Revisiting Address Space Randomization. In: Rhee, KH., Nyang, D. (eds) Information Security and Cryptology - ICISC 2010. ICISC 2010. Lecture Notes in Computer Science, vol 6829. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-24209-0_14

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-24209-0_14

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-24208-3

  • Online ISBN: 978-3-642-24209-0

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation