ASLR - What It Is, and What It Isn’t

Posted by Mordechai Guri, Ph.D. on Dec 17, 2015 7:56:12 AM
Mordechai Guri, Ph.D.
Find me on:

ASLR_versus_Moving_Target_Defense-82341470.jpg

We often get asked how our Moving Target Defense (MTD) approach differs from ASLR. While the concepts may sound similar, ASLR is missing several key elements to make it successful at countering 0-day and targeted attacks.

Address Space Layout Randomization (ASLR) is a computer security technique which involves randomly positioning the base address of an executable and the position of libraries, heap, and stack, in a process's address space. The random mixing of memory addresses performed by ASLR means that an attack no longer knows at what address the required code (such as functions or ROP gadgets) is actually located. That way, rather than removing vulnerabilities from the system, ASLR attempts to make it more challenging to exploit existing vulnerabilities..

Here are the main shortcomings of ASLR:

  1. Boot-time based randomization

With ASLR, the base addresses of DLLs are based on boot-time randomization. Practically, this means that the base addresses of libraries will be randomized at the next reboot. This is an Achilles heel that can be exploited by attackers, simply by combining vulnerabilities such as memory disclosure or brute force attacks.

  1. Unsupported executables/libraries, low-entropy.

ASLR is not supported when the executable or DLLs are not built with ASLR support. Although Windows 8 and Windows 10 try to overcome this limitation (e.g., force ASLR in Windows 8), there are still exceptions that many times render the ASLR protection ineffective. Older version of Windows and legacy programs are particularly prone to this limitation. In addition, ASLR on 32-bit systems suffers from low entropy, making it vulnerable to brute force and similar attacks.

  1. ASLR does not trap the attack

ASLR aims to prevent an attack from reliably reaching its target memory address. ASLR does not focus on trapping the attack, rather on making the attack unlikely to work. Once the shellcode jumps to the wrong address during the exploit (due to the memory randomization), the program behavior is undefined. The process might receive an exception, crash, get stuck or simply continue with inconsistent behavior as a result.

  1. ASLR does not alert in a case of an attack

ASLR does not give any alerts about attack attempts. When a vulnerability is exploited and fails (due to ASLR’s memory randomization), no alert or attack indication is received. Essentially ASLR doesn't 'know' when an attack happened..

  1. ASLR does not provide information about an attack

Forensic information about an attack, exploitation and shellcode is crucial for any serious forensic investigation. Exploited processes, memory dumps and call stacks can be used to identify, fingerprint and tag exploits. ASLR cannot provide this information because it doesn't actually know if an attack happens or at which point it was stopped.

  1. ASLR is being bypassed by exploits daily

Since ASLR was introduced in Windows OS, it has been bypassed countless times by real-world exploits and attacks. Attackers continuously develop new techniques to defeat ASLR defense. Bypass techniques include using ROP chain in non-ASLR modules (e.g., CVE 2013-1347), JIT/NOP spraying (e.g., CVE-2013-3346), as well as memory disclosure vulnerabilities and other techniques (e.g., CVE-2015-1685, CVE-2015-2449, CVE-2013-2556, CVE-2013-0640, CVE-2013-0634).


 

At Mophisec, we view ASLR as the predecessor of a multi-variable, modern Moving Target Defense approach. Morphisec Endpoint Security delivers protection that overcomes all of the limitations listed above. In addition, our solution offers a full management system, and is able to provide rich forensic information and intelligent classification and fingerprinting of attacks for actionable remediation directives.

Here I am  writing a  new whathathat  sdfjdsfksd;afjd;fkdhfakdf

Topics: ASLR, Moving Target Defense

Welcome to our Blog

Keeping you in the loop with company updates, industry insight, cyber security trends, and cyber attack information.

Subscribe to the blog

Morphisec Named a Cool Vendor 2016

Morphisec is a Gartner Cool Vendor 2016

Each year Gartner identifies new Cool Vendors it considers innovative or transformative. Morphisec is honored be to named a Cool Vendor 2016. Here's more....