Address space layout randomisation (ASLR) refers to the randomisation of the locations of the key components of an executable — stack, heap, libraries and memory-mapped files, executable code — in the address space; to mitigate remote code execution and other attacks targeting CWE-787 and CWE-125.
Watch Dr. Yeongjin Jang’s lecture on ASLR:
ASLR targets memory corruption vulnerabilities such as buffer overflows, which typically occur when data get written to memory that is smaller than the size of the data — a common programming error when using a memory-unsafe language like C.
By introducing uncertainty into the locations of the shellcode (or any other attack code), ASLR hinders exploitations of memory corruption vulnerabilities.
There are many ways ASLR can be done, and different operating systems do it differently.
There are three dimensions to be considered [MGRR19]:
When
This is about when the entropy used for ASLR is generated (see Table 1):
Per-deployment: The application is randomised when it is installed in the system.
This limited form of randomisation, called pre-linking, enables randomisation on systems that do not support position-independent code (PIC) or relocatable code.
Per-boot: Randomisation is done whenever the system boots.
Useful for systems whose shared libraries are not compiled as PIC.
Per-exec: Randomisation is done whenever a new executable image is loaded into memory.
This pre-process randomisation is triggered by the exec() system call but not the fork() system call.
Per-fork: Randomisation is done whenever a new process is created/forked.
Per-object: Every object is randomised when it is created.
⚠ Objects that are at a constant distance away from another already mapped object are not considered to be randomised on a per-object basis, even if the reference object is randomised, because knowledge of one object’s location compromises the location of another.
What
This is about what to randomise.
In the extreme, if a single object (e.g., the executable) is not randomised, ASLR is considered to be broken.
An “aggressive” form of ASLR is when the randomisation is applied to the logical elements contained in the memory objects: processor instructions, blocks of code, functions, and even the data structures of the application; see Table 1.
In this case 👆, the compiler, linker and loader are required to play an active role.
This form of ASLR is not known to be in use.
How
Table 1 lists the main strategies:
Partial-VM vs full-VM: In the former case, a subset of the virtual memory space is divided into non-overlapping ranges or zones, and each zone contains one or more objects.
In the latter case, randomisation applies to the whole virtual memory space.
Full-VM randomisation does not honour the order of the main areas (i.e., exec, heap, libs, stack, ...), but it is not known to be in use.
Isolated-object vs correlated-object: In the former case, every object is randomly mapped with respect to any other.
In the latter case, the position of an object is calculated as a function of the position of another object and a random value.
For details on the other strategies in Table 1, please refer to [MGRR19, pp. 5-6].
Table 1: Summary of the three dimensions of ASLR [MGRR19, Table 1]. vDSO = virtual dynamic shared object; VM = virtual memory.
References
[MGRR19]
H. Marco-Gisbert and I. Ripoll Ripoll, Address space layout randomization next generation, Applied Sciences9 no. 14 (2019). https://doi.org/10.3390/app9142928.
