Upgrade to Pro — share decks privately, control downloads, hide ads and more …

ASLR - Address Space Layout Randomization

b4d
November 09, 2016
Research
0
240

ASLR - Address Space Layout Randomization

Talk for 2016 ISP course on Faculty of Computer and Information Science, Ljubljana.

Address Space Layout Randomization (ASLR) is a computer security technique that provides protection from buffer overflow attacks. ASLR randomizes address space positions of key data of a process, thus making it difficult for an attacker to reliably jump to a particular exploited function in memory. In this paper we study limitations of ASLR and present viable exploitation options that can circumvent kernel space ASLR on current operating systems. We also discuss mitigation strategies against some of the attacks with their strengths and weaknesses revealed.

b4d

November 09, 2016
Tweet

More Decks by b4d

See All by b4d
Python basics
b4d
0
36

Other Decks in Research

See All in Research
[Human-AI Decision Making勉強会] 説明の更新はユーザにどのような影響をもたらすか
okoso
1
180
東工大Swallowプロジェクトにおける大規模日本語Webコーパスの構築
aya_se
12
6.5k
「EBPMエコシステム」の可能性
daimoriwaki
0
200
床面圧力センサ開発における感圧導電シート分離方式の検討 / WISS2023
yumulab
0
270
Bridging Continuous and Discrete Spaces: Interpretable Sentence Representation Learning via Compositional Operations
rudorudo11
0
160
方策の長期性能に対する 効率的なオフライン評価・学習 (Long-term Off-Policy Evaluation and Learning)
usaito
PRO
2
180
CASCON 2023 Most Influential Paper Award Talk
tsantalis
0
120
論文紹介 DISN: Deep Implicit Surface Network for High quality Single-view 3D Reconstruction / DISN: Deep Implicit Surface Network for High quality Single-view 3D Reconstruction
nttcom
0
110
説明可能AI:代表的手法と最近の動向 
yuyay
1
590
Combating Misinformation in the age of LLMs
teacherpeterpan
0
130
「歴史的農業環境閲覧システム」と「迅速測図」について
wata909
1
600
Scaling Rectified Flow Transformers for High-Resolution Image Synthesis / Stable Diffusion 3
shunk031
0
460

Featured

See All Featured
Documentation Writing (for coders)
carmenintech
60
3.9k
No one is an island. Learnings from fostering a developers community.
thoeni
16
2.1k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
187
16k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
14
1.5k
Fontdeck: Realign not Redesign
paulrobertlloyd
76
4.9k
Debugging Ruby Performance
tmm1
70
11k
How GitHub (no longer) Works
holman
304
140k
RailsConf 2023
tenderlove
4
540
For a Future-Friendly Web
brad_frost
172
9k
Git: the NoSQL Database
bkeepers
PRO
422
63k
A Tale of Four Properties
chriscoyier
151
22k
Navigating Team Friction
lara
178
13k

Transcript

  1. ADDRESS SPACE LAYOUT RANDOMIZATION DENI BACIC

  2. // full-nelson.c static int __attribute__((regparm(3))) getroot(void * file, void *

    vma) { commit_creds(prepare_kernel_cred(0)); return -1; } // https://blog.plenz.com/2013-02/privilege-escalation-kernel-exploit.html int privesc(struct sk_buff *skb, struct nlmsghdr *nlh) { commit_creds(prepare_kernel_cred(0)); return 0; }
  3. None

  4. kernel ext4 iptable_nat ahci kernel ext4 iptable_nat ahci memory address

    space boot 1 boot 2

  5. $ cat /proc/kallsyms | grep ' commit_creds\| prepare_kernel' 0000000000000000 T

    commit_creds 0000000000000000 T prepare_kernel_cred $ sudo cat /proc/kallsyms | grep ' commit_creds\| prepare_kernel' ffffffff81099ab0 T commit_creds ffffffff81099f90 T prepare_kernel_cred $ sudo cat /proc/kallsyms | grep ' commit_creds\| prepare_kernel' ffffffff8108ca70 T commit_creds ffffffff8108ce50 T prepare_kernel_cred user super user boot 1 super user boot 2

  6. ADOPTION STATUS Jang, Yeongjin, Sangho Lee, and Taesoo Kim. "Breaking

    Kernel Address Space Layout Randomization with Intel TSX." Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. ACM, 2016.

  7. KASLR ATTACKING ? ‣InfO vulnerability? ‣TIMING SIDE-CHANNel ‣memory ADDRESS access

  8. ‣UNmapped == more TIME ‣Mapped == less TIME KASLR ATTACKING

    ?

  9. unmapped mapped Hund, Ralf, Carsten Willems, and Thorsten Holz. "Practical

    timing side channel attacks against kernel space ASLR." Security and Privacy (SP), 2013 IEEE Symposium on. IEEE, 2013. ?

  10. user cpu TLB OS exception handling user OS Noise TLB

    = translation lookaside buffer time ->

  11. user cpu TLB OS exception handling user OS Noise OS

    Noise TLB TLB = translation lookaside buffer time ->

  12. ‣DrK ATTACK ‣EXPLOITS INTEL TSX IMPROVE CAN WE IT?

  13. time -> user cpu TLB OS exception handling user user

    cpu TLB user OS Noise OS Noise TLB time ->

  14. Jang, Yeongjin, Sangho Lee, and Taesoo Kim. "Breaking Kernel Address

    Space Layout Randomization with Intel TSX." Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. ACM, 2016. unmapped mapped Hund, Ralf, Carsten Willems, and Thorsten Holz. "Practical timing side channel attacks against kernel space ASLR." Security and Privacy (SP), 2013 IEEE Symposium on. IEEE, 2013. ? std ~40 std ~10
  15. None

  16. EVEN FROM VIRTUAL MACHINE VM OS https://github.com/felixwilhelm/mario_baslr

  17. APPROACHES MITIGATION ? ‣coarse-grined timer ‣fake mapping

  18. APPROACHES MITIGATION ? ‣monitoring ‣live re-randomization

  19. ?