Upgrade to Pro — share decks privately, control downloads, hide ads and more …

ASLR - Address Space Layout Randomization

b4d
November 09, 2016
Research
0
260

ASLR - Address Space Layout Randomization

Talk for 2016 ISP course on Faculty of Computer and Information Science, Ljubljana.

Address Space Layout Randomization (ASLR) is a computer security technique that provides protection from buffer overflow attacks. ASLR randomizes address space positions of key data of a process, thus making it difficult for an attacker to reliably jump to a particular exploited function in memory. In this paper we study limitations of ASLR and present viable exploitation options that can circumvent kernel space ASLR on current operating systems. We also discuss mitigation strategies against some of the attacks with their strengths and weaknesses revealed.

b4d

November 09, 2016
Tweet

More Decks by b4d

See All by b4d
Python basics
b4d
0
41

Other Decks in Research

See All in Research
論文読み会 SNLP2024 Instruction-tuned Language Models are Better Knowledge Learners. In: ACL 2024
s_mizuki_nlp
1
350
Embers of Autoregression: Understanding Large Language Models Through the Problem They are Trained to Solve
eumesy
PRO
7
1.2k
The Fellowship of Trust in AI
tomzimmermann
0
130
渋谷Well-beingアンケート調査結果
shibuyasmartcityassociation
0
260
Matching 2D Images in 3D: Metric Relative Pose from Metric Correspondences
sgk
1
320
SNLP2024:Planning Like Human: A Dual-process Framework for Dialogue Planning
yukizenimoto
1
330
MIRU2024チュートリアル「様々なセンサやモダリティを用いたシーン状態推定」
miso2024
4
2.2k
データサイエンティストをめぐる環境の違い 2024年版〈一般ビジネスパーソン調査の国際比較〉
datascientistsociety
PRO
0
580
Practical The One Person Framework
asonas
1
1.6k
ニュースメディアにおける事前学習済みモデルの可能性と課題 / IBIS2024
upura
3
510
文献紹介:A Multidimensional Framework for Evaluating Lexical Semantic Change with Social Science Applications
a1da4
1
220
3次元点群の分類における評価指標について
kentaitakura
0
410

Featured

See All Featured
Building Better People: How to give real-time feedback that sticks.
wjessup
364
19k
A Philosophy of Restraint
colly
203
16k
Into the Great Unknown - MozCon
thekraken
32
1.5k
Fantastic passwords and where to find them - at NoRuKo
philnash
50
2.9k
Teambox: Starting and Learning
jrom
133
8.8k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
28
2k
The MySQL Ecosystem @ GitHub 2015
samlambert
250
12k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
506
140k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
26
1.4k
Large-scale JavaScript Application Architecture
addyosmani
510
110k
Faster Mobile Websites
deanohume
305
30k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
47
2.1k

Transcript

  1. ADDRESS SPACE LAYOUT RANDOMIZATION DENI BACIC

  2. // full-nelson.c static int __attribute__((regparm(3))) getroot(void * file, void *

    vma) { commit_creds(prepare_kernel_cred(0)); return -1; } // https://blog.plenz.com/2013-02/privilege-escalation-kernel-exploit.html int privesc(struct sk_buff *skb, struct nlmsghdr *nlh) { commit_creds(prepare_kernel_cred(0)); return 0; }
  3. None

  4. kernel ext4 iptable_nat ahci kernel ext4 iptable_nat ahci memory address

    space boot 1 boot 2

  5. $ cat /proc/kallsyms | grep ' commit_creds\| prepare_kernel' 0000000000000000 T

    commit_creds 0000000000000000 T prepare_kernel_cred $ sudo cat /proc/kallsyms | grep ' commit_creds\| prepare_kernel' ffffffff81099ab0 T commit_creds ffffffff81099f90 T prepare_kernel_cred $ sudo cat /proc/kallsyms | grep ' commit_creds\| prepare_kernel' ffffffff8108ca70 T commit_creds ffffffff8108ce50 T prepare_kernel_cred user super user boot 1 super user boot 2

  6. ADOPTION STATUS Jang, Yeongjin, Sangho Lee, and Taesoo Kim. "Breaking

    Kernel Address Space Layout Randomization with Intel TSX." Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. ACM, 2016.

  7. KASLR ATTACKING ? ‣InfO vulnerability? ‣TIMING SIDE-CHANNel ‣memory ADDRESS access

  8. ‣UNmapped == more TIME ‣Mapped == less TIME KASLR ATTACKING

    ?

  9. unmapped mapped Hund, Ralf, Carsten Willems, and Thorsten Holz. "Practical

    timing side channel attacks against kernel space ASLR." Security and Privacy (SP), 2013 IEEE Symposium on. IEEE, 2013. ?

  10. user cpu TLB OS exception handling user OS Noise TLB

    = translation lookaside buffer time ->

  11. user cpu TLB OS exception handling user OS Noise OS

    Noise TLB TLB = translation lookaside buffer time ->

  12. ‣DrK ATTACK ‣EXPLOITS INTEL TSX IMPROVE CAN WE IT?

  13. time -> user cpu TLB OS exception handling user user

    cpu TLB user OS Noise OS Noise TLB time ->

  14. Jang, Yeongjin, Sangho Lee, and Taesoo Kim. "Breaking Kernel Address

    Space Layout Randomization with Intel TSX." Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. ACM, 2016. unmapped mapped Hund, Ralf, Carsten Willems, and Thorsten Holz. "Practical timing side channel attacks against kernel space ASLR." Security and Privacy (SP), 2013 IEEE Symposium on. IEEE, 2013. ? std ~40 std ~10
  15. None

  16. EVEN FROM VIRTUAL MACHINE VM OS https://github.com/felixwilhelm/mario_baslr

  17. APPROACHES MITIGATION ? ‣coarse-grined timer ‣fake mapping

  18. APPROACHES MITIGATION ? ‣monitoring ‣live re-randomization

  19. ?